Use of org.keycloak.models.KeycloakSession in project keycloak by keycloak:
class MapClientScopeProvider, method removeClientScope.
/**
 * Removes the client scope identified by {@code id} from {@code realm}.
 * <p>
 * Before the scope is deleted from the store, the user store's {@code preRemove} hook is
 * invoked, the scope is dropped from the realm's default scopes, and a
 * {@link ClientScopeModel.ClientScopeRemovedEvent} is published. Note that the event is
 * published <em>before</em> {@code tx.delete(id)} runs.
 *
 * @param realm realm the scope belongs to
 * @param id    id of the scope to remove; {@code null} is tolerated
 * @return {@code true} if a scope was found and removed, {@code false} if {@code id} is
 *         {@code null} or no scope with that id exists in the realm
 */
@Override
public boolean removeClientScope(RealmModel realm, String id) {
    if (id == null) {
        return false;
    }

    final ClientScopeModel scope = getClientScopeById(realm, id);
    if (scope == null) {
        return false;
    }

    // Give dependent stores a chance to drop references to the scope first.
    session.users().preRemove(scope);
    realm.removeDefaultClientScope(scope);

    ClientScopeModel.ClientScopeRemovedEvent removedEvent = new ClientScopeModel.ClientScopeRemovedEvent() {
        @Override
        public KeycloakSession getKeycloakSession() {
            return session;
        }

        @Override
        public ClientScopeModel getClientScope() {
            return scope;
        }
    };
    session.getKeycloakSessionFactory().publish(removedEvent);

    tx.delete(id);
    return true;
}
Use of org.keycloak.models.KeycloakSession in project keycloak by keycloak:
class MapClientProvider, method removeClient.
/**
 * Removes the client identified by {@code id} from {@code realm}.
 * <p>
 * Before the store deletion, the user store's {@code preRemove} hook runs, the client's
 * roles are removed via {@code session.roles().removeRoles(client)}, and a
 * {@link ClientModel.ClientRemovedEvent} is published. The event is published
 * <em>before</em> {@code tx.delete(id)} runs.
 *
 * @param realm realm the client belongs to
 * @param id    id of the client to remove; {@code null} is tolerated
 * @return {@code true} if a client was found and removed, {@code false} if {@code id} is
 *         {@code null} or no client with that id exists in the realm
 */
@Override
public boolean removeClient(RealmModel realm, String id) {
    if (id == null) {
        return false;
    }

    LOG.tracef("removeClient(%s, %s)%s", realm, id, getShortStackTrace());

    final ClientModel removedClient = getClientById(realm, id);
    if (removedClient == null) {
        return false;
    }

    // TODO: the block from here down to the event publication (pre-remove hooks, role
    // removal and event sending) belongs in the store layer rather than this provider.
    session.users().preRemove(realm, removedClient);
    session.roles().removeRoles(removedClient);

    ClientModel.ClientRemovedEvent removedEvent = new ClientModel.ClientRemovedEvent() {
        @Override
        public ClientModel getClient() {
            return removedClient;
        }

        @Override
        public KeycloakSession getKeycloakSession() {
            return session;
        }
    };
    session.getKeycloakSessionFactory().publish(removedEvent);
    // TODO: end of the block to be extracted.

    tx.delete(id);
    return true;
}
Use of org.keycloak.models.KeycloakSession in project keycloak by keycloak:
class MigrateTo4_0_0, method migrateRealm.
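/**
 * Migrates one realm to the 4.0.0 model.
 * <p>
 * Steps, in order:
 * <ol>
 *   <li>rename client scopes whose name contains a space (spaces become underscores);</li>
 *   <li>unless {@code json}, create the default client scopes for the realm;</li>
 *   <li>rewrite the {@code allowed-client-templates} client registration policy to the
 *       {@code allowed-client-scopes} configuration;</li>
 *   <li>attach the {@code offline_access} client scope as an optional scope to OIDC
 *       non-bearer-only clients that have the {@code offline_access} role in scope, and drop
 *       the direct role mapping where the client is not full-scope-allowed;</li>
 *   <li>make consent-required clients without any client scopes display themselves on the
 *       consent screen.</li>
 * </ol>
 *
 * @param session current session, passed on to {@code DefaultClientScopes.createDefaultClientScopes}
 * @param realm   realm to migrate; mutated in place
 * @param json    {@code true} when the default client scopes must not be created (per the
 *                original comment, they were already added for JSON imports)
 */
protected void migrateRealm(KeycloakSession session, RealmModel realm, boolean json) {
    renameClientScopesContainingSpaces(realm);

    if (!json) {
        // Add default client scopes, but don't add them to existing clients.
        // For JSON, they were already added.
        LOG.debugf("Adding defaultClientScopes for realm '%s'", realm.getName());
        DefaultClientScopes.createDefaultClientScopes(session, realm, false);
    }

    migrateAllowedClientTemplatesPolicy(realm);
    migrateOfflineAccessClientScope(realm);
    migrateConsentRequiredClientsWithoutScopes(realm);
}

/** Replaces every space in client scope names with an underscore. */
private void renameClientScopesContainingSpaces(RealmModel realm) {
    realm.getClientScopesStream()
            .filter(clientScope -> clientScope.getName().contains(" "))
            .forEach(clientScope -> {
                LOG.debugf("Replacing spaces with underscores in the name of client scope '%s' of realm '%s'", clientScope.getName(), realm.getName());
                // The pattern is a literal space, so a plain replace is equivalent to the
                // regex-based replaceAll and avoids compiling a pattern per scope.
                clientScope.setName(clientScope.getName().replace(" ", "_"));
            });
}

/**
 * Rewrites "allowed-client-templates" client registration policy components: the
 * "allowed-client-templates" config values move to "allowed-client-scopes" and
 * "allow-default-scopes" is enabled.
 */
private void migrateAllowedClientTemplatesPolicy(RealmModel realm) {
    realm.getComponentsStream(realm.getId(), "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy")
            .filter(component -> Objects.equals(component.getProviderId(), "allowed-client-templates"))
            .forEach(component -> {
                List<String> configVal = component.getConfig().remove("allowed-client-templates");
                if (configVal != null) {
                    component.getConfig().put("allowed-client-scopes", configVal);
                }
                component.put("allow-default-scopes", true);
                realm.updateComponent(component);
            });
}

/**
 * If a client has the offline_access role in scope (directly or through fullScopeAllowed),
 * adds the offline_access client scope as an optional scope to the client. Where the role
 * was granted indirectly (no fullScopeAllowed), the role scope mapping is removed as well.
 * Skipped, with an info log, when the realm has no offline_access role or client scope.
 */
private void migrateOfflineAccessClientScope(RealmModel realm) {
    RoleModel offlineAccessRole = realm.getRole(OAuth2Constants.OFFLINE_ACCESS);
    if (offlineAccessRole == null) {
        LOG.infof("Role 'offline_access' not available in realm '%s'. Skip migration of offline_access client scope.", realm.getName());
        return;
    }

    ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS);
    if (offlineAccessScope == null) {
        LOG.infof("Client scope 'offline_access' not available in realm '%s'. Skip migration of offline_access client scope.", realm.getName());
        return;
    }

    // A single forEach replaces the former peek(...).filter(...).forEach(...) chain:
    // peek is meant for debugging, not for the side effect the migration depends on.
    realm.getClientsStream()
            .filter(MigrationUtils::isOIDCNonBearerOnlyClient)
            .filter(c -> c.hasScope(offlineAccessRole))
            .filter(c -> !c.getClientScopes(false).containsKey(OAuth2Constants.OFFLINE_ACCESS))
            .forEach(c -> {
                LOG.debugf("Adding client scope 'offline_access' as optional scope to client '%s' in realm '%s'.", c.getClientId(), realm.getName());
                c.addClientScope(offlineAccessScope, false);
                // Only a non-full-scope client carries an explicit role mapping to drop.
                if (!c.isFullScopeAllowed()) {
                    LOG.debugf("Removing role scope mapping for role 'offline_access' from client '%s' in realm '%s'.", c.getClientId(), realm.getName());
                    c.deleteScopeMapping(offlineAccessRole);
                }
            });
}

/**
 * Clients with consentRequired that have no client scopes are set to display themselves on
 * the consent screen, so that a consent screen is still shown when users authenticate.
 * The consent text falls back to the client id when the client has no name.
 */
private void migrateConsentRequiredClientsWithoutScopes(RealmModel realm) {
    realm.getClientsStream()
            .filter(ClientModel::isConsentRequired)
            .filter(c -> c.getClientScopes(true).isEmpty())
            .forEach(c -> {
                LOG.debugf("Adding client '%s' of realm '%s' to display itself on consent screen", c.getClientId(), realm.getName());
                c.setDisplayOnConsentScreen(true);
                String consentText = c.getName() == null ? c.getClientId() : c.getName();
                c.setConsentScreenText(consentText);
            });
}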
Use of org.keycloak.models.KeycloakSession in project keycloak by keycloak:
class LocalDateValidator, method doValidate.
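/**
 * Validates that {@code value} is a complete short-form date in the user's resolved locale.
 * <p>
 * The format is obtained from {@link DateFormat#getDateInstance(int, Locale)} with
 * {@link DateFormat#SHORT} and non-lenient parsing. On failure a {@link ValidationError}
 * with {@code ID}, {@code inputHint} and {@code MESSAGE_INVALID_DATE} is added to the context.
 *
 * @param value     the raw input to validate; assumed non-null here (caller contract — TODO confirm)
 * @param inputHint hint identifying the input, forwarded into the error
 * @param context   validation context providing the session and the target user
 * @param config    validator configuration (not consulted by this validator)
 */
@Override
protected void doValidate(String value, String inputHint, ValidationContext context, ValidatorConfig config) {
    UserModel user = (UserModel) context.getAttributes().get(UserModel.class.getName());
    KeycloakSession session = context.getSession();
    KeycloakContext keycloakContext = session.getContext();
    // The accepted date format follows the user's resolved locale, not the server default.
    Locale locale = keycloakContext.resolveLocale(user);
    DateFormat formatter = DateFormat.getDateInstance(DateFormat.SHORT, locale);
    formatter.setLenient(false);

    // DateFormat.parse(String) stops at the first character it cannot parse and silently
    // ignores the remainder, so input with trailing garbage after a valid date would be
    // accepted. Parse with an explicit position and require the whole string to be consumed.
    java.text.ParsePosition position = new java.text.ParsePosition(0);
    boolean parsed = formatter.parse(value, position) != null;
    if (!parsed || position.getIndex() != value.length()) {
        context.addError(new ValidationError(ID, inputHint, MESSAGE_INVALID_DATE));
    }
}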
Use of org.keycloak.models.KeycloakSession in project keycloak by keycloak:
class ProtectionService, method createIdentity.
/**
 * Builds the {@link KeycloakIdentity} for the current request and, when requested,
 * enforces that it carries the {@code uma_protection} client role of the resource server's
 * client.
 *
 * @param checkProtectionScope when {@code true}, a missing {@code uma_protection} role results
 *                             in a {@code FORBIDDEN} error response with
 *                             {@code OAuthErrorException.INVALID_SCOPE}
 * @return the identity derived from the current session
 * @throws ErrorResponseException if the protection scope check is enabled and fails
 */
private KeycloakIdentity createIdentity(boolean checkProtectionScope) {
    KeycloakSession keycloakSession = this.authorization.getKeycloakSession();
    KeycloakIdentity identity = new KeycloakIdentity(keycloakSession);
    ResourceServer resourceServer = getResourceServer(identity);

    RealmModel realm = keycloakSession.getContext().getRealm();
    // NOTE(review): assumes the resource server's client always exists in the realm,
    // otherwise the getClientId() call below dereferences null — confirm against getResourceServer.
    ClientModel resourceServerClient = realm.getClientById(resourceServer.getId());

    boolean lacksProtectionRole = checkProtectionScope
            && !identity.hasClientRole(resourceServerClient.getClientId(), "uma_protection");
    if (lacksProtectionRole) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_SCOPE, "Requires uma_protection scope.", Status.FORBIDDEN);
    }
    return identity;
}