Commit graph

2487 commits

Author SHA1 Message Date
Dimitri Papadopoulos Orfanos
64a145e960
Fix user-facing typos in error messages (#29326)
Update resource file and tests accordingly

Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
2024-05-16 09:55:41 +02:00
Stefan Guilhen
c4760b8188 Ensure that IDP's linked domains are remove when org is deleted or when the domain is removed from the org.
Closes #29481

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-14 15:39:18 -03:00
Martin Kanis
3985157f9f Make sure operations on a organization are based on realm they belong to
Closes #28841

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-14 10:47:39 -03:00
Pedro Igor
b4d231fd40 Fixing realm removal when removing groups and brokers associated with an organization
Closes #29495

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 14:29:27 +02:00
Alexander Schwartz
673e122443 Avoid sorting items returned from the database which are already stable
Closes #29319

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-13 16:15:38 +02:00
Alexander Schwartz
6cc8d653f3 Make SessionWrapper related fields immutable that are part of the equals method
The cache replace logic depends on it, as values returned by reference from a local cache must never be modified on those critical fields directly.

Closes #28906

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-13 09:59:50 +02:00
Pedro Igor
b50d481b10 Make sure organization groups can not be managed but when managing an organization
Closes #29431

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-10 21:28:11 -03:00
Stefan Guilhen
3186b6db8e Fix realm removal when orgs are enabled
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 17:23:08 -03:00
Stefan Guilhen
ceed7bc120 Add ability to search organizations by attribute
Closes #29411

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:45:41 -03:00
Alexander Schwartz
eaeffe95ac
Avoid conflicts when writing to session stores by checking for concurrent requests within the JVM (#29393)
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-05-09 08:24:43 +00:00
Pedro Ruivo
cbce548e71 Infinispan 15.0.3.Final
Closes #29068

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-05-08 17:18:39 +02:00
Martin Kanis
d4b7e1a7d9 Prevent to manage groups associated with organizations from different APIs
Closes #28734

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-07 11:16:40 -03:00
Stefan Guilhen
aa945d5636 Add description field to OrganizationEntity
Closes #29356

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-07 10:35:51 -03:00
Pedro Igor
c0325c9fdb Do not manage brokers through the Organization API
Closes #29268

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-07 09:15:25 -03:00
Alice W
584e92aaba Add support for organizational invites to new and existing users based on tokens
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-05-06 17:57:13 -03:00
Dimitri Papadopoulos Orfanos
cd8e0fd333
Fix user-facing typos in Javadoc (#28971)
Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-05-06 18:57:55 +00:00
Stefan Guilhen
dae1eada3d Add enabled field to OrganizationEntity
Closes #28891

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-06 14:46:56 -03:00
Pedro Ruivo
4c6f3ce35d Remove unused code from model/infinispan module
Closes #29137

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-05-06 18:53:23 +02:00
Pedro Ruivo
fe5bed6191
Retry fetching event from remote cache
Closes #28303

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-06 17:27:07 +02:00
Michal Hajas
128bba34d3 Remove PERSISTENT_USER_SESSIONS_No_CACHE feature
Closes #29264

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-05-06 08:53:39 +02:00
Michal Hajas
8b715d3a31 Do not use LastSessionRefreshPersister with persistent user sessions enabled
Closes #29144

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-05-06 08:49:48 +02:00
Pedro Igor
32d25f43d0 Support for mutiple identity providers
Closes #28840

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-04 16:19:27 +02:00
Pedro Ruivo
82a959fa78 Remove WildFly Clustering Marshaller
Closes #29135

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-05-03 12:31:47 +02:00
Alexander Schwartz
05b6f897ce
Execute persistent sessions tests in CI and fix deadlock (#29236)
* Execute persistent sessions tests in CI and fix deadlock in UserSessionConcurrencyTest 
The deadlock was caused by a switch to reactive handling of embedded Infinispan updates introduced here #28862
Closes #29235

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-03 10:42:34 +02:00
Michal Hajas
e93b7d4f3a
Use computeIfPresent also for Persistent sessions
Follow-up-on #29073

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-05-02 16:43:54 +00:00
Stefan Guilhen
45e5e6cbbf Introduce filtered (and paginated) search for organization members
Closes #28844

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-02 11:25:43 -03:00
Michal Hajas
4c17c6107e Merge offline and online sessions transactions
Closes #29139
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-04-30 18:03:17 +02:00
Michal Hajas
7c427e8d38 Remove offline sessions timeouts adjusters as with persistent session we have bounded caches and it is no longer necessary to adjust time in caches
Closes #29140
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-04-30 18:03:17 +02:00
Alexander Schwartz
d69872fa11
Batch writes originating from logins/logouts for persistent sessions
All writes for the sessions are handled by a background thread which batches them.

Closes #28862

Wait for persistent-store to contain update
instead of cache which has the change immediately since it is in memory + introduce new model-test profile

Closes #29141

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-04-30 14:07:35 +02:00
Pedro Igor
51352622aa Allow adding realm users as an organization member
Closes #29023

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-29 08:37:47 -03:00
Pedro Ruivo
17a700b6b9 Use cache.compute() method to improve the replace retry loop
Closes #29073

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-29 12:24:33 +02:00
Stefan Guilhen
bfabc291cc 28843 - Introduce filtered (and paginated) searches for organizations
Closes #28843

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-25 12:38:20 -03:00
vramik
c56f062416 Typo in Organization table
Closes #29054

Signed-off-by: vramik <vramik@redhat.com>
2024-04-24 11:23:44 -03:00
vramik
d65649d5c0 Make sure organization are only manageable by the admin users with the manage-realm role
Closes #28733

Signed-off-by: vramik <vramik@redhat.com>
2024-04-23 12:16:57 -03:00
Tero Saarni
64862d568e Convert database errors to 500 instead of 400.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2024-04-22 11:42:18 -03:00
Stefan Guilhen
f1532565b6 Don't use no-arg version of GroupModel.getSubGroupsStream() when fetching the subgroups from the GroupResource endpoint.
- prevents pre-loading all groups; instead use the stream from the JPA adapter to load subgroups one by one and then filter based on the user permissions.

Closes #28935

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-22 11:27:29 -03:00
Stefan Guilhen
8ca4bc77a1 Improve the performance of the queries used to find granted resources
- simplifies the queries to avoid unnecessary join
- creates two new indexes to speed up search time

Closes #28861

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-22 11:26:06 -03:00
Pedro Ruivo
3de5357091 CLI options to disable encryption and authentication to external Infinispan
Closes #28750

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-20 18:30:24 +02:00
Pedro Ruivo
3e0a185070 Remove deprecated EnvironmentDependentProviderFactory.isSupported method
Closes #26280

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-19 16:36:49 +02:00
mposolda
c427e65354 Secondary factor bypass in step-up authentication
closes #34

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)
2024-04-19 14:43:53 +02:00
Joerg Matysiak
76a5a27082 Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it
Don't mask secrets at realm export

Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
7483bae130 Make sure admin events are not referencing sensitive data from their representation
Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
1e3837421e Organization member onboarding using the organization identity provider
Closes #28273

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-17 07:24:01 -03:00
Alexander Schwartz
13af4f44f5
Defer updates of last session updates and batch them (#28502)
Defer updates of last session refreshes and batch them

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-04-17 09:25:05 +02:00
Martin Kanis
f764a9cb4a NPE when listing sessions in UI if associated user is gone
Closes #28801

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-04-16 11:53:36 -03:00
Pedro Ruivo
2494ad6950 Refactor and remove deprecated Infinispan methods from DefaultInfinispanConnectionProviderFactory
Closes #28752

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-16 10:51:57 +02:00
Stefan Guilhen
2ab8bf852d Add validation for the organization's internet domains.
Closes #28634

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-15 09:03:52 -03:00
Alexander Schwartz
004f419fd0 Leave a tombstone after the deletion of a cache entry
This captures the scenario of multiple deletion calls in the current session.

Closes #28672

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-12 17:00:19 +02:00
Pedro Igor
61b1eec504 Prevent members with an email other than the domain set to an organization
Closes #28644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-12 08:33:18 -03:00
Alexander Schwartz
b4cfebd8d5
Persistent sessions code also for offline sessions (#28319)
Persistent sessions code also for offline sessions

Closes #28318

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-12 13:15:02 +02:00
rmartinc
6d74e6b289 Escape slashes in full group path representation but disabled by default
Closes #23900

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 10:53:39 +02:00
Douglas Palmer
69ba92808d DefaultBruteForceProtector leverages a single thread to write success/failed events
Closes #14084

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-12 09:53:40 +02:00
Pedro Igor
8f8094408e Encapsulate the logic to set attributes into the domain model
Closes #28646

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-11 15:32:21 -03:00
ali_dandach
eb77220cca
Fix string comparison for action
Closes #28628

Signed-off-by: ali dandach <alidandach1995@gmail.com>
2024-04-11 17:59:57 +02:00
tqe1999
6e0fc8a774
fix integer overflow with explicit cast
Closes #28564

Signed-off-by: tqe1999 <tqe1999@gmail.com>
2024-04-11 10:58:44 +02:00
Stefan Guilhen
9a466f90ab Add ability to set one or more internet domain to an organization.
Closed #28274

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-10 13:18:12 -03:00
vramik
00ce3e34bd Manage a single identity provider for an organization
Closes #28272

Signed-off-by: vramik <vramik@redhat.com>
2024-04-10 09:47:51 -03:00
Martin Kanis
51fa054ba7 Manage organization attributes
Closes #28253

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-04-10 09:10:49 -03:00
Michal Hajas
1bb5e14134 Use ReentrantLock instead of synchronized to avoid thread pinning
+ since the runSerialized mechanism is currently on the best effort basis it is possible there are concurrent executions if T1 obtained a lock T2 removed the lock and T3 created a new lock before T1 called putIfAbsent therefore I added a debug log detecting this situation

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-04-09 14:55:21 +02:00
Alexander Schwartz
355901dfd8 Add a back-off period when replacing cache entries fails
Closes #28388

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-09 14:55:21 +02:00
Alexander Schwartz
63e7523a6d Avoid unnecessary updates to the sessions during refreshes of tokens
Closes #28388

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-09 14:55:21 +02:00
Alexander Schwartz
dc18bd4efb Avoid conflicts when writing to session stores by checking for concurrent requests within the JVM
Closes #28388

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-09 14:55:21 +02:00
Stijn Last
e9498079e0 LDAP: Show error message when groups synchronization fails
closes: #28436
Signed-off-by: Stijn Last <stijn.last@barco.com>
2024-04-09 09:10:19 -03:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user
Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-08 09:05:16 -03:00
Garth
16770ffad8 updated organization table name to not conflict. fixes #28246
Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
2024-04-03 17:57:26 -03:00
Pedro Igor
fefeb83588 Changes the contract to make it simpler and rely on the realm available from the current session
Closes #28403

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-03 14:45:31 +02:00
Giuseppe Graziano
fe06df67c2 New default client scope for 'basic' claims with 'auth_time' protocol mapper
Closes #27623

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-02 08:44:28 +02:00
Alexander Schwartz
c580c88c93
Persist online sessions to the database (#27977)
Adding two feature toggles for new code paths to store online sessions in the existing offline sessions table. Separate the code which is due to be changed in the next iteration in new classes/providers which used instead of the old one.

Closes #27976

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-03-28 09:17:07 +01:00
vramik
fa1571f231 Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member
Closes #27993

Signed-off-by: vramik <vramik@redhat.com>
2024-03-26 14:02:09 -03:00
rmartinc
220564c7ba ORA-01450 error for index IDX_CLIENT_ATT_BY_NAME_VALUE in oracle when MAX_STRING_SIZE is EXTENDED
Closes #27967

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-22 08:48:01 -03:00
Steven Hawkins
35b9d8aa49
task: remove usage of resteasy-core-spi (#27387)
closes: #27242

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-21 15:28:34 +01:00
synth3
99478887a4 Remove custom Hibernate dialect detection
Closes #27954

Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>
2024-03-21 14:27:19 +01:00
Pedro Igor
32541f19a3 Allow managing members for an organization
Closes #27934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-21 10:26:30 -03:00
Sebastian Schuster
0542554984 12671 querying by user attribute no longer forces case insensitivity for keys
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
2024-03-21 08:35:29 -03:00
Konstantinos Georgilakis
4bca804d5a Correct unique constraints for UserConsent entity
Closes #13045

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-03-19 22:16:42 +01:00
Alexander Schwartz
62d24216e3 Remove offline session preloading
Closes #27602

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-15 15:19:27 +01:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
2024-03-15 11:06:43 -03:00
Stefan Guilhen
0e717f735e
Add realm to session context when exporting to prevent NPE when vault is enabled. (#27911)
Closes #22617

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-03-15 12:24:22 +01:00
Stefan Guilhen
970a78fe7a Set correct version for the federated user terms and conditions migration
Closes #27228

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-03-13 18:03:41 -03:00
PetkoNosal
3989cb5e90
Fix missing log argument in MigrateTo24_0_0
Closes #27779

Signed-off-by: Nosal, Peter (pn1895) <pn1895@att.com>
Co-authored-by: Nosal, Peter (pn1895) <pn1895@att.com>
2024-03-13 16:36:27 +00:00
Pedro Igor
9ad447390a Only remove attributes with empty values when updating user profile
Closes #27797

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-13 15:03:08 +01:00
Alexander Schwartz
f168b8cce9 Avoid invalidating the cache if removing an entry doesn't exist
Closes #27852

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-13 13:36:07 +01:00
Stefan Guilhen
1099f03fe6 Add migration for terms and conditions required action in FED_USER_REQUIRED_ACTION table
Closes #27228

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-03-13 08:43:11 -03:00
Pedro Igor
1e48cce3ae Make sure empty configuration resolves to the system default configuration
Closes #27611

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-11 09:01:38 -03:00
Alexander Schwartz
050acf0d94
Map Storage Removal: Remove deprecated model/legacy module (#27601)
Closes #26657

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-08 15:17:24 +00:00
Steve Hawkins
4091baf4c2 fix: accounting for the possibility of null flows from existing realms
closes: #23980

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-08 14:25:23 +01:00
rmartinc
ea4155bbcd Remove recursively when deleting an authentication executor
Closes #24795

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 14:43:23 +01:00
vramik
4fc7e3d607 Map Store Removal: Remove unnecessary check in Jpa Connection Provider
Closes #26406

Signed-off-by: vramik <vramik@redhat.com>
2024-03-04 14:00:54 +01:00
vramik
7adcc98c6c Map Store Removal: Remove obsolete KeycloakModelUtils.isRealmProviderJpa method
Closes #27445

Signed-off-by: vramik <vramik@redhat.com>
2024-03-04 12:22:04 +01:00
Steven Hawkins
8d9439913c
fix: removal of resteasy-core (#27032)
* fix: partial removal of resteasy-core

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* fix: fully removing resteasy-core

closes: #26315

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-29 11:43:13 +00:00
Pedro Igor
326d63ce74 Make sure group searches are cached and entries invalidate accordingly
Closes #26983

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-29 05:06:36 +09:00
Vlasta Ramik
ade3b31a91
Introduce new CLI config options for Infinispan remote store
Closes #25676

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-28 15:49:19 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-02-28 16:17:51 +01:00
rmartinc
2bd9f09e29 Re-index CLIENT_ATTRIBUTES using name and value
Closes #26618

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-28 11:07:03 +01:00
Alexander Schwartz
ee3a4a6e4f
Set expiry and maxidle when loading entries from the remote store (#26942)
Closes #26941

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-02-27 17:56:17 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Vlasta Ramik
76453550a5
User attribute value length extension
Closes #9758

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-02-16 08:09:34 +01:00
Michal Hajas
f7f7f1bd10 Add caching for subGroupsCount
Closes #25731

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-15 19:46:04 +09:00
rmartinc
4ff4c3f897 Increase internal algorithm security using HS512 and 128 byte hmac keys
Closes #13080

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-15 08:16:45 +01:00
Alexander Schwartz
c7b51fc7f0
Use the appropriate database dialect to add quotes to the schema name (#26964)
Closes #25961

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-13 13:09:55 +01:00
Stefan Guilhen
2161e72872 Add migration for the useTruststoreSpi config property in LDAP user storage provider
- legacy `ldapsOnly` value now migrated to `always`.

Closes #25912

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-02-12 11:53:19 +01:00
Thomas Darimont
93fc6a6c54 Shorter lifespan for offline session cache entries in memory
Closes #26810

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-02-09 19:44:04 +01:00
Douglas Palmer
66f0d2ff1d blah
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-07 15:55:06 -03:00
Douglas Palmer
d9d41b1a09 Brute Force Detection is disabled when updating frontenUrl via admin client
Closes #21409

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-07 15:55:06 -03:00
Stian Thorgersen
3e08a1713b
Ignore empty attribute values when retriveing boolean/int/long (#26729) (#26737)
Resolves #26597, resolves #26665

Signed-off-by: stianst <stianst@gmail.com>
2024-02-06 15:29:34 +01:00
Stefan Guilhen
fbeba83b87 Upgrade liquibase to version 4.25.1
Closes #26570

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-02-05 19:07:25 +01:00
Michal Hajas
00742a62dd
Remove RealmModel from authorization services interfaces (#26708)
Closes #26530
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 16:51:32 +01:00
Thomas Darimont
277af021d7 Improve ScheduledTask task-name handling
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.

Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.

Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-02-02 09:57:03 -03:00
mposolda
cdc5d8fff8 Migrating Realm JSON with declarative user profile fails when scope selectors present on any attributes
closes #26266

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-01 09:54:09 +01:00
Martin Kanis
a3fcacdab7 Map Store Removal: deprecate model legacy module
Closes #26598

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-31 17:40:45 +01:00
Václav Muzikář
4096a2657e
Supported option to specify site name for multi-site deployments
Closes #26460

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-31 11:52:19 +00:00
Lex Cao
cf3f05a259
Skip grant role if exists for federated storage (#26508)
Closes #26507

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-26 17:08:47 +00:00
Martin Kanis
7797f778d1 Map Store Removal: Rename legacy modules
Closes #24107

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-25 16:29:16 +01:00
Martin Kanis
84603a9363
Map Store Removal: Rename Legacy* classes (#26273)
Closes #24105

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-23 13:50:31 +00:00
Alexander Schwartz
b9498b91cb
Deprecating the offline session preloading (#26160)
Closes #25300

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-16 09:29:01 +01:00
Alexander Schwartz
a8eca6add0
Changing to the Infinispan BOM to avoid mis-aligned Infinispan dependencies (#26137)
Closes #22922

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
2024-01-15 09:20:47 +01:00
mposolda
692aeee17d Enable user profile by default
closes #25151

Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-11 12:48:44 -03:00
Réda Housni Alaoui
98230aa372 Add federated identity ProviderEvent(s)
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-10 11:56:38 -03:00
Alexander Schwartz
01939bcf34
Remove concurrent loading of remote sessions as at startup time only one node is up anyway. (#25709)
Closes #22082

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Martin Kanis <martin-kanis@users.noreply.github.com>
2024-01-09 16:55:22 +01:00
atharva kshirsagar
d7542c9344 Fix for empty realm name issue
Throw ModelException if name is empty when creating/updating a realm

Closes #17449

Signed-off-by: atharva kshirsagar <atharva4894@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-05 14:23:42 +01:00
Réda Housni Alaoui
5287500703 @NoCache is not considered anymore
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-02 09:06:55 -03:00
Pedro Igor
810ebf4efd Migration steps for enabling user profile by default
Closes #25528

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-19 10:19:45 -03:00
Alexander Schwartz
9e4fc3f491 Keep workaround permanently for concurrent shutdowns of embedded Infinispan
Closes #9871

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-15 10:58:22 +01:00
Alexander Schwartz
e01827693a Avoid shutdown of Infinispan when using cache
Closes #24508

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-13 15:46:37 +01:00
Alexander Schwartz
a8cff72ed0
Avoid logged warning about objects not present in the cache for tasks (#25324)
Closes #25322

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-08 13:10:14 +01:00
Alexander Schwartz
5b1b3ca11b
Allow concurrent remote cache operations (#25390)
Closes #25388

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-08 10:07:25 +01:00
Pedro Igor
ab1173182c Make sure realm is available from session when migrating to 23
Closes #25183

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-06 07:42:54 -03:00
Alexander Schwartz
e4be3ed244
Prevent client cache stampede after invalidation of a client or on startup (#25217)
Closes #24202

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-05 16:01:37 +01:00
Michal Hajas
ec061e77ed
Remove GlobalLockProviderSpi (#25206)
Closes #24103

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-12-01 16:40:56 +00:00
vramik
587cef7de4 Delete Profile.Feature.MAP_STORAGE
Signed-off-by: vramik <vramik@redhat.com>

Closes #24102
2023-11-30 13:04:39 +01:00
rmartinc
16afecd6b4 Allow automatic download of SAML certificates in the identity provider
Closes https://github.com/keycloak/keycloak/issues/24424

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 18:03:31 +01:00
Michal Hajas
2b2207af93
Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled
Closes #25077

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-29 11:06:41 +00:00
Pedro Igor
2c611cb8fc User profile configuration scoped to user-federation provider
closes #23878

Co-Authored-By: mposolda <mposolda@gmail.com>

Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-27 14:45:44 +01:00
Sebastian Schuster
030f42ec83
More efficient listing of assigned and available client role mappings
Closes #23404

Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2023-11-22 14:10:11 +01:00
Alexander Schwartz
a45934a762 Disable cache store and load only if a remote store is used
Closes #10803
Closes #24766

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: daviddelannoy <16318239+daviddelannoy@users.noreply.github.com>
2023-11-20 18:50:02 +01:00
Douglas Palmer
f9665acc29 KeycloakErrorHandler NullPointerException String.toLowerCase() because message is null
Closes #22958
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2023-11-16 18:06:33 +01:00
Réda Housni Alaoui
3f014c7299
Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients (#21058)
closes #21010 

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2023-11-13 19:13:01 +01:00
vramik
926be135e8 Remove map related modules
Signed-off-by: vramik <vramik@redhat.com>

Closes #24100
2023-11-13 12:34:52 +01:00
Alexander Schwartz
26e2fde115
Avoid reseting cachemanger to null to avoid a re-initialization (#24086)
Also follow best practices of using volatile variables for double-locking, and not using shutdown caches.

Closes #24085
2023-11-08 11:33:44 -05:00
vramik
6fa26d7ff4 Delete map dependencies from dependency management
Closes #24101
2023-11-08 13:53:17 +01:00
vramik
593c14cd26 Data too long for column 'DETAILS_JSON'
Closes #17258
2023-11-02 20:29:35 +01:00
rokkiter
e1735138cb
clean util * (#24174)
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
2023-11-01 17:14:11 +01:00
ashwingroot
dee1cec290 fix to preload offline sessions faster
slow loading offline tokens during start up leads to connection timeout
closes #24295
2023-10-30 12:58:06 +01:00
Alice
69497382d8
Group scalability upgrades (#22700)
closes #22372 


Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
Hynek Mlnarik
c036980c37 Add TRANSIENT_USERS feature flag 2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e Support for transient sessions via lightweight users
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
2023-10-25 12:02:35 +02:00
Hynek Mlnarik
35a226f928 Expose InMemoryUserAdapter to services and model modules
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
2023-10-25 12:02:35 +02:00
Marek Posolda
1bd6aca629
Remove RegistrationProfile class and handle migration (#24215)
closes #24182


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-10-24 20:19:33 +02:00
Martin Kanis
10a2c96c72
Users in role Rest API returns empty when User federation used (#23318)
* Users in role Rest API returns empty when User federation used

Co-authored-by: Shankar Yadav <ET1024@neeyamoworks.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-24 11:10:20 -04:00
rmartinc
ad01ed1497 Do not reset the user profile configuration on disable
Closes https://github.com/keycloak/keycloak/issues/23527
2023-10-24 03:05:34 -07:00
Håvar Nøvik
bc55846809
Fixes a NullPointerException after import validation (#20151)
* Fixes a NullPointerException after import validation

If the import validation (when getting a user by email)
returns null, indicating that the user entity should be
removed from local storage, an email equality check results
in a NullPointerException.

This commit fixes this issue by explicitly checking for null.

Closes #20150

---------
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-23 17:19:25 -04:00
vramik
a0f04fa2be Declarative User Profile export
Closes #12062
Resolves #20885
2023-10-21 19:21:20 +02:00
JesseEstum
71777df3d9
Prevent stampede after realm cache invalidation
Closes #22988 

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-10-21 18:47:13 +02:00
Marek Posolda
829b7090fa
Avoid breaking change in UserSessionModel (#24134)
closes #24096


Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-20 18:06:07 +02:00
mposolda
04777299b0 After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly
closes #23880
2023-10-19 19:23:50 +02:00
Vlasta Ramik
f6d582c761
Import migration step for kc22
Closes #24031

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-10-19 09:00:49 +02:00
shigeyuki kabano
6112b25648 Enhancing Light Weight Token(#22148)
Closes #21183
2023-10-17 13:12:36 +02:00
Alice Wood
5a76ddfc2e Remove realm model storage from OAuth2DeviceConfig class to avoid persisting old session and entity manager in infinispan fixes keycloak/keycloak#23943 2023-10-16 16:18:31 +02:00
Lex Cao
eedc4ceb18 Fix unexpected expiration when import offline client session
Closes #23397
2023-10-13 15:45:07 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156)
Closes #23155
2023-10-13 15:25:10 +02:00
Steve Hawkins
7c6f173d3a adds the ability to set the default groups via kcadm
Closes #19125
2023-10-06 17:30:24 +02:00
Martin Kanis
0853d484ec
Remove transaction in InfinispanSingleUseObjectProvider#remove (#23708)
Co-authored-by: mposolda <mposolda@gmail.com>
2023-10-06 10:00:04 +02:00
vramik
7f2f4aae67 Upgrade liquibase version to avoid a bug where a changeset is executed twice
Closes #23220
2023-10-05 13:35:05 +02:00
Michal Hajas
496c5ad989 Use new findGroupByPath implementation and remove the old one
Closes #23344

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-09-25 10:44:24 +02:00
mkrueger92
498be3d928
Reuse already fixed code to fetch offline user (#22429)
The problem is again the wrap(...) function.
In case the user is not found, then null is
returned. This can happen when a federated user
is deleted on the federation side but Keycloak
is not informed about it. In that case, the
session is still present but no UserModel can
be created.

Without this patch the stream contains null
values. Some downstream users can not cope well
with that.

The adjustment of the function getUserSessionsCount(...)
is slightly more expensive in execution, but
returns the correct number.

Closes #22428

Co-authored-by: Martin Krüger <mkrueger@mkru.de>
2023-09-21 20:19:09 +00:00
Bernd Bohmann
bb2f59df87
Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted (#8430)
Closes #14820 
---------
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-09-20 17:20:43 +02:00
Pedro Igor
217a09ce46 Switch to Resteasy Reactive
Closes #10713
2023-09-18 09:19:03 -03:00
Alexander Schwartz
798846df6f
Remove legacy code which isn't used anymore and was deprecated for some time (#23264)
Closes #23263
2023-09-18 11:04:02 +02:00
Jacek Kowalski
f5182deb30
Fix valid redirect URIs for built-in account-console client on realm rename (#20894)
Closes #9541

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-09-13 15:28:07 +02:00
vramik
dc9970f578 Introduce a workaround for liquibase bug to allow use database schema with a dash in its name
Closes #20870
2023-09-12 17:21:43 +02:00
Peter Skopek
ef272f7668 SAML Adapter fix for EAP8 and WF29
Signed-off-by: Peter Skopek <pskopek@redhat.com>
2023-09-07 13:32:25 +02:00
Marek Posolda
6f989fc132
Fallback to next LDAP/Kerberos provider when not able to find authenticated Kerberos principal (#22531)
closes #22352 #9422
2023-08-29 11:21:01 +00:00
Alexander Schwartz
dfc8c80264
Upgrade to Infinispan 14.0.14 (#22386)
Closes #21092
2023-08-16 14:43:03 +02:00
Razvan Petrescu
6db0bc5428
KEYCLOAK-21868 (#22373)
Add the realm Id as a param to named query getGoupIdsByParent in order to use (or make better use of) the SIBLING_NAMES index on KEYCLOAK_GROUP table.
    
Closes #21868
2023-08-10 22:26:02 +00:00
Todor Staykovski
dffa7a31cb
Add subgroups sorting (#22295)
* Review comments to add a test, update the API description and adjust the map storage.

Closes #19348

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-08-07 21:18:09 +02:00
Alexander Schwartz
5f95929092
Prevent concurrent session cleanup on different instances in the cluster (#22199)
Closes #22198
2023-08-07 14:58:41 +02:00
Thomas Darimont
82269f789a Avoid using deprecated junit APIs in tests
- Replaced usage of Assert.assertThat with static import
- Replaced static import org.junit.Assert.assertThat with org.hamcrest.MatcherAssert.assertThat

Fixes: #22111
2023-08-01 11:44:25 +02:00
mposolda
6f6b5e8e84 Fix authenticatorConfig for javascript providers
Closes #20005
2023-07-31 19:28:25 +02:00
Alexander Schwartz
cf911075af
Re-adding Infinispan workarounds to prevent deadlocks (#22058)
Relates to #9871
Closes #22057
2023-07-31 10:37:28 +02:00
Vlasta Ramik
29b67fc8df
Inconsistent Wildcard handling for JPA (#21671)
* Inconsistent Wildcard handling for JPA

Closes #20610

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-07-27 17:03:22 +02:00
Alexander Schwartz
23f3a1a872
Prevent EntityNotFoundException when ID doesn't exist in the DB (#21867)
This makes the behavior consistent with the other store implementations.

Closes #21866
2023-07-25 13:43:38 +02:00
Alexander Schwartz
bd0f87fc4d
Remove Infinispan workarounds introduced to prevent deadlocks (#21862)
This should no longer be necessary after the upgrade to Infinispan 14.0.13.Final and ISPN-13666 being resolved.

Closes #9871
2023-07-24 09:50:32 +02:00
ali_dandach
ef19e08814
Fix String comparisona (#21752)
Closes #21773
2023-07-21 10:37:24 +02:00
todor
897965f604 KEYCLOAK-20343 Add message bundle to export/import
Closes #20343
2023-07-20 23:00:28 +02:00
vramik
2f5a96351d Introduce re-try mechanism when deserializing during import for map store
Closes #21824
2023-07-20 18:01:50 +02:00
William Burns
de04684dd0
Do not cache a session that is already expired in listener (#21684)
Fixes part of #20983
2023-07-18 12:04:04 +02:00
Alexander Schwartz
9b3effb4b8 Prevent cache stampede on realms
Closes #21521
2023-07-15 09:03:53 +02:00
Patrick Jennings
399a23bd56
Find an appropriate key based on the given KID and JWA (#21160)
* keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found.

Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication.

* Update js/apps/admin-ui/public/locales/en/clients.json

Co-authored-by: Marek Posolda <mposolda@gmail.com>

* Updating boolean variable name based on suggestions by Marek.

* Adding integration test specifically for the JWT parameters for regression #20847.

---------

Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-07-10 13:28:55 +02:00
Pedro Igor
bde57ca839 Ignoring artifacts when running re-aug to isolate the current and new stores
Closes #20974
2023-07-05 07:56:49 -03:00
Stijn Last
91e543f415
Improve error messages when testing LDAP connection (#21013)
Closes #15434
2023-07-01 19:45:49 +02:00
Hynek Mlnarik
c092c76ae8 Remove ldapsOnly (Java)
In `LDAPConstants.java`, the function to set the Truststore SPI system property was removed, as this is now handled by the `shouldUseTruststoreSpi` method in `LdapUtil`.

Closes: #9313
2023-06-28 08:30:09 +02:00
Martin Kanis
db9b6c2152 Make awaitInitialTransfer for ISPN configurable
Closes #16671
2023-06-27 14:04:03 +02:00
Gilvan Filho
2493f11331 count users by custom user attribute
closes #14747
2023-06-21 11:56:22 -03:00
Stian Thorgersen
f82577a7f3
Removed old account console (#21098)
Co-authored-by: Jon Koops <jonkoops@gmail.com>

Closes #9864
2023-06-20 20:46:57 +02:00
Alexander Schwartz
f0f664dbb5 Prevent NPE on close() if postInit() hasn't been called
Closes #20977
2023-06-14 10:50:12 +02:00
Alexander Schwartz
e410a76c42 Avoid caching the list of clientscopes in two places
Closes #20426

Co-authored-by: Martin Kanis <mkanis@redhat.com>
2023-06-13 21:33:21 +02:00
vramik
535bba5792 Update UserQueryProvider methods
Closes #20438
2023-06-12 16:04:26 +02:00
Arnaud Martin
ae5a47d548 Impossible to update a federated user credential label
Closes #16613
2023-06-12 15:39:52 +02:00
Vlasta Ramik
ed473da22b
Clean-up of deprecated methods and interfaces
Fixes #20877

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-06-09 17:11:20 +00:00