Handle exceptions and UI errors when user is read only. Some sync issues

2014-08-26 12:54:05 +02:00 · 2014-08-26 12:54:05 +02:00 · fd9d2ba4d5
commit fd9d2ba4d5
parent 75bc633a33
8 changed files with 70 additions and 27 deletions
--- a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java
+++ b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java
@ -311,8 +311,7 @@ public class LDAPFederationProvider implements UserFederationProvider {
                    currentUser.setLastName(picketlinkUser.getLastName());
                    logger.infof("Updated user from LDAP: " + currentUser.getUsername());
                } else {
-                    // TODO: We have local user of same username like LDAP user, but not linked. What to do? Delete him and import again?
-                    throw new IllegalStateException("User " + username + " has invalid LDAP ID or doesn't have federation link");
+                    logger.warnf("User '%s' is not updated during sync as he is not linked to federation provider '%s'", username, fedModel.getDisplayName());
                }
            }
        }
--- a/federation/ldap/src/main/java/org/keycloak/federation/ldap/ReadonlyLDAPUserModelDelegate.java
+++ b/federation/ldap/src/main/java/org/keycloak/federation/ldap/ReadonlyLDAPUserModelDelegate.java
@ -1,6 +1,6 @@
 package org.keycloak.federation.ldap;

-import org.jboss.logging.Logger;
+import org.keycloak.models.ModelReadOnlyException;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.UserModelDelegate;
@ -10,7 +10,6 @@ import org.keycloak.models.utils.UserModelDelegate;
 * @version $Revision: 1 $
 */
 public class ReadonlyLDAPUserModelDelegate extends UserModelDelegate implements UserModel {
-    private static final Logger logger = Logger.getLogger(ReadonlyLDAPUserModelDelegate.class);

    protected LDAPFederationProvider provider;

@ -21,30 +20,30 @@ public class ReadonlyLDAPUserModelDelegate extends UserModelDelegate implements

    @Override
    public void setUsername(String username) {
-        throw new IllegalStateException("Federated storage is not writable");
+        throw new ModelReadOnlyException("Federated storage is not writable");
    }

    @Override
    public void setLastName(String lastName) {
-        throw new IllegalStateException("Federated storage is not writable");
+        throw new ModelReadOnlyException("Federated storage is not writable");
    }

    @Override
    public void setFirstName(String first) {
-        throw new IllegalStateException("Federated storage is not writable");
+        throw new ModelReadOnlyException("Federated storage is not writable");
    }

    @Override
    public void updateCredential(UserCredentialModel cred) {
        if (provider.getSupportedCredentialTypes(delegate).contains(cred.getType())) {
-            throw new IllegalStateException("Federated storage is not writable");
+            throw new ModelReadOnlyException("Federated storage is not writable");
        }
        delegate.updateCredential(cred);
    }

    @Override
    public void setEmail(String email) {
-        throw new IllegalStateException("Federated storage is not writable");
+        throw new ModelReadOnlyException("Federated storage is not writable");
    }

 }
--- a/forms/common-themes/src/main/resources/theme/account/base/messages/messages.properties
+++ b/forms/common-themes/src/main/resources/theme/account/base/messages/messages.properties
@ -19,6 +19,8 @@ missingTotp=Please specify authenticator code
 invalidPasswordExisting=Invalid existing password
 invalidPasswordConfirm=Password confirmation doesn't match
 invalidTotp=Invalid authenticator code
+readOnlyUser=You can't update your account as it is read only
+readOnlyPassword=You can't update your password as your account is read only

 successTotp=Google authenticator configured.
 successTotpRemoved=Google authenticator removed.
--- a/model/api/src/main/java/org/keycloak/models/ModelReadOnlyException.java
+++ b/model/api/src/main/java/org/keycloak/models/ModelReadOnlyException.java
@ -0,0 +1,22 @@
+package org.keycloak.models;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class ModelReadOnlyException extends ModelException {
+
+    public ModelReadOnlyException() {
+    }
+
+    public ModelReadOnlyException(String message) {
+        super(message);
+    }
+
+    public ModelReadOnlyException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public ModelReadOnlyException(Throwable cause) {
+        super(cause);
+    }
+}
--- a/services/src/main/java/org/keycloak/services/messages/Messages.java
+++ b/services/src/main/java/org/keycloak/services/messages/Messages.java
@ -37,6 +37,10 @@ public class Messages {

    public static final String INVALID_USER = "invalidUser";

+    public static final String READ_ONLY_USER = "readOnlyUser";
+
+    public static final String READ_ONLY_PASSWORD = "readOnlyPassword";
+
    public static final String MISSING_EMAIL = "missingEmail";

    public static final String MISSING_FIRST_NAME = "missingFirstName";
--- a/services/src/main/java/org/keycloak/services/resources/AccountService.java
+++ b/services/src/main/java/org/keycloak/services/resources/AccountService.java
@ -39,6 +39,7 @@ import org.keycloak.models.ClientModel;
 import org.keycloak.models.ClientSessionModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelReadOnlyException;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.SocialLinkModel;
 import org.keycloak.models.UserCredentialModel;
@ -342,6 +343,7 @@ public class AccountService {
            return account.setError(error).createResponse(AccountPages.ACCOUNT);
        }

+        try {
            user.setFirstName(formData.getFirst("firstName"));
            user.setLastName(formData.getFirst("lastName"));

@ -359,6 +361,10 @@ public class AccountService {
            }
            setReferrerOnPage();
            return account.setSuccess("accountUpdated").createResponse(AccountPages.ACCOUNT);
+        } catch (ModelReadOnlyException roe) {
+            setReferrerOnPage();
+            return account.setError(Messages.READ_ONLY_USER).createResponse(AccountPages.ACCOUNT);
+        }
    }

    @Path("totp-remove")
@ -510,6 +516,9 @@ public class AccountService {

        try {
            session.users().updateCredential(realm, user, UserCredentialModel.password(passwordNew));
+        } catch (ModelReadOnlyException mre) {
+            setReferrerOnPage();
+            return account.setError(Messages.READ_ONLY_PASSWORD).createResponse(AccountPages.PASSWORD);
        } catch (Exception ape) {
            logger.error("Failed to update password", ape);
            setReferrerOnPage();
--- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
@ -13,6 +13,7 @@ import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ModelDuplicateException;
+import org.keycloak.models.ModelReadOnlyException;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.SocialLinkModel;
@ -118,6 +119,8 @@ public class UsersResource {
            return Response.noContent().build();
        } catch (ModelDuplicateException e) {
            return Flows.errors().exists("User exists with same username or email");
+        } catch (ModelReadOnlyException re) {
+            return Flows.errors().exists("User is read only!");
        }
    }

@ -779,7 +782,11 @@ public class UsersResource {
        }

        UserCredentialModel cred = RepresentationToModel.convertCredential(pass);
+        try {
            session.users().updateCredential(realm, user, cred);
+        } catch (ModelReadOnlyException mre) {
+            throw new BadRequestException("Can't reset password as account is read only");
+        }
        if (pass.isTemporary()) user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
    }

--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/FederationProvidersIntegrationTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/FederationProvidersIntegrationTest.java
@ -14,6 +14,7 @@ import org.keycloak.federation.ldap.LDAPFederationProvider;
 import org.keycloak.federation.ldap.LDAPFederationProviderFactory;
 import org.keycloak.federation.ldap.LDAPUtils;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelReadOnlyException;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
@ -252,26 +253,26 @@ public class FederationProvidersIntegrationTest {
            try {
                user.setEmail("error@error.com");
                Assert.fail("should fail");
-            } catch (Exception e) {
+            } catch (ModelReadOnlyException e) {

            }
            try {
                user.setLastName("Berk");
                Assert.fail("should fail");
-            } catch (Exception e) {
+            } catch (ModelReadOnlyException e) {

            }
            try {
                user.setFirstName("Bilbo");
                Assert.fail("should fail");
-            } catch (Exception e) {
+            } catch (ModelReadOnlyException e) {

            }
            try {
                UserCredentialModel cred = UserCredentialModel.password("poop");
                user.updateCredential(cred);
                Assert.fail("should fail");
-            } catch (Exception e) {
+            } catch (ModelReadOnlyException e) {

            }
        } finally {