/** * Called after successful kerberos authentication * * @param realm realm * @param username username without realm prefix * @return finded or newly created user */ protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, String username) { UserModel user = session.userStorage().getUserByUsername(username, realm); if (user != null) { logger.debugf("Kerberos authenticated user [%s] found in Keycloak storage", username); if (!model.getId().equals(user.getFederationLink())) { logger.warnf( "User with username [%s] already exists, but is not linked to provider [%s]", username, model.getDisplayName()); return null; } else { LDAPObject ldapObject = loadAndValidateUser(realm, user); if (ldapObject != null) { return proxy(realm, user, ldapObject); } else { logger.warnf( "User with username [%s] aready exists and is linked to provider [%s] but is not valid. Stale LDAP_ID on local user is: %s", username, model.getDisplayName(), user.getFirstAttribute(LDAPConstants.LDAP_ID)); logger.warn("Will re-create user"); session.userStorage().removeUser(realm, user); } } } // Creating user to local storage logger.debugf( "Kerberos authenticated user [%s] not in Keycloak storage. Creating him", username); return getUserByUsername(realm, username); }
protected UserModel importUserFromLDAP( KeycloakSession session, RealmModel realm, LDAPObject ldapUser) { String ldapUsername = LDAPUtils.getUsername(ldapUser, ldapIdentityStore.getConfig()); LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig()); UserModel imported = session.userStorage().addUser(realm, ldapUsername); imported.setEnabled(true); Set<UserFederationMapperModel> federationMappers = realm.getUserFederationMappersByFederationProvider(getModel().getId()); for (UserFederationMapperModel mapperModel : federationMappers) { if (logger.isTraceEnabled()) { logger.tracef("Using mapper %s during import user from LDAP", mapperModel); } LDAPFederationMapper ldapMapper = getMapper(mapperModel); ldapMapper.onImportUserFromLDAP(mapperModel, this, ldapUser, imported, realm, true); } String userDN = ldapUser.getDn().toString(); imported.setFederationLink(model.getId()); imported.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid()); imported.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, userDN); logger.debugf( "Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", imported.getUsername(), imported.getEmail(), ldapUser.getUuid(), userDN); return proxy(realm, imported, ldapUser); }
protected void removeAllUsers() { KeycloakRule keycloakRule = getKeycloakRule(); KeycloakSession session = keycloakRule.startSession(); try { RealmManager manager = new RealmManager(session); RealmModel appRealm = manager.getRealm("test"); List<UserModel> users = session.userStorage().getUsers(appRealm, true); for (UserModel user : users) { if (!user.getUsername().equals(AssertEvents.DEFAULT_USERNAME)) { session.userStorage().removeUser(appRealm, user); } } Assert.assertEquals(1, session.userStorage().getUsers(appRealm, true).size()); } finally { keycloakRule.stopSession(session, true); } }
/** * Update the top-level information of the realm * * <p>Any user, roles or client information in the representation will be ignored. This will only * update top-level attributes of the realm. * * @param rep * @return */ @PUT @Consumes(MediaType.APPLICATION_JSON) public Response updateRealm(final RealmRepresentation rep) { auth.requireManage(); logger.debug("updating realm: " + realm.getName()); try { RepresentationToModel.updateRealm(rep, realm); if (rep.isRealmCacheEnabled() != null && session.realms() instanceof CacheRealmProvider) { CacheRealmProvider cacheRealmProvider = (CacheRealmProvider) session.realms(); cacheRealmProvider.setEnabled(rep.isRealmCacheEnabled()); } if (rep.isUserCacheEnabled() != null && session.userStorage() instanceof CacheUserProvider) { CacheUserProvider cache = (CacheUserProvider) session.userStorage(); cache.setEnabled(rep.isUserCacheEnabled()); } // Refresh periodic sync tasks for configured federationProviders List<UserFederationProviderModel> federationProviders = realm.getUserFederationProviders(); UsersSyncManager usersSyncManager = new UsersSyncManager(); for (final UserFederationProviderModel fedProvider : federationProviders) { usersSyncManager.refreshPeriodicSyncForProvider( session.getKeycloakSessionFactory(), session.getProvider(TimerProvider.class), fedProvider, realm.getId()); } adminEvent.operation(OperationType.UPDATE).representation(rep).success(); return Response.noContent().build(); } catch (PatternSyntaxException e) { return ErrorResponse.error( "Specified regex pattern(s) is invalid.", Response.Status.BAD_REQUEST); } catch (ModelDuplicateException e) { throw e; } catch (Exception e) { logger.error(e); return ErrorResponse.error( "Failed to update " + rep.getRealm() + " Realm.", Response.Status.INTERNAL_SERVER_ERROR); } }
public static UserModel addLocalUser( KeycloakSession session, RealmModel realm, String username, String email, String password) { UserModel user = session.userStorage().addUser(realm, username); user.setEmail(email); user.setEnabled(true); UserCredentialModel creds = new UserCredentialModel(); creds.setType(CredentialRepresentation.PASSWORD); creds.setValue(password); session.userCredentialManager().updateCredential(realm, user, creds); return user; }
/** * Get the top-level representation of the realm * * <p>It will not include nested information like User and Client representations. * * @return */ @GET @NoCache @Produces(MediaType.APPLICATION_JSON) public RealmRepresentation getRealm() { if (auth.hasView()) { RealmRepresentation rep = ModelToRepresentation.toRepresentation(realm, false); if (session.realms() instanceof CacheRealmProvider) { CacheRealmProvider cacheRealmProvider = (CacheRealmProvider) session.realms(); rep.setRealmCacheEnabled(cacheRealmProvider.isEnabled()); } if (session.userStorage() instanceof CacheUserProvider) { CacheUserProvider cache = (CacheUserProvider) session.userStorage(); rep.setUserCacheEnabled(cache.isEnabled()); } return rep; } else { auth.requireAny(); RealmRepresentation rep = new RealmRepresentation(); rep.setRealm(realm.getName()); return rep; } }
@Override public List<UserModel> searchByAttributes( Map<String, String> attributes, RealmModel realm, int maxResults) { List<UserModel> searchResults = new LinkedList<UserModel>(); List<LDAPObject> ldapUsers = searchLDAP(realm, attributes, maxResults); for (LDAPObject ldapUser : ldapUsers) { String ldapUsername = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig()); if (session.userStorage().getUserByUsername(ldapUsername, realm) == null) { UserModel imported = importUserFromLDAP(session, realm, ldapUser); searchResults.add(imported); } } return searchResults; }
@Override public UserModel getUserByEmail(RealmModel realm, String email) { LDAPObject ldapUser = queryByEmail(realm, email); if (ldapUser == null) { return null; } // Check here if user already exists String ldapUsername = LDAPUtils.getUsername(ldapUser, ldapIdentityStore.getConfig()); if (session.userStorage().getUserByUsername(ldapUsername, realm) != null) { throw new ModelDuplicateException( "User with username '" + ldapUsername + "' already exists in Keycloak. It conflicts with LDAP user with email '" + email + "'"); } return importUserFromLDAP(session, realm, ldapUser); }