-
Notifications
You must be signed in to change notification settings - Fork 137
/
Copy pathLegacyProvider.java
170 lines (143 loc) · 6.36 KB
/
LegacyProvider.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
package com.danielfrak.code.keycloak.providers.rest;
import com.danielfrak.code.keycloak.providers.rest.remote.LegacyUser;
import com.danielfrak.code.keycloak.providers.rest.remote.LegacyUserService;
import com.danielfrak.code.keycloak.providers.rest.remote.UserModelFactory;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.policy.PasswordPolicyManagerProvider;
import org.keycloak.policy.PolicyError;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.UserLookupProvider;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Stream;
/**
* Provides legacy user migration functionality
*/
public class LegacyProvider implements UserStorageProvider,
UserLookupProvider,
CredentialInputUpdater,
CredentialInputValidator {
private static final Logger LOG = Logger.getLogger(LegacyProvider.class);
private static final Set<String> supportedCredentialTypes = Collections.singleton(PasswordCredentialModel.TYPE);
private final KeycloakSession session;
private final LegacyUserService legacyUserService;
private final UserModelFactory userModelFactory;
private final ComponentModel model;
public LegacyProvider(KeycloakSession session, LegacyUserService legacyUserService,
UserModelFactory userModelFactory, ComponentModel model) {
this.session = session;
this.legacyUserService = legacyUserService;
this.userModelFactory = userModelFactory;
this.model = model;
}
private UserModel getUserModel(RealmModel realm, String username, Supplier<Optional<LegacyUser>> user) {
return user.get()
.filter(u -> {
// Make sure we're not trying to migrate users if they have changed their username
boolean duplicate = userModelFactory.isDuplicateUserId(u, realm);
if (duplicate) {
LOG.warnf("User with the same user id already exists: %s", u.getId());
}
return !duplicate;
})
.map(u -> userModelFactory.create(u, realm))
.orElseGet(() -> {
LOG.warnf("User not found in external repository: %s", username);
return null;
});
}
@Override
public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput input) {
if (!supportsCredentialType(input.getType())) {
return false;
}
var userIdentifier = getUserIdentifier(userModel);
if (!legacyUserService.isPasswordValid(userIdentifier, input.getChallengeResponse())) {
return false;
}
if (passwordDoesNotBreakPolicy(realmModel, userModel, input.getChallengeResponse())) {
userModel.credentialManager().updateCredential(input);
} else {
addUpdatePasswordAction(userModel, userIdentifier);
}
return true;
}
private String getUserIdentifier(UserModel userModel) {
var userIdConfig = model.getConfig().getFirst(ConfigurationProperties.USE_USER_ID_FOR_CREDENTIAL_VERIFICATION);
var useUserId = Boolean.parseBoolean(userIdConfig);
return useUserId ? userModel.getId() : userModel.getUsername();
}
private boolean passwordDoesNotBreakPolicy(RealmModel realmModel, UserModel userModel, String password) {
PasswordPolicyManagerProvider passwordPolicyManagerProvider = session.getProvider(
PasswordPolicyManagerProvider.class);
PolicyError error = passwordPolicyManagerProvider
.validate(realmModel, userModel, password);
return error == null;
}
private void addUpdatePasswordAction(UserModel userModel, String userIdentifier) {
if (updatePasswordActionMissing(userModel)) {
LOG.infof("Could not use legacy password for user %s due to password policy." +
" Adding UPDATE_PASSWORD action.",
userIdentifier);
userModel.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
}
}
private boolean updatePasswordActionMissing(UserModel userModel) {
return userModel.getRequiredActionsStream()
.noneMatch(s -> s.contains(UserModel.RequiredAction.UPDATE_PASSWORD.name()));
}
@Override
public boolean supportsCredentialType(String s) {
return supportedCredentialTypes.contains(s);
}
@Override
public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String s) {
return false;
}
@Override
public void close() {
// Not needed
}
@Override
public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
severFederationLink(user);
return false;
}
private void severFederationLink(UserModel user) {
LOG.info("Severing federation link for " + user.getUsername());
String link = user.getFederationLink();
if (link != null && !link.isBlank()) {
user.setFederationLink(null);
}
}
@Override
public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) {
// Not needed
}
@Override
public Stream<String> getDisableableCredentialTypesStream(RealmModel realmModel, UserModel userModel) {
return Stream.empty();
}
@Override
public UserModel getUserById(RealmModel realmModel, String s) {
throw new UnsupportedOperationException("User lookup by id not implemented");
}
@Override
public UserModel getUserByUsername(RealmModel realmModel, String username) {
return getUserModel(realmModel, username, () -> legacyUserService.findByUsername(username));
}
@Override
public UserModel getUserByEmail(RealmModel realmModel, String email) {
return getUserModel(realmModel, email, () -> legacyUserService.findByEmail(email));
}
}