public void updateCredential(RealmModel realm, UserModel user, UserCredentialModel credential) {
if (credential.getType().equals(UserCredentialModel.PASSWORD)) {
if (realm.getPasswordPolicy() != null) {
PasswordPolicy.Error error =
realm.getPasswordPolicy().validate(user, credential.getValue());
if (error != null) throw new ModelException(error.getMessage(), error.getParameters());
}
}
user.updateCredential(credential);
}
/**
* Is the user configured to use this credential type
*
* @return
*/
public boolean configuredForCredentialType(String type, RealmModel realm, UserModel user) {
UserFederationProvider link = getFederationLink(realm, user);
if (link != null) {
Set<String> supportedCredentialTypes = link.getSupportedCredentialTypes(user);
if (supportedCredentialTypes.contains(type)) return true;
}
if (UserCredentialModel.isOtp(type)) {
if (!user.isOtpEnabled()) return false;
}
List<UserCredentialValueModel> creds = user.getCredentialsDirectly();
for (UserCredentialValueModel cred : creds) {
if (cred.getType().equals(type)) {
if (UserCredentialModel.isOtp(type)) {
OTPPolicy otpPolicy = realm.getOTPPolicy();
if (!cred.getAlgorithm().equals(otpPolicy.getAlgorithm())
|| cred.getDigits() != otpPolicy.getDigits()) {
return false;
}
if (type.equals(UserCredentialModel.TOTP) && cred.getPeriod() != otpPolicy.getPeriod()) {
return false;
}
}
return true;
}
}
return false;
}
@Override
public void preRemove(RealmModel realm, RoleModel role) {
for (UserFederationProviderModel federation : realm.getUserFederationProviders()) {
UserFederationProvider fed = getFederationProvider(federation);
fed.preRemove(realm, role);
}
session.userStorage().preRemove(realm, role);
}
protected UserFederationProvider getFederationLink(RealmModel realm, UserModel user) {
if (user.getFederationLink() == null) return null;
for (UserFederationProviderModel fed : realm.getUserFederationProviders()) {
if (fed.getId().equals(user.getFederationLink())) {
return getFederationProvider(fed);
}
}
return null;
}
@Override
public void config(
RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
UserModel user = appRealm.getUser("test-user@localhost");
ApplicationModel accountApp =
appRealm
.getApplicationNameMap()
.get(org.keycloak.models.Constants.ACCOUNT_APPLICATION);
for (String r : accountApp.getDefaultRoles()) {
accountApp.grantRole(user, accountApp.getRole(r));
}
UserModel user2 = appRealm.addUser("test-user-no-access@localhost");
user2.setEnabled(true);
UserCredentialModel creds = new UserCredentialModel();
creds.setType(CredentialRepresentation.PASSWORD);
creds.setValue("password");
appRealm.updateCredential(user2, creds);
}
protected UserModel registerWithFederation(RealmModel realm, UserModel user) {
for (UserFederationProviderModel federation : realm.getUserFederationProviders()) {
UserFederationProvider fed = getFederationProvider(federation);
if (fed.synchronizeRegistrations()) {
user.setFederationLink(federation.getId());
UserModel registered = fed.register(realm, user);
managedUsers.put(registered.getId(), registered);
return registered;
}
}
return user;
}
@Override
public UserModel getUserByEmail(String email, RealmModel realm) {
UserModel user = session.userStorage().getUserByEmail(email.toLowerCase(), realm);
if (user != null) {
user = validateAndProxyUser(realm, user);
if (user != null) return user;
}
for (UserFederationProviderModel federation : realm.getUserFederationProviders()) {
UserFederationProvider fed = getFederationProvider(federation);
user = fed.getUserByEmail(realm, email);
if (user != null) return user;
}
return user;
}
protected void deleteInvalidUser(RealmModel realm, UserModel user) {
KeycloakSession tx = session.getKeycloakSessionFactory().create();
try {
tx.getTransaction().begin();
RealmModel realmModel = tx.realms().getRealm(realm.getId());
if (realmModel == null) return;
UserModel deletedUser = tx.userStorage().getUserById(user.getId(), realmModel);
tx.userStorage().removeUser(realmModel, deletedUser);
logger.infof("Removed invalid user '%s'", user.getUsername());
tx.getTransaction().commit();
} finally {
tx.close();
}
}
public Set<RoleModel> getRealmScopeMappings() {
Set<RoleModel> roleMappings = getScopeMappings();
Set<RoleModel> appRoles = new HashSet<RoleModel>();
for (RoleModel role : roleMappings) {
RoleContainerModel container = role.getContainer();
if (container instanceof RealmModel) {
if (((RealmModel) container).getId().equals(cachedRealm.getId())) {
appRoles.add(role);
}
}
}
return appRoles;
}
@Override
public CredentialValidationOutput validCredentials(
RealmModel realm, UserCredentialModel... input) {
List<UserFederationProviderModel> fedProviderModels = realm.getUserFederationProviders();
List<UserFederationProvider> fedProviders = new ArrayList<UserFederationProvider>();
for (UserFederationProviderModel fedProviderModel : fedProviderModels) {
fedProviders.add(getFederationProvider(fedProviderModel));
}
CredentialValidationOutput result = null;
for (UserCredentialModel cred : input) {
UserFederationProvider providerSupportingCreds = null;
// Find first provider, which supports required credential type
for (UserFederationProvider fedProvider : fedProviders) {
if (fedProvider.getSupportedCredentialTypes().contains(cred.getType())) {
providerSupportingCreds = fedProvider;
break;
}
}
if (providerSupportingCreds == null) {
logger.warn("Don't have provider supporting credentials of type " + cred.getType());
return CredentialValidationOutput.failed();
}
logger.debug(
"Found provider ["
+ providerSupportingCreds
+ "] supporting credentials of type "
+ cred.getType());
CredentialValidationOutput currentResult =
providerSupportingCreds.validCredentials(realm, cred);
result = (result == null) ? currentResult : result.merge(currentResult);
}
// For now, validCredentials(realm, input) is not supported for local userProviders
return (result != null) ? result : CredentialValidationOutput.failed();
}
void federationLoad(RealmModel realm, Map<String, String> attributes) {
for (UserFederationProviderModel federation : realm.getUserFederationProviders()) {
UserFederationProvider fed = getFederationProvider(federation);
fed.searchByAttributes(attributes, realm, 30);
}
}
@Override
public void setClientId(String clientId) {
getDelegateForUpdate();
updated.setClientId(clientId);
cacheSession.registerRealmInvalidation(cachedRealm.getId());
}
