Allow removing users federated from a kerberos provider

Closes #31603 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-08-05 17:43:58 -03:00 · 2024-08-05 17:43:58 -03:00 · d04d2bb852
commit d04d2bb852
parent e13c9bf462
2 changed files with 32 additions and 1 deletions
--- a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosFederationProvider.java
+++ b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosFederationProvider.java
@ -42,6 +42,7 @@ import org.keycloak.storage.UserStorageProvider;
 import org.keycloak.storage.UserStorageProviderModel;
 import org.keycloak.storage.user.ImportedUserValidation;
 import org.keycloak.storage.user.UserLookupProvider;
+import org.keycloak.storage.user.UserRegistrationProvider;
 import org.keycloak.userprofile.AttributeGroupMetadata;
 import org.keycloak.userprofile.AttributeMetadata;
 import org.keycloak.userprofile.UserProfileDecorator;
@ -65,7 +66,8 @@ public class KerberosFederationProvider implements UserStorageProvider,
        CredentialInputUpdater,
        CredentialAuthentication,
        ImportedUserValidation,
-        UserProfileDecorator {
+        UserProfileDecorator,
+        UserRegistrationProvider {

    private static final Logger logger = Logger.getLogger(KerberosFederationProvider.class);
    public static final String KERBEROS_PRINCIPAL = KerberosConstants.KERBEROS_PRINCIPAL;
@ -311,4 +313,15 @@ public class KerberosFederationProvider implements UserStorageProvider,
        AttributeGroupMetadata metadataGroup = UserProfileUtil.lookupUserMetadataGroup(session);
        return Collections.singletonList(UserProfileUtil.createAttributeMetadata(KerberosConstants.KERBEROS_PRINCIPAL, metadata, metadataGroup, guiOrder++, model.getName()));
    }
+
+    @Override
+    public boolean removeUser(RealmModel realm, UserModel user) {
+        return true;
+    }
+
+    @Override
+    public UserModel addUser(RealmModel realm, String username) {
+        // no support for creating users
+        return null;
+    }
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java
@ -18,6 +18,7 @@
 package org.keycloak.testsuite.federation.kerberos;

 import jakarta.mail.internet.MimeMessage;
+import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.client.Entity;
 import jakarta.ws.rs.core.Form;
 import jakarta.ws.rs.core.MultivaluedMap;
@ -274,4 +275,21 @@ public class KerberosStandaloneTest extends AbstractKerberosSingleRealmTest {
        infoPage.assertCurrent();
        Assert.assertEquals("Your account has been updated.", infoPage.getInfo());
    }
+
+    @Test
+    public void testRemoveUserTest() throws Exception {
+        assertSuccessfulSpnegoLogin("hnelson", "hnelson", "secret");
+
+        // User-profile data should be present (including KERBEROS_PRINCIPAL attribute)
+        UserResource johnResource = ApiUtil.findUserByUsernameId(testRealmResource(), "hnelson");
+        UserRepresentation john = johnResource.toRepresentation(true);
+        Assert.assertNames(john.getUserProfileMetadata().getAttributes(), UserModel.FIRST_NAME, UserModel.LAST_NAME, UserModel.EMAIL, UserModel.USERNAME, KerberosConstants.KERBEROS_PRINCIPAL);
+        johnResource.remove();
+
+        try {
+            john = johnResource.toRepresentation(true);
+            Assert.fail("should remove the user");
+        } catch (NotFoundException expected) {
+        }
+    }
 }