Handle exceptions and UI errors when user is read only. Some sync issues
This commit is contained in:
parent
75bc633a33
commit
fd9d2ba4d5
8 changed files with 70 additions and 27 deletions
|
@ -311,8 +311,7 @@ public class LDAPFederationProvider implements UserFederationProvider {
|
|||
currentUser.setLastName(picketlinkUser.getLastName());
|
||||
logger.infof("Updated user from LDAP: " + currentUser.getUsername());
|
||||
} else {
|
||||
// TODO: We have local user of same username like LDAP user, but not linked. What to do? Delete him and import again?
|
||||
throw new IllegalStateException("User " + username + " has invalid LDAP ID or doesn't have federation link");
|
||||
logger.warnf("User '%s' is not updated during sync as he is not linked to federation provider '%s'", username, fedModel.getDisplayName());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
package org.keycloak.federation.ldap;
|
||||
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.models.ModelReadOnlyException;
|
||||
import org.keycloak.models.UserCredentialModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.utils.UserModelDelegate;
|
||||
|
@ -10,7 +10,6 @@ import org.keycloak.models.utils.UserModelDelegate;
|
|||
* @version $Revision: 1 $
|
||||
*/
|
||||
public class ReadonlyLDAPUserModelDelegate extends UserModelDelegate implements UserModel {
|
||||
private static final Logger logger = Logger.getLogger(ReadonlyLDAPUserModelDelegate.class);
|
||||
|
||||
protected LDAPFederationProvider provider;
|
||||
|
||||
|
@ -21,30 +20,30 @@ public class ReadonlyLDAPUserModelDelegate extends UserModelDelegate implements
|
|||
|
||||
@Override
|
||||
public void setUsername(String username) {
|
||||
throw new IllegalStateException("Federated storage is not writable");
|
||||
throw new ModelReadOnlyException("Federated storage is not writable");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setLastName(String lastName) {
|
||||
throw new IllegalStateException("Federated storage is not writable");
|
||||
throw new ModelReadOnlyException("Federated storage is not writable");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setFirstName(String first) {
|
||||
throw new IllegalStateException("Federated storage is not writable");
|
||||
throw new ModelReadOnlyException("Federated storage is not writable");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void updateCredential(UserCredentialModel cred) {
|
||||
if (provider.getSupportedCredentialTypes(delegate).contains(cred.getType())) {
|
||||
throw new IllegalStateException("Federated storage is not writable");
|
||||
throw new ModelReadOnlyException("Federated storage is not writable");
|
||||
}
|
||||
delegate.updateCredential(cred);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setEmail(String email) {
|
||||
throw new IllegalStateException("Federated storage is not writable");
|
||||
throw new ModelReadOnlyException("Federated storage is not writable");
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -19,6 +19,8 @@ missingTotp=Please specify authenticator code
|
|||
invalidPasswordExisting=Invalid existing password
|
||||
invalidPasswordConfirm=Password confirmation doesn't match
|
||||
invalidTotp=Invalid authenticator code
|
||||
readOnlyUser=You can't update your account as it is read only
|
||||
readOnlyPassword=You can't update your password as your account is read only
|
||||
|
||||
successTotp=Google authenticator configured.
|
||||
successTotpRemoved=Google authenticator removed.
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
package org.keycloak.models;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||
*/
|
||||
public class ModelReadOnlyException extends ModelException {
|
||||
|
||||
public ModelReadOnlyException() {
|
||||
}
|
||||
|
||||
public ModelReadOnlyException(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
public ModelReadOnlyException(String message, Throwable cause) {
|
||||
super(message, cause);
|
||||
}
|
||||
|
||||
public ModelReadOnlyException(Throwable cause) {
|
||||
super(cause);
|
||||
}
|
||||
}
|
|
@ -37,6 +37,10 @@ public class Messages {
|
|||
|
||||
public static final String INVALID_USER = "invalidUser";
|
||||
|
||||
public static final String READ_ONLY_USER = "readOnlyUser";
|
||||
|
||||
public static final String READ_ONLY_PASSWORD = "readOnlyPassword";
|
||||
|
||||
public static final String MISSING_EMAIL = "missingEmail";
|
||||
|
||||
public static final String MISSING_FIRST_NAME = "missingFirstName";
|
||||
|
|
|
@ -39,6 +39,7 @@ import org.keycloak.models.ClientModel;
|
|||
import org.keycloak.models.ClientSessionModel;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.ModelReadOnlyException;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.SocialLinkModel;
|
||||
import org.keycloak.models.UserCredentialModel;
|
||||
|
@ -342,23 +343,28 @@ public class AccountService {
|
|||
return account.setError(error).createResponse(AccountPages.ACCOUNT);
|
||||
}
|
||||
|
||||
user.setFirstName(formData.getFirst("firstName"));
|
||||
user.setLastName(formData.getFirst("lastName"));
|
||||
try {
|
||||
user.setFirstName(formData.getFirst("firstName"));
|
||||
user.setLastName(formData.getFirst("lastName"));
|
||||
|
||||
String email = formData.getFirst("email");
|
||||
String oldEmail = user.getEmail();
|
||||
boolean emailChanged = oldEmail != null ? !oldEmail.equals(email) : email != null;
|
||||
String email = formData.getFirst("email");
|
||||
String oldEmail = user.getEmail();
|
||||
boolean emailChanged = oldEmail != null ? !oldEmail.equals(email) : email != null;
|
||||
|
||||
user.setEmail(formData.getFirst("email"));
|
||||
user.setEmail(formData.getFirst("email"));
|
||||
|
||||
audit.event(EventType.UPDATE_PROFILE).client(auth.getClient()).user(auth.getUser()).success();
|
||||
audit.event(EventType.UPDATE_PROFILE).client(auth.getClient()).user(auth.getUser()).success();
|
||||
|
||||
if (emailChanged) {
|
||||
user.setEmailVerified(false);
|
||||
audit.clone().event(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, oldEmail).detail(Details.UPDATED_EMAIL, email).success();
|
||||
if (emailChanged) {
|
||||
user.setEmailVerified(false);
|
||||
audit.clone().event(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, oldEmail).detail(Details.UPDATED_EMAIL, email).success();
|
||||
}
|
||||
setReferrerOnPage();
|
||||
return account.setSuccess("accountUpdated").createResponse(AccountPages.ACCOUNT);
|
||||
} catch (ModelReadOnlyException roe) {
|
||||
setReferrerOnPage();
|
||||
return account.setError(Messages.READ_ONLY_USER).createResponse(AccountPages.ACCOUNT);
|
||||
}
|
||||
setReferrerOnPage();
|
||||
return account.setSuccess("accountUpdated").createResponse(AccountPages.ACCOUNT);
|
||||
}
|
||||
|
||||
@Path("totp-remove")
|
||||
|
@ -510,7 +516,10 @@ public class AccountService {
|
|||
|
||||
try {
|
||||
session.users().updateCredential(realm, user, UserCredentialModel.password(passwordNew));
|
||||
} catch (Exception ape) {
|
||||
} catch (ModelReadOnlyException mre) {
|
||||
setReferrerOnPage();
|
||||
return account.setError(Messages.READ_ONLY_PASSWORD).createResponse(AccountPages.PASSWORD);
|
||||
} catch (Exception ape) {
|
||||
logger.error("Failed to update password", ape);
|
||||
setReferrerOnPage();
|
||||
return account.setError(ape.getMessage()).createResponse(AccountPages.PASSWORD);
|
||||
|
|
|
@ -13,6 +13,7 @@ import org.keycloak.models.ClientModel;
|
|||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.ModelDuplicateException;
|
||||
import org.keycloak.models.ModelReadOnlyException;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.RoleModel;
|
||||
import org.keycloak.models.SocialLinkModel;
|
||||
|
@ -118,6 +119,8 @@ public class UsersResource {
|
|||
return Response.noContent().build();
|
||||
} catch (ModelDuplicateException e) {
|
||||
return Flows.errors().exists("User exists with same username or email");
|
||||
} catch (ModelReadOnlyException re) {
|
||||
return Flows.errors().exists("User is read only!");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -779,7 +782,11 @@ public class UsersResource {
|
|||
}
|
||||
|
||||
UserCredentialModel cred = RepresentationToModel.convertCredential(pass);
|
||||
session.users().updateCredential(realm, user, cred);
|
||||
try {
|
||||
session.users().updateCredential(realm, user, cred);
|
||||
} catch (ModelReadOnlyException mre) {
|
||||
throw new BadRequestException("Can't reset password as account is read only");
|
||||
}
|
||||
if (pass.isTemporary()) user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
|
||||
}
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@ import org.keycloak.federation.ldap.LDAPFederationProvider;
|
|||
import org.keycloak.federation.ldap.LDAPFederationProviderFactory;
|
||||
import org.keycloak.federation.ldap.LDAPUtils;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.ModelReadOnlyException;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.UserCredentialModel;
|
||||
import org.keycloak.models.UserCredentialValueModel;
|
||||
|
@ -252,26 +253,26 @@ public class FederationProvidersIntegrationTest {
|
|||
try {
|
||||
user.setEmail("error@error.com");
|
||||
Assert.fail("should fail");
|
||||
} catch (Exception e) {
|
||||
} catch (ModelReadOnlyException e) {
|
||||
|
||||
}
|
||||
try {
|
||||
user.setLastName("Berk");
|
||||
Assert.fail("should fail");
|
||||
} catch (Exception e) {
|
||||
} catch (ModelReadOnlyException e) {
|
||||
|
||||
}
|
||||
try {
|
||||
user.setFirstName("Bilbo");
|
||||
Assert.fail("should fail");
|
||||
} catch (Exception e) {
|
||||
} catch (ModelReadOnlyException e) {
|
||||
|
||||
}
|
||||
try {
|
||||
UserCredentialModel cred = UserCredentialModel.password("poop");
|
||||
user.updateCredential(cred);
|
||||
Assert.fail("should fail");
|
||||
} catch (Exception e) {
|
||||
} catch (ModelReadOnlyException e) {
|
||||
|
||||
}
|
||||
} finally {
|
||||
|
|
Loading…
Reference in a new issue