
Example 86 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class KeycloakModelUtils method getComponentModel.

/**
 * Looks up a component of a realm inside its own transaction.
 *
 * @param factory     session factory used to open the transaction-scoped session
 * @param realmId     id of the realm that owns the component
 * @param componentId id of the component to look up
 * @return the component, or {@code null} when the realm does not exist or the realm has no
 *         component with that id
 */
public static ComponentModel getComponentModel(KeycloakSessionFactory factory, String realmId, String componentId) {
    // The lookup runs in a callback, so the result has to be smuggled out through a holder.
    AtomicReference<ComponentModel> result = new AtomicReference<>();
    KeycloakModelUtils.runJobInTransaction(factory, session -> {
        RealmModel realm = session.realms().getRealm(realmId);
        if (realm != null) {
            result.set(realm.getComponent(componentId));
        }
        // Unknown realm: the holder keeps its initial null.
    });
    return result.get();
}
Also used : RealmModel(org.keycloak.models.RealmModel) ComponentModel(org.keycloak.component.ComponentModel) AtomicReference(java.util.concurrent.atomic.AtomicReference)

Example 87 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class OIDCWellKnownProvider method getConfig.

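/**
 * Builds the OpenID Connect discovery document for the realm of the current session context.
 * <p>
 * Authorization, end-session, device-authorization, check-session-iframe and revocation URLs are
 * built from the frontend base URI; token, introspection, userinfo, JWKS, client registration,
 * CIBA and PAR URLs from the backend base URI. Supported algorithms and auth methods come from the
 * sibling {@code getSupported*} / {@code getClientAuthMethodsSupported} helpers, and
 * {@code checkConfigOverride} is applied last so overrides win over every default set here.
 *
 * @return the populated {@link OIDCConfigurationRepresentation}
 */
@Override
public Object getConfig() {
    UriInfo frontendUriInfo = session.getContext().getUri(UrlType.FRONTEND);
    UriInfo backendUriInfo = session.getContext().getUri(UrlType.BACKEND);
    RealmModel realm = session.getContext().getRealm();
    UriBuilder frontendUriBuilder = RealmsResource.protocolUrl(frontendUriInfo);
    UriBuilder backendUriBuilder = RealmsResource.protocolUrl(backendUriInfo);

    OIDCConfigurationRepresentation config = new OIDCConfigurationRepresentation();
    config.setIssuer(Urls.realmIssuer(frontendUriInfo.getBaseUri(), realm.getName()));

    // --- endpoint locations -------------------------------------------------------------------
    config.setAuthorizationEndpoint(realmProtocolUrl(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "auth"), realm));
    config.setTokenEndpoint(realmProtocolUrl(backendUriBuilder.clone().path(OIDCLoginProtocolService.class, "token"), realm));
    config.setIntrospectionEndpoint(realmProtocolUrl(backendUriBuilder.clone().path(OIDCLoginProtocolService.class, "token").path(TokenEndpoint.class, "introspect"), realm));
    config.setUserinfoEndpoint(realmProtocolUrl(backendUriBuilder.clone().path(OIDCLoginProtocolService.class, "issueUserInfo"), realm));
    config.setLogoutEndpoint(realmProtocolUrl(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "logout"), realm));
    config.setDeviceAuthorizationEndpoint(realmProtocolUrl(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "auth").path(AuthorizationEndpoint.class, "authorizeDevice").path(DeviceEndpoint.class, "handleDeviceRequest"), realm));
    // NOTE: Don't hardcode HTTPS checks here. The JWKS URI is exposed over plain http only in
    // development/testing environments; in production the OIDCWellKnownProvider is not exposed
    // over "http" at all.
    config.setJwksUri(realmProtocolUrl(backendUriBuilder.clone().path(OIDCLoginProtocolService.class, "certs"), realm));
    config.setCheckSessionIframe(realmProtocolUrl(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "getLoginStatusIframe"), realm));
    // Registration is keyed by the client-registration provider id rather than the protocol id.
    config.setRegistrationEndpoint(RealmsResource.clientRegistrationUrl(backendUriInfo).path(ClientRegistrationService.class, "provider").build(realm.getName(), OIDCClientRegistrationProviderFactory.ID).toString());

    // --- ID token / userinfo / request object algorithms -------------------------------------
    config.setIdTokenSigningAlgValuesSupported(getSupportedSigningAlgorithms(false));
    config.setIdTokenEncryptionAlgValuesSupported(getSupportedEncryptionAlg(false));
    config.setIdTokenEncryptionEncValuesSupported(getSupportedEncryptionEnc(false));
    config.setUserInfoSigningAlgValuesSupported(getSupportedSigningAlgorithms(true));
    config.setRequestObjectSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(true));
    config.setRequestObjectEncryptionAlgValuesSupported(getSupportedEncryptionAlgorithms());
    config.setRequestObjectEncryptionEncValuesSupported(getSupportedContentEncryptionAlgorithms());

    // --- static capability lists ---------------------------------------------------------------
    config.setResponseTypesSupported(DEFAULT_RESPONSE_TYPES_SUPPORTED);
    config.setSubjectTypesSupported(DEFAULT_SUBJECT_TYPES_SUPPORTED);
    config.setResponseModesSupported(DEFAULT_RESPONSE_MODES_SUPPORTED);
    config.setGrantTypesSupported(DEFAULT_GRANT_TYPES_SUPPORTED);
    config.setAcrValuesSupported(getAcrValuesSupported(realm));

    // --- client authentication at the token / introspection endpoints --------------------------
    config.setTokenEndpointAuthMethodsSupported(getClientAuthMethodsSupported());
    config.setTokenEndpointAuthSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(false));
    config.setIntrospectionEndpointAuthMethodsSupported(getClientAuthMethodsSupported());
    config.setIntrospectionEndpointAuthSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(false));

    // --- JARM (signed/encrypted authorization responses) ---------------------------------------
    config.setAuthorizationSigningAlgValuesSupported(getSupportedSigningAlgorithms(false));
    config.setAuthorizationEncryptionAlgValuesSupported(getSupportedEncryptionAlg(false));
    config.setAuthorizationEncryptionEncValuesSupported(getSupportedEncryptionEnc(false));

    config.setClaimsSupported(DEFAULT_CLAIMS_SUPPORTED);
    config.setClaimTypesSupported(DEFAULT_CLAIM_TYPES_SUPPORTED);
    config.setClaimsParameterSupported(true);

    // Including client scopes can be disabled in environments with thousands of client scopes,
    // to avoid a potentially expensive iteration over all of them.
    if (includeClientScopes) {
        // Collectors.toList() (not Stream.toList()) on purpose: the list is prepended to below.
        List<String> scopeNames = realm.getClientScopesStream()
                .filter(clientScope -> Objects.equals(OIDCLoginProtocol.LOGIN_PROTOCOL, clientScope.getProtocol()))
                .map(ClientScopeModel::getName)
                .collect(Collectors.toList());
        scopeNames.add(0, OAuth2Constants.SCOPE_OPENID);
        config.setScopesSupported(scopeNames);
    }

    config.setRequestParameterSupported(true);
    config.setRequestUriParameterSupported(true);
    config.setRequireRequestUriRegistration(true);

    // KEYCLOAK-7451 OAuth Authorization Server Metadata for Proof Key for Code Exchange
    config.setCodeChallengeMethodsSupported(DEFAULT_CODE_CHALLENGE_METHODS_SUPPORTED);

    // KEYCLOAK-6771 Certificate Bound Token
    // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.2
    config.setTlsClientCertificateBoundAccessTokens(true);

    // --- token revocation ----------------------------------------------------------------------
    // Same as for the JWKS URI above: no hard-coded HTTPS check, the provider is not exposed
    // over "http" in production.
    config.setRevocationEndpoint(realmProtocolUrl(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "revoke"), realm));
    config.setRevocationEndpointAuthMethodsSupported(getClientAuthMethodsSupported());
    config.setRevocationEndpointAuthSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(false));

    // --- back-channel logout, CIBA and PAR -----------------------------------------------------
    config.setBackchannelLogoutSupported(true);
    config.setBackchannelLogoutSessionSupported(true);
    config.setBackchannelTokenDeliveryModesSupported(CibaConfig.CIBA_SUPPORTED_MODES);
    config.setBackchannelAuthenticationEndpoint(CibaGrantType.authorizationUrl(backendUriInfo.getBaseUriBuilder()).build(realm.getName()).toString());
    config.setBackchannelAuthenticationRequestSigningAlgValuesSupported(getSupportedBackchannelAuthenticationRequestSigningAlgorithms());
    config.setPushedAuthorizationRequestEndpoint(ParEndpoint.parUrl(backendUriInfo.getBaseUriBuilder()).build(realm.getName()).toString());
    config.setRequirePushedAuthorizationRequests(Boolean.FALSE);

    // mTLS endpoint aliases are derived from the endpoints set above, so they come last.
    MTLSEndpointAliases mtlsEndpointAliases = getMtlsEndpointAliases(config);
    config.setMtlsEndpointAliases(mtlsEndpointAliases);

    config = checkConfigOverride(config);
    return config;
}

/**
 * Resolves a realm-scoped protocol URL: the template parameters of {@code builder} are filled
 * with the realm name and the OIDC protocol id.
 *
 * @param builder a (cloned) builder with the endpoint path already appended
 * @param realm   realm whose name fills the realm template parameter
 * @return the resolved URL as a string
 */
private static String realmProtocolUrl(UriBuilder builder, RealmModel realm) {
    return builder.build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL).toString();
}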
Also used : RealmModel(org.keycloak.models.RealmModel) TokenEndpoint(org.keycloak.protocol.oidc.endpoints.TokenEndpoint) ClientRegistrationService(org.keycloak.services.clientregistration.ClientRegistrationService) MTLSEndpointAliases(org.keycloak.protocol.oidc.representations.MTLSEndpointAliases) DeviceEndpoint(org.keycloak.protocol.oidc.grants.device.endpoints.DeviceEndpoint) UriBuilder(javax.ws.rs.core.UriBuilder) URI(java.net.URI) UriInfo(javax.ws.rs.core.UriInfo) OIDCConfigurationRepresentation(org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation)

Example 88 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class DefaultLocaleUpdaterProvider method expireLocaleCookie.

/**
 * Expires the locale cookie by re-sending it with an empty value and a max-age of 0.
 * <p>
 * The {@code secure} flag follows the realm's SSL-required setting, evaluated against the
 * current client connection. NOTE(review): the sibling {@code updateLocaleCookie} evaluates
 * the same setting against the request host instead; confirm the two inputs are intentionally
 * different, since they decide whether the cookie is restricted to HTTPS.
 */
@Override
public void expireLocaleCookie() {
    RealmModel currentRealm = session.getContext().getRealm();
    UriInfo requestInfo = session.getContext().getUri();
    String cookiePath = AuthenticationManager.getRealmCookiePath(currentRealm, requestInfo);
    boolean secureOnly = currentRealm.getSslRequired().isRequired(session.getContext().getConnection());
    // Empty value + max-age 0: the browser discards the cookie; the last two flags are secure and httpOnly.
    CookieHelper.addCookie(LocaleSelectorProvider.LOCALE_COOKIE, "", cookiePath, null, "Expiring cookie", 0, secureOnly, true);
}
Also used : RealmModel(org.keycloak.models.RealmModel) UriInfo(javax.ws.rs.core.UriInfo)

Example 89 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class DefaultLocaleUpdaterProvider method updateLocaleCookie.

/**
 * Sets the locale cookie for the current realm to {@code locale}.
 * <p>
 * The {@code secure} flag follows the realm's SSL-required setting, evaluated against the host
 * of the request URI. NOTE(review): the sibling {@code expireLocaleCookie} evaluates the same
 * setting against the client connection instead; confirm the two inputs are intentionally
 * different, since they decide whether the cookie is restricted to HTTPS.
 *
 * @param locale locale tag to store in the cookie
 */
@Override
public void updateLocaleCookie(String locale) {
    RealmModel currentRealm = session.getContext().getRealm();
    UriInfo requestInfo = session.getContext().getUri();
    String cookiePath = AuthenticationManager.getRealmCookiePath(currentRealm, requestInfo);
    String requestHost = requestInfo.getRequestUri().getHost();
    boolean secureOnly = currentRealm.getSslRequired().isRequired(requestHost);
    // max-age -1 (presumably a session cookie — confirm against CookieHelper); last two flags are secure and httpOnly.
    CookieHelper.addCookie(LocaleSelectorProvider.LOCALE_COOKIE, locale, cookiePath, null, null, -1, secureOnly, true);
    logger.debugv("Updating locale cookie to {0}", locale);
}
Also used : RealmModel(org.keycloak.models.RealmModel) UriInfo(javax.ws.rs.core.UriInfo)

Example 90 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setupUsers.

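/**
 * Populates the {@code TEST} realm with the users, roles and fine-grained admin permissions the
 * test class exercises.
 * <p>
 * Realm-level admins and "authorized"/"unauthorized" users get realm or realm-management roles;
 * group managers/viewers and client mapper/manager/configurer users additionally get user policies
 * attached to the corresponding group or client permissions. All users are enabled; most get the
 * shared test-only password {@code "password"}.
 *
 * @param session session bound to the transaction the fixtures are created in
 */
public static void setupUsers(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    ClientModel client = realm.getClientByClientId(CLIENT_NAME);
    RoleModel mapperRole = realm.getRole("mapper");
    RoleModel managerRole = realm.getRole("manager");
    RoleModel compositeRole = realm.getRole("composite-role");
    ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
    RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
    RoleModel queryGroupsRole = realmManagementClient.getRole(AdminRoles.QUERY_GROUPS);
    RoleModel queryUsersRole = realmManagementClient.getRole(AdminRoles.QUERY_USERS);
    RoleModel queryClientsRole = realmManagementClient.getRole(AdminRoles.QUERY_CLIENTS);

    // realm admins and role-based authorization fixtures
    addEnabledUserWithPassword(session, realm, "nomap-admin", adminRole);
    addEnabledUserWithPassword(session, realm, "anotherAdmin", adminRole);
    addEnabledUserWithPassword(session, realm, "authorized", mapperRole, managerRole);
    addEnabledUserWithPassword(session, realm, "authorizedComposite", compositeRole);
    addEnabledUserWithPassword(session, realm, "unauthorized");
    addEnabledUserWithPassword(session, realm, "unauthorizedMapper", managerRole);
    addEnabledUser(session, realm, "user1");

    // group management
    AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
    GroupModel group = KeycloakModelUtils.findGroupByPath(realm, "top");
    UserModel groupMember = addEnabledUser(session, realm, "groupMember");
    groupMember.joinGroup(group);
    addEnabledUserWithPassword(session, realm, "groupManager", queryGroupsRole, queryUsersRole, mapperRole);
    addEnabledUserWithPassword(session, realm, "noMapperGroupManager", queryGroupsRole, queryUsersRole);
    ResourceServer server = permissions.realmResourceServer();
    Policy groupManagerPolicy = createUserPolicy(permissions, server, "groupManagers", "groupManager", "noMapperGroupManager");
    permissions.groups().manageMembersPermission(group).addAssociatedPolicy(groupManagerPolicy);
    permissions.groups().manageMembershipPermission(group).addAssociatedPolicy(groupManagerPolicy);
    permissions.groups().viewPermission(group).addAssociatedPolicy(groupManagerPolicy);

    // client role mapping
    addEnabledUserWithPassword(session, realm, "clientMapper", managerRole, queryUsersRole);
    Policy clientMapperPolicy = permissions.clients().mapRolesPermission(client);
    clientMapperPolicy.addAssociatedPolicy(createUserPolicy(permissions, permissions.clients().resourceServer(client), "userClientMapper", "clientMapper"));

    // client management
    addEnabledUserWithPassword(session, realm, "clientManager", queryClientsRole);
    Policy clientManagerPolicy = permissions.clients().managePermission(client);
    clientManagerPolicy.addAssociatedPolicy(createUserPolicy(permissions, permissions.clients().resourceServer(client), "clientManager", "clientManager"));

    // client configuration
    addEnabledUserWithPassword(session, realm, "clientConfigurer", queryClientsRole);
    Policy clientConfigurePolicy = permissions.clients().configurePermission(client);
    clientConfigurePolicy.addAssociatedPolicy(createUserPolicy(permissions, permissions.clients().resourceServer(client), "clientConfigure", "clientConfigurer"));

    // read-only view of group members
    addEnabledUserWithPassword(session, realm, "groupViewer", queryGroupsRole, queryUsersRole);
    Policy groupViewMembersPolicy = createUserPolicy(permissions, server, "groupMemberViewers", "groupViewer");
    permissions.groups().viewMembersPermission(group).addAssociatedPolicy(groupViewMembersPolicy);
}

/**
 * Adds an enabled user to {@code realm} and grants it {@code roles} (may be empty).
 *
 * @return the created user
 */
private static UserModel addEnabledUser(KeycloakSession session, RealmModel realm, String username, RoleModel... roles) {
    UserModel user = session.users().addUser(realm, username);
    user.setEnabled(true);
    for (RoleModel role : roles) {
        user.grantRole(role);
    }
    return user;
}

/**
 * Same as {@link #addEnabledUser} but also sets the shared test-only password {@code "password"}.
 *
 * @return the created user
 */
private static UserModel addEnabledUserWithPassword(KeycloakSession session, RealmModel realm, String username, RoleModel... roles) {
    UserModel user = addEnabledUser(session, realm, username, roles);
    session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password("password"));
    return user;
}

/**
 * Creates a user policy named {@code policyName} on {@code server} that matches {@code usernames}.
 *
 * @return the stored policy, ready to be associated with a permission
 */
private static Policy createUserPolicy(AdminPermissionManagement permissions, ResourceServer server, String policyName, String... usernames) {
    UserPolicyRepresentation rep = new UserPolicyRepresentation();
    rep.setName(policyName);
    for (String username : usernames) {
        rep.addUser(username);
    }
    return permissions.authz().getStoreFactory().getPolicyStore().create(rep, server);
}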
Also used : RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) Policy(org.keycloak.authorization.model.Policy) ClientModel(org.keycloak.models.ClientModel) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) GroupModel(org.keycloak.models.GroupModel) RoleModel(org.keycloak.models.RoleModel) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)
