libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Review feedback

Browse source
This commit is contained in:
Ian Duffy 2019-05-25 14:21:12 +01:00 committed by Marek Posolda
parent 54909d3ef4
commit de0ee474dd
9 changed files with 28 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPConfig.java
View file

@ -111,7 +111,7 @@ public class LDAPConfig {
} }
public String getConnectionPooling() { public String getConnectionPooling() {
if(isTls()) { if(isStartTls()) {
return null; return null;
} else { } else {
return config.getFirst(LDAPConstants.CONNECTION_POOLING); return config.getFirst(LDAPConstants.CONNECTION_POOLING);
@ -223,9 +223,8 @@ public class LDAPConfig {
return null; return null;
} }
public boolean isTls() { public boolean isStartTls() {
String tls = config.getFirst(LDAPConstants.TLS); return Boolean.parseBoolean(config.getFirst(LDAPConstants.START_TLS));
return Boolean.parseBoolean(tls);
} }
public UserStorageProvider.EditMode getEditMode() { public UserStorageProvider.EditMode getEditMode() {

5
federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java
View file

@ -128,7 +128,7 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory<LD
.type(ProviderConfigProperty.STRING_TYPE) .type(ProviderConfigProperty.STRING_TYPE)
.defaultValue("simple") .defaultValue("simple")
.add() .add()
.property().name(LDAPConstants.TLS) .property().name(LDAPConstants.START_TLS)
.type(ProviderConfigProperty.BOOLEAN_TYPE) .type(ProviderConfigProperty.BOOLEAN_TYPE)
.add() .add()
.property().name(LDAPConstants.BIND_DN) .property().name(LDAPConstants.BIND_DN)
@ -270,6 +270,9 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory<LD
} }
} }
if(cfg.isStartTls() && cfg.getConnectionPooling() != null) {
throw new ComponentValidationException("ldapErrorCantEnableStartTlsAndConnectionPooling");
}
} }
@Override @Override

17
federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java
View file

@ -39,7 +39,14 @@ import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem; import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls; import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult; import javax.naming.directory.SearchResult;
import javax.naming.ldap.*; import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
@ -497,7 +504,7 @@ public class LDAPOperationManager {
// Never use connection pool to prevent password caching // Never use connection pool to prevent password caching
env.put("com.sun.jndi.ldap.connect.pool", "false"); env.put("com.sun.jndi.ldap.connect.pool", "false");
if(!this.config.isTls()) { if(!this.config.isStartTls()) {
env.put(Context.SECURITY_AUTHENTICATION, this.config.getAuthType()); env.put(Context.SECURITY_AUTHENTICATION, this.config.getAuthType());
env.put(Context.SECURITY_PRINCIPAL, dn); env.put(Context.SECURITY_PRINCIPAL, dn);
env.put(Context.SECURITY_CREDENTIALS, password); env.put(Context.SECURITY_CREDENTIALS, password);
@ -527,7 +534,7 @@ public class LDAPOperationManager {
} }
private void startTLS(LdapContext ldapContext, String authType, String bindDN, String bindCredentials) throws NamingException { private void startTLS(LdapContext ldapContext, String authType, String bindDN, String bindCredentials) throws NamingException {
if(this.config.isTls()) { if(this.config.isStartTls()) {
try { try {
StartTlsResponse tls = (StartTlsResponse) ldapContext.extendedOperation(new StartTlsRequest()); StartTlsResponse tls = (StartTlsResponse) ldapContext.extendedOperation(new StartTlsRequest());
tls.negotiate(); tls.negotiate();
@ -675,7 +682,7 @@ public class LDAPOperationManager {
} }
private LdapContext createLdapContext() throws NamingException { private LdapContext createLdapContext() throws NamingException {
if(!config.isTls()) { if(!config.isStartTls()) {
return new InitialLdapContext(new Hashtable<Object, Object>(this.connectionProperties), null); return new InitialLdapContext(new Hashtable<Object, Object>(this.connectionProperties), null);
} else { } else {
LdapContext ldapContext = new InitialLdapContext(new Hashtable<Object, Object>(this.connectionProperties), null); LdapContext ldapContext = new InitialLdapContext(new Hashtable<Object, Object>(this.connectionProperties), null);
@ -689,7 +696,7 @@ public class LDAPOperationManager {
env.put(Context.INITIAL_CONTEXT_FACTORY, this.config.getFactoryName()); env.put(Context.INITIAL_CONTEXT_FACTORY, this.config.getFactoryName());
if(!this.config.isTls()) { if(!this.config.isStartTls()) {
String authType = this.config.getAuthType(); String authType = this.config.getAuthType();
env.put(Context.SECURITY_AUTHENTICATION, authType); env.put(Context.SECURITY_AUTHENTICATION, authType);

2
server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java
View file

@ -82,7 +82,7 @@ public class LDAPConstants {
// Custom user search filter // Custom user search filter
public static final String CUSTOM_USER_SEARCH_FILTER = "customUserSearchFilter"; public static final String CUSTOM_USER_SEARCH_FILTER = "customUserSearchFilter";
public static final String TLS = "tls"; public static final String START_TLS = "startTls";
// Custom attributes on UserModel, which is mapped to LDAP // Custom attributes on UserModel, which is mapped to LDAP
public static final String LDAP_ID = "LDAP_ID"; public static final String LDAP_ID = "LDAP_ID";

4
services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
View file

@ -930,14 +930,14 @@ public class RealmAdminResource {
public Response testLDAPConnection(@FormParam("action") String action, @FormParam("connectionUrl") String connectionUrl, public Response testLDAPConnection(@FormParam("action") String action, @FormParam("connectionUrl") String connectionUrl,
@FormParam("bindDn") String bindDn, @FormParam("bindCredential") String bindCredential, @FormParam("bindDn") String bindDn, @FormParam("bindCredential") String bindCredential,
@FormParam("useTruststoreSpi") String useTruststoreSpi, @FormParam("connectionTimeout") String connectionTimeout, @FormParam("useTruststoreSpi") String useTruststoreSpi, @FormParam("connectionTimeout") String connectionTimeout,
@FormParam("componentId") String componentId, @FormParam("tls") String tls) { @FormParam("componentId") String componentId, @FormParam("startTls") String startTls) {
auth.realm().requireManageRealm(); auth.realm().requireManageRealm();
if (componentId != null && bindCredential.equals(ComponentRepresentation.SECRET_VALUE)) { if (componentId != null && bindCredential.equals(ComponentRepresentation.SECRET_VALUE)) {
bindCredential = realm.getComponent(componentId).getConfig().getFirst(LDAPConstants.BIND_CREDENTIAL); bindCredential = realm.getComponent(componentId).getConfig().getFirst(LDAPConstants.BIND_CREDENTIAL);
} }
boolean result = new LDAPConnectionTestManager().testLDAP(action, connectionUrl, bindDn, bindCredential, useTruststoreSpi, connectionTimeout, tls); boolean result = new LDAPConnectionTestManager().testLDAP(action, connectionUrl, bindDn, bindCredential, useTruststoreSpi, connectionTimeout, startTls);
return result ? Response.noContent().build() : ErrorResponse.error("LDAP test error", Response.Status.BAD_REQUEST); return result ? Response.noContent().build() : ErrorResponse.error("LDAP test error", Response.Status.BAD_REQUEST);
} }

3
themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
View file

@ -968,7 +968,7 @@ ldap.connection-pooling.prefsize.tooltip=The string representation of an integer
ldap.connection-pooling.protocol.tooltip=A list of space-separated protocol types of connections that may be pooled. Valid types are "plain" and "ssl". ldap.connection-pooling.protocol.tooltip=A list of space-separated protocol types of connections that may be pooled. Valid types are "plain" and "ssl".
ldap.connection-pooling.timeout.tooltip=The string representation of an integer that represents the number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool. ldap.connection-pooling.timeout.tooltip=The string representation of an integer that represents the number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool.
ldap.pagination.tooltip=Does the LDAP server support pagination. ldap.pagination.tooltip=Does the LDAP server support pagination.
ldap.tls.tooltip=Does the LDAP server require STARTTLS. ldap.startTls.tooltip=Encrypts the connection to LDAP using STARTTLS, this will disable connection pooling.
kerberos-integration=Kerberos Integration kerberos-integration=Kerberos Integration
allow-kerberos-authentication=Allow Kerberos authentication allow-kerberos-authentication=Allow Kerberos authentication
ldap.allow-kerberos-authentication.tooltip=Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server ldap.allow-kerberos-authentication.tooltip=Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server
@ -993,7 +993,6 @@ identity-provider-user-id.tooltip=Unique ID of the user on the Identity Provider
identity-provider-username=Identity Provider Username identity-provider-username=Identity Provider Username
identity-provider-username.tooltip=Username on the Identity Provider side identity-provider-username.tooltip=Username on the Identity Provider side
pagination=Pagination pagination=Pagination
tls=TLS
browser-flow=Browser Flow browser-flow=Browser Flow
browser-flow.tooltip=Select the flow you want to use for browser authentication. browser-flow.tooltip=Select the flow you want to use for browser authentication.
registration-flow=Registration Flow registration-flow=Registration Flow

1
themes/src/main/resources/theme/base/admin/messages/messages_en.properties
View file

@ -16,6 +16,7 @@ ldapErrorMissingClientId=Client ID needs to be provided in config when Realm Rol
ldapErrorCantPreserveGroupInheritanceWithUIDMembershipType=Not possible to preserve group inheritance and use UID membership type together. ldapErrorCantPreserveGroupInheritanceWithUIDMembershipType=Not possible to preserve group inheritance and use UID membership type together.
ldapErrorCantWriteOnlyForReadOnlyLdap=Can't set write only when LDAP provider mode is not WRITABLE ldapErrorCantWriteOnlyForReadOnlyLdap=Can't set write only when LDAP provider mode is not WRITABLE
ldapErrorCantWriteOnlyAndReadOnly=Can't set write-only and read-only together ldapErrorCantWriteOnlyAndReadOnly=Can't set write-only and read-only together
ldapErrorCantEnableStartTlsAndConnectionPooling=Can't enable both StartTLS and connection pooling.
clientRedirectURIsFragmentError=Redirect URIs must not contain an URI fragment clientRedirectURIsFragmentError=Redirect URIs must not contain an URI fragment
clientRootURLFragmentError=Root URL must not contain an URL fragment clientRootURLFragmentError=Root URL must not contain an URL fragment

2
themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js
View file

@ -1523,7 +1523,7 @@ module.controller('LDAPUserStorageCtrl', function($scope, $location, Notificatio
bindCredential: ldapConfig.bindCredential, bindCredential: ldapConfig.bindCredential,
useTruststoreSpi: ldapConfig.useTruststoreSpi, useTruststoreSpi: ldapConfig.useTruststoreSpi,
connectionTimeout: ldapConfig.connectionTimeout, connectionTimeout: ldapConfig.connectionTimeout,
tls: ldapConfig.tls, startTls: ldapConfig.startTls,
componentId: instance.id componentId: instance.id
}; };
}; };

6
themes/src/main/resources/theme/base/admin/resources/partials/user-storage-ldap.html
View file

@ -141,11 +141,11 @@
<kc-tooltip>{{:: 'ldap.authentication-type.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'ldap.authentication-type.tooltip' | translate}}</kc-tooltip>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-md-2 control-label" for="tls">{{:: 'tls' | translate}}</label> <label class="col-md-2 control-label" for="startTls">{{:: 'enable-start-tls' | translate}}</label>
<div class="col-md-6"> <div class="col-md-6">
<input ng-model="instance.config['tls'][0]" name="tls" id="tls" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" /> <input ng-model="instance.config['startTls'][0]" name="startTls" id="startTls" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
</div> </div>
<kc-tooltip>{{:: 'ldap.tls.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'ldap.startTls.tooltip' | translate}}</kc-tooltip>
</div> </div>
<div class="form-group clearfix" data-ng-hide="instance.config['authType'][0] == 'none'"> <div class="form-group clearfix" data-ng-hide="instance.config['authType'][0] == 'none'">
<label class="col-md-2 control-label" for="ldapBindDn"><span class="required">*</span> {{:: 'bind-dn' | translate}}</label> <label class="col-md-2 control-label" for="ldapBindDn"><span class="required">*</span> {{:: 'bind-dn' | translate}}</label>