
Example 11 with RequiredActionProviderModel

use of org.keycloak.models.RequiredActionProviderModel in project keycloak by keycloak.

From the class LDAPStorageProvider, method addUser:

/**
 * Registers a new user through this LDAP provider.
 *
 * <p>Returns {@code null} without creating anything when registrations are not synchronized
 * to LDAP. Otherwise the user is created either in local storage (import enabled, with a
 * federation link back to this provider) or as an in-memory adapter, pushed to LDAP, stamped
 * with the LDAP id and entry DN, and finally given the realm's default role, default groups
 * and every enabled default required action.
 *
 * @param realm realm the user is created in
 * @param username username of the new user
 * @return the proxied user, or {@code null} if registrations are not synchronized
 */
@Override
public UserModel addUser(RealmModel realm, String username) {
    // Nothing is written anywhere unless this provider syncs registrations to LDAP.
    if (!synchronizeRegistrations()) {
        return null;
    }
    final UserModel localUser;
    if (model.isImportEnabled()) {
        // Persist locally and link the record to this federation provider.
        localUser = session.userLocalStorage().addUser(realm, username);
        localUser.setFederationLink(model.getId());
    } else {
        // No local import: keep a transient adapter addressed by its storage id.
        String storageId = new StorageId(model.getId(), username).getId();
        localUser = new InMemoryUserAdapter(session, realm, storageId);
        localUser.setUsername(username);
    }
    LDAPObject ldapEntry = LDAPUtils.addUserToLDAP(this, realm, localUser);
    LDAPUtils.checkUuid(ldapEntry, ldapIdentityStore.getConfig());
    localUser.setSingleAttribute(LDAPConstants.LDAP_ID, ldapEntry.getUuid());
    localUser.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, ldapEntry.getDn().toString());
    // Work through the proxy from here on so role, group and required-action changes go through it.
    UserModel proxied = proxy(realm, localUser, ldapEntry, true);
    proxied.grantRole(realm.getDefaultRole());
    realm.getDefaultGroupsStream().forEach(proxied::joinGroup);
    // Only enabled default actions are attached; order of the provider stream is preserved.
    realm.getRequiredActionProvidersStream()
            .filter(action -> action.isEnabled() && action.isDefaultAction())
            .map(RequiredActionProviderModel::getAlias)
            .forEachOrdered(proxied::addRequiredAction);
    return proxied;
}

Example 12 with RequiredActionProviderModel

use of org.keycloak.models.RequiredActionProviderModel in project keycloak by keycloak.

From the class AuthenticationManagementResource, method removeRequiredAction:

/**
 * Deletes the required action registered under the given alias.
 *
 * @param alias alias of the required action to delete
 * @throws NotFoundException if the realm has no required action with that alias
 */
@Path("required-actions/{alias}")
@DELETE
public void removeRequiredAction(@PathParam("alias") String alias) {
    // Authorization first: the caller must be allowed to manage this realm before any lookup happens.
    auth.realm().requireManageRealm();
    final RequiredActionProviderModel toRemove = realm.getRequiredActionProviderByAlias(alias);
    if (toRemove == null) {
        throw new NotFoundException("Failed to find required action.");
    }
    realm.removeRequiredActionProvider(toRemove);
    // Emit an admin event so the deletion shows up in the realm's audit trail.
    adminEvent.operation(OperationType.DELETE)
            .resource(ResourceType.REQUIRED_ACTION)
            .resourcePath(session.getContext().getUri())
            .success();
}

Example 13 with RequiredActionProviderModel

use of org.keycloak.models.RequiredActionProviderModel in project keycloak by keycloak.

From the class AuthenticationManagementResource, method getRequiredAction:

/**
 * Returns the required action registered under the given alias.
 *
 * @param alias alias of the required action
 * @return the representation of the matching required action
 * @throws NotFoundException if the realm has no required action with that alias
 */
@Path("required-actions/{alias}")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public RequiredActionProviderRepresentation getRequiredAction(@PathParam("alias") String alias) {
    // Read access to the realm is required before the alias is even looked up.
    auth.realm().requireViewRealm();
    final RequiredActionProviderModel found = realm.getRequiredActionProviderByAlias(alias);
    if (found != null) {
        return toRepresentation(found);
    }
    throw new NotFoundException("Failed to find required action");
}

Example 14 with RequiredActionProviderModel

use of org.keycloak.models.RequiredActionProviderModel in project keycloak by keycloak.

From the class MigrateTo2_1_0, method migrateDefaultRequiredAction:

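// KEYCLOAK-3244: Required Action "Configure Totp" should be "Configure OTP"
/**
 * Renames the realm's CONFIGURE_TOTP required action via {@code MigrationUtils.updateOTPRequiredAction}
 * and persists the updated model.
 *
 * <p>A realm without that required action has nothing to migrate and is skipped; the original code
 * passed the {@code null} lookup result straight through, which would have surfaced as a
 * NullPointerException inside the update calls (not verifiable from here which of the two).
 *
 * @param realm realm whose CONFIGURE_TOTP required action is migrated
 */
private void migrateDefaultRequiredAction(RealmModel realm) {
    RequiredActionProviderModel otpAction = realm.getRequiredActionProviderByAlias(UserModel.RequiredAction.CONFIGURE_TOTP.name());
    if (otpAction == null) {
        // No CONFIGURE_TOTP action in this realm: nothing to rename.
        return;
    }
    MigrationUtils.updateOTPRequiredAction(otpAction);
    realm.updateRequiredActionProvider(otpAction);
}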

Example 15 with RequiredActionProviderModel

use of org.keycloak.models.RequiredActionProviderModel in project keycloak by keycloak.

From the class RepresentationToModel, method importRealm:

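/**
 * Populates {@code newRealm} from the realm representation {@code rep}.
 *
 * <p>Deprecated representation fields are converted first, then realm settings are copied field by
 * field. For most settings a {@code null} in the representation leaves the realm untouched; the
 * token/code/session lifespans, default signature algorithm, refresh-token reuse, offline-session
 * settings, OTP policy and browser security headers fall back to the defaults coded below. Flows,
 * required actions, identity providers, client scopes, clients, roles, scope mappings, SMTP config,
 * components, federation providers, groups and users are then imported in that order, and key
 * providers are created only when the realm has none yet.
 *
 * @param session current session, handed to the sub-importers that need it
 * @param rep realm representation to import; references to client scopes, clients and default
 *     groups are resolved against what was created and unknown ones are logged or rejected
 * @param newRealm realm model to fill in
 * @param skipUserDependent when {@code true}, realm authorization settings are not imported
 * @throws RuntimeException if a client scope mapping names an unknown client or a default group
 *     path does not resolve to an imported group
 */
public static void importRealm(KeycloakSession session, RealmRepresentation rep, RealmModel newRealm, boolean skipUserDependent) {
    convertDeprecatedSocialProviders(rep);
    convertDeprecatedApplications(session, rep);
    convertDeprecatedClientTemplates(rep);
    newRealm.setName(rep.getRealm());
    if (rep.getDisplayName() != null)
        newRealm.setDisplayName(rep.getDisplayName());
    if (rep.getDisplayNameHtml() != null)
        newRealm.setDisplayNameHtml(rep.getDisplayNameHtml());
    if (rep.isEnabled() != null)
        newRealm.setEnabled(rep.isEnabled());
    if (rep.isUserManagedAccessAllowed() != null)
        newRealm.setUserManagedAccessAllowed(rep.isUserManagedAccessAllowed());
    if (rep.isBruteForceProtected() != null)
        newRealm.setBruteForceProtected(rep.isBruteForceProtected());
    if (rep.isPermanentLockout() != null)
        newRealm.setPermanentLockout(rep.isPermanentLockout());
    if (rep.getMaxFailureWaitSeconds() != null)
        newRealm.setMaxFailureWaitSeconds(rep.getMaxFailureWaitSeconds());
    if (rep.getMinimumQuickLoginWaitSeconds() != null)
        newRealm.setMinimumQuickLoginWaitSeconds(rep.getMinimumQuickLoginWaitSeconds());
    if (rep.getWaitIncrementSeconds() != null)
        newRealm.setWaitIncrementSeconds(rep.getWaitIncrementSeconds());
    if (rep.getQuickLoginCheckMilliSeconds() != null)
        newRealm.setQuickLoginCheckMilliSeconds(rep.getQuickLoginCheckMilliSeconds());
    if (rep.getMaxDeltaTimeSeconds() != null)
        newRealm.setMaxDeltaTimeSeconds(rep.getMaxDeltaTimeSeconds());
    if (rep.getFailureFactor() != null)
        newRealm.setFailureFactor(rep.getFailureFactor());
    if (rep.isEventsEnabled() != null)
        newRealm.setEventsEnabled(rep.isEventsEnabled());
    if (rep.getEnabledEventTypes() != null)
        newRealm.setEnabledEventTypes(new HashSet<>(rep.getEnabledEventTypes()));
    if (rep.getEventsExpiration() != null)
        newRealm.setEventsExpiration(rep.getEventsExpiration());
    if (rep.getEventsListeners() != null)
        newRealm.setEventsListeners(new HashSet<>(rep.getEventsListeners()));
    if (rep.isAdminEventsEnabled() != null)
        newRealm.setAdminEventsEnabled(rep.isAdminEventsEnabled());
    if (rep.isAdminEventsDetailsEnabled() != null)
        newRealm.setAdminEventsDetailsEnabled(rep.isAdminEventsDetailsEnabled());
    if (rep.getNotBefore() != null)
        newRealm.setNotBefore(rep.getNotBefore());
    // Settings below always get a value: the representation's, or the coded default when absent.
    if (rep.getDefaultSignatureAlgorithm() != null)
        newRealm.setDefaultSignatureAlgorithm(rep.getDefaultSignatureAlgorithm());
    else
        newRealm.setDefaultSignatureAlgorithm(Constants.DEFAULT_SIGNATURE_ALGORITHM);
    if (rep.getRevokeRefreshToken() != null)
        newRealm.setRevokeRefreshToken(rep.getRevokeRefreshToken());
    else
        newRealm.setRevokeRefreshToken(false);
    if (rep.getRefreshTokenMaxReuse() != null)
        newRealm.setRefreshTokenMaxReuse(rep.getRefreshTokenMaxReuse());
    else
        newRealm.setRefreshTokenMaxReuse(0);
    if (rep.getAccessTokenLifespan() != null)
        newRealm.setAccessTokenLifespan(rep.getAccessTokenLifespan());
    else
        newRealm.setAccessTokenLifespan(300);
    if (rep.getAccessTokenLifespanForImplicitFlow() != null)
        newRealm.setAccessTokenLifespanForImplicitFlow(rep.getAccessTokenLifespanForImplicitFlow());
    else
        newRealm.setAccessTokenLifespanForImplicitFlow(Constants.DEFAULT_ACCESS_TOKEN_LIFESPAN_FOR_IMPLICIT_FLOW_TIMEOUT);
    if (rep.getSsoSessionIdleTimeout() != null)
        newRealm.setSsoSessionIdleTimeout(rep.getSsoSessionIdleTimeout());
    else
        newRealm.setSsoSessionIdleTimeout(1800);
    if (rep.getSsoSessionMaxLifespan() != null)
        newRealm.setSsoSessionMaxLifespan(rep.getSsoSessionMaxLifespan());
    else
        newRealm.setSsoSessionMaxLifespan(36000);
    if (rep.getSsoSessionMaxLifespanRememberMe() != null)
        newRealm.setSsoSessionMaxLifespanRememberMe(rep.getSsoSessionMaxLifespanRememberMe());
    if (rep.getSsoSessionIdleTimeoutRememberMe() != null)
        newRealm.setSsoSessionIdleTimeoutRememberMe(rep.getSsoSessionIdleTimeoutRememberMe());
    if (rep.getOfflineSessionIdleTimeout() != null)
        newRealm.setOfflineSessionIdleTimeout(rep.getOfflineSessionIdleTimeout());
    else
        newRealm.setOfflineSessionIdleTimeout(Constants.DEFAULT_OFFLINE_SESSION_IDLE_TIMEOUT);
    // KEYCLOAK-7688 Offline Session Max for Offline Token
    if (rep.getOfflineSessionMaxLifespanEnabled() != null)
        newRealm.setOfflineSessionMaxLifespanEnabled(rep.getOfflineSessionMaxLifespanEnabled());
    else
        newRealm.setOfflineSessionMaxLifespanEnabled(false);
    if (rep.getOfflineSessionMaxLifespan() != null)
        newRealm.setOfflineSessionMaxLifespan(rep.getOfflineSessionMaxLifespan());
    else
        newRealm.setOfflineSessionMaxLifespan(Constants.DEFAULT_OFFLINE_SESSION_MAX_LIFESPAN);
    if (rep.getClientSessionIdleTimeout() != null)
        newRealm.setClientSessionIdleTimeout(rep.getClientSessionIdleTimeout());
    if (rep.getClientSessionMaxLifespan() != null)
        newRealm.setClientSessionMaxLifespan(rep.getClientSessionMaxLifespan());
    if (rep.getClientOfflineSessionIdleTimeout() != null)
        newRealm.setClientOfflineSessionIdleTimeout(rep.getClientOfflineSessionIdleTimeout());
    if (rep.getClientOfflineSessionMaxLifespan() != null)
        newRealm.setClientOfflineSessionMaxLifespan(rep.getClientOfflineSessionMaxLifespan());
    if (rep.getAccessCodeLifespan() != null)
        newRealm.setAccessCodeLifespan(rep.getAccessCodeLifespan());
    else
        newRealm.setAccessCodeLifespan(60);
    if (rep.getAccessCodeLifespanUserAction() != null)
        newRealm.setAccessCodeLifespanUserAction(rep.getAccessCodeLifespanUserAction());
    else
        newRealm.setAccessCodeLifespanUserAction(300);
    if (rep.getAccessCodeLifespanLogin() != null)
        newRealm.setAccessCodeLifespanLogin(rep.getAccessCodeLifespanLogin());
    else
        newRealm.setAccessCodeLifespanLogin(1800);
    if (rep.getActionTokenGeneratedByAdminLifespan() != null)
        newRealm.setActionTokenGeneratedByAdminLifespan(rep.getActionTokenGeneratedByAdminLifespan());
    else
        newRealm.setActionTokenGeneratedByAdminLifespan(12 * 60 * 60);
    if (rep.getActionTokenGeneratedByUserLifespan() != null)
        newRealm.setActionTokenGeneratedByUserLifespan(rep.getActionTokenGeneratedByUserLifespan());
    else
        // Default mirrors the user-action code lifespan that was set just above.
        newRealm.setActionTokenGeneratedByUserLifespan(newRealm.getAccessCodeLifespanUserAction());
    // OAuth 2.0 Device Authorization Grant
    OAuth2DeviceConfig deviceConfig = newRealm.getOAuth2DeviceConfig();
    deviceConfig.setOAuth2DeviceCodeLifespan(rep.getOAuth2DeviceCodeLifespan());
    deviceConfig.setOAuth2DevicePollingInterval(rep.getOAuth2DevicePollingInterval());
    // Locale.ROOT: the enum constant lookup must not depend on the JVM's default locale
    // (a locale-sensitive toUpperCase() can produce a name that valueOf() rejects).
    if (rep.getSslRequired() != null)
        newRealm.setSslRequired(SslRequired.valueOf(rep.getSslRequired().toUpperCase(java.util.Locale.ROOT)));
    if (rep.isRegistrationAllowed() != null)
        newRealm.setRegistrationAllowed(rep.isRegistrationAllowed());
    if (rep.isRegistrationEmailAsUsername() != null)
        newRealm.setRegistrationEmailAsUsername(rep.isRegistrationEmailAsUsername());
    if (rep.isRememberMe() != null)
        newRealm.setRememberMe(rep.isRememberMe());
    if (rep.isVerifyEmail() != null)
        newRealm.setVerifyEmail(rep.isVerifyEmail());
    if (rep.isLoginWithEmailAllowed() != null)
        newRealm.setLoginWithEmailAllowed(rep.isLoginWithEmailAllowed());
    if (rep.isDuplicateEmailsAllowed() != null)
        newRealm.setDuplicateEmailsAllowed(rep.isDuplicateEmailsAllowed());
    if (rep.isResetPasswordAllowed() != null)
        newRealm.setResetPasswordAllowed(rep.isResetPasswordAllowed());
    if (rep.isEditUsernameAllowed() != null)
        newRealm.setEditUsernameAllowed(rep.isEditUsernameAllowed());
    if (rep.getLoginTheme() != null)
        newRealm.setLoginTheme(rep.getLoginTheme());
    if (rep.getAccountTheme() != null)
        newRealm.setAccountTheme(rep.getAccountTheme());
    if (rep.getAdminTheme() != null)
        newRealm.setAdminTheme(rep.getAdminTheme());
    if (rep.getEmailTheme() != null)
        newRealm.setEmailTheme(rep.getEmailTheme());
    // todo remove this stuff as its all deprecated
    if (rep.getRequiredCredentials() != null) {
        for (String requiredCred : rep.getRequiredCredentials()) {
            newRealm.addRequiredCredential(requiredCred);
        }
    } else {
        newRealm.addRequiredCredential(CredentialRepresentation.PASSWORD);
    }
    if (rep.getPasswordPolicy() != null)
        newRealm.setPasswordPolicy(PasswordPolicy.parse(session, rep.getPasswordPolicy()));
    if (rep.getOtpPolicyType() != null)
        newRealm.setOTPPolicy(toPolicy(rep));
    else
        newRealm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);
    WebAuthnPolicy webAuthnPolicy = getWebAuthnPolicyTwoFactor(rep);
    newRealm.setWebAuthnPolicy(webAuthnPolicy);
    webAuthnPolicy = getWebAuthnPolicyPasswordless(rep);
    newRealm.setWebAuthnPolicyPasswordless(webAuthnPolicy);
    updateCibaSettings(rep, newRealm);
    updateParSettings(rep, newRealm);
    // Flows go first: clients created below resolve their flow bindings through mappedFlows.
    Map<String, String> mappedFlows = importAuthenticationFlows(newRealm, rep);
    if (rep.getRequiredActions() != null) {
        for (RequiredActionProviderRepresentation action : rep.getRequiredActions()) {
            RequiredActionProviderModel model = toModel(action);
            MigrationUtils.updateOTPRequiredAction(model);
            newRealm.addRequiredActionProvider(model);
        }
        DefaultRequiredActions.addDeleteAccountAction(newRealm);
    } else {
        DefaultRequiredActions.addActions(newRealm);
    }
    importIdentityProviders(rep, newRealm, session);
    importIdentityProviderMappers(rep, newRealm);
    Map<String, ClientScopeModel> clientScopes = new HashMap<>();
    if (rep.getClientScopes() != null) {
        clientScopes = createClientScopes(session, rep.getClientScopes(), newRealm);
    }
    // Default client scopes may only reference scopes created from this representation; others are logged and skipped.
    if (rep.getDefaultDefaultClientScopes() != null) {
        for (String clientScopeName : rep.getDefaultDefaultClientScopes()) {
            ClientScopeModel clientScope = clientScopes.get(clientScopeName);
            if (clientScope != null) {
                newRealm.addDefaultClientScope(clientScope, true);
            } else {
                logger.warnf("Referenced client scope '%s' doesn't exist", clientScopeName);
            }
        }
    }
    if (rep.getDefaultOptionalClientScopes() != null) {
        for (String clientScopeName : rep.getDefaultOptionalClientScopes()) {
            ClientScopeModel clientScope = clientScopes.get(clientScopeName);
            if (clientScope != null) {
                newRealm.addDefaultClientScope(clientScope, false);
            } else {
                logger.warnf("Referenced client scope '%s' doesn't exist", clientScopeName);
            }
        }
    }
    Map<String, ClientModel> createdClients = new HashMap<>();
    if (rep.getClients() != null) {
        createdClients = createClients(session, rep, newRealm, mappedFlows);
    }
    importRoles(rep.getRoles(), newRealm);
    convertDeprecatedDefaultRoles(rep, newRealm);
    if (rep.getClientScopeMappings() != null) {
        for (Map.Entry<String, List<ScopeMappingRepresentation>> entry : rep.getClientScopeMappings().entrySet()) {
            // Clients not created above (e.g. pre-existing ones) are looked up in the realm; a miss is fatal.
            ClientModel app = createdClients.computeIfAbsent(entry.getKey(), k -> newRealm.getClientByClientId(entry.getKey()));
            if (app == null) {
                throw new RuntimeException("Unable to find client role mappings for client: " + entry.getKey());
            }
            createClientScopeMappings(newRealm, app, entry.getValue());
        }
    }
    if (rep.getScopeMappings() != null) {
        // NOTE: this map starts keyed by role id, but computeIfAbsent below inserts entries keyed by
        // the trimmed role name, so both kinds of key coexist in it.
        Map<String, RoleModel> roleModelMap = newRealm.getRolesStream().collect(Collectors.toMap(RoleModel::getId, Function.identity()));
        for (ScopeMappingRepresentation scope : rep.getScopeMappings()) {
            ScopeContainerModel scopeContainer = getScopeContainerHavingScope(newRealm, scope);
            for (String roleString : scope.getRoles()) {
                final String roleStringTrimmed = roleString.trim();
                RoleModel role = roleModelMap.computeIfAbsent(roleStringTrimmed, k -> newRealm.getRole(roleStringTrimmed));
                if (role == null) {
                    // Create the role under the trimmed name so it matches the name that was just looked up.
                    role = newRealm.addRole(roleStringTrimmed);
                    roleModelMap.put(role.getId(), role);
                }
                scopeContainer.addScopeMapping(role);
            }
        }
    }
    if (rep.getSmtpServer() != null) {
        // Defensive copy so the realm's SMTP config is detached from the representation's map.
        newRealm.setSmtpConfig(new HashMap<>(rep.getSmtpServer()));
    }
    if (rep.getBrowserSecurityHeaders() != null) {
        newRealm.setBrowserSecurityHeaders(rep.getBrowserSecurityHeaders());
    } else {
        newRealm.setBrowserSecurityHeaders(BrowserSecurityHeaders.realmDefaultHeaders);
    }
    if (rep.getComponents() != null) {
        MultivaluedHashMap<String, ComponentExportRepresentation> components = rep.getComponents();
        String parentId = newRealm.getId();
        importComponents(newRealm, components, parentId);
    }
    importUserFederationProvidersAndMappers(session, rep, newRealm);
    if (rep.getGroups() != null) {
        importGroups(newRealm, rep);
        // Default groups are resolved by path against the groups just imported; an unknown path is fatal.
        if (rep.getDefaultGroups() != null) {
            for (String path : rep.getDefaultGroups()) {
                GroupModel found = KeycloakModelUtils.findGroupByPath(newRealm, path);
                if (found == null)
                    throw new RuntimeException("default group in realm rep doesn't exist: " + path);
                newRealm.addDefaultGroup(found);
            }
        }
    }
    if (rep.getUsers() != null) {
        for (UserRepresentation userRep : rep.getUsers()) {
            createUser(session, newRealm, userRep);
        }
    }
    if (rep.getFederatedUsers() != null) {
        for (UserRepresentation userRep : rep.getFederatedUsers()) {
            importFederatedUser(session, newRealm, userRep);
        }
    }
    if (!skipUserDependent) {
        importRealmAuthorizationSettings(rep, newRealm, session);
    }
    if (rep.isInternationalizationEnabled() != null) {
        newRealm.setInternationalizationEnabled(rep.isInternationalizationEnabled());
    }
    if (rep.getSupportedLocales() != null) {
        newRealm.setSupportedLocales(new HashSet<>(rep.getSupportedLocales()));
    }
    if (rep.getDefaultLocale() != null) {
        newRealm.setDefaultLocale(rep.getDefaultLocale());
    }
    if (rep.getAttributes() != null) {
        for (Map.Entry<String, String> attr : rep.getAttributes().entrySet()) {
            newRealm.setAttribute(attr.getKey(), attr.getValue());
        }
    }
    // Key providers are generated only if none exist yet — presumably so that key providers
    // imported as components above take precedence; confirm against the component importer.
    if (newRealm.getComponentsStream(newRealm.getId(), KeyProvider.class.getName()).count() == 0) {
        if (rep.getPrivateKey() != null) {
            DefaultKeyProviders.createProviders(newRealm, rep.getPrivateKey(), rep.getCertificate());
        } else {
            DefaultKeyProviders.createProviders(newRealm);
        }
    }
}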
