use of org.keycloak.storage.UserStorageProviderModel in project keycloak by keycloak.
the class UserCacheSession method cacheUser.
protected UserModel cacheUser(RealmModel realm, UserModel delegate, Long revision) {
int notBefore = getDelegate().getNotBeforeOfUser(realm, delegate);
StorageId storageId = delegate.getFederationLink() != null ? new StorageId(delegate.getFederationLink(), delegate.getId()) : new StorageId(delegate.getId());
CachedUser cached = null;
UserAdapter adapter = null;
if (!storageId.isLocal()) {
ComponentModel component = realm.getComponent(storageId.getProviderId());
UserStorageProviderModel model = new UserStorageProviderModel(component);
if (!model.isEnabled()) {
return new ReadOnlyUserModelDelegate(delegate) {
@Override
public boolean isEnabled() {
return false;
}
};
}
UserStorageProviderModel.CachePolicy policy = model.getCachePolicy();
if (policy != null && policy == UserStorageProviderModel.CachePolicy.NO_CACHE) {
return delegate;
}
cached = new CachedUser(revision, realm, delegate, notBefore);
adapter = new UserAdapter(cached, this, session, realm);
onCache(realm, adapter, delegate);
long lifespan = model.getLifespan();
if (lifespan > 0) {
cache.addRevisioned(cached, startupRevision, lifespan);
} else {
cache.addRevisioned(cached, startupRevision);
}
} else {
cached = new CachedUser(revision, realm, delegate, notBefore);
adapter = new UserAdapter(cached, this, session, realm);
onCache(realm, adapter, delegate);
cache.addRevisioned(cached, startupRevision);
}
return adapter;
}
use of org.keycloak.storage.UserStorageProviderModel in project keycloak by keycloak.
the class GroupLDAPStorageMapperFactory method onUpdate.
@Override
public void onUpdate(KeycloakSession session, RealmModel realm, ComponentModel oldModel, ComponentModel newModel) {
ComponentModel parentModel = realm.getComponent(newModel.getParentId());
UserStorageProviderModel parent = new UserStorageProviderModel(parentModel);
onParentUpdate(realm, parent, parent, newModel);
setDefaultGroupsPath(realm, newModel);
}
use of org.keycloak.storage.UserStorageProviderModel in project keycloak by keycloak.
the class RoleLDAPStorageMapperFactory method getProps.
private static List<ProviderConfigProperty> getProps(ComponentModel parent) {
String roleObjectClasses = LDAPConstants.GROUP_OF_NAMES;
String mode = LDAPGroupMapperMode.LDAP_ONLY.toString();
String membershipUserAttribute = LDAPConstants.UID;
boolean importEnabled = true;
boolean isActiveDirectory = false;
if (parent != null) {
LDAPConfig config = new LDAPConfig(parent.getConfig());
roleObjectClasses = config.isActiveDirectory() ? LDAPConstants.GROUP : LDAPConstants.GROUP_OF_NAMES;
mode = config.getEditMode() == UserStorageProvider.EditMode.WRITABLE ? LDAPGroupMapperMode.LDAP_ONLY.toString() : LDAPGroupMapperMode.READ_ONLY.toString();
membershipUserAttribute = config.getUsernameLdapAttribute();
importEnabled = new UserStorageProviderModel(parent).isImportEnabled();
isActiveDirectory = config.isActiveDirectory();
}
ProviderConfigurationBuilder config = ProviderConfigurationBuilder.create().property().name(RoleMapperConfig.ROLES_DN).label("LDAP Roles DN").helpText("LDAP DN where are roles of this tree saved. For example 'ou=finance,dc=example,dc=org' ").type(ProviderConfigProperty.STRING_TYPE).add().property().name(RoleMapperConfig.ROLE_NAME_LDAP_ATTRIBUTE).label("Role Name LDAP Attribute").helpText("Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn' . In this case typical group/role object may have DN like 'cn=role1,ou=finance,dc=example,dc=org' ").type(ProviderConfigProperty.STRING_TYPE).defaultValue(LDAPConstants.CN).add().property().name(RoleMapperConfig.ROLE_OBJECT_CLASSES).label("Role Object Classes").helpText("Object class (or classes) of the role object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ").type(ProviderConfigProperty.STRING_TYPE).defaultValue(roleObjectClasses).add().property().name(RoleMapperConfig.MEMBERSHIP_LDAP_ATTRIBUTE).label("Membership LDAP Attribute").helpText("Name of LDAP attribute on role, which is used for membership mappings. Usually it will be 'member' ." + "However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .").type(ProviderConfigProperty.STRING_TYPE).defaultValue(LDAPConstants.MEMBER).add().property().name(RoleMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE).label("Membership Attribute Type").helpText("DN means that LDAP role has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . " + "UID means that LDAP role has it's members declared in form of pure user uids. For example 'memberUid: john' .").type(ProviderConfigProperty.LIST_TYPE).options(MEMBERSHIP_TYPES).defaultValue(MembershipType.DN.toString()).add().property().name(RoleMapperConfig.MEMBERSHIP_USER_LDAP_ATTRIBUTE).label("Membership User LDAP Attribute").helpText("Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . For example if value of " + "'Membership User LDAP Attribute' is 'uid' and " + " LDAP group has 'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .").type(ProviderConfigProperty.STRING_TYPE).defaultValue(membershipUserAttribute).add().property().name(RoleMapperConfig.ROLES_LDAP_FILTER).label("LDAP Filter").helpText("LDAP Filter adds additional custom filter to the whole query for retrieve LDAP roles. Leave this empty if no additional filtering is needed and you want to retrieve all roles from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'").type(ProviderConfigProperty.STRING_TYPE).add();
if (importEnabled) {
config.property().name(RoleMapperConfig.MODE).label("Mode").helpText("LDAP_ONLY means that all role mappings are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where role mappings are " + "retrieved from both LDAP and DB and merged together. New role grants are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where role mappings are retrieved from LDAP just at the time when user is imported from LDAP and then " + "they are saved to local keycloak DB.").type(ProviderConfigProperty.LIST_TYPE).options(MODES).defaultValue(mode).add();
} else {
config.property().name(RoleMapperConfig.MODE).label("Mode").helpText("LDAP_ONLY means that specified role mappings are writable to LDAP. READ_ONLY means LDAP is readonly.").type(ProviderConfigProperty.LIST_TYPE).options(NO_IMPORT_MODES).defaultValue(mode).add();
}
List<String> roleRetrievers = new LinkedList<>(userRolesStrategies.keySet());
String roleRetrieveHelpText = "Specify how to retrieve roles of user. LOAD_ROLES_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all roles where 'member' is our user. " + "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE means that roles of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . ";
if (isActiveDirectory) {
roleRetrieveHelpText = roleRetrieveHelpText + "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY is applicable just in Active Directory and it means that roles of user will be retrieved recursively with usage of LDAP_MATCHING_RULE_IN_CHAIN Ldap extension.";
} else {
// Option should be available just for the Active Directory
roleRetrievers.remove(RoleMapperConfig.LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY);
}
config.property().name(RoleMapperConfig.USER_ROLES_RETRIEVE_STRATEGY).label("User Roles Retrieve Strategy").helpText(roleRetrieveHelpText).type(ProviderConfigProperty.LIST_TYPE).options(roleRetrievers).defaultValue(RoleMapperConfig.LOAD_ROLES_BY_MEMBER_ATTRIBUTE).add().property().name(GroupMapperConfig.MEMBEROF_LDAP_ATTRIBUTE).label("Member-Of LDAP Attribute").helpText("Used just when 'User Roles Retrieve Strategy' is GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE . " + "It specifies the name of the LDAP attribute on the LDAP user, which contains the roles (LDAP Groups), which the user is member of. " + "Usually it will be 'memberOf' and that's also the default value.").type(ProviderConfigProperty.STRING_TYPE).defaultValue(LDAPConstants.MEMBER_OF).add().property().name(RoleMapperConfig.USE_REALM_ROLES_MAPPING).label("Use Realm Roles Mapping").helpText("If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings").type(ProviderConfigProperty.BOOLEAN_TYPE).defaultValue("true").add().property().name(RoleMapperConfig.CLIENT_ID).label("Client ID").helpText("Client ID of client to which LDAP role mappings will be mapped. Applicable just if 'Use Realm Roles Mapping' is false").type(ProviderConfigProperty.CLIENT_LIST_TYPE).add();
return config.build();
}
use of org.keycloak.storage.UserStorageProviderModel in project keycloak by keycloak.
the class RoleLDAPStorageMapperFactory method onCreate.
@Override
public void onCreate(KeycloakSession session, RealmModel realm, ComponentModel model) {
ComponentModel parentModel = realm.getComponent(model.getParentId());
UserStorageProviderModel parent = new UserStorageProviderModel(parentModel);
onParentUpdate(realm, parent, parent, model);
}
use of org.keycloak.storage.UserStorageProviderModel in project keycloak by keycloak.
the class MigrateTo1_3_0 method migrateLDAPProviders.
private void migrateLDAPProviders(KeycloakSession session, RealmModel realm) {
realm.getUserStorageProvidersStream().forEachOrdered(fedProvider -> {
if (fedProvider.getProviderId().equals(LDAPConstants.LDAP_PROVIDER)) {
// copy don't want to muck with cache
fedProvider = new UserStorageProviderModel(fedProvider);
MultivaluedHashMap<String, String> config = fedProvider.getConfig();
// Update config properties for LDAP federation provider
if (config.get(LDAPConstants.SEARCH_SCOPE) == null) {
config.putSingle(LDAPConstants.SEARCH_SCOPE, String.valueOf(SearchControls.SUBTREE_SCOPE));
}
List<String> usersDn = config.remove("userDnSuffix");
if (usersDn != null && !usersDn.isEmpty() && config.getFirst(LDAPConstants.USERS_DN) == null) {
config.put(LDAPConstants.USERS_DN, usersDn);
}
String usernameLdapAttribute = config.getFirst(LDAPConstants.USERNAME_LDAP_ATTRIBUTE);
if (usernameLdapAttribute != null && config.getFirst(LDAPConstants.RDN_LDAP_ATTRIBUTE) == null) {
if (usernameLdapAttribute.equalsIgnoreCase(LDAPConstants.SAM_ACCOUNT_NAME)) {
config.putSingle(LDAPConstants.RDN_LDAP_ATTRIBUTE, LDAPConstants.CN);
} else {
config.putSingle(LDAPConstants.RDN_LDAP_ATTRIBUTE, usernameLdapAttribute);
}
}
if (config.getFirst(LDAPConstants.UUID_LDAP_ATTRIBUTE) == null) {
String uuidAttrName = LDAPConstants.getUuidAttributeName(config.getFirst(LDAPConstants.VENDOR));
config.putSingle(LDAPConstants.UUID_LDAP_ATTRIBUTE, uuidAttrName);
}
realm.updateComponent(fedProvider);
// Create default mappers for LDAP
if (realm.getComponentsStream(fedProvider.getId()).count() == 0) {
ProviderFactory ldapFactory = session.getKeycloakSessionFactory().getProviderFactory(UserStorageProvider.class, LDAPConstants.LDAP_PROVIDER);
if (ldapFactory != null) {
((ComponentFactory) ldapFactory).onCreate(session, realm, fedProvider);
}
}
}
});
}
Aggregations