
Example 76 with KeycloakSession

use of org.keycloak.models.KeycloakSession in project keycloak by keycloak.

Class MapClientScopeProvider, method removeClientScope.

/**
 * Removes the client scope identified by {@code id} from {@code realm}.
 *
 * <p>Before the entry is deleted through {@code tx}, the scope is detached from
 * users, dropped from the realm's default scopes, and a
 * {@link ClientScopeModel.ClientScopeRemovedEvent} is published via the
 * session factory. The order of these steps is kept as-is because the event
 * is published while the scope is still present in the store.
 *
 * @param realm the realm that owns the scope
 * @param id    the scope id; {@code null} means there is nothing to remove
 * @return {@code true} if a scope was found and removed, {@code false} otherwise
 */
@Override
public boolean removeClientScope(RealmModel realm, String id) {
    if (id == null) {
        return false;
    }
    final ClientScopeModel scope = getClientScopeById(realm, id);
    if (scope == null) {
        return false;
    }

    session.users().preRemove(scope);
    realm.removeDefaultClientScope(scope);

    // Listeners get the scope and the session that is removing it.
    ClientScopeModel.ClientScopeRemovedEvent removedEvent = new ClientScopeModel.ClientScopeRemovedEvent() {

        @Override
        public KeycloakSession getKeycloakSession() {
            return session;
        }

        @Override
        public ClientScopeModel getClientScope() {
            return scope;
        }
    };
    session.getKeycloakSessionFactory().publish(removedEvent);

    tx.delete(id);
    return true;
}

Example 77 with KeycloakSession

use of org.keycloak.models.KeycloakSession in project keycloak by keycloak.

Class MapClientProvider, method removeClient.

/**
 * Removes the client identified by {@code id} from {@code realm}.
 *
 * <p>Users and roles are detached from the client first, then a
 * {@link ClientModel.ClientRemovedEvent} is published through the session
 * factory, and finally the entry is deleted through {@code tx}. The call is
 * traced together with a short stack trace to make the caller visible in logs.
 *
 * @param realm the realm that owns the client
 * @param id    the client id; {@code null} means there is nothing to remove
 * @return {@code true} if a client was found and removed, {@code false} otherwise
 */
@Override
public boolean removeClient(RealmModel realm, String id) {
    if (id == null) {
        return false;
    }
    LOG.tracef("removeClient(%s, %s)%s", realm, id, getShortStackTrace());

    // TODO: Sending an event (and client role removal) should be extracted to store layer
    final ClientModel target = getClientById(realm, id);
    if (target == null) {
        return false;
    }

    session.users().preRemove(realm, target);
    session.roles().removeRoles(target);

    // Listeners get the client and the session that is removing it.
    ClientModel.ClientRemovedEvent removedEvent = new ClientModel.ClientRemovedEvent() {

        @Override
        public ClientModel getClient() {
            return target;
        }

        @Override
        public KeycloakSession getKeycloakSession() {
            return session;
        }
    };
    session.getKeycloakSessionFactory().publish(removedEvent);
    // TODO: ^^^^^^^ Up to here

    tx.delete(id);
    return true;
}

Example 78 with KeycloakSession

use of org.keycloak.models.KeycloakSession in project keycloak by keycloak.

Class MigrateTo4_0_0, method migrateRealm.

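/**
 * Applies the 4.0.0 model migration to a single realm.
 *
 * <p>Steps, in order:
 * <ol>
 *   <li>rename client scopes whose name contains a space (spaces become underscores);</li>
 *   <li>unless the realm came from a JSON import, create the default client scopes
 *       without attaching them to existing clients;</li>
 *   <li>move the {@code allowed-client-templates} config of client registration
 *       policy components to {@code allowed-client-scopes} and set
 *       {@code allow-default-scopes} to {@code true};</li>
 *   <li>for OIDC non-bearer-only clients that are scoped to the {@code offline_access}
 *       role but lack the {@code offline_access} client scope, add that scope as
 *       optional and, when full scope is not allowed, drop the direct role scope mapping;</li>
 *   <li>make consent-required clients that have no client scopes display themselves
 *       on the consent screen, using the client name (or client id) as consent text.</li>
 * </ol>
 *
 * @param session the current session
 * @param realm   the realm to migrate
 * @param json    {@code true} when the realm was imported from JSON, in which case the
 *                default client scopes are already present and step 2 is skipped
 */
protected void migrateRealm(KeycloakSession session, RealmModel realm, boolean json) {
    // Upgrade names of clientScopes to not contain space
    realm.getClientScopesStream()
            .filter(clientScope -> clientScope.getName().contains(" "))
            .forEach(clientScope -> {
                LOG.debugf("Replacing spaces with underscores in the name of client scope '%s' of realm '%s'", clientScope.getName(), realm.getName());
                // A literal single-space replacement; no regex needed
                String replacedName = clientScope.getName().replace(" ", "_");
                clientScope.setName(replacedName);
            });

    if (!json) {
        // Add default client scopes. But don't add them to existing clients. For JSON, they were already added
        LOG.debugf("Adding defaultClientScopes for realm '%s'", realm.getName());
        DefaultClientScopes.createDefaultClientScopes(session, realm, false);
    }

    // Upgrade configuration of "allowed-client-templates" client registration policy
    realm.getComponentsStream(realm.getId(), "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy")
            .filter(component -> Objects.equals(component.getProviderId(), "allowed-client-templates"))
            .forEach(component -> {
                List<String> configVal = component.getConfig().remove("allowed-client-templates");
                if (configVal != null) {
                    component.getConfig().put("allowed-client-scopes", configVal);
                }
                component.put("allow-default-scopes", true);
                realm.updateComponent(component);
            });

    // If client has scope for offline_access role (either directly or through fullScopeAllowed), then add offline_access client
    // scope as optional scope to the client. If it's indirectly (no fullScopeAllowed), then remove role from the scoped roles
    RoleModel offlineAccessRole = realm.getRole(OAuth2Constants.OFFLINE_ACCESS);
    if (offlineAccessRole == null) {
        LOG.infof("Role 'offline_access' not available in realm '%s'. Skip migration of offline_access client scope.", realm.getName());
    } else {
        final ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realm, OAuth2Constants.OFFLINE_ACCESS);
        if (offlineAccessScope == null) {
            LOG.infof("Client scope 'offline_access' not available in realm '%s'. Skip migration of offline_access client scope.", realm.getName());
        } else {
            // One terminal forEach instead of peek()-with-side-effects followed by a second
            // filter: the per-client order (add scope, then maybe drop the mapping) is unchanged.
            realm.getClientsStream()
                    .filter(MigrationUtils::isOIDCNonBearerOnlyClient)
                    .filter(c -> c.hasScope(offlineAccessRole))
                    .filter(c -> !c.getClientScopes(false).containsKey(OAuth2Constants.OFFLINE_ACCESS))
                    .forEach(c -> {
                        LOG.debugf("Adding client scope 'offline_access' as optional scope to client '%s' in realm '%s'.", c.getClientId(), realm.getName());
                        c.addClientScope(offlineAccessScope, false);
                        // Without fullScopeAllowed the role was mapped explicitly; the client scope now carries it
                        if (!c.isFullScopeAllowed()) {
                            LOG.debugf("Removing role scope mapping for role 'offline_access' from client '%s' in realm '%s'.", c.getClientId(), realm.getName());
                            c.deleteScopeMapping(offlineAccessRole);
                        }
                    });
        }
    }

    // Clients with consentRequired, which don't have any client scopes will be added itself to require consent, so that consent screen is shown when users authenticate
    realm.getClientsStream()
            .filter(ClientModel::isConsentRequired)
            .filter(c -> c.getClientScopes(true).isEmpty())
            .forEach(c -> {
                LOG.debugf("Adding client '%s' of realm '%s' to display itself on consent screen", c.getClientId(), realm.getName());
                c.setDisplayOnConsentScreen(true);
                String consentText = c.getName() == null ? c.getClientId() : c.getName();
                c.setConsentScreenText(consentText);
            });
}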

Example 79 with KeycloakSession

use of org.keycloak.models.KeycloakSession in project keycloak by keycloak.

Class LocalDateValidator, method doValidate.

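/**
 * Checks that {@code value} is a complete, short-style date in the user's locale.
 *
 * <p>The locale is resolved from the {@link UserModel} stored in the context
 * attributes. Parsing is strict ({@code setLenient(false)}) and the whole
 * input must be consumed: {@link DateFormat#parse(String)} stops at the first
 * character it cannot parse, so a value with trailing text (for example
 * {@code "1/2/2020 junk"}, a constructed sample) would otherwise pass
 * validation. A {@code ParsePosition} is used to detect that case.
 *
 * @param value     the raw attribute value to validate
 * @param inputHint the input the error is reported against
 * @param context   the validation context; a {@link ValidationError} is added on failure
 * @param config    validator configuration (not consulted here)
 */
@Override
protected void doValidate(String value, String inputHint, ValidationContext context, ValidatorConfig config) {
    UserModel user = (UserModel) context.getAttributes().get(UserModel.class.getName());
    KeycloakSession session = context.getSession();
    KeycloakContext keycloakContext = session.getContext();
    Locale locale = keycloakContext.resolveLocale(user);
    // A fresh instance per call: DateFormat is not thread-safe
    DateFormat formatter = DateFormat.getDateInstance(DateFormat.SHORT, locale);
    formatter.setLenient(false);
    // parse(String, ParsePosition) returns null on failure instead of throwing ParseException
    java.text.ParsePosition position = new java.text.ParsePosition(0);
    boolean parsed = formatter.parse(value, position) != null;
    if (!parsed || position.getIndex() != value.length()) {
        context.addError(new ValidationError(ID, inputHint, MESSAGE_INVALID_DATE));
    }
}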

Example 80 with KeycloakSession

use of org.keycloak.models.KeycloakSession in project keycloak by keycloak.

Class ProtectionService, method createIdentity.

/**
 * Builds the caller's {@link KeycloakIdentity} and, when requested, enforces
 * that it holds the {@code uma_protection} client role on the resource
 * server's client.
 *
 * @param checkProtectionScope whether to reject callers lacking the
 *                             {@code uma_protection} client role
 * @return the caller's identity
 * @throws ErrorResponseException with {@code OAuthErrorException.INVALID_SCOPE}
 *         and HTTP 403 when the check is requested and fails
 */
private KeycloakIdentity createIdentity(boolean checkProtectionScope) {
    KeycloakIdentity callerIdentity = new KeycloakIdentity(this.authorization.getKeycloakSession());
    ResourceServer resourceServer = getResourceServer(callerIdentity);
    KeycloakSession keycloakSession = authorization.getKeycloakSession();
    RealmModel currentRealm = keycloakSession.getContext().getRealm();
    // NOTE(review): getClientById is assumed to return a client for every resource server id;
    // a null here would fail on getClientId() below — confirm against the resource server model
    ClientModel resourceServerClient = currentRealm.getClientById(resourceServer.getId());

    boolean lacksProtectionRole = checkProtectionScope
            && !callerIdentity.hasClientRole(resourceServerClient.getClientId(), "uma_protection");
    if (lacksProtectionRole) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_SCOPE, "Requires uma_protection scope.", Status.FORBIDDEN);
    }
    return callerIdentity;
}
