From f82577a7f32ca2efc9853f212a19660f9a498a54 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Tue, 20 Jun 2023 20:46:57 +0200 Subject: [PATCH] Removed old account console (#21098) Co-authored-by: Jon Koops Closes #9864 --- .../migration/migrators/MigrateTo22_0_0.java | 13 +- .../keycloak/forms/account/AccountPages.java | 27 - .../forms/account/AccountProvider.java | 73 -- .../forms/account/AccountProviderFactory.java | 27 - .../keycloak/forms/account/AccountSpi.java | 49 - .../services/org.keycloak.provider.Spi | 1 - .../freemarker/FreeMarkerAccountProvider.java | 400 ------ .../FreeMarkerAccountProviderFactory.java | 53 - .../forms/account/freemarker/Templates.java | 52 - .../account/freemarker/model/AccountBean.java | 91 -- .../model/AccountFederatedIdentityBean.java | 135 -- .../freemarker/model/ApplicationsBean.java | 221 ---- .../freemarker/model/AuthorizationBean.java | 456 ------- .../freemarker/model/FeaturesBean.java | 52 - .../account/freemarker/model/LogBean.java | 99 -- .../freemarker/model/PasswordBean.java | 35 - .../account/freemarker/model/RealmBean.java | 76 -- .../freemarker/model/ReferrerBean.java | 39 - .../freemarker/model/SessionsBean.java | 90 -- .../account/freemarker/model/TotpBean.java | 122 -- .../account/freemarker/model/UrlBean.java | 116 -- .../main/java/org/keycloak/services/Urls.java | 66 - .../resources/IdentityBrokerService.java | 4 +- .../resources/PublicRealmResource.java | 4 +- .../resources/account/AccountConsole.java | 3 + .../resources/account/AccountFormService.java | 1093 ----------------- .../resources/account/AccountLoader.java | 24 +- .../resources/admin/UserResource.java | 4 +- ...cloak.forms.account.AccountProviderFactory | 18 - ...=> CustomDefaultEmailSenderProvider1.java} | 6 +- ...=> CustomDefaultEmailSenderProvider2.java} | 6 +- ...omDefaultEmailSenderProviderFactory1.java} | 10 +- ...omDefaultEmailSenderProviderFactory2.java} | 10 +- ...keycloak.email.EmailSenderProviderFactory} | 4 +- .../testsuite/pages/AbstractAccountPage.java | 51 - .../testsuite/AbstractKeycloakTest.java | 12 - .../testsuite/admin/ConsentsTest.java | 9 +- .../authz/UmaRepresentationTest.java | 91 +- .../testsuite/forms/ResetPasswordTest.java | 2 +- .../providers/ProvidersOverrideTest.java | 12 +- themes/UPDATING-NODE-MODULES.md | 4 +- .../resources/META-INF/keycloak-themes.json | 2 +- .../resources/theme/base/account/account.ftl | 70 -- .../theme/base/account/applications.ftl | 76 -- .../theme/base/account/federatedIdentity.ftl | 42 - .../main/resources/theme/base/account/log.ftl | 35 - .../resources/theme/base/account/password.ftl | 59 - .../theme/base/account/resource-detail.ftl | 277 ----- .../theme/base/account/resources.ftl | 403 ------ .../resources/theme/base/account/sessions.ftl | 44 - .../resources/theme/base/account/template.ftl | 88 -- .../resources/theme/base/account/totp.ftl | 141 --- .../account/resources/css/account.css | 277 ----- .../resources/img/icon-sidebar-active.png | Bin 202 -> 0 bytes .../account/resources/img/keycloak-logo.png | Bin 5213 -> 0 bytes .../keycloak/account/resources/img/logo.png | Bin 4156 -> 0 bytes .../theme/keycloak/account/theme.properties | 14 - 57 files changed, 109 insertions(+), 5079 deletions(-) delete mode 100755 server-spi-private/src/main/java/org/keycloak/forms/account/AccountPages.java delete mode 100755 server-spi-private/src/main/java/org/keycloak/forms/account/AccountProvider.java delete mode 100755 server-spi-private/src/main/java/org/keycloak/forms/account/AccountProviderFactory.java delete mode 100755 server-spi-private/src/main/java/org/keycloak/forms/account/AccountSpi.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProviderFactory.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/Templates.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountFederatedIdentityBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/FeaturesBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/LogBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/PasswordBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/RealmBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/ReferrerBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/SessionsBean.java delete mode 100644 services/src/main/java/org/keycloak/forms/account/freemarker/model/TotpBean.java delete mode 100755 services/src/main/java/org/keycloak/forms/account/freemarker/model/UrlBean.java delete mode 100755 services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java delete mode 100755 services/src/main/resources/META-INF/services/org.keycloak.forms.account.AccountProviderFactory rename testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/{CustomFreemarkerAccountProvider2.java => CustomDefaultEmailSenderProvider1.java} (79%) rename testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/{CustomFreemarkerAccountProvider1.java => CustomDefaultEmailSenderProvider2.java} (79%) rename testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/{CustomFreemarkerAccountProviderFactory1.java => CustomDefaultEmailSenderProviderFactory1.java} (73%) rename testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/{CustomFreemarkerAccountProviderFactory2.java => CustomDefaultEmailSenderProviderFactory2.java} (74%) rename testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/{org.keycloak.forms.account.AccountProviderFactory => org.keycloak.email.EmailSenderProviderFactory} (80%) delete mode 100755 testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AbstractAccountPage.java delete mode 100755 themes/src/main/resources/theme/base/account/account.ftl delete mode 100755 themes/src/main/resources/theme/base/account/applications.ftl delete mode 100755 themes/src/main/resources/theme/base/account/federatedIdentity.ftl delete mode 100644 themes/src/main/resources/theme/base/account/log.ftl delete mode 100755 themes/src/main/resources/theme/base/account/password.ftl delete mode 100755 themes/src/main/resources/theme/base/account/resource-detail.ftl delete mode 100755 themes/src/main/resources/theme/base/account/resources.ftl delete mode 100755 themes/src/main/resources/theme/base/account/sessions.ftl delete mode 100644 themes/src/main/resources/theme/base/account/template.ftl delete mode 100755 themes/src/main/resources/theme/base/account/totp.ftl delete mode 100644 themes/src/main/resources/theme/keycloak/account/resources/css/account.css delete mode 100644 themes/src/main/resources/theme/keycloak/account/resources/img/icon-sidebar-active.png delete mode 100644 themes/src/main/resources/theme/keycloak/account/resources/img/keycloak-logo.png delete mode 100644 themes/src/main/resources/theme/keycloak/account/resources/img/logo.png delete mode 100644 themes/src/main/resources/theme/keycloak/account/theme.properties diff --git a/model/legacy-private/src/main/java/org/keycloak/migration/migrators/MigrateTo22_0_0.java b/model/legacy-private/src/main/java/org/keycloak/migration/migrators/MigrateTo22_0_0.java index dc56c64a5c..9935fdca1a 100644 --- a/model/legacy-private/src/main/java/org/keycloak/migration/migrators/MigrateTo22_0_0.java +++ b/model/legacy-private/src/main/java/org/keycloak/migration/migrators/MigrateTo22_0_0.java @@ -41,12 +41,16 @@ public class MigrateTo22_0_0 implements Migration { @Override public void migrate(KeycloakSession session) { - session.realms().getRealmsStream().forEach(this::removeHttpChallengeFlow); + session.realms().getRealmsStream().forEach((realm) -> { + removeHttpChallengeFlow(realm); + updateAccountTheme(realm); + }); } @Override public void migrateImport(KeycloakSession session, RealmModel realm, RealmRepresentation rep, boolean skipUserDependent) { removeHttpChallengeFlow(realm); + updateAccountTheme(realm); } private void removeHttpChallengeFlow(RealmModel realm) { @@ -63,6 +67,13 @@ public class MigrateTo22_0_0 implements Migration { } } + private void updateAccountTheme(RealmModel realm) { + String accountTheme = realm.getAccountTheme(); + if ("keycloak".equals(accountTheme) || "rh-sso".equals(accountTheme)) { + realm.setAccountTheme("keycloak.v2"); + } + } + @Override public ModelVersion getVersion() { return VERSION; diff --git a/server-spi-private/src/main/java/org/keycloak/forms/account/AccountPages.java b/server-spi-private/src/main/java/org/keycloak/forms/account/AccountPages.java deleted file mode 100755 index 6c01f79aba..0000000000 --- a/server-spi-private/src/main/java/org/keycloak/forms/account/AccountPages.java +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account; - -/** - * @author Stian Thorgersen - */ -public enum AccountPages { - - ACCOUNT, PASSWORD, TOTP, FEDERATED_IDENTITY, LOG, SESSIONS, APPLICATIONS, RESOURCES, RESOURCE_DETAIL; - -} diff --git a/server-spi-private/src/main/java/org/keycloak/forms/account/AccountProvider.java b/server-spi-private/src/main/java/org/keycloak/forms/account/AccountProvider.java deleted file mode 100755 index 4642c7fc50..0000000000 --- a/server-spi-private/src/main/java/org/keycloak/forms/account/AccountProvider.java +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account; - -import org.keycloak.events.Event; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; -import org.keycloak.models.utils.FormMessage; -import org.keycloak.provider.Provider; - -import jakarta.ws.rs.core.HttpHeaders; -import jakarta.ws.rs.core.MultivaluedMap; -import jakarta.ws.rs.core.Response; -import jakarta.ws.rs.core.UriInfo; -import java.util.List; - -/** - * @author Stian Thorgersen - */ -public interface AccountProvider extends Provider { - - AccountProvider setUriInfo(UriInfo uriInfo); - - AccountProvider setHttpHeaders(HttpHeaders httpHeaders); - - Response createResponse(AccountPages page); - - AccountProvider setError(Response.Status status, String message, Object ... parameters); - - AccountProvider setErrors(Response.Status status, List messages); - - AccountProvider setSuccess(String message, Object ... parameters); - - AccountProvider setWarning(String message, Object ... parameters); - - AccountProvider setUser(UserModel user); - - AccountProvider setProfileFormData(MultivaluedMap formData); - - AccountProvider setRealm(RealmModel realm); - - AccountProvider setReferrer(String[] referrer); - - AccountProvider setEvents(List events); - - AccountProvider setSessions(List sessions); - - AccountProvider setPasswordSet(boolean passwordSet); - - AccountProvider setStateChecker(String stateChecker); - - AccountProvider setIdTokenHint(String idTokenHint); - - AccountProvider setFeatures(boolean social, boolean events, boolean passwordUpdateSupported, boolean authorizationSupported); - - AccountProvider setAttribute(String key, String value); -} diff --git a/server-spi-private/src/main/java/org/keycloak/forms/account/AccountProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/forms/account/AccountProviderFactory.java deleted file mode 100755 index cc2f6d41ed..0000000000 --- a/server-spi-private/src/main/java/org/keycloak/forms/account/AccountProviderFactory.java +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account; - -import org.keycloak.provider.ProviderFactory; - -/** - * @author Stian Thorgersen - */ -public interface AccountProviderFactory extends ProviderFactory { - -} diff --git a/server-spi-private/src/main/java/org/keycloak/forms/account/AccountSpi.java b/server-spi-private/src/main/java/org/keycloak/forms/account/AccountSpi.java deleted file mode 100755 index 5ea993739e..0000000000 --- a/server-spi-private/src/main/java/org/keycloak/forms/account/AccountSpi.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account; - -import org.keycloak.provider.Provider; -import org.keycloak.provider.ProviderFactory; -import org.keycloak.provider.Spi; - -/** - * @author Stian Thorgersen - */ -public class AccountSpi implements Spi { - - @Override - public boolean isInternal() { - return true; - } - - @Override - public String getName() { - return "account"; - } - - @Override - public Class getProviderClass() { - return AccountProvider.class; - } - - @Override - public Class getProviderFactoryClass() { - return AccountProviderFactory.class; - } - -} diff --git a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi index 2467b8b1eb..4920730d77 100755 --- a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi +++ b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi @@ -46,7 +46,6 @@ org.keycloak.protocol.ProtocolMapperSpi org.keycloak.broker.provider.IdentityProviderSpi org.keycloak.broker.provider.IdentityProviderMapperSpi org.keycloak.broker.social.SocialProviderSpi -org.keycloak.forms.account.AccountSpi org.keycloak.forms.login.LoginFormsSpi org.keycloak.email.EmailSenderSpi org.keycloak.email.EmailTemplateSpi diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java b/services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java deleted file mode 100755 index 52fd229deb..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java +++ /dev/null @@ -1,400 +0,0 @@ -/* - * Copyright 2022 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.keycloak.forms.account.freemarker; - -import org.jboss.logging.Logger; -import org.keycloak.events.Event; -import org.keycloak.forms.account.AccountPages; -import org.keycloak.forms.account.AccountProvider; -import org.keycloak.forms.account.freemarker.model.AccountBean; -import org.keycloak.forms.account.freemarker.model.AccountFederatedIdentityBean; -import org.keycloak.forms.account.freemarker.model.ApplicationsBean; -import org.keycloak.forms.account.freemarker.model.AuthorizationBean; -import org.keycloak.forms.account.freemarker.model.FeaturesBean; -import org.keycloak.forms.account.freemarker.model.LogBean; -import org.keycloak.forms.account.freemarker.model.PasswordBean; -import org.keycloak.forms.account.freemarker.model.RealmBean; -import org.keycloak.forms.account.freemarker.model.ReferrerBean; -import org.keycloak.forms.account.freemarker.model.SessionsBean; -import org.keycloak.forms.account.freemarker.model.TotpBean; -import org.keycloak.forms.account.freemarker.model.UrlBean; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; -import org.keycloak.models.utils.FormMessage; -import org.keycloak.services.util.CacheControlUtil; -import org.keycloak.theme.FreeMarkerException; -import org.keycloak.theme.Theme; -import org.keycloak.theme.beans.AdvancedMessageFormatterMethod; -import org.keycloak.theme.beans.LocaleBean; -import org.keycloak.theme.beans.MessageBean; -import org.keycloak.theme.beans.MessageFormatterMethod; -import org.keycloak.theme.beans.MessageType; -import org.keycloak.theme.beans.MessagesPerFieldBean; -import org.keycloak.theme.freemarker.FreeMarkerProvider; -import org.keycloak.utils.MediaType; - -import jakarta.ws.rs.core.HttpHeaders; -import jakarta.ws.rs.core.MultivaluedMap; -import jakarta.ws.rs.core.Response; -import jakarta.ws.rs.core.Response.Status; -import jakarta.ws.rs.core.UriBuilder; -import jakarta.ws.rs.core.UriInfo; -import java.io.IOException; -import java.net.URI; -import java.text.MessageFormat; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Locale; -import java.util.Map; -import java.util.Properties; - -/** - * @author Stian Thorgersen - */ -public class FreeMarkerAccountProvider implements AccountProvider { - - private static final Logger logger = Logger.getLogger(FreeMarkerAccountProvider.class); - - protected UserModel user; - protected MultivaluedMap profileFormData; - protected Response.Status status = Response.Status.OK; - protected RealmModel realm; - protected String[] referrer; - protected List events; - protected String stateChecker; - protected String idTokenHint; - protected List sessions; - protected boolean identityProviderEnabled; - protected boolean eventsEnabled; - protected boolean passwordUpdateSupported; - protected boolean passwordSet; - protected KeycloakSession session; - protected FreeMarkerProvider freeMarker; - protected HttpHeaders headers; - protected Map attributes; - - protected UriInfo uriInfo; - - protected List messages = null; - protected MessageType messageType = MessageType.ERROR; - private boolean authorizationSupported; - - public FreeMarkerAccountProvider(KeycloakSession session) { - this.session = session; - this.freeMarker = session.getProvider(FreeMarkerProvider.class); - } - - public AccountProvider setUriInfo(UriInfo uriInfo) { - this.uriInfo = uriInfo; - return this; - } - - @Override - public AccountProvider setHttpHeaders(HttpHeaders httpHeaders) { - this.headers = httpHeaders; - return this; - } - - @Override - public Response createResponse(AccountPages page) { - Map attributes = new HashMap<>(); - - if (this.attributes != null) { - attributes.putAll(this.attributes); - } - - Theme theme; - try { - theme = getTheme(); - } catch (IOException e) { - logger.error("Failed to create theme", e); - return Response.serverError().build(); - } - - Locale locale = session.getContext().resolveLocale(user); - Properties messagesBundle = handleThemeResources(theme, locale, attributes); - - URI baseUri = uriInfo.getBaseUri(); - UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder(); - for (Map.Entry> e : uriInfo.getQueryParameters().entrySet()) { - baseUriBuilder.queryParam(e.getKey(), e.getValue().toArray()); - } - URI baseQueryUri = baseUriBuilder.build(); - - if (stateChecker != null) { - attributes.put("stateChecker", stateChecker); - } - - handleMessages(locale, messagesBundle, attributes); - - if (referrer != null) { - attributes.put("referrer", new ReferrerBean(referrer)); - } - - if(realm != null){ - attributes.put("realm", new RealmBean(realm)); - } - - attributes.put("url", new UrlBean(realm, theme, baseUri, baseQueryUri, uriInfo.getRequestUri(), idTokenHint)); - - if (realm.isInternationalizationEnabled()) { - UriBuilder b = UriBuilder.fromUri(baseQueryUri).path(uriInfo.getPath()); - attributes.put("locale", new LocaleBean(realm, locale, b, messagesBundle)); - } - - attributes.put("features", new FeaturesBean(identityProviderEnabled, eventsEnabled, passwordUpdateSupported, authorizationSupported)); - attributes.put("account", new AccountBean(user, profileFormData)); - - switch (page) { - case TOTP: - attributes.put("totp", new TotpBean(session, realm, user, uriInfo.getRequestUriBuilder())); - break; - case FEDERATED_IDENTITY: - attributes.put("federatedIdentity", new AccountFederatedIdentityBean(session, realm, user, uriInfo.getBaseUri(), stateChecker)); - break; - case LOG: - attributes.put("log", new LogBean(events)); - break; - case SESSIONS: - attributes.put("sessions", new SessionsBean(realm, sessions)); - break; - case APPLICATIONS: - attributes.put("applications", new ApplicationsBean(session, realm, user)); - attributes.put("advancedMsg", new AdvancedMessageFormatterMethod(locale, messagesBundle)); - break; - case PASSWORD: - attributes.put("password", new PasswordBean(passwordSet)); - break; - case RESOURCES: - if (!realm.isUserManagedAccessAllowed()) { - return Response.status(Status.FORBIDDEN).build(); - } - attributes.put("authorization", new AuthorizationBean(session, realm, user, uriInfo)); - case RESOURCE_DETAIL: - if (!realm.isUserManagedAccessAllowed()) { - return Response.status(Status.FORBIDDEN).build(); - } - attributes.put("authorization", new AuthorizationBean(session, realm, user, uriInfo)); - } - - return processTemplate(theme, page, attributes, locale); - } - - /** - * Get Theme used for page rendering. - * - * @return theme for page rendering, never null - * @throws IOException in case of Theme loading problem - */ - protected Theme getTheme() throws IOException { - return session.theme().getTheme(Theme.Type.ACCOUNT); - } - - /** - * Load message bundle and place it into msg template attribute. Also load Theme properties and place them into properties template attribute. - * - * @param theme actual Theme to load bundle from - * @param locale to load bundle for - * @param attributes template attributes to add resources to - * @return message bundle for other use - */ - protected Properties handleThemeResources(Theme theme, Locale locale, Map attributes) { - Properties messagesBundle; - try { - messagesBundle = theme.getEnhancedMessages(realm, locale); - attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle)); - } catch (IOException e) { - logger.warn("Failed to load messages", e); - messagesBundle = new Properties(); - } - try { - attributes.put("properties", theme.getProperties()); - } catch (IOException e) { - logger.warn("Failed to load properties", e); - } - return messagesBundle; - } - - /** - * Handle messages to be shown on the page - set them to template attributes - * - * @param locale to be used for message text loading - * @param messagesBundle to be used for message text loading - * @param attributes template attributes to messages related info to - * @see #messageType - * @see #messages - */ - protected void handleMessages(Locale locale, Properties messagesBundle, Map attributes) { - MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean(); - if (messages != null) { - MessageBean wholeMessage = new MessageBean(null, messageType); - for (FormMessage message : this.messages) { - String formattedMessageText = formatMessage(message, messagesBundle, locale); - if (formattedMessageText != null) { - wholeMessage.appendSummaryLine(formattedMessageText); - messagesPerField.addMessage(message.getField(), formattedMessageText, messageType); - } - } - attributes.put("message", wholeMessage); - } - attributes.put("messagesPerField", messagesPerField); - } - - /** - * Process FreeMarker template and prepare Response. Some fields are used for rendering also. - * - * @param theme to be used (provided by getTheme()) - * @param page to be rendered - * @param attributes pushed to the template - * @param locale to be used - * @return Response object to be returned to the browser, never null - */ - protected Response processTemplate(Theme theme, AccountPages page, Map attributes, Locale locale) { - try { - String result = freeMarker.processTemplate(attributes, Templates.getTemplate(page), theme); - Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8_TYPE).language(locale).entity(result); - builder.cacheControl(CacheControlUtil.noCache()); - return builder.build(); - } catch (FreeMarkerException e) { - logger.error("Failed to process template", e); - return Response.serverError().build(); - } - } - - public AccountProvider setPasswordSet(boolean passwordSet) { - this.passwordSet = passwordSet; - return this; - } - - protected void setMessage(MessageType type, String message, Object... parameters) { - messageType = type; - messages = new ArrayList<>(); - messages.add(new FormMessage(null, message, parameters)); - } - - protected String formatMessage(FormMessage message, Properties messagesBundle, Locale locale) { - if (message == null) - return null; - if (messagesBundle.containsKey(message.getMessage())) { - return new MessageFormat(messagesBundle.getProperty(message.getMessage()), locale).format(message.getParameters()); - } else { - return message.getMessage(); - } - } - - @Override - public AccountProvider setErrors(Response.Status status, List messages) { - this.status = status; - this.messageType = MessageType.ERROR; - this.messages = new ArrayList<>(messages); - return this; - } - - - @Override - public AccountProvider setError(Response.Status status, String message, Object ... parameters) { - this.status = status; - setMessage(MessageType.ERROR, message, parameters); - return this; - } - - @Override - public AccountProvider setSuccess(String message, Object ... parameters) { - setMessage(MessageType.SUCCESS, message, parameters); - return this; - } - - @Override - public AccountProvider setWarning(String message, Object ... parameters) { - setMessage(MessageType.WARNING, message, parameters); - return this; - } - - @Override - public AccountProvider setUser(UserModel user) { - this.user = user; - return this; - } - - @Override - public AccountProvider setProfileFormData(MultivaluedMap formData) { - this.profileFormData = formData; - return this; - } - - @Override - public AccountProvider setRealm(RealmModel realm) { - this.realm = realm; - return this; - } - - @Override - public AccountProvider setReferrer(String[] referrer) { - this.referrer = referrer; - return this; - } - - @Override - public AccountProvider setEvents(List events) { - this.events = events; - return this; - } - - @Override - public AccountProvider setSessions(List sessions) { - this.sessions = sessions; - return this; - } - - @Override - public AccountProvider setStateChecker(String stateChecker) { - this.stateChecker = stateChecker; - return this; - } - - @Override - public AccountProvider setIdTokenHint(String idTokenHint) { - this.idTokenHint = idTokenHint; - return this; - } - - @Override - public AccountProvider setFeatures(boolean identityProviderEnabled, boolean eventsEnabled, boolean passwordUpdateSupported, boolean authorizationSupported) { - this.identityProviderEnabled = identityProviderEnabled; - this.eventsEnabled = eventsEnabled; - this.passwordUpdateSupported = passwordUpdateSupported; - this.authorizationSupported = authorizationSupported; - return this; - } - - @Override - public AccountProvider setAttribute(String key, String value) { - if (attributes == null) { - attributes = new HashMap<>(); - } - attributes.put(key, value); - return this; - } - - @Override - public void close() { - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProviderFactory.java b/services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProviderFactory.java deleted file mode 100755 index 703b4cf1be..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProviderFactory.java +++ /dev/null @@ -1,53 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker; - -import org.keycloak.Config; -import org.keycloak.forms.account.AccountProvider; -import org.keycloak.forms.account.AccountProviderFactory; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakSessionFactory; - -/** - * @author Stian Thorgersen - */ -public class FreeMarkerAccountProviderFactory implements AccountProviderFactory { - - @Override - public AccountProvider create(KeycloakSession session) { - return new FreeMarkerAccountProvider(session); - } - - @Override - public void init(Config.Scope config) { - } - - @Override - public void postInit(KeycloakSessionFactory factory) { - - } - @Override - public void close() { - } - - @Override - public String getId() { - return "freemarker"; - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/Templates.java b/services/src/main/java/org/keycloak/forms/account/freemarker/Templates.java deleted file mode 100755 index 48822937f3..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/Templates.java +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker; - -import org.keycloak.forms.account.AccountPages; - -/** - * @author Stian Thorgersen - */ -public class Templates { - - public static String getTemplate(AccountPages page) { - switch (page) { - case ACCOUNT: - return "account.ftl"; - case PASSWORD: - return "password.ftl"; - case TOTP: - return "totp.ftl"; - case FEDERATED_IDENTITY: - return "federatedIdentity.ftl"; - case LOG: - return "log.ftl"; - case SESSIONS: - return "sessions.ftl"; - case APPLICATIONS: - return "applications.ftl"; - case RESOURCES: - return "resources.ftl"; - case RESOURCE_DETAIL: - return "resource-detail.ftl"; - default: - throw new IllegalArgumentException(); - } - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountBean.java deleted file mode 100755 index 8d0ebbc79e..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountBean.java +++ /dev/null @@ -1,91 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -import org.jboss.logging.Logger; -import org.keycloak.models.Constants; -import org.keycloak.models.UserModel; - -import jakarta.ws.rs.core.MultivaluedMap; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -/** - * @author Stian Thorgersen - */ -public class AccountBean { - - private static final Logger logger = Logger.getLogger(AccountBean.class); - - private final UserModel user; - private final MultivaluedMap profileFormData; - - // TODO: More proper multi-value attribute support - private final Map attributes = new HashMap<>(); - - public AccountBean(UserModel user, MultivaluedMap profileFormData) { - this.user = user; - this.profileFormData = profileFormData; - - for (Map.Entry> attr : user.getAttributes().entrySet()) { - List attrValue = attr.getValue(); - if (attrValue.size() > 0) { - attributes.put(attr.getKey(), attrValue.get(0)); - } - - if (attrValue.size() > 1) { - logger.warnf("There are more values for attribute '%s' of user '%s' . Will display just first value", attr.getKey(), user.getUsername()); - } - } - - if (profileFormData != null) { - for (String key : profileFormData.keySet()) { - if (key.startsWith(Constants.USER_ATTRIBUTES_PREFIX)) { - String attribute = key.substring(Constants.USER_ATTRIBUTES_PREFIX.length()); - attributes.put(attribute, profileFormData.getFirst(key)); - } - } - } - } - - public String getFirstName() { - return profileFormData != null ? profileFormData.getFirst("firstName") : user.getFirstName(); - } - - public String getLastName() { - return profileFormData != null ? profileFormData.getFirst("lastName") :user.getLastName(); - } - - public String getUsername() { - if (profileFormData != null && profileFormData.containsKey("username")) { - return profileFormData.getFirst("username"); - } else { - return user.getUsername(); - } - } - - public String getEmail() { - return profileFormData != null ? profileFormData.getFirst("email") :user.getEmail(); - } - - public Map getAttributes() { - return attributes; - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountFederatedIdentityBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountFederatedIdentityBean.java deleted file mode 100755 index 6a46bd344a..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountFederatedIdentityBean.java +++ /dev/null @@ -1,135 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -import org.keycloak.models.FederatedIdentityModel; -import org.keycloak.models.IdentityProviderModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.OrderedModel; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.services.resources.account.AccountFormService; - -import java.net.URI; -import java.util.List; -import java.util.Objects; -import java.util.concurrent.atomic.AtomicInteger; -import java.util.stream.Collectors; -import java.util.stream.Stream; - -/** - * @author Marek Posolda - * @author Vlastimil Elias - */ -public class AccountFederatedIdentityBean { - - private static OrderedModel.OrderedModelComparator IDP_COMPARATOR_INSTANCE = new OrderedModel.OrderedModelComparator<>(); - - private final List identities; - private final boolean removeLinkPossible; - private final KeycloakSession session; - - public AccountFederatedIdentityBean(KeycloakSession session, RealmModel realm, UserModel user, URI baseUri, String stateChecker) { - this.session = session; - - AtomicInteger availableIdentities = new AtomicInteger(0); - this.identities = realm.getIdentityProvidersStream() - .filter(IdentityProviderModel::isEnabled) - .map(provider -> { - String providerId = provider.getAlias(); - - FederatedIdentityModel identity = getIdentity(session.users().getFederatedIdentitiesStream(realm, user), providerId); - - if (identity != null) { - availableIdentities.getAndIncrement(); - } - - String displayName = KeycloakModelUtils.getIdentityProviderDisplayName(session, provider); - return new FederatedIdentityEntry(identity, displayName, provider.getAlias(), provider.getAlias(), - provider.getConfig() != null ? provider.getConfig().get("guiOrder") : null); - }) - .sorted(IDP_COMPARATOR_INSTANCE) - .collect(Collectors.toList()); - - // Removing last social provider is not possible if you don't have other possibility to authenticate - this.removeLinkPossible = availableIdentities.get() > 1 || user.getFederationLink() != null || AccountFormService.isPasswordSet(session, realm, user); - } - - private FederatedIdentityModel getIdentity(Stream identities, String providerId) { - return identities.filter(federatedIdentityModel -> Objects.equals(federatedIdentityModel.getIdentityProvider(), providerId)) - .findFirst().orElse(null); - } - - public List getIdentities() { - return identities; - } - - public boolean isRemoveLinkPossible() { - return removeLinkPossible; - } - - public static class FederatedIdentityEntry implements OrderedModel { - - private FederatedIdentityModel federatedIdentityModel; - private final String providerId; - private final String providerName; - private final String guiOrder; - private final String displayName; - - public FederatedIdentityEntry(FederatedIdentityModel federatedIdentityModel, String displayName, String providerId, - String providerName, String guiOrder) { - this.federatedIdentityModel = federatedIdentityModel; - this.displayName = displayName; - this.providerId = providerId; - this.providerName = providerName; - this.guiOrder = guiOrder; - } - - public String getProviderId() { - return providerId; - } - - public String getProviderName() { - return providerName; - } - - public String getUserId() { - return federatedIdentityModel != null ? federatedIdentityModel.getUserId() : null; - } - - public String getUserName() { - return federatedIdentityModel != null ? federatedIdentityModel.getUserName() : null; - } - - public boolean isConnected() { - return federatedIdentityModel != null; - } - - @Override - public String getGuiOrder() { - return guiOrder; - } - - public String getDisplayName() { - return displayName; - } - - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java deleted file mode 100755 index cadd1a830e..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java +++ /dev/null @@ -1,221 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -import org.keycloak.common.util.MultivaluedHashMap; -import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientScopeModel; -import org.keycloak.models.Constants; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.OrderedModel; -import org.keycloak.models.RealmModel; -import org.keycloak.models.RoleModel; -import org.keycloak.models.UserConsentModel; -import org.keycloak.models.UserModel; -import org.keycloak.protocol.oidc.TokenManager; -import org.keycloak.services.managers.UserSessionManager; -import org.keycloak.services.resources.admin.permissions.AdminPermissions; -import org.keycloak.services.util.ResolveRelative; -import org.keycloak.storage.StorageId; - -import java.util.ArrayList; -import java.util.LinkedList; -import java.util.List; -import java.util.Objects; -import java.util.Set; -import java.util.function.Predicate; -import java.util.stream.Collectors; -import java.util.stream.Stream; - -/** - * @author Marek Posolda - */ -public class ApplicationsBean { - - private List applications = new LinkedList<>(); - - public ApplicationsBean(KeycloakSession session, RealmModel realm, UserModel user) { - Set offlineClients = new UserSessionManager(session).findClientsWithOfflineToken(realm, user); - - this.applications = this.getApplications(session, realm, user) - .filter(client -> !isAdminClient(client) || AdminPermissions.realms(session, realm, user).isAdmin()) - .map(client -> toApplicationEntry(session, realm, user, client, offlineClients)) - .filter(Objects::nonNull) - .collect(Collectors.toList()); - } - - public static boolean isAdminClient(ClientModel client) { - return client.getClientId().equals(Constants.ADMIN_CLI_CLIENT_ID) - || client.getClientId().equals(Constants.ADMIN_CONSOLE_CLIENT_ID); - } - - private Stream getApplications(KeycloakSession session, RealmModel realm, UserModel user) { - Predicate bearerOnly = ClientModel::isBearerOnly; - Stream clients = realm.getClientsStream().filter(bearerOnly.negate()); - - Predicate isLocal = client -> new StorageId(client.getId()).isLocal(); - return Stream.concat(clients, session.users().getConsentsStream(realm, user.getId()) - .map(UserConsentModel::getClient) - .filter(isLocal.negate())).distinct(); - } - - private void processRoles(Set inputRoles, List realmRoles, MultivaluedHashMap clientRoles) { - for (RoleModel role : inputRoles) { - if (role.getContainer() instanceof RealmModel) { - realmRoles.add(role); - } else { - ClientModel currentClient = (ClientModel) role.getContainer(); - ClientRoleEntry clientRole = new ClientRoleEntry(currentClient.getClientId(), currentClient.getName(), - role.getName(), role.getDescription()); - clientRoles.add(currentClient.getClientId(), clientRole); - } - } - } - - public List getApplications() { - return applications; - } - - public static class ApplicationEntry { - - private KeycloakSession session; - private final List realmRolesAvailable; - private final MultivaluedHashMap resourceRolesAvailable; - private final ClientModel client; - private final List clientScopesGranted; - private final List additionalGrants; - - public ApplicationEntry(KeycloakSession session, List realmRolesAvailable, MultivaluedHashMap resourceRolesAvailable, - ClientModel client, List clientScopesGranted, List additionalGrants) { - this.session = session; - this.realmRolesAvailable = realmRolesAvailable; - this.resourceRolesAvailable = resourceRolesAvailable; - this.client = client; - this.clientScopesGranted = clientScopesGranted; - this.additionalGrants = additionalGrants; - } - - public List getRealmRolesAvailable() { - return realmRolesAvailable; - } - - public MultivaluedHashMap getResourceRolesAvailable() { - return resourceRolesAvailable; - } - - public List getClientScopesGranted() { - return clientScopesGranted; - } - - public String getEffectiveUrl() { - return ResolveRelative.resolveRelativeUri(session, getClient().getRootUrl(), getClient().getBaseUrl()); - } - - public ClientModel getClient() { - return client; - } - - public List getAdditionalGrants() { - return additionalGrants; - } - } - - // Same class used in OAuthGrantBean as well. Maybe should be merged into common-freemarker... - public static class ClientRoleEntry { - - private final String clientId; - private final String clientName; - private final String roleName; - private final String roleDescription; - - public ClientRoleEntry(String clientId, String clientName, String roleName, String roleDescription) { - this.clientId = clientId; - this.clientName = clientName; - this.roleName = roleName; - this.roleDescription = roleDescription; - } - - public String getClientId() { - return clientId; - } - - public String getClientName() { - return clientName; - } - - public String getRoleName() { - return roleName; - } - - public String getRoleDescription() { - return roleDescription; - } - } - - /** - * Constructs a {@link ApplicationEntry} from the specified parameters. - * - * @param session a reference to the {@code Keycloak} session. - * @param realm a reference to the realm. - * @param user a reference to the user. - * @param client a reference to the client that contains the applications. - * @param offlineClients a {@link Set} containing the offline clients. - * @return the constructed {@link ApplicationEntry} instance or {@code null} if the user can't access the applications - * in the specified client. - */ - private ApplicationEntry toApplicationEntry(final KeycloakSession session, final RealmModel realm, final UserModel user, - final ClientModel client, final Set offlineClients) { - - // Construct scope parameter with all optional scopes to see all potentially available roles - Stream allClientScopes = Stream.concat( - client.getClientScopes(true).values().stream(), - client.getClientScopes(false).values().stream()); - allClientScopes = Stream.concat(allClientScopes, Stream.of(client)).distinct(); - - Set availableRoles = TokenManager.getAccess(user, client, allClientScopes); - - // Don't show applications, which user doesn't have access into (any available roles) - // unless this is can be changed by approving/revoking consent - if (! isAdminClient(client) && availableRoles.isEmpty() && ! client.isConsentRequired()) { - return null; - } - - List realmRolesAvailable = new LinkedList<>(); - MultivaluedHashMap resourceRolesAvailable = new MultivaluedHashMap<>(); - processRoles(availableRoles, realmRolesAvailable, resourceRolesAvailable); - - List orderedScopes = new LinkedList<>(); - if (client.isConsentRequired()) { - UserConsentModel consent = session.users().getConsentByClient(realm, user.getId(), client.getId()); - - if (consent != null) { - orderedScopes.addAll(consent.getGrantedClientScopes()); - } - } - List clientScopesGranted = orderedScopes.stream() - .sorted(OrderedModel.OrderedModelComparator.getInstance()) - .map(ClientScopeModel::getConsentScreenText) - .collect(Collectors.toList()); - - List additionalGrants = new ArrayList<>(); - if (offlineClients.contains(client)) { - additionalGrants.add("${offlineToken}"); - } - return new ApplicationEntry(session, realmRolesAvailable, resourceRolesAvailable, client, clientScopesGranted, additionalGrants); - } -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java deleted file mode 100755 index b821bc45a4..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java +++ /dev/null @@ -1,456 +0,0 @@ -/* - * Copyright 2022 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.Date; -import java.util.EnumMap; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.stream.Collectors; - -import jakarta.ws.rs.core.UriInfo; - -import org.keycloak.authorization.AuthorizationProvider; -import org.keycloak.authorization.model.PermissionTicket; -import org.keycloak.authorization.model.Policy; -import org.keycloak.authorization.model.Resource; -import org.keycloak.authorization.model.ResourceServer; -import org.keycloak.authorization.model.Scope; -import org.keycloak.authorization.store.PermissionTicketStore; -import org.keycloak.common.util.Time; -import org.keycloak.models.ClientModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.utils.ModelToRepresentation; -import org.keycloak.representations.idm.authorization.ScopeRepresentation; -import org.keycloak.services.util.ResolveRelative; - -/** - * @author Stian Thorgersen - */ -public class AuthorizationBean { - - private final KeycloakSession session; - private final RealmModel realm; - private final UserModel user; - private final AuthorizationProvider authorization; - private final UriInfo uriInfo; - private ResourceBean resource; - private List resources; - private Collection userSharedResources; - private Collection requestsWaitingPermission; - private Collection resourcesWaitingOthersApproval; - - public AuthorizationBean(KeycloakSession session, RealmModel realm, UserModel user, UriInfo uriInfo) { - this.session = session; - this.realm = realm; - this.user = user; - this.uriInfo = uriInfo; - authorization = session.getProvider(AuthorizationProvider.class); - List pathParameters = uriInfo.getPathParameters().get("resource_id"); - - if (pathParameters != null && !pathParameters.isEmpty()) { - Resource resource = authorization.getStoreFactory().getResourceStore().findById(realm, null, pathParameters.get(0)); - - if (resource != null && !resource.getOwner().equals(user.getId())) { - throw new RuntimeException("User [" + user.getUsername() + "] can not access resource [" + resource.getId() + "]"); - } - } - } - - public Collection getResourcesWaitingOthersApproval() { - if (resourcesWaitingOthersApproval == null) { - Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); - - filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId()); - filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString()); - - resourcesWaitingOthersApproval = toResourceRepresentation(findPermissions(filters)); - } - - return resourcesWaitingOthersApproval; - } - - public Collection getResourcesWaitingApproval() { - if (requestsWaitingPermission == null) { - Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); - - filters.put(PermissionTicket.FilterOption.OWNER, user.getId()); - filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString()); - - requestsWaitingPermission = toResourceRepresentation(findPermissions(filters)); - } - - return requestsWaitingPermission; - } - - public List getResources() { - if (resources == null) { - resources = authorization.getStoreFactory().getResourceStore().findByOwner(realm, null, user.getId()).stream() - .filter(Resource::isOwnerManagedAccess) - .map(ResourceBean::new) - .collect(Collectors.toList()); - } - return resources; - } - - public Collection getSharedResources() { - if (userSharedResources == null) { - Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); - - filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId()); - filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); - - PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - - userSharedResources = toResourceRepresentation(ticketStore.find(realm,null, filters, null, null)); - } - return userSharedResources; - } - - public ResourceBean getResource() { - if (resource == null) { - String resourceId = uriInfo.getPathParameters().getFirst("resource_id"); - - if (resourceId != null) { - resource = getResource(resourceId); - } - } - - return resource; - } - - private ResourceBean getResource(String id) { - return new ResourceBean(authorization.getStoreFactory().getResourceStore().findById(realm, null, id)); - } - - public static class RequesterBean { - - private final Long createdTimestamp; - private final Long grantedTimestamp; - private UserModel requester; - private List scopes = new ArrayList<>(); - private boolean granted; - - public RequesterBean(PermissionTicket ticket, AuthorizationProvider authorization) { - this.requester = authorization.getKeycloakSession().users().getUserById(authorization.getRealm(), ticket.getRequester()); - granted = ticket.isGranted(); - createdTimestamp = ticket.getCreatedTimestamp(); - grantedTimestamp = ticket.getGrantedTimestamp(); - } - - public UserModel getRequester() { - return requester; - } - - public List getScopes() { - return scopes; - } - - private void addScope(PermissionTicket ticket) { - if (ticket != null) { - scopes.add(new PermissionScopeBean(ticket)); - } - } - - public boolean isGranted() { - return (granted && scopes.isEmpty()) || scopes.stream().filter(permissionScopeBean -> permissionScopeBean.isGranted()).count() > 0; - } - - public Date getCreatedDate() { - return Time.toDate(createdTimestamp); - } - - public Date getGrantedDate() { - if (grantedTimestamp == null) { - PermissionScopeBean permission = scopes.stream().filter(permissionScopeBean -> permissionScopeBean.isGranted()).findFirst().orElse(null); - - if (permission == null) { - return null; - } - - return permission.getGrantedDate(); - } - return Time.toDate(grantedTimestamp); - } - } - - public static class PermissionScopeBean { - - private final Scope scope; - private final PermissionTicket ticket; - - public PermissionScopeBean(PermissionTicket ticket) { - this.ticket = ticket; - scope = ticket.getScope(); - } - - public String getId() { - return ticket.getId(); - } - - public Scope getScope() { - return scope; - } - - public boolean isGranted() { - return ticket.isGranted(); - } - - private Date getGrantedDate() { - if (isGranted()) { - return Time.toDate(ticket.getGrantedTimestamp()); - } - return null; - } - } - - public class ResourceBean { - - private final ResourceServerBean resourceServer; - private final String ownerName; - private final UserModel userOwner; - private ClientModel clientOwner; - private Resource resource; - private Map permissions = new HashMap<>(); - private Collection shares; - - public ResourceBean(Resource resource) { - RealmModel realm = authorization.getRealm(); - ResourceServer resourceServerModel = resource.getResourceServer(); - resourceServer = new ResourceServerBean(realm.getClientById(resourceServerModel.getClientId()), resourceServerModel); - this.resource = resource; - userOwner = authorization.getKeycloakSession().users().getUserById(realm, resource.getOwner()); - if (userOwner == null) { - clientOwner = realm.getClientById(resource.getOwner()); - ownerName = clientOwner.getClientId(); - } else if (userOwner.getEmail() != null) { - ownerName = userOwner.getEmail(); - } else { - ownerName = userOwner.getUsername(); - } - } - - public String getId() { - return resource.getId(); - } - - public String getName() { - return resource.getName(); - } - - public String getDisplayName() { - return resource.getDisplayName(); - } - - public String getIconUri() { - return resource.getIconUri(); - } - - public String getOwnerName() { - return ownerName; - } - - public UserModel getUserOwner() { - return userOwner; - } - - public ClientModel getClientOwner() { - return clientOwner; - } - - public List getScopes() { - return resource.getScopes().stream().map(ModelToRepresentation::toRepresentation).collect(Collectors.toList()); - } - - public Collection getShares() { - if (shares == null) { - Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); - - filters.put(PermissionTicket.FilterOption.RESOURCE_ID, this.resource.getId()); - filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); - - shares = toPermissionRepresentation(findPermissions(filters)); - } - - return shares; - } - - public Collection getPolicies() { - ResourceServer resourceServer = getResourceServer().getResourceServerModel(); - RealmModel realm = resourceServer.getRealm(); - Map filters = new EnumMap<>(Policy.FilterOption.class); - - filters.put(Policy.FilterOption.TYPE, new String[] {"uma"}); - filters.put(Policy.FilterOption.RESOURCE_ID, new String[] {this.resource.getId()}); - if (getUserOwner() != null) { - filters.put(Policy.FilterOption.OWNER, new String[] {getUserOwner().getId()}); - } else { - filters.put(Policy.FilterOption.OWNER, new String[] {getClientOwner().getId()}); - } - - List policies = authorization.getStoreFactory().getPolicyStore().find(realm, resourceServer, filters, null, null); - - if (policies.isEmpty()) { - return Collections.emptyList(); - } - - return policies.stream() - .filter(policy -> { - Map filters1 = new EnumMap<>(PermissionTicket.FilterOption.class); - - filters1.put(PermissionTicket.FilterOption.POLICY_ID, policy.getId()); - - return authorization.getStoreFactory().getPermissionTicketStore().find(realm, resourceServer, filters1, -1, 1) - .isEmpty(); - }) - .map(ManagedPermissionBean::new).collect(Collectors.toList()); - } - - public ResourceServerBean getResourceServer() { - return resourceServer; - } - - public Collection getPermissions() { - return permissions.values(); - } - - private void addPermission(PermissionTicket ticket, AuthorizationProvider authorization) { - permissions.computeIfAbsent(ticket.getRequester(), key -> new RequesterBean(ticket, authorization)).addScope(ticket); - } - } - - private Collection toPermissionRepresentation(List permissionRequests) { - Map requests = new HashMap<>(); - - for (PermissionTicket ticket : permissionRequests) { - Resource resource = ticket.getResource(); - - if (!resource.isOwnerManagedAccess()) { - continue; - } - - requests.computeIfAbsent(ticket.getRequester(), resourceId -> new RequesterBean(ticket, authorization)).addScope(ticket); - } - - return requests.values(); - } - - private Collection toResourceRepresentation(List tickets) { - Map requests = new HashMap<>(); - - for (PermissionTicket ticket : tickets) { - Resource resource = ticket.getResource(); - - if (!resource.isOwnerManagedAccess()) { - continue; - } - - requests.computeIfAbsent(resource.getId(), resourceId -> getResource(resourceId)).addPermission(ticket, authorization); - } - - return requests.values(); - } - - private List findPermissions(Map filters) { - return authorization.getStoreFactory().getPermissionTicketStore().find(realm, null, filters, null, null); - } - - public class ResourceServerBean { - - private ClientModel clientModel; - private ResourceServer resourceServer; - - public ResourceServerBean(ClientModel clientModel, ResourceServer resourceServer) { - this.clientModel = clientModel; - this.resourceServer = resourceServer; - } - - public String getId() { - return resourceServer.getId(); - } - - public String getName() { - String name = clientModel.getName(); - - if (name != null) { - return name; - } - - return clientModel.getClientId(); - } - - public String getClientId() { - return clientModel.getClientId(); - } - - public String getRedirectUri() { - Set redirectUris = clientModel.getRedirectUris(); - - if (redirectUris.isEmpty()) { - return null; - } - - return redirectUris.iterator().next(); - } - - public String getBaseUri() { - return ResolveRelative.resolveRelativeUri(session, clientModel.getRootUrl(), clientModel.getBaseUrl()); - } - - public ResourceServer getResourceServerModel() { - return resourceServer; - } - } - - public class ManagedPermissionBean { - - private final Policy policy; - private List policies; - - public ManagedPermissionBean(Policy policy) { - this.policy = policy; - } - - public String getId() { - return policy.getId(); - } - - public Collection getScopes() { - return policy.getScopes().stream().map(ModelToRepresentation::toRepresentation).collect(Collectors.toList()); - } - - public String getDescription() { - return this.policy.getDescription(); - } - - public Collection getPolicies() { - if (this.policies == null) { - this.policies = policy.getAssociatedPolicies().stream().map(ManagedPermissionBean::new).collect(Collectors.toList()); - } - - return this.policies; - } - } -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/FeaturesBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/FeaturesBean.java deleted file mode 100755 index 262063d882..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/FeaturesBean.java +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -/** - * @author Stian Thorgersen - */ -public class FeaturesBean { - - private final boolean identityFederation; - private final boolean log; - private final boolean passwordUpdateSupported; - private boolean authorization; - - public FeaturesBean(boolean identityFederation, boolean log, boolean passwordUpdateSupported, boolean authorization) { - this.identityFederation = identityFederation; - this.log = log; - this.passwordUpdateSupported = passwordUpdateSupported; - this.authorization = authorization; - } - - public boolean isIdentityFederation() { - return identityFederation; - } - - public boolean isLog() { - return log; - } - - public boolean isPasswordUpdateSupported() { - return passwordUpdateSupported; - } - - public boolean isAuthorization() { - return authorization; - } -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/LogBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/LogBean.java deleted file mode 100755 index e539d7f86e..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/LogBean.java +++ /dev/null @@ -1,99 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -import org.keycloak.events.Event; - -import java.util.Date; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; - -/** - * @author Stian Thorgersen - */ -public class LogBean { - - private List events; - - public LogBean(List events) { - this.events = new LinkedList(); - for (Event e : events) { - this.events.add(new EventBean(e)); - } - } - - public List getEvents() { - return events; - } - - public static class EventBean { - - private Event event; - - public EventBean(Event event) { - this.event = event; - } - - public Date getDate() { - return new Date(event.getTime()); - } - - public String getEvent() { - return event.getType().toString().toLowerCase().replace("_", " "); - } - - public String getClient() { - return event.getClientId(); - } - - public String getIpAddress() { - return event.getIpAddress(); - } - - public List getDetails() { - List details = new LinkedList(); - if (event.getDetails() != null) { - for (Map.Entry e : event.getDetails().entrySet()) { - details.add(new DetailBean(e)); - } - } - return details; - } - - } - - public static class DetailBean { - - private Map.Entry entry; - - public DetailBean(Map.Entry entry) { - this.entry = entry; - } - - public String getKey() { - return entry.getKey(); - } - - public String getValue() { - return entry.getValue().replace("_", " "); - } - - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/PasswordBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/PasswordBean.java deleted file mode 100755 index 09ad32ce62..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/PasswordBean.java +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -/** - * @author Stian Thorgersen - */ -public class PasswordBean { - - private boolean passwordSet; - - public PasswordBean(boolean passwordSet) { - this.passwordSet = passwordSet; - } - - public boolean isPasswordSet() { - return passwordSet; - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/RealmBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/RealmBean.java deleted file mode 100755 index f79ca94153..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/RealmBean.java +++ /dev/null @@ -1,76 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.keycloak.forms.account.freemarker.model; - -import org.keycloak.models.RealmModel; - -import java.util.Set; -import java.util.stream.Collectors; - -/** - * @author Michael Gerber - */ -public class RealmBean { - - private RealmModel realm; - - public RealmBean(RealmModel realmModel) { - realm = realmModel; - } - - public String getName() { - return realm.getName(); - } - - public String getDisplayName() { - String displayName = realm.getDisplayName(); - if (displayName != null && displayName.length() > 0) { - return displayName; - } else { - return getName(); - } - } - - public String getDisplayNameHtml() { - String displayNameHtml = realm.getDisplayNameHtml(); - if (displayNameHtml != null && displayNameHtml.length() > 0) { - return displayNameHtml; - } else { - return getDisplayName(); - } - } - - public boolean isInternationalizationEnabled() { - return realm.isInternationalizationEnabled(); - } - - public Set getSupportedLocales(){ - return realm.getSupportedLocalesStream().collect(Collectors.toSet()); - } - - public boolean isEditUsernameAllowed() { - return realm.isEditUsernameAllowed(); - } - - public boolean isRegistrationEmailAsUsername() { - return realm.isRegistrationEmailAsUsername(); - } - - public boolean isUserManagedAccessAllowed() { - return realm.isUserManagedAccessAllowed(); - } -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/ReferrerBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/ReferrerBean.java deleted file mode 100755 index cc132d7604..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/ReferrerBean.java +++ /dev/null @@ -1,39 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -/** - * @author Stian Thorgersen - */ -public class ReferrerBean { - - private String[] referrer; - - public ReferrerBean(String[] referrer) { - this.referrer = referrer; - } - - public String getName() { - return referrer[0]; - } - - public String getUrl() { - return referrer[1]; - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/SessionsBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/SessionsBean.java deleted file mode 100755 index 218d23c67f..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/SessionsBean.java +++ /dev/null @@ -1,90 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -import org.keycloak.common.util.Time; -import org.keycloak.models.ClientModel; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserSessionModel; - -import java.util.Date; -import java.util.HashSet; -import java.util.LinkedList; -import java.util.List; -import java.util.Set; - -/** - * @author Stian Thorgersen - */ -public class SessionsBean { - - private List events; - private RealmModel realm; - - public SessionsBean(RealmModel realm, List sessions) { - this.events = new LinkedList<>(); - for (UserSessionModel session : sessions) { - this.events.add(new UserSessionBean(realm, session)); - } - } - - public List getSessions() { - return events; - } - - public static class UserSessionBean { - - private UserSessionModel session; - private RealmModel realm; - - public UserSessionBean(RealmModel realm, UserSessionModel session) { - this.realm = realm; - this.session = session; - } - - public String getId() {return session.getId(); } - - public String getIpAddress() { - return session.getIpAddress(); - } - - public Date getStarted() { - return Time.toDate(session.getStarted()); - } - - public Date getLastAccess() { - return Time.toDate(session.getLastSessionRefresh()); - } - - public Date getExpires() { - int maxLifespan = session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0 ? realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan(); - int max = session.getStarted() + maxLifespan; - return Time.toDate(max); - } - - public Set getClients() { - Set clients = new HashSet<>(); - for (String clientUUID : session.getAuthenticatedClientSessions().keySet()) { - ClientModel client = realm.getClientById(clientUUID); - clients.add(client.getClientId()); - } - return clients; - } - } - -} diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/TotpBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/TotpBean.java deleted file mode 100644 index 4607c8f3ce..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/TotpBean.java +++ /dev/null @@ -1,122 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -import org.keycloak.authentication.otp.OTPApplicationProvider; -import org.keycloak.credential.CredentialModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.OTPPolicy; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.credential.OTPCredentialModel; -import org.keycloak.models.utils.HmacOTP; -import org.keycloak.models.utils.RepresentationToModel; -import org.keycloak.representations.idm.CredentialRepresentation; -import org.keycloak.utils.TotpUtils; - -import jakarta.ws.rs.core.UriBuilder; -import java.util.Collections; -import java.util.List; -import java.util.stream.Collectors; - -import static org.keycloak.utils.CredentialHelper.createUserStorageCredentialRepresentation; - - -/** - * @author Stian Thorgersen - */ -public class TotpBean { - - private final RealmModel realm; - private final String totpSecret; - private final String totpSecretEncoded; - private final String totpSecretQrCode; - private final boolean enabled; - private KeycloakSession session; - private final UriBuilder uriBuilder; - private final List otpCredentials; - private final List supportedApplications; - - public TotpBean(KeycloakSession session, RealmModel realm, UserModel user, UriBuilder uriBuilder) { - this.session = session; - this.uriBuilder = uriBuilder; - this.enabled = user.credentialManager().isConfiguredFor(OTPCredentialModel.TYPE); - if (enabled) { - List otpCredentials = user.credentialManager().getStoredCredentialsByTypeStream(OTPCredentialModel.TYPE).collect(Collectors.toList()); - - if (otpCredentials.isEmpty()) { - // Credential is configured on userStorage side. Create the "fake" credential similar like we do for the new account console - CredentialRepresentation credential = createUserStorageCredentialRepresentation(OTPCredentialModel.TYPE); - this.otpCredentials = Collections.singletonList(RepresentationToModel.toModel(credential)); - } else { - this.otpCredentials = otpCredentials; - } - } else { - this.otpCredentials = Collections.EMPTY_LIST; - } - - this.realm = realm; - this.totpSecret = HmacOTP.generateSecret(20); - this.totpSecretEncoded = TotpUtils.encode(totpSecret); - this.totpSecretQrCode = TotpUtils.qrCode(totpSecret, realm, user); - - OTPPolicy otpPolicy = realm.getOTPPolicy(); - this.supportedApplications = session.getAllProviders(OTPApplicationProvider.class).stream() - .filter(p -> p.supports(otpPolicy)) - .map(OTPApplicationProvider::getName) - .collect(Collectors.toList()); - } - - public boolean isEnabled() { - return enabled; - } - - public String getTotpSecret() { - return totpSecret; - } - - public String getTotpSecretEncoded() { - return totpSecretEncoded; - } - - public String getTotpSecretQrCode() { - return totpSecretQrCode; - } - - public String getManualUrl() { - return uriBuilder.replaceQueryParam("mode", "manual").build().toString(); - } - - public String getQrUrl() { - return uriBuilder.replaceQueryParam("mode", "qr").build().toString(); - } - - public OTPPolicy getPolicy() { - return realm.getOTPPolicy(); - } - - public List getSupportedApplications() { - return supportedApplications; - } - - public List getOtpCredentials() { - return otpCredentials; - } - -} - diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/UrlBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/UrlBean.java deleted file mode 100755 index 4562059af3..0000000000 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/UrlBean.java +++ /dev/null @@ -1,116 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.forms.account.freemarker.model; - -import org.jboss.logging.Logger; -import org.keycloak.models.RealmModel; -import org.keycloak.services.Urls; -import org.keycloak.theme.Theme; - -import java.io.IOException; -import java.net.URI; - -/** - * @author Stian Thorgersen - */ -public class UrlBean { - - private static final Logger logger = Logger.getLogger(UrlBean.class); - private String realm; - private Theme theme; - private URI baseURI; - private URI baseQueryURI; - private URI currentURI; - private String idTokenHint; - - public UrlBean(RealmModel realm, Theme theme, URI baseURI, URI baseQueryURI, URI currentURI, String idTokenHint) { - this.realm = realm.getName(); - this.theme = theme; - this.baseURI = baseURI; - this.baseQueryURI = baseQueryURI; - this.currentURI = currentURI; - this.idTokenHint = idTokenHint; - } - - public String getApplicationsUrl() { - return Urls.accountApplicationsPage(baseQueryURI, realm).toString(); - } - - public String getAccountUrl() { - return Urls.accountPage(baseQueryURI, realm).toString(); - } - - public String getPasswordUrl() { - return Urls.accountPasswordPage(baseQueryURI, realm).toString(); - } - - public String getSocialUrl() { - return Urls.accountFederatedIdentityPage(baseQueryURI, realm).toString(); - } - - public String getTotpUrl() { - return Urls.accountTotpPage(baseQueryURI, realm).toString(); - } - - public String getLogUrl() { - return Urls.accountLogPage(baseQueryURI, realm).toString(); - } - - public String getSessionsUrl() { - return Urls.accountSessionsPage(baseQueryURI, realm).toString(); - } - - public String getLogoutUrl() { - return Urls.accountLogout(baseQueryURI, currentURI, realm, idTokenHint).toString(); - } - - public String getResourceUrl() { - return Urls.accountResourcesPage(baseQueryURI, realm).toString(); - } - - public String getResourceDetailUrl(String id) { - return Urls.accountResourceDetailPage(id, baseQueryURI, realm).toString(); - } - - public String getResourceGrant(String id) { - return Urls.accountResourceGrant(id, baseQueryURI, realm).toString(); - } - - public String getResourceShare(String id) { - return Urls.accountResourceShare(id, baseQueryURI, realm).toString(); - } - - public String getResourcesPath() { - URI uri = Urls.themeRoot(baseURI); - return uri.getPath() + "/" + theme.getType().toString().toLowerCase() +"/" + theme.getName(); - } - - public String getResourcesCommonPath() { - URI uri = Urls.themeRoot(baseURI); - String commonPath = ""; - try { - commonPath = theme.getProperties().getProperty("import"); - } catch (IOException ex) { - logger.warn("Failed to load properties", ex); - } - if (commonPath == null || commonPath.isEmpty()) { - commonPath = "/common/keycloak"; - } - return uri.getPath() + "/" + commonPath; - } -} diff --git a/services/src/main/java/org/keycloak/services/Urls.java b/services/src/main/java/org/keycloak/services/Urls.java index a66f9359fa..4057e382b6 100755 --- a/services/src/main/java/org/keycloak/services/Urls.java +++ b/services/src/main/java/org/keycloak/services/Urls.java @@ -16,14 +16,12 @@ */ package org.keycloak.services; -import org.keycloak.OAuth2Constants; import org.keycloak.common.Version; import org.keycloak.models.Constants; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint; import org.keycloak.protocol.saml.SamlProtocol; -import org.keycloak.services.resources.account.AccountFormService; import org.keycloak.services.resources.IdentityBrokerService; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.resources.RealmsResource; @@ -42,34 +40,10 @@ public class Urls { return UriBuilder.fromUri(baseUri).path(AdminRoot.class).path("{realm}/console/").build(realmName); } - public static URI accountApplicationsPage(URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "applicationsPage").build(realmName); - } - public static UriBuilder accountBase(URI baseUri) { return realmBase(baseUri).path(RealmsResource.class, "getAccountService"); } - public static URI accountPage(URI baseUri, String realmName) { - return accountPageBuilder(baseUri).build(realmName); - } - - public static UriBuilder accountPageBuilder(URI baseUri) { - return accountBase(baseUri).path(AccountFormService.class, "accountPage"); - } - - public static URI accountPasswordPage(URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "passwordPage").build(realmName); - } - - public static URI accountFederatedIdentityPage(URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "federatedIdentityPage").build(realmName); - } - - public static URI accountFederatedIdentityUpdate(URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "processFederatedIdentityUpdate").build(realmName); - } - public static URI identityProviderAuthnResponse(URI baseUri, String providerId, String realmName) { return realmBase(baseUri).path(RealmsResource.class, "getBrokerService") .path(IdentityBrokerService.class, "getEndpoint") @@ -129,42 +103,10 @@ public class Urls { .build(realmName); } - public static URI accountTotpPage(URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "totpPage").build(realmName); - } - - public static URI accountLogPage(URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "logPage").build(realmName); - } - - public static URI accountSessionsPage(URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "sessionsPage").build(realmName); - } - - public static URI accountLogout(URI baseUri, URI redirectUri, String realmName, String idTokenHint) { - return realmLogout(baseUri).queryParam(OAuth2Constants.POST_LOGOUT_REDIRECT_URI, redirectUri).queryParam(OAuth2Constants.ID_TOKEN_HINT, idTokenHint).build(realmName); - } - public static URI logoutConfirm(URI baseUri, String realmName) { return realmLogout(baseUri).path(LogoutEndpoint.class, "logoutConfirmAction").build(realmName); } - public static URI accountResourcesPage(URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "resourcesPage").build(realmName); - } - - public static URI accountResourceDetailPage(String resourceId, URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "resourceDetailPage").build(realmName, resourceId); - } - - public static URI accountResourceGrant(String resourceId, URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "grantPermission").build(realmName, resourceId); - } - - public static URI accountResourceShare(String resourceId, URI baseUri, String realmName) { - return accountBase(baseUri).path(AccountFormService.class, "shareResource").build(realmName, resourceId); - } - public static URI loginActionUpdatePassword(URI baseUri, String realmName) { return loginActionsBase(baseUri).path(LoginActionsService.class, "updatePassword").build(realmName); } @@ -182,10 +124,6 @@ public class Urls { return loginActionsBase(baseUri).path(LoginActionsService.class, "updateProfile").build(realmName); } - public static URI loginActionEmailVerification(URI baseUri, String realmName) { - return loginActionEmailVerificationBuilder(baseUri).build(realmName); - } - public static UriBuilder loginActionEmailVerificationBuilder(URI baseUri) { return loginActionsBase(baseUri).path(LoginActionsService.class, "emailVerification"); } @@ -256,10 +194,6 @@ public class Urls { .build(realmName); } - public static String localeCookiePath(URI baseUri, String realmName){ - return realmBase(baseUri).path(realmName).build().getRawPath(); - } - public static URI themeRoot(URI baseUri) { return themeBase(baseUri).path(Version.RESOURCES_VERSION).build(); } diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java index 53f071822d..2a09c1067d 100755 --- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java +++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java @@ -81,7 +81,7 @@ import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.BruteForceProtector; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; -import org.keycloak.services.resources.account.AccountFormService; +import org.keycloak.services.resources.account.AccountConsole; import org.keycloak.services.util.AuthenticationFlowURLHelper; import org.keycloak.services.util.BrowserHistoryHelper; import org.keycloak.services.util.CacheControlUtil; @@ -1184,7 +1184,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal FormMessage errorMessage = new FormMessage(message, parameters); try { String serializedError = JsonSerialization.writeValueAsString(errorMessage); - authSession.setAuthNote(AccountFormService.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, serializedError); + authSession.setAuthNote(AccountConsole.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, serializedError); } catch (IOException ioe) { throw new RuntimeException(ioe); } diff --git a/services/src/main/java/org/keycloak/services/resources/PublicRealmResource.java b/services/src/main/java/org/keycloak/services/resources/PublicRealmResource.java index f2e2196c1e..ebe1e97f98 100755 --- a/services/src/main/java/org/keycloak/services/resources/PublicRealmResource.java +++ b/services/src/main/java/org/keycloak/services/resources/PublicRealmResource.java @@ -25,7 +25,7 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.representations.idm.PublishedRealmRepresentation; -import org.keycloak.services.resources.account.AccountFormService; +import org.keycloak.services.Urls; import jakarta.ws.rs.GET; import jakarta.ws.rs.OPTIONS; @@ -87,7 +87,7 @@ public class PublicRealmResource { PublishedRealmRepresentation rep = new PublishedRealmRepresentation(); rep.setRealm(realm.getName()); rep.setTokenServiceUrl(OIDCLoginProtocolService.tokenServiceBaseUrl(uriInfo).build(realm.getName()).toString()); - rep.setAccountServiceUrl(AccountFormService.accountServiceBaseUrl(uriInfo).build(realm.getName()).toString()); + rep.setAccountServiceUrl(Urls.accountBase(uriInfo.getBaseUri()).build(realm.getName()).toString()); rep.setPublicKeyPem(PemUtils.encodeKey(session.keys().getActiveRsaKey(realm).getPublicKey())); rep.setNotBefore(realm.getNotBefore()); return rep; diff --git a/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java b/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java index 2c975a8c59..a524d8b213 100644 --- a/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java +++ b/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java @@ -51,6 +51,9 @@ import org.keycloak.utils.MediaType; */ public class AccountConsole { + // Used when some other context (ie. IdentityBrokerService) wants to forward error to account management and display it here + public static final String ACCOUNT_MGMT_FORWARDED_ERROR_NOTE = "ACCOUNT_MGMT_FORWARDED_ERROR"; + private final Pattern bundleParamPattern = Pattern.compile("(\\{\\s*(\\d+)\\s*\\})"); protected final KeycloakSession session; diff --git a/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java b/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java deleted file mode 100755 index 0d4371d822..0000000000 --- a/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java +++ /dev/null @@ -1,1093 +0,0 @@ -/* - * Copyright 2022 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.keycloak.services.resources.account; - -import org.jboss.logging.Logger; -import org.keycloak.authorization.AuthorizationProvider; -import org.keycloak.authorization.model.PermissionTicket; -import org.keycloak.authorization.model.Policy; -import org.keycloak.authorization.model.Resource; -import org.keycloak.authorization.model.ResourceServer; -import org.keycloak.authorization.model.Scope; -import org.keycloak.authorization.store.PermissionTicketStore; -import org.keycloak.authorization.store.PolicyStore; -import org.keycloak.authorization.store.ScopeStore; -import org.keycloak.common.Profile; -import org.keycloak.common.util.Base64Url; -import org.keycloak.common.util.Time; -import org.keycloak.common.util.UriUtils; -import org.keycloak.events.Details; -import org.keycloak.events.Errors; -import org.keycloak.events.Event; -import org.keycloak.events.EventBuilder; -import org.keycloak.events.EventStoreProvider; -import org.keycloak.events.EventType; -import org.keycloak.forms.account.AccountPages; -import org.keycloak.forms.account.AccountProvider; -import org.keycloak.forms.login.LoginFormsProvider; -import org.keycloak.locale.LocaleSelectorProvider; -import org.keycloak.locale.LocaleUpdaterProvider; -import org.keycloak.models.AccountRoles; -import org.keycloak.models.AuthenticatedClientSessionModel; -import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionContext; -import org.keycloak.models.FederatedIdentityModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.ModelException; -import org.keycloak.models.OTPPolicy; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserCredentialModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; -import org.keycloak.models.credential.OTPCredentialModel; -import org.keycloak.models.credential.PasswordCredentialModel; -import org.keycloak.models.utils.CredentialValidation; -import org.keycloak.models.utils.FormMessage; -import org.keycloak.protocol.oidc.TokenManager; -import org.keycloak.protocol.oidc.utils.RedirectUtils; -import org.keycloak.representations.IDToken; -import org.keycloak.services.ErrorResponse; -import org.keycloak.services.ForbiddenException; -import org.keycloak.services.ServicesLogger; -import org.keycloak.services.Urls; -import org.keycloak.services.managers.AppAuthManager; -import org.keycloak.services.managers.Auth; -import org.keycloak.services.managers.AuthenticationManager; -import org.keycloak.services.managers.AuthenticationSessionManager; -import org.keycloak.services.managers.UserConsentManager; -import org.keycloak.services.messages.Messages; -import org.keycloak.services.resources.AbstractSecuredLocalService; -import org.keycloak.services.resources.RealmsResource; -import org.keycloak.services.util.DefaultClientSessionContext; -import org.keycloak.services.util.ResolveRelative; -import org.keycloak.services.validation.Validation; -import org.keycloak.sessions.AuthenticationSessionModel; -import org.keycloak.storage.ReadOnlyException; -import org.keycloak.userprofile.UserProfileContext; -import org.keycloak.userprofile.ValidationException; -import org.keycloak.userprofile.UserProfile; -import org.keycloak.userprofile.UserProfileProvider; -import org.keycloak.userprofile.EventAuditingAttributeChangeListener; -import org.keycloak.util.JsonSerialization; -import org.keycloak.utils.CredentialHelper; - -import jakarta.ws.rs.Consumes; -import jakarta.ws.rs.FormParam; -import jakarta.ws.rs.GET; -import jakarta.ws.rs.NotFoundException; -import jakarta.ws.rs.POST; -import jakarta.ws.rs.Path; -import jakarta.ws.rs.PathParam; -import jakarta.ws.rs.Produces; -import jakarta.ws.rs.QueryParam; -import jakarta.ws.rs.core.MediaType; -import jakarta.ws.rs.core.MultivaluedMap; -import jakarta.ws.rs.core.Response; -import jakarta.ws.rs.core.Response.Status; -import jakarta.ws.rs.core.UriBuilder; -import jakarta.ws.rs.core.UriInfo; -import java.io.IOException; -import java.lang.reflect.Method; -import java.net.URI; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.EnumMap; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Map; -import java.util.Objects; -import java.util.Set; -import java.util.UUID; -import java.util.stream.Collectors; - -/** - * @author Stian Thorgersen - */ -public class AccountFormService extends AbstractSecuredLocalService { - - private static final Logger logger = Logger.getLogger(AccountFormService.class); - - private static Set VALID_PATHS = new HashSet<>(); - - static { - for (Method m : AccountFormService.class.getMethods()) { - Path p = m.getAnnotation(Path.class); - if (p != null) { - VALID_PATHS.add(p.value()); - } - } - } - - // Used when some other context (ie. IdentityBrokerService) wants to forward error to account management and display it here - public static final String ACCOUNT_MGMT_FORWARDED_ERROR_NOTE = "ACCOUNT_MGMT_FORWARDED_ERROR"; - - private final AppAuthManager authManager; - private final EventBuilder event; - private AccountProvider account; - private EventStoreProvider eventStore; - - public AccountFormService(KeycloakSession session, ClientModel client, EventBuilder event) { - super(session, client); - this.event = event; - this.authManager = new AppAuthManager(); - } - - public void init() { - session.getContext().setClient(client); - eventStore = session.getProvider(EventStoreProvider.class); - - account = session.getProvider(AccountProvider.class).setRealm(realm).setUriInfo(session.getContext().getUri()).setHttpHeaders(headers); - - AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm); - if (authResult != null) { - stateChecker = (String) session.getAttribute("state_checker"); - auth = new Auth(realm, authResult.getToken(), authResult.getUser(), client, authResult.getSession(), true); - account.setStateChecker(stateChecker); - } - - String requestOrigin = UriUtils.getOrigin(session.getContext().getUri().getBaseUri()); - - String origin = headers.getRequestHeaders().getFirst("Origin"); - if (origin != null && !origin.equals("null") && !requestOrigin.equals(origin)) { - throw new ForbiddenException(); - } - - if (!request.getHttpMethod().equals("GET")) { - String referrer = headers.getRequestHeaders().getFirst("Referer"); - if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) { - throw new ForbiddenException(); - } - } - - if (authResult != null) { - UserSessionModel userSession = authResult.getSession(); - if (userSession != null) { - AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId()); - if (clientSession == null) { - clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); - } - auth.setClientSession(clientSession); - } - - account.setUser(auth.getUser()); - - ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionScopeParameter(auth.getClientSession(), session); - IDToken idToken = new TokenManager().responseBuilder(realm, client, event, session, userSession, clientSessionCtx).accessToken(authResult.getToken()).generateIDToken().getIdToken(); - idToken.issuedFor(client.getClientId()); - account.setIdTokenHint(session.tokens().encodeAndEncrypt(idToken)); - } - - account.setFeatures(realm.isIdentityFederationEnabled(), eventStore != null && realm.isEventsEnabled(), true, Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)); - } - - public static UriBuilder accountServiceBaseUrl(UriInfo uriInfo) { - UriBuilder base = uriInfo.getBaseUriBuilder().path(RealmsResource.class).path(RealmsResource.class, "getAccountService"); - return base; - } - - public static UriBuilder accountServiceApplicationPage(UriInfo uriInfo) { - return accountServiceBaseUrl(uriInfo).path(AccountFormService.class, "applicationsPage"); - } - - protected Set getValidPaths() { - return AccountFormService.VALID_PATHS; - } - - private Response forwardToPage(String path, AccountPages page) { - if (auth != null) { - try { - auth.require(AccountRoles.MANAGE_ACCOUNT); - } catch (ForbiddenException e) { - return session.getProvider(LoginFormsProvider.class).setError(Messages.NO_ACCESS).createErrorPage(Response.Status.FORBIDDEN); - } - - setReferrerOnPage(); - - UserSessionModel userSession = auth.getSession(); - - String tabId = session.getContext().getUri().getQueryParameters().getFirst(org.keycloak.models.Constants.TAB_ID); - if (tabId != null) { - AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getAuthenticationSessionByIdAndClient(realm, userSession.getId(), client, tabId); - if (authSession != null) { - String forwardedError = authSession.getAuthNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE); - if (forwardedError != null) { - try { - FormMessage errorMessage = JsonSerialization.readValue(forwardedError, FormMessage.class); - account.setError(Response.Status.INTERNAL_SERVER_ERROR, errorMessage.getMessage(), errorMessage.getParameters()); - authSession.removeAuthNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE); - } catch (IOException ioe) { - throw new RuntimeException(ioe); - } - } - } - } - - String locale = session.getContext().getUri().getQueryParameters().getFirst(LocaleSelectorProvider.KC_LOCALE_PARAM); - if (locale != null) { - LocaleUpdaterProvider updater = session.getProvider(LocaleUpdaterProvider.class); - updater.updateUsersLocale(auth.getUser(), locale); - } - - return account.createResponse(page); - } else { - return login(path); - } - } - - private void setReferrerOnPage() { - String[] referrer = getReferrer(); - if (referrer != null) { - account.setReferrer(referrer); - } - } - - /** - * Get account information. - * - * @return - */ - @Path("/") - @GET - @Produces(MediaType.TEXT_HTML) - public Response accountPage() { - return forwardToPage(null, AccountPages.ACCOUNT); - } - - public static UriBuilder totpUrl(UriBuilder base) { - return RealmsResource.accountUrl(base).path(AccountFormService.class, "totpPage"); - } - - @Path("totp") - @GET - public Response totpPage() { - account.setAttribute("mode", session.getContext().getUri().getQueryParameters().getFirst("mode")); - return forwardToPage("totp", AccountPages.TOTP); - } - - public static UriBuilder passwordUrl(UriBuilder base) { - return RealmsResource.accountUrl(base).path(AccountFormService.class, "passwordPage"); - } - - @Path("password") - @GET - public Response passwordPage() { - if (auth != null) { - account.setPasswordSet(isPasswordSet(session, realm, auth.getUser())); - } - - return forwardToPage("password", AccountPages.PASSWORD); - } - - @Path("identity") - @GET - public Response federatedIdentityPage() { - return forwardToPage("identity", AccountPages.FEDERATED_IDENTITY); - } - - @Path("log") - @GET - public Response logPage() { - if (!realm.isEventsEnabled()) { - throw new NotFoundException(); - } - - if (auth != null) { - List events = eventStore.createQuery().type(Constants.EXPOSED_LOG_EVENTS) - .realm(auth.getRealm().getId()).user(auth.getUser().getId()).maxResults(30) - .getResultStream() - .peek(e -> { - if (e.getDetails() != null) { - Iterator> itr = e.getDetails().entrySet().iterator(); - while (itr.hasNext()) { - if (!Constants.EXPOSED_LOG_DETAILS.contains(itr.next().getKey())) { - itr.remove(); - } - } - } - }) - .collect(Collectors.toList()); - account.setEvents(events); - } - return forwardToPage("log", AccountPages.LOG); - } - - @Path("sessions") - @GET - public Response sessionsPage() { - if (auth != null) { - account.setSessions(session.sessions().getUserSessionsStream(realm, auth.getUser()).collect(Collectors.toList())); - } - return forwardToPage("sessions", AccountPages.SESSIONS); - } - - @Path("applications") - @GET - public Response applicationsPage() { - return forwardToPage("applications", AccountPages.APPLICATIONS); - } - - /** - * Update account information. - *

- * Form params: - *

- * firstName - * lastName - * email - * - * @return - */ - @Path("/") - @POST - @Consumes(MediaType.APPLICATION_FORM_URLENCODED) - public Response processAccountUpdate() { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login(null); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - - String action = formData.getFirst("submitAction"); - if (action != null && action.equals("Cancel")) { - setReferrerOnPage(); - return account.createResponse(AccountPages.ACCOUNT); - } - - csrfCheck(formData); - - UserModel user = auth.getUser(); - - event.event(EventType.UPDATE_PROFILE).client(auth.getClient()).user(auth.getUser()).detail(Details.CONTEXT, UserProfileContext.ACCOUNT_OLD.name()); - - UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class); - UserProfile profile = profileProvider.create(UserProfileContext.ACCOUNT_OLD, formData, user); - - try { - // backward compatibility with old account console where attributes are not removed if missing - profile.update(false, new EventAuditingAttributeChangeListener(profile, event)); - } catch (ValidationException pve) { - List errors = Validation.getFormErrorsFromValidation(pve.getErrors()); - - if (!errors.isEmpty()) { - setReferrerOnPage(); - Response.Status status = Status.OK; - - if (pve.hasError(Messages.READ_ONLY_USERNAME)) { - status = Response.Status.BAD_REQUEST; - } else if (pve.hasError(Messages.EMAIL_EXISTS, Messages.USERNAME_EXISTS)) { - status = Response.Status.CONFLICT; - } - - return account.setErrors(status, errors).setProfileFormData(formData).createResponse(AccountPages.ACCOUNT); - } - } catch (ReadOnlyException e) { - setReferrerOnPage(); - return account.setError(Response.Status.BAD_REQUEST, Messages.READ_ONLY_USER).setProfileFormData(formData).createResponse(AccountPages.ACCOUNT); - } - - event.success(); - setReferrerOnPage(); - return account.setSuccess(Messages.ACCOUNT_UPDATED).createResponse(AccountPages.ACCOUNT); - - } - - - @Path("sessions") - @POST - public Response processSessionsLogout() { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login("sessions"); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - csrfCheck(formData); - - UserModel user = auth.getUser(); - - // Rather decrease time a bit. To avoid situation when user is immediatelly redirected to login screen, then automatically authenticated (eg. with Kerberos) and then seeing issues due the stale token - // as time on the token will be same like notBefore - session.users().setNotBeforeForUser(realm, user, Time.currentTime() - 1); - - session.sessions().getUserSessionsStream(realm, user) - .collect(Collectors.toList()) // collect to avoid concurrent modification as backchannelLogout removes the user sessions. - .forEach(userSession -> AuthenticationManager.backchannelLogout(session, realm, userSession, - session.getContext().getUri(), clientConnection, headers, true)); - - UriBuilder builder = Urls.accountBase(session.getContext().getUri().getBaseUri()).path(AccountFormService.class, "sessionsPage"); - String referrer = session.getContext().getUri().getQueryParameters().getFirst("referrer"); - if (referrer != null) { - builder.queryParam("referrer", referrer); - - } - URI location = builder.build(realm.getName()); - return Response.seeOther(location).build(); - } - - @Path("applications") - @POST - @Consumes(MediaType.APPLICATION_FORM_URLENCODED) - public Response processRevokeGrant() { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login("applications"); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - csrfCheck(formData); - - String clientId = formData.getFirst("clientId"); - if (clientId == null) { - setReferrerOnPage(); - return account.setError(Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND).createResponse(AccountPages.APPLICATIONS); - } - ClientModel client = realm.getClientById(clientId); - if (client == null) { - setReferrerOnPage(); - return account.setError(Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND).createResponse(AccountPages.APPLICATIONS); - } - - // Revoke grant in UserModel - UserModel user = auth.getUser(); - UserConsentManager.revokeConsentToClient(session, client, user); - - event.event(EventType.REVOKE_GRANT).client(auth.getClient()).user(auth.getUser()).detail(Details.REVOKED_CLIENT, client.getClientId()).success(); - setReferrerOnPage(); - - UriBuilder builder = Urls.accountBase(session.getContext().getUri().getBaseUri()).path(AccountFormService.class, "applicationsPage"); - String referrer = session.getContext().getUri().getQueryParameters().getFirst("referrer"); - if (referrer != null) { - builder.queryParam("referrer", referrer); - - } - URI location = builder.build(realm.getName()); - return Response.seeOther(location).build(); - } - - /** - * Update the TOTP for this account. - *

- * form parameters: - *

- * totp - otp generated by authenticator - * totpSecret - totp secret to register - * - * @return - */ - @Path("totp") - @POST - @Consumes(MediaType.APPLICATION_FORM_URLENCODED) - public Response processTotpUpdate() { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login("totp"); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - - account.setAttribute("mode", session.getContext().getUri().getQueryParameters().getFirst("mode")); - - String action = formData.getFirst("submitAction"); - if (action != null && action.equals("Cancel")) { - setReferrerOnPage(); - return account.createResponse(AccountPages.TOTP); - } - - csrfCheck(formData); - - UserModel user = auth.getUser(); - - if (action != null && action.equals("Delete")) { - String credentialId = formData.getFirst("credentialId"); - if (credentialId == null) { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST).createResponse(AccountPages.TOTP); - } - CredentialHelper.deleteOTPCredential(session, realm, user, credentialId); - event.event(EventType.REMOVE_TOTP).client(auth.getClient()).user(auth.getUser()).success(); - setReferrerOnPage(); - return account.setSuccess(Messages.SUCCESS_TOTP_REMOVED).createResponse(AccountPages.TOTP); - } else { - String challengeResponse = formData.getFirst("totp"); - String totpSecret = formData.getFirst("totpSecret"); - String userLabel = formData.getFirst("userLabel"); - - OTPPolicy policy = realm.getOTPPolicy(); - OTPCredentialModel credentialModel = OTPCredentialModel.createFromPolicy(realm, totpSecret, userLabel); - if (Validation.isBlank(challengeResponse)) { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.MISSING_TOTP).createResponse(AccountPages.TOTP); - } else if (!CredentialValidation.validOTP(challengeResponse, credentialModel, policy.getLookAheadWindow())) { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.INVALID_TOTP).createResponse(AccountPages.TOTP); - } - - if (!CredentialHelper.createOTPCredential(session, realm, user, challengeResponse, credentialModel)) { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.INVALID_TOTP).createResponse(AccountPages.TOTP); - } - event.event(EventType.UPDATE_TOTP).client(auth.getClient()).user(auth.getUser()).success(); - - setReferrerOnPage(); - return account.setSuccess(Messages.SUCCESS_TOTP).createResponse(AccountPages.TOTP); - } - } - - /** - * Update account password - *

- * Form params: - *

- * password - old password - * password-new - * pasword-confirm - * - * @return - */ - @Path("password") - @POST - @Consumes(MediaType.APPLICATION_FORM_URLENCODED) - public Response processPasswordUpdate() { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login("password"); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - - csrfCheck(formData); - UserModel user = auth.getUser(); - - boolean requireCurrent = isPasswordSet(session, realm, user); - account.setPasswordSet(requireCurrent); - - String password = formData.getFirst("password"); - String passwordNew = formData.getFirst("password-new"); - String passwordConfirm = formData.getFirst("password-confirm"); - - EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR) - .client(auth.getClient()) - .user(auth.getSession().getUser()); - - if (requireCurrent) { - if (Validation.isBlank(password)) { - setReferrerOnPage(); - errorEvent.error(Errors.PASSWORD_MISSING); - return account.setError(Status.OK, Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD); - } - - UserCredentialModel cred = UserCredentialModel.password(password); - if (!user.credentialManager().isValid(cred)) { - setReferrerOnPage(); - errorEvent.error(Errors.INVALID_USER_CREDENTIALS); - return account.setError(Status.OK, Messages.INVALID_PASSWORD_EXISTING).createResponse(AccountPages.PASSWORD); - } - } - - if (Validation.isBlank(passwordNew)) { - setReferrerOnPage(); - errorEvent.error(Errors.PASSWORD_MISSING); - return account.setError(Status.OK, Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD); - } - - if (!passwordNew.equals(passwordConfirm)) { - setReferrerOnPage(); - errorEvent.error(Errors.PASSWORD_CONFIRM_ERROR); - return account.setError(Status.OK, Messages.INVALID_PASSWORD_CONFIRM).createResponse(AccountPages.PASSWORD); - } - - try { - user.credentialManager().updateCredential(UserCredentialModel.password(passwordNew, false)); - } catch (ReadOnlyException mre) { - setReferrerOnPage(); - errorEvent.error(Errors.NOT_ALLOWED); - return account.setError(Response.Status.BAD_REQUEST, Messages.READ_ONLY_PASSWORD).createResponse(AccountPages.PASSWORD); - } catch (ModelException me) { - ServicesLogger.LOGGER.failedToUpdatePassword(me); - setReferrerOnPage(); - errorEvent.detail(Details.REASON, me.getMessage()).error(Errors.PASSWORD_REJECTED); - return account.setError(Response.Status.NOT_ACCEPTABLE, me.getMessage(), me.getParameters()).createResponse(AccountPages.PASSWORD); - } catch (Exception ape) { - ServicesLogger.LOGGER.failedToUpdatePassword(ape); - setReferrerOnPage(); - errorEvent.detail(Details.REASON, ape.getMessage()).error(Errors.PASSWORD_REJECTED); - return account.setError(Response.Status.INTERNAL_SERVER_ERROR, ape.getMessage()).createResponse(AccountPages.PASSWORD); - } - - session.sessions().getUserSessionsStream(realm, user).filter(s -> !Objects.equals(s.getId(), auth.getSession().getId())) - .collect(Collectors.toList()) // collect to avoid concurrent modification as backchannelLogout removes the user sessions. - .forEach(s -> AuthenticationManager.backchannelLogout(session, realm, s, session.getContext().getUri(), clientConnection, headers, true)); - - event.event(EventType.UPDATE_PASSWORD).client(auth.getClient()).user(auth.getUser()).success(); - - setReferrerOnPage(); - return account.setPasswordSet(true).setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED).createResponse(AccountPages.PASSWORD); - } - - @Path("identity") - @POST - @Consumes(MediaType.APPLICATION_FORM_URLENCODED) - public Response processFederatedIdentityUpdate() { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login("identity"); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - csrfCheck(formData); - UserModel user = auth.getUser(); - - String action = formData.getFirst("action"); - String providerId = formData.getFirst("providerId"); - - if (Validation.isEmpty(providerId)) { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.MISSING_IDENTITY_PROVIDER).createResponse(AccountPages.FEDERATED_IDENTITY); - } - AccountSocialAction accountSocialAction = AccountSocialAction.getAction(action); - if (accountSocialAction == null) { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.INVALID_FEDERATED_IDENTITY_ACTION).createResponse(AccountPages.FEDERATED_IDENTITY); - } - - if (!realm.getIdentityProvidersStream().anyMatch(model -> Objects.equals(model.getAlias(), providerId))) { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.IDENTITY_PROVIDER_NOT_FOUND).createResponse(AccountPages.FEDERATED_IDENTITY); - } - - if (!user.isEnabled()) { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.ACCOUNT_DISABLED).createResponse(AccountPages.FEDERATED_IDENTITY); - } - - switch (accountSocialAction) { - case ADD: - String redirectUri = UriBuilder.fromUri(Urls.accountFederatedIdentityPage(session.getContext().getUri().getBaseUri(), realm.getName())).build().toString(); - - try { - String nonce = UUID.randomUUID().toString(); - MessageDigest md = MessageDigest.getInstance("SHA-256"); - String input = nonce + auth.getSession().getId() + client.getClientId() + providerId; - byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8)); - String hash = Base64Url.encode(check); - URI linkUrl = Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), providerId, realm.getName()); - linkUrl = UriBuilder.fromUri(linkUrl) - .queryParam("nonce", nonce) - .queryParam("hash", hash) - .queryParam("client_id", client.getClientId()) - .queryParam("redirect_uri", redirectUri) - .build(); - return Response.seeOther(linkUrl) - .build(); - } catch (Exception spe) { - setReferrerOnPage(); - return account.setError(Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_REDIRECT_ERROR).createResponse(AccountPages.FEDERATED_IDENTITY); - } - case REMOVE: - FederatedIdentityModel link = session.users().getFederatedIdentity(realm, user, providerId); - if (link != null) { - - // Removing last social provider is not possible if you don't have other possibility to authenticate - if (session.users().getFederatedIdentitiesStream(realm, user).count() > 1 || user.getFederationLink() != null || isPasswordSet(session, realm, user)) { - session.users().removeFederatedIdentity(realm, user, providerId); - - logger.debugv("Social provider {0} removed successfully from user {1}", providerId, user.getUsername()); - - event.event(EventType.REMOVE_FEDERATED_IDENTITY).client(auth.getClient()).user(auth.getUser()) - .detail(Details.USERNAME, auth.getUser().getUsername()) - .detail(Details.IDENTITY_PROVIDER, link.getIdentityProvider()) - .detail(Details.IDENTITY_PROVIDER_USERNAME, link.getUserName()) - .success(); - - setReferrerOnPage(); - return account.setSuccess(Messages.IDENTITY_PROVIDER_REMOVED).createResponse(AccountPages.FEDERATED_IDENTITY); - } else { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.FEDERATED_IDENTITY_REMOVING_LAST_PROVIDER).createResponse(AccountPages.FEDERATED_IDENTITY); - } - } else { - setReferrerOnPage(); - return account.setError(Status.OK, Messages.FEDERATED_IDENTITY_NOT_ACTIVE).createResponse(AccountPages.FEDERATED_IDENTITY); - } - default: - throw new IllegalArgumentException(); - } - } - - @Path("resource") - @GET - public Response resourcesPage(@QueryParam("resource_id") String resourceId) { - return forwardToPage("resource", AccountPages.RESOURCES); - } - - @Path("resource/{resource_id}") - @GET - public Response resourceDetailPage(@PathParam("resource_id") String resourceId) { - return forwardToPage("resource", AccountPages.RESOURCE_DETAIL); - } - - @Path("resource/{resource_id}/grant") - @GET - public Response resourceDetailPageAfterGrant(@PathParam("resource_id") String resourceId) { - return resourceDetailPage(resourceId); - } - - @Path("resource/{resource_id}/grant") - @POST - public Response grantPermission(@PathParam("resource_id") String resourceId, @FormParam("action") String action, @FormParam("permission_id") String[] permissionId, @FormParam("requester") String requester) { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login("resource"); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - - csrfCheck(formData); - - AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class); - PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - Resource resource = authorization.getStoreFactory().getResourceStore().findById(realm, null, resourceId); - - if (resource == null) { - throw ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST); - } - - if (action == null) { - throw ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST); - } - - boolean isGrant = "grant".equals(action); - boolean isDeny = "deny".equals(action); - boolean isRevoke = "revoke".equals(action); - boolean isRevokePolicy = "revokePolicy".equals(action); - boolean isRevokePolicyAll = "revokePolicyAll".equals(action); - - if (isRevokePolicy || isRevokePolicyAll) { - List ids = new ArrayList<>(Arrays.asList(permissionId)); - Iterator iterator = ids.iterator(); - PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore(); - ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client); - Policy policy = null; - - while (iterator.hasNext()) { - String id = iterator.next(); - - if (!id.contains(":")) { - policy = policyStore.findById(realm, resourceServer, id); - iterator.remove(); - break; - } - } - - Set scopesToKeep = new HashSet<>(); - - if (isRevokePolicyAll) { - for (Scope scope : policy.getScopes()) { - policy.removeScope(scope); - } - } else { - for (String id : ids) { - scopesToKeep.add(authorization.getStoreFactory().getScopeStore().findById(realm, resourceServer, id.split(":")[1])); - } - - for (Scope scope : policy.getScopes()) { - if (!scopesToKeep.contains(scope)) { - policy.removeScope(scope); - } - } - } - - if (policy.getScopes().isEmpty()) { - for (Policy associated : policy.getAssociatedPolicies()) { - policyStore.delete(realm, associated.getId()); - } - - policyStore.delete(realm, policy.getId()); - } - } else { - Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); - - filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId()); - filters.put(PermissionTicket.FilterOption.REQUESTER, session.users().getUserByUsername(realm, requester).getId()); - - if (isRevoke) { - filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); - } else { - filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString()); - } - - List tickets = ticketStore.find(realm, resource.getResourceServer(), filters, null, null); - Iterator iterator = tickets.iterator(); - - while (iterator.hasNext()) { - PermissionTicket ticket = iterator.next(); - - if (isGrant) { - if (permissionId != null && permissionId.length > 0 && !Arrays.asList(permissionId).contains(ticket.getId())) { - continue; - } - } - - if (isGrant && !ticket.isGranted()) { - ticket.setGrantedTimestamp(System.currentTimeMillis()); - iterator.remove(); - } else if (isDeny || isRevoke) { - if (permissionId != null && permissionId.length > 0 && Arrays.asList(permissionId).contains(ticket.getId())) { - iterator.remove(); - } - } - } - - for (PermissionTicket ticket : tickets) { - ticketStore.delete(client.getRealm(), ticket.getId()); - } - } - - if (isRevoke || isRevokePolicy || isRevokePolicyAll) { - return forwardToPage("resource", AccountPages.RESOURCE_DETAIL); - } - - return forwardToPage("resource", AccountPages.RESOURCES); - } - - @Path("resource/{resource_id}/share") - @GET - public Response resourceDetailPageAfterShare(@PathParam("resource_id") String resourceId) { - return resourceDetailPage(resourceId); - } - - @Path("resource/{resource_id}/share") - @POST - public Response shareResource(@PathParam("resource_id") String resourceId, @FormParam("user_id") String[] userIds, @FormParam("scope_id") String[] scopes) { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login("resource"); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - - csrfCheck(formData); - - AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class); - PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore(); - Resource resource = authorization.getStoreFactory().getResourceStore().findById(realm, null, resourceId); - ResourceServer resourceServer = resource.getResourceServer(); - - if (resource == null) { - throw ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST); - } - - if (userIds == null || userIds.length == 0) { - setReferrerOnPage(); - return account.setError(Status.BAD_REQUEST, Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD); - } - - for (String id : userIds) { - UserModel user = session.users().getUserById(realm, id); - - if (user == null) { - user = session.users().getUserByUsername(realm, id); - } - - if (user == null) { - user = session.users().getUserByEmail(realm, id); - } - - if (user == null) { - setReferrerOnPage(); - return account.setError(Status.BAD_REQUEST, Messages.INVALID_USER).createResponse(AccountPages.RESOURCE_DETAIL); - } - - Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); - - filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId()); - filters.put(PermissionTicket.FilterOption.OWNER, auth.getUser().getId()); - filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId()); - - List tickets = ticketStore.find(realm, resourceServer, filters, null, null); - final String userId = user.getId(); - - if (tickets.isEmpty()) { - if (scopes != null && scopes.length > 0) { - for (String scopeId : scopes) { - Scope scope = scopeStore.findById(realm, resourceServer, scopeId); - PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, userId); - ticket.setGrantedTimestamp(System.currentTimeMillis()); - } - } else { - if (resource.getScopes().isEmpty()) { - PermissionTicket ticket = ticketStore.create(resourceServer, resource, null, userId); - ticket.setGrantedTimestamp(System.currentTimeMillis()); - } else { - for (Scope scope : resource.getScopes()) { - PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, userId); - ticket.setGrantedTimestamp(System.currentTimeMillis()); - } - } - } - } else if (scopes != null && scopes.length > 0) { - List grantScopes = new ArrayList<>(Arrays.asList(scopes)); - Set alreadyGrantedScopes = tickets.stream() - .map(PermissionTicket::getScope) - .map(Scope::getId) - .collect(Collectors.toSet()); - - grantScopes.removeIf(alreadyGrantedScopes::contains); - - for (String scopeId : grantScopes) { - Scope scope = scopeStore.findById(realm, resourceServer, scopeId); - PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, userId); - ticket.setGrantedTimestamp(System.currentTimeMillis()); - } - } - } - - return forwardToPage("resource", AccountPages.RESOURCE_DETAIL); - } - - @Path("resource") - @POST - public Response processResourceActions(@FormParam("resource_id") String[] resourceIds, @FormParam("action") String action) { - MultivaluedMap formData = request.getDecodedFormParameters(); - - if (auth == null) { - return login("resource"); - } - - auth.require(AccountRoles.MANAGE_ACCOUNT); - csrfCheck(formData); - - AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class); - PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - - if (action == null) { - throw ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST); - } - - for (String resourceId : resourceIds) { - Resource resource = authorization.getStoreFactory().getResourceStore().findById(realm, null, resourceId); - - if (resource == null) { - throw ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST); - } - - Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); - - filters.put(PermissionTicket.FilterOption.REQUESTER, auth.getUser().getId()); - filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId()); - - if ("cancel".equals(action)) { - filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); - } else if ("cancelRequest".equals(action)) { - filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString()); - } - - RealmModel realm = resource.getResourceServer().getRealm(); - for (PermissionTicket ticket : ticketStore.find(realm, resource.getResourceServer(), filters, null, null)) { - ticketStore.delete(realm, ticket.getId()); - } - } - - return forwardToPage("authorization", AccountPages.RESOURCES); - } - - public static UriBuilder loginRedirectUrl(UriBuilder base) { - return RealmsResource.accountUrl(base).path(AccountFormService.class, "loginRedirect"); - } - - @Override - protected URI getBaseRedirectUri() { - return Urls.accountBase(session.getContext().getUri().getBaseUri()).path("/").build(realm.getName()); - } - - public static boolean isPasswordSet(KeycloakSession session, RealmModel realm, UserModel user) { - return user.credentialManager().isConfiguredFor(PasswordCredentialModel.TYPE); - } - - private String[] getReferrer() { - String referrer = session.getContext().getUri().getQueryParameters().getFirst("referrer"); - if (referrer == null) { - return null; - } - - String referrerUri = session.getContext().getUri().getQueryParameters().getFirst("referrer_uri"); - - ClientModel referrerClient = realm.getClientByClientId(referrer); - if (referrerClient != null) { - if (referrerUri != null) { - referrerUri = RedirectUtils.verifyRedirectUri(session, referrerUri, referrerClient); - } else { - referrerUri = ResolveRelative.resolveRelativeUri(session, referrerClient.getRootUrl(), referrerClient.getBaseUrl()); - } - - if (referrerUri != null) { - String referrerName = referrerClient.getName(); - if (Validation.isBlank(referrerName)) { - referrerName = referrer; - } - return new String[]{referrerName, referrerUri}; - } - } else if (referrerUri != null) { - if (client != null) { - referrerUri = RedirectUtils.verifyRedirectUri(session, referrerUri, client); - - if (referrerUri != null) { - return new String[]{referrer, referrerUri}; - } - } - } - - return null; - } - - private enum AccountSocialAction { - ADD, - REMOVE; - - public static AccountSocialAction getAction(String action) { - if ("add".equalsIgnoreCase(action)) { - return ADD; - } else if ("remove".equalsIgnoreCase(action)) { - return REMOVE; - } else { - return null; - } - } - } - - private void csrfCheck(final MultivaluedMap formData) { - String formStateChecker = formData.getFirst("stateChecker"); - if (formStateChecker == null || !formStateChecker.equals(this.stateChecker)) { - throw new ForbiddenException(); - } - } - - -} diff --git a/services/src/main/java/org/keycloak/services/resources/account/AccountLoader.java b/services/src/main/java/org/keycloak/services/resources/account/AccountLoader.java index 6e3abfb5d7..9b2557f847 100644 --- a/services/src/main/java/org/keycloak/services/resources/account/AccountLoader.java +++ b/services/src/main/java/org/keycloak/services/resources/account/AccountLoader.java @@ -17,6 +17,7 @@ package org.keycloak.services.resources.account; import org.jboss.logging.Logger; +import org.keycloak.common.Profile; import org.keycloak.http.HttpRequest; import org.keycloak.http.HttpResponse; import org.keycloak.common.enums.AccountRestApiVersion; @@ -75,23 +76,18 @@ public class AccountLoader { List accepts = headers.getAcceptableMediaTypes(); Theme theme = getTheme(session); - boolean deprecatedAccount = isDeprecatedFormsAccountConsole(theme); UriInfo uriInfo = session.getContext().getUri(); if (request.getHttpMethod().equals(HttpMethod.OPTIONS)) { return new CorsPreflightService(request); } else if ((accepts.contains(MediaType.APPLICATION_JSON_TYPE) || MediaType.APPLICATION_JSON_TYPE.equals(content)) && !uriInfo.getPath().endsWith("keycloak.json")) { return getAccountRestService(client, null); + } else if (Profile.isFeatureEnabled(Profile.Feature.ACCOUNT2) || Profile.isFeatureEnabled(Profile.Feature.ACCOUNT3)) { + AccountConsole console = new AccountConsole(session, client, theme); + console.init(); + return console; } else { - if (deprecatedAccount) { - AccountFormService accountFormService = new AccountFormService(session, client, event); - accountFormService.init(); - return accountFormService; - } else { - AccountConsole console = new AccountConsole(session, client, theme); - console.init(); - return console; - } + throw new NotFoundException(); } } @@ -112,14 +108,6 @@ public class AccountLoader { } } - private boolean isDeprecatedFormsAccountConsole(Theme theme) { - try { - return Boolean.parseBoolean(theme.getProperties().getProperty("deprecatedMode", "true")); - } catch (IOException e) { - throw new InternalServerErrorException(e); - } - } - private AccountRestService getAccountRestService(ClientModel client, String versionStr) { AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session) .setAudience(client.getClientId()) diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java index b064f10cab..0c9cc571d3 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java @@ -66,12 +66,12 @@ import org.keycloak.services.ErrorResponse; import org.keycloak.services.ErrorResponseException; import org.keycloak.services.ForbiddenException; import org.keycloak.services.ServicesLogger; +import org.keycloak.services.Urls; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.BruteForceProtector; import org.keycloak.services.managers.UserConsentManager; import org.keycloak.services.managers.UserSessionManager; import org.keycloak.services.resources.LoginActionsService; -import org.keycloak.services.resources.account.AccountFormService; import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator; import org.keycloak.services.validation.Validation; import org.keycloak.storage.ReadOnlyException; @@ -354,7 +354,7 @@ public class UserResource { userSession.setNote(IMPERSONATOR_USERNAME.toString(), impersonator); AuthenticationManager.createLoginCookie(session, realm, userSession.getUser(), userSession, session.getContext().getUri(), clientConnection); - URI redirect = AccountFormService.accountServiceBaseUrl(session.getContext().getUri()).build(realm.getName()); + URI redirect = Urls.accountBase(session.getContext().getUri().getBaseUri()).build(realm.getName()); Map result = new HashMap<>(); result.put("sameRealm", sameRealm); result.put("redirect", redirect.toString()); diff --git a/services/src/main/resources/META-INF/services/org.keycloak.forms.account.AccountProviderFactory b/services/src/main/resources/META-INF/services/org.keycloak.forms.account.AccountProviderFactory deleted file mode 100755 index 5e77335de9..0000000000 --- a/services/src/main/resources/META-INF/services/org.keycloak.forms.account.AccountProviderFactory +++ /dev/null @@ -1,18 +0,0 @@ -# -# Copyright 2016 Red Hat, Inc. and/or its affiliates -# and other contributors as indicated by the @author tags. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -org.keycloak.forms.account.freemarker.FreeMarkerAccountProviderFactory \ No newline at end of file diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProvider2.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProvider1.java similarity index 79% rename from testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProvider2.java rename to testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProvider1.java index e68326835d..7a74514dd1 100644 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProvider2.java +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProvider1.java @@ -19,15 +19,15 @@ package org.keycloak.examples.providersoverride; -import org.keycloak.forms.account.freemarker.FreeMarkerAccountProvider; +import org.keycloak.email.DefaultEmailSenderProvider; import org.keycloak.models.KeycloakSession; /** * @author Marek Posolda */ -public class CustomFreemarkerAccountProvider2 extends FreeMarkerAccountProvider { +public class CustomDefaultEmailSenderProvider1 extends DefaultEmailSenderProvider { - public CustomFreemarkerAccountProvider2(KeycloakSession session) { + public CustomDefaultEmailSenderProvider1(KeycloakSession session) { super(session); } } diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProvider1.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProvider2.java similarity index 79% rename from testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProvider1.java rename to testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProvider2.java index f11c38f7a8..39ea1ee633 100644 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProvider1.java +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProvider2.java @@ -19,15 +19,15 @@ package org.keycloak.examples.providersoverride; -import org.keycloak.forms.account.freemarker.FreeMarkerAccountProvider; +import org.keycloak.email.DefaultEmailSenderProvider; import org.keycloak.models.KeycloakSession; /** * @author Marek Posolda */ -public class CustomFreemarkerAccountProvider1 extends FreeMarkerAccountProvider { +public class CustomDefaultEmailSenderProvider2 extends DefaultEmailSenderProvider { - public CustomFreemarkerAccountProvider1(KeycloakSession session) { + public CustomDefaultEmailSenderProvider2(KeycloakSession session) { super(session); } } diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProviderFactory1.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProviderFactory1.java similarity index 73% rename from testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProviderFactory1.java rename to testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProviderFactory1.java index b2c578889a..cf38ae6e20 100644 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProviderFactory1.java +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProviderFactory1.java @@ -19,14 +19,14 @@ package org.keycloak.examples.providersoverride; -import org.keycloak.forms.account.AccountProvider; -import org.keycloak.forms.account.freemarker.FreeMarkerAccountProviderFactory; +import org.keycloak.email.DefaultEmailSenderProviderFactory; +import org.keycloak.email.EmailSenderProvider; import org.keycloak.models.KeycloakSession; /** * Won't be used due lower order than CustomFreemarkerAccountProviderFactory2 */ -public class CustomFreemarkerAccountProviderFactory1 extends FreeMarkerAccountProviderFactory { +public class CustomDefaultEmailSenderProviderFactory1 extends DefaultEmailSenderProviderFactory { @Override public int order() { @@ -34,7 +34,7 @@ public class CustomFreemarkerAccountProviderFactory1 extends FreeMarkerAccountPr } @Override - public AccountProvider create(KeycloakSession session) { - return new CustomFreemarkerAccountProvider1(session); + public EmailSenderProvider create(KeycloakSession session) { + return new CustomDefaultEmailSenderProvider1(session); } } diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProviderFactory2.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProviderFactory2.java similarity index 74% rename from testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProviderFactory2.java rename to testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProviderFactory2.java index 3b64a18c29..b11dda02c6 100644 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomFreemarkerAccountProviderFactory2.java +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/examples/providersoverride/CustomDefaultEmailSenderProviderFactory2.java @@ -19,14 +19,14 @@ package org.keycloak.examples.providersoverride; -import org.keycloak.forms.account.AccountProvider; -import org.keycloak.forms.account.freemarker.FreeMarkerAccountProviderFactory; +import org.keycloak.email.DefaultEmailSenderProviderFactory; +import org.keycloak.email.EmailSenderProvider; import org.keycloak.models.KeycloakSession; /** * Test for order (This one should be called in favour of FreemarkerAccountProviderFactory and CustomFreemarkerAccountProviderFactory1 as it has highest order) */ -public class CustomFreemarkerAccountProviderFactory2 extends FreeMarkerAccountProviderFactory { +public class CustomDefaultEmailSenderProviderFactory2 extends DefaultEmailSenderProviderFactory { @Override public int order() { @@ -34,7 +34,7 @@ public class CustomFreemarkerAccountProviderFactory2 extends FreeMarkerAccountPr } @Override - public AccountProvider create(KeycloakSession session) { - return new CustomFreemarkerAccountProvider2(session); + public EmailSenderProvider create(KeycloakSession session) { + return new CustomDefaultEmailSenderProvider2(session); } } diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.forms.account.AccountProviderFactory b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.email.EmailSenderProviderFactory similarity index 80% rename from testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.forms.account.AccountProviderFactory rename to testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.email.EmailSenderProviderFactory index 41429aea85..1ce8b3b612 100644 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.forms.account.AccountProviderFactory +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.email.EmailSenderProviderFactory @@ -17,5 +17,5 @@ # # -org.keycloak.examples.providersoverride.CustomFreemarkerAccountProviderFactory1 -org.keycloak.examples.providersoverride.CustomFreemarkerAccountProviderFactory2 \ No newline at end of file +org.keycloak.examples.providersoverride.CustomDefaultEmailSenderProviderFactory1 +org.keycloak.examples.providersoverride.CustomDefaultEmailSenderProviderFactory2 \ No newline at end of file diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AbstractAccountPage.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AbstractAccountPage.java deleted file mode 100755 index 9b0bd76804..0000000000 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AbstractAccountPage.java +++ /dev/null @@ -1,51 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.pages; - -import org.openqa.selenium.By; -import org.openqa.selenium.WebElement; -import org.openqa.selenium.support.FindBy; - -/** - * @author Stian Thorgersen - */ -public abstract class AbstractAccountPage extends AbstractPage { - - @FindBy(linkText = "Sign out") - private WebElement logoutLink; - - @FindBy(id = "kc-current-locale-link") - private WebElement languageText; - - @FindBy(id = "kc-locale-dropdown") - private WebElement localeDropdown; - - public void logout() { - logoutLink.click(); - } - - public String getLanguageDropdownText() { - return languageText.getText(); - } - - public void openLanguage(String language){ - WebElement langLink = localeDropdown.findElement(By.xpath("//a[text()='" +language +"']")); - String url = langLink.getAttribute("href"); - driver.navigate().to(url); - } -} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java index 6c888934a1..c99534bb99 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java @@ -47,7 +47,6 @@ import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RequiredActionProviderRepresentation; import org.keycloak.representations.idm.UserRepresentation; -import org.keycloak.services.resources.account.AccountFormService; import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.arquillian.AuthServerTestEnricher; import org.keycloak.testsuite.arquillian.KcArquillian; @@ -723,17 +722,6 @@ public abstract class AbstractKeycloakTest { return log; } - protected String getAccountRedirectUrl(String realm) { - return AccountFormService - .loginRedirectUrl(UriBuilder.fromUri(oauth.AUTH_SERVER_ROOT)) - .build(realm) - .toString(); - } - - protected String getAccountRedirectUrl() { - return getAccountRedirectUrl("test"); - } - protected static InputStream httpsAwareConfigurationStream(InputStream input) throws IOException { if (!AUTH_SERVER_SSL_REQUIRED) { return input; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ConsentsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ConsentsTest.java index 8d8901f8e4..7ea69c5563 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ConsentsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ConsentsTest.java @@ -59,6 +59,8 @@ import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; import static org.keycloak.testsuite.admin.ApiUtil.createUserWithAdminClient; import static org.keycloak.testsuite.admin.ApiUtil.findClientByClientId; import static org.keycloak.testsuite.admin.ApiUtil.resetUserPassword; + +import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse; import org.keycloak.testsuite.util.OAuthClient.AuthorizationEndpointResponse; @@ -354,8 +356,9 @@ public class ConsentsTest extends AbstractKeycloakTest { RealmRepresentation providerRealmRep = providerRealm.toRepresentation(); providerRealmRep.setAccountTheme("keycloak"); providerRealm.update(providerRealmRep); + providerRealm.clients().create(ClientBuilder.create().clientId("test-app").redirectUris("*").addWebOrigin("*").publicClient().build()); - ClientRepresentation providerAccountRep = providerRealm.clients().findByClientId("account").get(0); + ClientRepresentation providerAccountRep = providerRealm.clients().findByClientId("test-app").get(0); // add offline_scope to default account-console client scope ClientScopeRepresentation offlineAccessScope = providerRealm.getDefaultOptionalClientScopes().stream() @@ -371,7 +374,7 @@ public class ConsentsTest extends AbstractKeycloakTest { List searchResult = providerRealm.users().search(getUserLogin()); UserRepresentation user = searchResult.get(0); - driver.navigate().to(getAccountUrl(providerRealmName())); + accountLoginPage.open(providerRealmName()); waitForPage("Sign in to provider"); log.debug("Logging in"); @@ -382,8 +385,6 @@ public class ConsentsTest extends AbstractKeycloakTest { Assert.assertTrue(consentPage.isCurrent()); consentPage.confirm(); - waitForPage("keycloak account console"); - // disable consent required again to enable direct grant token retrieval. providerAccountRep.setConsentRequired(false); providerRealm.clients().get(providerAccountRep.getId()).update(providerAccountRep); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java index 8d67a1264c..37cd078018 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java @@ -18,21 +18,28 @@ package org.keycloak.testsuite.authz; import org.junit.Assert; +import org.junit.Ignore; import org.junit.Test; import org.keycloak.admin.client.resource.RealmResource; import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.client.resource.PermissionResource; -import org.keycloak.forms.account.freemarker.model.AuthorizationBean; -import org.keycloak.forms.account.freemarker.model.AuthorizationBean.ResourceBean; +import org.keycloak.authorization.model.ResourceServer; +//import org.keycloak.forms.account.freemarker.model.AuthorizationBean; +//import org.keycloak.forms.account.freemarker.model.AuthorizationBean.ResourceBean; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.representations.idm.UserRepresentation; -import org.keycloak.representations.idm.authorization.*; -import java.util.List; -import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.representations.idm.authorization.DecisionEffect; +import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation; +import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest; +import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse; +import org.keycloak.representations.idm.authorization.ResourceRepresentation; +import java.util.List; + +@Ignore public class UmaRepresentationTest extends AbstractResourceServerTest { private ResourceRepresentation resource; private PermissionResource permission; @@ -148,25 +155,25 @@ public class UmaRepresentationTest extends AbstractResourceServerTest { } public static void testCanRepresentResourceBeanOfResourceOwnedByUser(KeycloakSession session) { - RealmModel realm = session.realms().getRealmByName("authz-test"); - session.getContext().setRealm(realm); - AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class); - - AuthorizationBean authorizationBean = new AuthorizationBean(session, realm, null, session.getContext().getUri()); - ClientModel client = session.getContext().getRealm().getClientByClientId("resource-server-test"); - UserModel user = session.users().getUserByUsername(session.getContext().getRealm(), "marta"); - ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client); - ResourceBean resourceBean = authorizationBean.new ResourceBean( - authorization.getStoreFactory().getResourceStore().findByName( - resourceServer, "Resource A", user.getId() - ) - ); - - Assert.assertEquals("Resource A", resourceBean.getName()); - Assert.assertEquals("marta", resourceBean.getOwnerName()); - Assert.assertNotNull(resourceBean.getUserOwner()); - Assert.assertEquals("marta", resourceBean.getUserOwner().getUsername()); - Assert.assertNull(resourceBean.getClientOwner()); +// RealmModel realm = session.realms().getRealmByName("authz-test"); +// session.getContext().setRealm(realm); +// AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class); +// +// AuthorizationBean authorizationBean = new AuthorizationBean(session, realm, null, session.getContext().getUri()); +// ClientModel client = session.getContext().getRealm().getClientByClientId("resource-server-test"); +// UserModel user = session.users().getUserByUsername(session.getContext().getRealm(), "marta"); +// ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client); +// ResourceBean resourceBean = authorizationBean.new ResourceBean( +// authorization.getStoreFactory().getResourceStore().findByName( +// resourceServer, "Resource A", user.getId() +// ) +// ); +// +// Assert.assertEquals("Resource A", resourceBean.getName()); +// Assert.assertEquals("marta", resourceBean.getOwnerName()); +// Assert.assertNotNull(resourceBean.getUserOwner()); +// Assert.assertEquals("marta", resourceBean.getUserOwner().getUsername()); +// Assert.assertNull(resourceBean.getClientOwner()); } @Test @@ -176,23 +183,23 @@ public class UmaRepresentationTest extends AbstractResourceServerTest { } public static void testCanRepresentResourceBeanOfResourceOwnedByClient(KeycloakSession session) { - RealmModel realm = session.realms().getRealmByName("authz-test"); - session.getContext().setRealm(realm); - AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class); - - AuthorizationBean authorizationBean = new AuthorizationBean(session, realm, null, session.getContext().getUri()); - ClientModel client = session.getContext().getRealm().getClientByClientId("resource-server-test"); - ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client); - ResourceBean resourceBean = authorizationBean.new ResourceBean( - authorization.getStoreFactory().getResourceStore().findByName( - resourceServer, "Resource A", client.getId() - ) - ); - - Assert.assertEquals("Resource A", resourceBean.getName()); - Assert.assertEquals("resource-server-test", resourceBean.getOwnerName()); - Assert.assertNotNull(resourceBean.getClientOwner()); - Assert.assertEquals("resource-server-test", resourceBean.getClientOwner().getClientId()); - Assert.assertNull(resourceBean.getUserOwner()); +// RealmModel realm = session.realms().getRealmByName("authz-test"); +// session.getContext().setRealm(realm); +// AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class); +// +// AuthorizationBean authorizationBean = new AuthorizationBean(session, realm, null, session.getContext().getUri()); +// ClientModel client = session.getContext().getRealm().getClientByClientId("resource-server-test"); +// ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client); +// ResourceBean resourceBean = authorizationBean.new ResourceBean( +// authorization.getStoreFactory().getResourceStore().findByName( +// resourceServer, "Resource A", client.getId() +// ) +// ); +// +// Assert.assertEquals("Resource A", resourceBean.getName()); +// Assert.assertEquals("resource-server-test", resourceBean.getOwnerName()); +// Assert.assertNotNull(resourceBean.getClientOwner()); +// Assert.assertEquals("resource-server-test", resourceBean.getClientOwner().getClientId()); +// Assert.assertNull(resourceBean.getUserOwner()); } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java index 6191e0ceea..c112223f42 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java @@ -1127,7 +1127,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { @Test public void resetPasswordLinkNewTabAndProperRedirectAccount() throws IOException { final String REQUIRED_URI = getAuthServerRoot() + "realms/test/account/login-redirect?path=applications"; - final String REDIRECT_URI = getAccountRedirectUrl() + "?path=applications"; + final String REDIRECT_URI = getAuthServerRoot() + "realms/test/account/login-redirect?path=applications"; final String CLIENT_ID = "account"; final String ACCOUNT_MANAGEMENT_TITLE = "Keycloak Account Management"; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/providers/ProvidersOverrideTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/providers/ProvidersOverrideTest.java index e575efaf6f..12ecedc710 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/providers/ProvidersOverrideTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/providers/ProvidersOverrideTest.java @@ -19,23 +19,23 @@ package org.keycloak.testsuite.providers; -import java.util.List; - import org.junit.Test; import org.keycloak.authentication.Authenticator; import org.keycloak.authentication.authenticators.directgrant.ValidateOTP; import org.keycloak.authentication.authenticators.directgrant.ValidatePassword; import org.keycloak.authentication.authenticators.directgrant.ValidateUsername; +import org.keycloak.email.EmailSenderProvider; +import org.keycloak.examples.providersoverride.CustomDefaultEmailSenderProvider2; +import org.keycloak.examples.providersoverride.CustomLoginFormsProvider; import org.keycloak.examples.providersoverride.CustomValidatePassword2; import org.keycloak.examples.providersoverride.CustomValidateUsername; -import org.keycloak.forms.account.AccountProvider; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.provider.Provider; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.Assert; -import org.keycloak.examples.providersoverride.CustomFreemarkerAccountProvider2; -import org.keycloak.examples.providersoverride.CustomLoginFormsProvider; + +import java.util.List; /** * Test for having multiple providerFactory of smae SPI with same providerId @@ -66,7 +66,7 @@ public class ProvidersOverrideTest extends AbstractKeycloakTest { testProviderImplementationClass(LoginFormsProvider.class, null, CustomLoginFormsProvider.class); // The provider with highest order is chosen - testProviderImplementationClass(AccountProvider.class, null, CustomFreemarkerAccountProvider2.class); + testProviderImplementationClass(EmailSenderProvider.class, null, CustomDefaultEmailSenderProvider2.class); } private void testProviderImplementationClass(Class providerClass, String providerId, Class expectedProviderImplClass) { diff --git a/themes/UPDATING-NODE-MODULES.md b/themes/UPDATING-NODE-MODULES.md index c60e6620d9..b34df1b966 100644 --- a/themes/UPDATING-NODE-MODULES.md +++ b/themes/UPDATING-NODE-MODULES.md @@ -2,7 +2,7 @@ The dependencies will be downloaded at build time, based on the contents of `package-lock.json`. You should verify the new set of packages don't break anything before committing the new `package-lock.json`. -## For login and old account console +## For the login ```bash cd src/main/resources/theme/keycloak/common/resources @@ -11,7 +11,7 @@ git add package-lock.json cd - ``` -## For the new account console +## For account console v2 ```bash cd src/main/resources/theme/keycloak.v2/account/src diff --git a/themes/src/main/resources/META-INF/keycloak-themes.json b/themes/src/main/resources/META-INF/keycloak-themes.json index 1df68b3b51..dc2201c6af 100755 --- a/themes/src/main/resources/META-INF/keycloak-themes.json +++ b/themes/src/main/resources/META-INF/keycloak-themes.json @@ -4,7 +4,7 @@ "types": [ "admin", "account", "login", "email" ] }, { "name" : "keycloak", - "types": [ "account", "login", "common", "email", "welcome" ] + "types": [ "login", "common", "email", "welcome" ] }, { "name" : "keycloak.v2", "types": [ "account", "admin" ] diff --git a/themes/src/main/resources/theme/base/account/account.ftl b/themes/src/main/resources/theme/base/account/account.ftl deleted file mode 100755 index 9254b96682..0000000000 --- a/themes/src/main/resources/theme/base/account/account.ftl +++ /dev/null @@ -1,70 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='account' bodyClass='user'; section> - -

-
-

${msg("editAccountHtmlTitle")}

-
-
- * ${msg("requiredFields")} -
-
- -
- - - - <#if !realm.registrationEmailAsUsername> -
-
- <#if realm.editUsernameAllowed>* -
- -
- disabled="disabled" value="${(account.username!'')}"/> -
-
- - -
-
- * -
- -
- -
-
- -
-
- * -
- -
- -
-
- -
-
- * -
- -
- -
-
- -
-
-
- <#if url.referrerURI??>${kcSanitize(msg("backToApplication")?no_esc)} - - -
-
-
-
- - diff --git a/themes/src/main/resources/theme/base/account/applications.ftl b/themes/src/main/resources/theme/base/account/applications.ftl deleted file mode 100755 index a8edc38444..0000000000 --- a/themes/src/main/resources/theme/base/account/applications.ftl +++ /dev/null @@ -1,76 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='applications' bodyClass='applications'; section> - -
-
-

${msg("applicationsHtmlTitle")}

-
-
- -
- - - - - - - - - - - - - - - - <#list applications.applications as application> - - - - - - - - - - - - - -
${msg("application")}${msg("availableRoles")}${msg("grantedPermissions")}${msg("additionalGrants")}${msg("action")}
- <#if application.effectiveUrl?has_content> - <#if application.client.name?has_content>${advancedMsg(application.client.name)}<#else>${application.client.clientId} - <#if application.effectiveUrl?has_content> - - <#list application.realmRolesAvailable as role> - <#if role.description??>${advancedMsg(role.description)}<#else>${advancedMsg(role.name)} - <#if role_has_next>, - - <#list application.resourceRolesAvailable?keys as resource> - <#if application.realmRolesAvailable?has_content>, - <#list application.resourceRolesAvailable[resource] as clientRole> - <#if clientRole.roleDescription??>${advancedMsg(clientRole.roleDescription)}<#else>${advancedMsg(clientRole.roleName)} - ${msg("inResource")} <#if clientRole.clientName??>${advancedMsg(clientRole.clientName)}<#else>${clientRole.clientId} - <#if clientRole_has_next>, - - - - <#if application.client.consentRequired> - <#list application.clientScopesGranted as claim> - ${advancedMsg(claim)}<#if claim_has_next>, - - <#else> - ${msg("fullAccess")} - - - <#list application.additionalGrants as grant> - ${advancedMsg(grant)}<#if grant_has_next>, - - - <#if (application.client.consentRequired && application.clientScopesGranted?has_content) || application.additionalGrants?has_content> - - -
-
- - \ No newline at end of file diff --git a/themes/src/main/resources/theme/base/account/federatedIdentity.ftl b/themes/src/main/resources/theme/base/account/federatedIdentity.ftl deleted file mode 100755 index c2eb76985f..0000000000 --- a/themes/src/main/resources/theme/base/account/federatedIdentity.ftl +++ /dev/null @@ -1,42 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='social' bodyClass='social'; section> - -
-
-

${msg("federatedIdentitiesHtmlTitle")}

-
-
- -
- <#list federatedIdentity.identities as identity> -
-
- -
-
- -
-
- <#if identity.connected> - <#if federatedIdentity.removeLinkPossible> -
- - - - -
- - <#else> -
- - - - -
- -
-
- -
- - diff --git a/themes/src/main/resources/theme/base/account/log.ftl b/themes/src/main/resources/theme/base/account/log.ftl deleted file mode 100644 index 29046cf0d2..0000000000 --- a/themes/src/main/resources/theme/base/account/log.ftl +++ /dev/null @@ -1,35 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='log' bodyClass='log'; section> - -
-
-

${msg("accountLogHtmlTitle")}

-
-
- - - - - - - - - - - - - - <#list log.events as event> - - - - - - - - - - -
${msg("date")}${msg("event")}${msg("ip")}${msg("client")}${msg("details")}
${event.date?datetime}${event.event}${event.ipAddress}${event.client!}<#list event.details as detail>${detail.key} = ${detail.value} <#if detail_has_next>,
- - \ No newline at end of file diff --git a/themes/src/main/resources/theme/base/account/password.ftl b/themes/src/main/resources/theme/base/account/password.ftl deleted file mode 100755 index 4a043f28b9..0000000000 --- a/themes/src/main/resources/theme/base/account/password.ftl +++ /dev/null @@ -1,59 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='password' bodyClass='password'; section> - -
-
-

${msg("changePasswordHtmlTitle")}

-
-
- ${msg("allFieldsRequired")} -
-
- -
- - - <#if password.passwordSet> -
-
- -
- -
- -
-
- - - - -
-
- -
- -
- -
-
- -
-
- -
- -
- -
-
- -
-
-
- -
-
-
-
- - diff --git a/themes/src/main/resources/theme/base/account/resource-detail.ftl b/themes/src/main/resources/theme/base/account/resource-detail.ftl deleted file mode 100755 index 2c963d7732..0000000000 --- a/themes/src/main/resources/theme/base/account/resource-detail.ftl +++ /dev/null @@ -1,277 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='authorization' bodyClass='authorization'; section> - - - - -
-
-

- ${msg("myResources")} <#if authorization.resource.displayName??>${authorization.resource.displayName}<#else>${authorization.resource.name} -

-
-
- - <#if authorization.resource.iconUri??> - -
- - -
-
-

- ${msg("peopleAccessResource")} -

-
-
-
-
- - - - - - - - - - - <#if authorization.resource.shares?size != 0> - <#list authorization.resource.shares as permission> - - - - - - - - - - - - - <#else> - - - - - -
${msg("user")}${msg("permission")}${msg("date")}${msg("action")}
- <#if permission.requester.email??>${permission.requester.email}<#else>${permission.requester.username} - - <#if permission.scopes?size != 0> - <#list permission.scopes as scope> - <#if scope.granted && scope.scope??> -
- <#if scope.scope.displayName??> - ${scope.scope.displayName} - <#else> - ${scope.scope.name} - - - -
- <#else> - ${msg("anyPermission")} - - - <#else> - Any action - - 		- ${permission.createdDate?datetime} - - ${msg("doRevoke")} -
${msg("resourceIsNotBeingShared")}
- -
-
-
-
-

- ${msg("resourceManagedPolicies")} -

-
-
-
-
- - - - - - - - - - <#if authorization.resource.policies?size != 0> - <#list authorization.resource.policies as permission> - - - - - - - - - - - - <#else> - - - - - -
${msg("description")}${msg("permission")}${msg("action")}
- <#if permission.description??> - ${permission.description} - - - <#if permission.scopes?size != 0> - <#list permission.scopes as scope> -
- <#if scope.displayName??> - ${scope.displayName} - <#else> - ${scope.name} - - - -
- - <#else> - ${msg("anyAction")} - - 		- ${msg("doRevoke")} -
- ${msg("resourceNoPermissionsGrantingAccess")} -
- -
-
-
-
-

- ${msg("shareWithOthers")} -

-
-
-
-
-
- -
- * -
-
-
-
- -
-
-
- <#list authorization.resource.scopes as scope> - - -
-
-
- ${msg("share")} -
-
-
-
-
-
-
- diff --git a/themes/src/main/resources/theme/base/account/resources.ftl b/themes/src/main/resources/theme/base/account/resources.ftl deleted file mode 100755 index d86e8bc323..0000000000 --- a/themes/src/main/resources/theme/base/account/resources.ftl +++ /dev/null @@ -1,403 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='authorization' bodyClass='authorization'; section> - - -
-
-

- ${msg("myResources")} -

-
-
- - <#if authorization.resourcesWaitingApproval?size != 0> -
-
-

- ${msg("needMyApproval")} -

-
-
-
-
- - - - - - - - - - - <#list authorization.resourcesWaitingApproval as resource> - <#list resource.permissions as permission> - - - - - - - - - - - - - - -
${msg("resource")}${msg("requestor")}${msg("permissionRequestion")}${msg("action")}
- <#if resource.displayName??>${resource.displayName}<#else>${resource.name} - - <#if permission.requester.email??>${permission.requester.email}<#else>${permission.requester.username} - - <#list permission.scopes as scope> - <#if scope.scope??> -
- <#if scope.scope.displayName??> - ${scope.scope.displayName} - <#else> - ${scope.scope.name} - - - -
- <#else> - ${msg("anyPermission")} - - - 		- ${msg("doApprove")} - ${msg("doDeny")} -
-
-
- - -
-
-

- ${msg("myResourcesSub")} -

-
-
-
-
- - - - - - - - - - - <#if authorization.resources?size != 0> - <#list authorization.resources as resource> - - - - - - - <#else> - - - - - -
${msg("resource")}${msg("application")}${msg("peopleSharingThisResource")}
- - <#if resource.displayName??>${resource.displayName}<#else>${resource.name} - - - <#if resource.resourceServer.baseUri??> - ${resource.resourceServer.name} - <#else> - ${resource.resourceServer.name} - - - <#if resource.shares?size != 0> - ${resource.shares?size} - <#else> - ${msg("notBeingShared")} - -
${msg("notHaveAnyResource")}
-
-
- -
-
-

- ${msg("resourcesSharedWithMe")} -

-
-
-
-
-
- - - - - - - - - - - - - - <#if authorization.sharedResources?size != 0> - <#list authorization.sharedResources as resource> - - - - - - - - - - <#else> - - - - - -
disabled="true" - ${msg("resource")}${msg("owner")}${msg("application")}${msg("permission")}${msg("date")}
- - - <#if resource.displayName??>${resource.displayName}<#else>${resource.name} - - ${resource.ownerName} - - <#if resource.resourceServer.baseUri??> - ${resource.resourceServer.name} - <#else> - ${resource.resourceServer.name} - - - <#if resource.permissions?size != 0> -
    - <#list resource.permissions as permission> - <#list permission.scopes as scope> - <#if scope.granted && scope.scope??> -
  • - <#if scope.scope.displayName??> - ${scope.scope.displayName} - <#else> - ${scope.scope.name} - -
    • - <#else> - ${msg("anyPermission")} - - - -
- <#else> - Any action - - 		- ${resource.permissions[0].grantedDate?datetime} -
${msg("noResourcesSharedWithYou")}
-
-
- <#if authorization.sharedResources?size != 0> -
- ${msg("doRemoveSharing")} -
- -
- - <#if authorization.resourcesWaitingOthersApproval?size != 0> -
-
-
-

- ${msg("requestsWaitingApproval")} -

-
-
-
-
- ${msg("havePermissionRequestsWaitingForApproval",authorization.resourcesWaitingOthersApproval?size)} - ${msg("clickHereForDetails")} -
-
-
-
-
-
-
-
-
- -
-
- - - \ No newline at end of file diff --git a/themes/src/main/resources/theme/base/account/sessions.ftl b/themes/src/main/resources/theme/base/account/sessions.ftl deleted file mode 100755 index 89dbf65480..0000000000 --- a/themes/src/main/resources/theme/base/account/sessions.ftl +++ /dev/null @@ -1,44 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='sessions' bodyClass='sessions'; section> - -
-
-

${msg("sessionsHtmlTitle")}

-
-
- - - - - - - - - - - - - - <#list sessions.sessions as session> - - - - - - - - - - -
${msg("ip")}${msg("started")}${msg("lastAccess")}${msg("expires")}${msg("clients")}
${session.ipAddress}${session.started?datetime}${session.lastAccess?datetime}${session.expires?datetime} - <#list session.clients as client> - ${client}
- -
- -
- - -
- - diff --git a/themes/src/main/resources/theme/base/account/template.ftl b/themes/src/main/resources/theme/base/account/template.ftl deleted file mode 100644 index da2ec134d0..0000000000 --- a/themes/src/main/resources/theme/base/account/template.ftl +++ /dev/null @@ -1,88 +0,0 @@ -<#macro mainLayout active bodyClass> - - lang="${locale.currentLanguageTag}"> - - - - - - ${msg("accountManagementTitle")} - - <#if properties.stylesCommon?has_content> - <#list properties.stylesCommon?split(' ') as style> - - - - <#if properties.styles?has_content> - <#list properties.styles?split(' ') as style> - - - - <#if properties.scripts?has_content> - <#list properties.scripts?split(' ') as script> - - - - - - -
- -
- -
-
- -
- -
- <#if message?has_content> -
- <#if message.type=='success' > - <#if message.type=='error' > - -
- - - <#nested "content"> -
-
- - - - \ No newline at end of file diff --git a/themes/src/main/resources/theme/base/account/totp.ftl b/themes/src/main/resources/theme/base/account/totp.ftl deleted file mode 100755 index d7a02e6765..0000000000 --- a/themes/src/main/resources/theme/base/account/totp.ftl +++ /dev/null @@ -1,141 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.mainLayout active='totp' bodyClass='totp'; section> - -
-
-

${msg("authenticatorTitle")}

-
- <#if totp.otpCredentials?size == 0> -
- * ${msg("requiredFields")} -
- -
- - <#if totp.enabled> - - - <#if totp.otpCredentials?size gt 1> - - - - <#else> - - - - - - - <#list totp.otpCredentials as credential> - - - <#if totp.otpCredentials?size gt 1> - - - - - - - -
${msg("configureAuthenticators")}
${msg("configureAuthenticators")}
${msg("mobile")}${credential.id}${credential.userLabel!} -
- - - - -
-
- <#else> - -
- -
    -
  1. -

    ${msg("totpStep1")}

    - -
      - <#list totp.supportedApplications as app> -
    • ${msg(app)}
      • - -
    -
    2. - - <#if mode?? && mode = "manual"> -
  2. -

    ${msg("totpManualStep2")}

    -

    ${totp.totpSecretEncoded}

    -

    ${msg("totpScanBarcode")}

    -
    3. -
  3. -

    ${msg("totpManualStep3")}

    -
      -
    • ${msg("totpType")}: ${msg("totp." + totp.policy.type)}
      • -
    • ${msg("totpAlgorithm")}: ${totp.policy.getAlgorithmKey()}
      • -
    • ${msg("totpDigits")}: ${totp.policy.digits}
      • - <#if totp.policy.type = "totp"> -
    • ${msg("totpInterval")}: ${totp.policy.period}
      • - <#elseif totp.policy.type = "hotp"> -
    • ${msg("totpCounter")}: ${totp.policy.initialCounter}
      • - -
    -
    4. - <#else> -
  4. -

    ${msg("totpStep2")}

    -

    Figure: Barcode

    -

    ${msg("totpUnableToScan")}

    -
    5. - -
  5. -

    ${msg("totpStep3")}

    -

    ${msg("totpStep3DeviceName")}

    -
    6. -
- -
- -
- -
-
- * -
- -
- - -
- - -
- -
-
- <#if totp.otpCredentials?size gte 1>* -
- -
- -
-
- -
-
-
- - -
-
-
-
- - - diff --git a/themes/src/main/resources/theme/keycloak/account/resources/css/account.css b/themes/src/main/resources/theme/keycloak/account/resources/css/account.css deleted file mode 100644 index 3878e43ac8..0000000000 --- a/themes/src/main/resources/theme/keycloak/account/resources/css/account.css +++ /dev/null @@ -1,277 +0,0 @@ -html { - height: 100%; -} - -body { - background-color: #F9F9F9; - margin: 0; - padding: 0; - height: 100%; -} - -header .navbar { - margin-bottom: 0; - min-height: inherit; -} - -.header .container { - position: relative; -} - -.navbar-title { - background-image: url('../img/logo.png'); - height: 25px; - background-repeat: no-repeat; - width: 123px; - margin: 3px 10px 5px; - text-indent: -99999px; -} - -.navbar-pf .navbar-utility { - right: 20px; - top: -34px; - font-size: 12px; -} - -.navbar-pf .navbar-utility > li > a { - color: #fff !important; - padding-bottom: 12px; - padding-top: 11px; - border-left: medium none; -} - -.container { - height: 100%; -} - -.content-area { - background-color: #fff; - border-color: #CECECE; - border-style: solid; - border-width: 0 1px; - height: 100%; - padding: 0 30px; -} - -.margin-bottom { - margin-bottom: 10px; -} - -/* Sidebar */ - -.bs-sidebar { - background-color: #f9f9f9; - padding-top: 44px; - padding-right: 0; - padding-left: 0; - z-index: 20; -} -.bs-sidebar ul { - list-style: none; - padding-left: 12px; -} - -.bs-sidebar ul li { - margin-bottom: 0.5em; - margin-left: -1em; -} -.bs-sidebar ul li a { - font-size: 14px; - padding-left: 25px; - color: #4d5258; - line-height: 28px; - display: block; - border-width: 1px 0 1px 1px; - border-style: solid; - border-color: #f9f9f9; -} -.bs-sidebar ul li a:hover, -.bs-sidebar ul li a:focus { - text-decoration: none; - color: #777777; - border-right: 2px solid #aaa; -} -.bs-sidebar ul li.active a { - background-color: #c7e5f0; - border-color: #56bae0; - font-weight: bold; - background-image: url(../img/icon-sidebar-active.png); - background-repeat: no-repeat; - background-position: right center; -} - -.bs-sidebar ul li.active a:hover { - border-right: none; -} - - -.content-area h2 { - font-family: "Open Sans", sans-serif; - font-weight: 100; - font-size: 24px; - margin-bottom: 25px; - margin-top: 25px; -} - -.subtitle { - text-align: right; - margin-top: 30px; - color: #909090; -} - -.required { - color: #CB2915; -} - - -.alert { - margin-top: 30px; - margin-bottom: 0; -} - -.feedback-aligner .alert { - background-position: 1.27273em center; - background-repeat: no-repeat; - border-radius: 2px; - border-width: 1px; - color: #4D5258; - display: inline-block; - font-size: 1.1em; - line-height: 1.4em; - margin: 0; - padding: 0.909091em 3.63636em; - position: relative; - text-align: left; -} -.alert.alert-success { - background-color: #E4F1E1; - border-color: #4B9E39; -} -.alert.alert-error { - background-color: #F8E7E7; - border-color: #B91415; -} -.alert.alert-warning { - background-color: #FEF1E9; - border-color: #F17528; -} -.alert.alert-info { - background-color: #E4F3FA; - border-color: #5994B2; -} - -.form-horizontal { - border-top: 1px solid #E9E8E8; - padding-top: 23px; -} - -.form-horizontal .control-label { - color: #909090; - line-height: 1.4em; - padding-top: 5px; - position: relative; - text-align: right; - width: 100%; -} - -.form-group { - position: relative; -} - -.control-label + .required { - position: absolute; - right: -2px; - top: 0; -} - -#kc-form-buttons { - text-align: right; - margin-top: 10px; -} - -#kc-form-buttons .btn-primary { - float: right; - margin-left: 8px; -} - -/* Authenticator page */ - -ol { - padding-left: 40px; -} - -ol li { - font-size: 13px; - margin-bottom: 10px; - position: relative; -} - -ol li img { - margin-top: 15px; - margin-bottom: 5px; - border: 1px solid #eee; -} - -hr + .form-horizontal { - border: none; - padding-top: 0; -} - -.kc-dropdown{ - position: relative; -} -.kc-dropdown > a{ - display:block; - padding: 11px 10px 12px; - line-height: 12px; - font-size: 12px; - color: #fff !important; - text-decoration: none; -} -.kc-dropdown > a::after{ - content: "\2c5"; - margin-left: 4px; -} -.kc-dropdown:hover > a{ - background-color: rgba(0,0,0,0.2); -} -.kc-dropdown ul li a{ - padding: 1px 11px; - font-size: 12px; - color: #000 !important; - border: 1px solid #fff; - text-decoration: none; - display:block; - line-height: 20px; -} -.kc-dropdown ul li a:hover{ - color: #4d5258; - background-color: #d4edfa; - border-color: #b3d3e7; -} -.kc-dropdown ul{ - position: absolute; - z-index: 2000; - list-style:none; - display:none; - padding: 5px 0px; - margin: 0px; - background-color: #fff !important; - border: 1px solid #b6b6b6; - border-radius: 1px; - -webkit-box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175); - box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175); - background-clip: padding-box; - min-width: 100px; -} -.kc-dropdown:hover ul{ - display:block; -} - - -#kc-totp-secret-key { - border: 1px solid #eee; - font-size: 16px; - padding: 10px; - margin: 50px 0; -} \ No newline at end of file diff --git a/themes/src/main/resources/theme/keycloak/account/resources/img/icon-sidebar-active.png b/themes/src/main/resources/theme/keycloak/account/resources/img/icon-sidebar-active.png deleted file mode 100644 index e7b9b082836b728286e1962f7d2efc81ddbe0b71..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 202 zcmeAS@N?(olHy`uVBq!ia0vp^;y}#D!3HFcd~W{?q$EpRBT9nv(@M${i&7aJQ}UBi z6+Ckj(^G>|6H_V+Po~-c73FxkIEGZ*N=jIun2<7~^e}_RcjiI`=UK zVCeYHtShu&-DyXLq!)E7W+-p1Ilz&A@c@&Xh}=}&gd+kA7qR+CC9YLuAP#kTzP zOOabP0l+XkKxNbyD diff --git a/themes/src/main/resources/theme/keycloak/account/resources/img/keycloak-logo.png b/themes/src/main/resources/theme/keycloak/account/resources/img/keycloak-logo.png deleted file mode 100644 index 955574855d493cc248e112b7d755a95d641613f8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5213 zcmaJ_cT^MW_6;H;A{{Ig2}nmmLJ1`F5)_dlMWjee0)&ua5}GuDDd;Q004kV_lCCd z$(VTZ2%kN3@~%d%Rh$f$DTuoi6M`ef!=8i&XrKrVXrM06-U)4twnus0Z$~Qw0JK6F z)4P7-%Op7um(2nhVUq`w07 z_5c4+9PaOEGQ}AEU%mfGOg8l*qNR<|WP%$Bd2(=$SAVA>!nH_fdkTSMN+7uY)kPy` z0);?!CJ=#ICQzW5zC99y|GgppCqiEzu8SvA?D0snuC|Kc2?q#+LBX|UWWZoeZ72)@ zg+L$(Sr|k|3!$T^2!(*XZGXTKaqpPi9>N&b(&ER87tvY^vYr8#_^(_0gHjoST ztL*JvNpJBQXJ6LA>U7*SmPZn6gY;%Trx`1aEF{92?&t|>aF*R{Lt@SgJ>)!V1r*rV zk!imrQ*pdX5}8OI6Ox70rM3C2eKY9ZOCcZs`qG`k`c^$GbCZ_eDAAa~Q(z<|dG_Ty zb^s^9kJj2LufQBClr7P8K}4)?!{+w1&14>G{=#Q~$0_9xRY(ID##RI-@^ z|8ACygkMTDWj5lc#T@!u`Sacx@>ax_W*55PN8yj^fUQr%>;eA}c(ZUZ*Iv_iYR5Gs+>vonoU5g>S zt*a{%H2>WA*AoGiWUIxOLvo21kL|k9M2}o%nmW1F)KnDMoGn2jFTd~)5_u!kCEsl2 zio?s}MChGmXF#t+0d@yjLw`EVVfj=l^U4G7O7KvsLv4y*gUp$;m-ox*oFm)5G^Mal zxAd*c*JpTT?MG)YtIH(4^7aJO?loTZzwyOzJIDaKRy^ zS$c^q9uPm{Wv6!^DT$^W3*R)*3i*UnXVnC?PGP#TOq{6)k7LcP4e(cN@=Jn`DJHa* zdHtqZY>h_;Se#PH4=LjO7wwq!CwMyg;|7E;^Ad5zw4kqlxAmpHF9u1HFdKehR{D8l zYDMQr$JR9zhs4`(sHxplfd?Ch0IweJ^|+7igz$Me_?_OgTB}uC3ki6;^mBDKtE#dx zx%FGj<*a>^`eHUYsA|BG*LK)BF+{rl;kBcLPR9pcSQ*^TcL46eJAsj<46zR1Zunm85wPJ0O|mSWx#K=Z~fbFhw(o|XkxXhG-s{^JC-faw;d8h&mW z4!eE%;~Ul zt&Qm@7&N8x;vQ>n9SG84`L6Gq3BN5~Zq?dr_W-jo+5UY7A1y+!Kdq^_MNqApzxW)!@(|3!{l%?*?%D$P2r zTb*lYK6*4}{d1d`MTb>QKZriJr+j!m!KG`k)Vmt!wYBA@(&t!fYApec;!pK`uc)LTd*Qw963t}nZelff%`S@Mto_3F3IF0Ww zJHkj}^6=6(ru&on4*trI+GFlTc|p_V$+oV)TvJMoEG@&l>Ie6nmqf*UGX<^R+ksZk zVy_kC4QbwkpB{*S1brVs<|d_dPPWECLCLoU?i|GxUobP$u!wUpP!P)Q|KiB9md0%foVFL z=5MU}@U*P&^qP!r-Tf|Y)Gvm}eBtfZ)YGev&c{7q3{oySRg~aX7Hk!IzsMmOXkT4^ z*?VX(YRSVs0+(Fy=IwA)P!}Xk=?RsSK4Xl|mosJGf$i{$oxgSdzV_05#ck1s1|A~G z)Rm>$#*zUj*Ijdley1;dL!_^_PQ|%pB%WhP!*8N|rEIU1PgbT(4SiM?O~kT`OM^ z_x6kKjPmWMeau%S?{;hRNx4Bca&{#{lNpYFbPzRDRLw1AksFbfWsz!Q<3cgBGMNdi zd%aj6Ncx;iLDbZ|e0>w5ko0X*&uvDV*huzF@4B1kcM(;ZZm`OEHQNk_#;KHQCE2`I zdI%#^MpFhBCWxaz)U5NNK|d@>=Qx$QZ8y69KR7dXRh ztt(wuxTzJ4we`;2xEnAXTieRw96cZ9@pj`9qt$NvwXQ*-9j~vUF?=~DPi@wIZr2Un ztY81Y@>+CH$kj+EvVAkMlFf3X%AymZ+4}Ue$f6GltX?Om)S1bLp+y+f#>x#Clvqa^ zm4Tr5lU_witBrWsPP8OGEswoEGm{maHcpk?Syy1M|ACS~To3MTZmbob(Ntx6yr7As z*VdBVHhr7jmZB0`K<$P-d2D@`u$*~|O1(Uxsw%3j_8dCLF`!*)my{N;5eD7+pnRqi zY5ztXd#l=Ot>9) zvKAYjsZ7f`kSg2<4*A|Q%z~sKkHxR`vS?_~xv}--W(Fip1N%joRuGKChfHjF7xgdY zpV6wPX*e1R7FGVx)8jeY64^2TQ9L+uWZ3eYO}7H?mRo=Ij))<`wnn&B@i~|on|Ivn zA|HDX6=Ewo>e}vle{<7J$yu%rGm2EXI=kLfjlZ#6tq@Z%ptn}6d2EfNX}LyH?*?y{ zXr;BT@1}3Et|ckdyN1I1s?>IX{j-%n_b27qNI9dvWaghRqjy$wcR; zjFJ?MhE!I{&T!$+@|QxFB^@MT^M z?QH+b+v$I4*as4v1U}~5{W@2ou(;{X<}1R0lVicDvbPWDJW&`e)lma=Uu(@8=S&e> z%TyeW#qjJAI2#+CH&evW+sk#*$?ojjw-_fBz(?~V!$00X?o+DYNwk@G_Y~UFlOwhN zq<@gDY!T+v6cv<7buJ28DlmDDS&u*D?6irpkA3|U@+GR-dy)zZo?7^ZMi(Zg z^+GbR4fQe6#kXkb6t43j*oUFlA#)?2h9>U_B^c-MMO#~Zj}d90wsGs}8cETGy)g)X z!h#-fxray;(&J6|9IC-H+2LNya`t@TBkO~QR6X@YX&*UQ<5K=S?K_HX>9%I)`g?GK z{;gN}Y-85<27QKK7kRh0eo`;sPk0qGx^t)CtqwNkX|K}yo9{{bdf(fsJx8|>v^d9M z$!Ud(J5C{16;@ru8K_nsZU)`vU>R3W<5(DZRb@6m{ayTPo+`pY_7JH zO;=Y7f9}n>GMqQ{hB=~^v2(udkE4USVacL$HI^$(sxNDP6-~xOPGuP7@M#bAobdy-KSQ4a|9$Omt{j}fk zdsx^BIu7MrQPz^cZ*Jq&jqJQEFbg+)4j%I^(4C>sTT*u(q2Bchlj|&Gjwlr<08MAOBVKg2JRYd6*G6v^$#WAObvg#?#6cSOLPwJ z$n4pePe>=E>yYL_&H^vw-O}-T;*R~1?Dp4(LSJMyPwWB;VOVZS+~l#x3}roKz_CBt z>g(u~>G(BUE?39pyIWIxHQQapj}W3Hnp)?Ra^YZge{py&_#-95&fm5}vN(O_^YHgR z+oOnSktZ)5cJN$lRV~U#GLd1+2FD%ZK)u?yGryj^OrtETe?3xtRg$g0FYDYiAPeh2 z(bUqEZXbafk0s;cW7oc1V(72JqKt^d%dmD3iTGD zAHA30s^{QkpFW*%Rh^^VQZ*Fqw2}8h>4WG)?@_^OY1ubC0ZT3#S*Cqe-5CK~0 zfP36pr50(3z(?fbsyWwse7O*nXxintDlAGF1<297V-yU0e6hrWrHrp=B(q0yS9o*( z?HA{9lL4Mo*G;R)?WI@iKg15=Y55J(u6s2WRg2&4iFRygUd4BvXJC}NubF!Yt>LME zSU#g(&8|8_hu#RdB~0ojp?!_>mszTX7Lw}^#a_KCT@xr3yf5Gx!Et$#WrY3mZGs5D zaka|MWJmQlJr1b1TNW6RSDHSBU-N48ZZHgrG|=|(SKnYw)YGG<*o54VjX1^@s65&Kat00004b3#c}2nYxW zd-{Qv*}8FWQhbW?9;ba!ELWdL_~cP?peYja~^ zaAhuUa%Y?FJQ@H154lN1K~!jg?OJ_sRYjKnoxbZ*79oIc%s&gnj<`!%5jl$MrWVy!&@Agd*w^Pt8U z(|6;>jo}~AwiQ1SR7(VF?OgmYLjyo($8mo11KYOZCjvEBIdbI4K>*%siT*v|TWf#5 zVZ(;1A0eX^7ZB&H>@j1;H~^l(k25p?1eH>Aex!_6TtGNYD|+?nbsvBU>2-$+i}7)f zD{;JIA=(lnv!O0UJ9=p`qBoC4^18JCl`*PrLQU>2?K(6!yjb!D9f5FM8_)uz%3)ILQRv`4WUn%D~yVjXDsK zrzcIC6!@tp(u)5ZjkfCb>(}q<)~(xsk2>$7}gdzPC@)aPU9|B3jl~lV+aIXSZkxfV2}g=1P~F?+RrH{C|C{P65p7> zRRacGNfc)RfDb?X@M#gbMQa^YN_~FKHP@8v*s)^)K&5~HN?EJ*DPwFVAVJ^vl~Ss~ zahxZNFc`CaiRwB4uSKKL z2g=LKPdC>t6bfZ!WMo!)o|j2P-iZ_66)#@A*lWsHUS9ql1Kmla{;8*)`dK>dp_wz6 zlgI#TS&Xs!Q!9J*>eZ!1#l-{i^Yf7`yKNBfpNt~YQ8<2aF95*gd`6Fg_Q=oA$F-eu zFsdDc88~j@p7TECqAsTs^78U=(M6q*pP!Eo9XhmW*REY=PP=xQIXUezb8~arY}>ZY z6_M+-)&s?Iarz)X_@MG}0KX=p-j3sRF~&>-03y2Daa5s*6dK>Z)LMHLv+WO{x8pcH znfVH>bGjiR%y`E5dc5!JB5Q4T zBKd8~*hNJ}s}!AG=uvI()V^=xv~HboRAt~|S8#70H|p%+4i;@l@L?3_?ietD6%Cm% z)}(ld2qHKK#uz0cNb44rm6iWOB*|l&5Ydq9ufKjj09b3op67#^AwtKDv7ZB|wwCuO zrK&{auu|&tTW`JfjEKyXc&Aif-|$*eer|62Wg-X|qany8y6u?W=Qgb8}N?Y7xQG zLp7+b_s}sjhRczt%Gf+X$+Riw|@Lt_hsob*Q=A zp2$u2g38K|#)z2bhzQIgfQ%V9aNzc|apffCFq@l)4lUW;oB{w~=+L1H-g;}(!%C@( z9Y+;y+O+8wX8u%b^AE;o0MOal*)v{w<&`1K{Evz8SOT8-_~Vafg+d_)fR!s(c2-Kg z2dH2m;M~ztf9Y7VWJxE0<}%xaSeknO{r4|U($}n6Gx^B3-@Ylr!vHwG)^7mlo1{Pa z3unlV?56T5xD>`efso!*qDm5DwE;Q%%5Kg0P5Li zpUo~VE`Gq;_`p~MH4QN=IamV#=+?bEB5-hJCSyc9NlJh*2FW)6oa3XbD>$No4v2f> zTV5t&jW&U^){e(YK!Ap1U1eou31D9#B3R3?*8FavhuWTQXaFcHE3;lKb_W2HXwYZ&?AhIubfwfIM#n{y<7`gIfwgkZ zMU{wTD-~aX)22U=Z2ZO=87cXACIVHFEWtY7b37q($Yy)x_j%^t-H4*%RBG9kj{70O*d^8kzFEy z=Xu?&<$eG`1mE3u+ig!L*i!jIMljguB$CAB$&>Yj2@}pFzpb^I%oY&g=J<`#Ln*NZ zIgV;}9_8ibr-_`@uBB99C;&YE_~VyrZLR_UA{7SnaDa|_UJP1$gUidyFHM&tA`}P& zAtK6JyEah^0Q2U}o3}EZSM~1I>lcX$AR3M0SbY@hzCH;>3VnO_z{nh6VjiOpd5C#2 z#9~ostznG;^Vzu$%hDLar_f)YMj#SKWz50qh71_XaeiwdiGD~>MY6zk?nuUB5y?pM9zTBk ztETPG2Wc)50YD^O<4(=+eg9C4?MXgO`|1#H>r@z{2>{4ZvqPZ}TjAwOIdB{o$x}u; zm~ApnrgUblJx3Snz<~qXqR}XPKc4vHWw;p8H5UVV7UEN6;addpk;%jt#)U~3%`%@8 zgg4iO@$UYE*mtN3yKEZ(z@1q!s05oa2GK|aT5D+Sqq@2pMASxW4LUcV_uRR2=kJ-Jl3eK$!bqGZ=H3R)Y8$YvrMl{U5q zw{PFx=nN|&I=T9-wWTE`CB-ErCB;J%rKF_fpPE-IzZdUML45GfeASbU~_hM_H+?AzOUi?K78N* z4Ks&~F;miXpdyi2%7|L~nT`|Ba~;>+2d(w_l-(?v z*+CGA)X&m7d7P79tz5P0u}~hgx{P_##rH7?Oixzbh!B%FQ#mq3qZVrdTb;j8HeBXoCev2Uj0F3cx;;grk?|T5? z<+X4B_X`)!Uu`YF>UlAU2r1>R3xz`QdxNBa|Ea8OXqTOx1prDph+2ygN3!sZAq>f4 zgxyT!lf}PhpM;xshCc2Ylx{zah+z~L6=Anzp(vp7`|R%^+&F(pH_$upywhg*@ZpC= z)G6;AmKc4>Yh!Wb0!AWtj z(QCZA7gn7>#4vhwD!?Aef+Ao>*6DLLx#m`tF(xV^a9uZ@kD2*KW6T+A4YbxHw`|$+ zD*#YLgsTfe*#xg z1fCG;qcH%$1}_U=*PcQ+9L7gSPhvw&7>X3k#oZwQZnU-NSa%esPMyN(a2Vn68Pqp4 z_@_^wZiqyqu}CBuYiNi@Z@A$GBO(WwdB0L>Z@Tga4I1>V=Xv9Nt@l}DKR4FiBO+w2 zt)w__HGpansTPrHrBsztYM)Z-OW&A%O^s=-KBBeWXN-S9YhB%xPDFC&op(N9tt}S8 za-~$2<2bcMbV?xWT-O~uY0{)yrcRye#pRg;%s9Zz)k-;^6VV=PxytjrYTx&(Mf3>( zc<{joSJu|nc61!)caGzJqLd0N<$kSwe;W~vtEi~x9SVgGheDxzfKEG(TODxS&9i6E z-rRJI05E&@?AMLa|LwYNH4&V#W5?#iV%`B?`_)RRgXz4_J@?#ao)^2<^J06o)`wZ- zkw(j{w6wInwYCaC$7J1^{La{R$D(RxzVrgfX~hM=InR<3_rlWvw4D2YKls+#hkvAuR$M?d`?_@9x^>$D zy!s<$&u@Kf__u`?pAtKc^DuzO50qPDjCt}0wr#~vg#QKf*2_tH