Java源码示例:org.keycloak.models.GroupModel

示例1
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
    LDAPGroupMapperMode mode = config.getMode();

    // For now, import LDAP group mappings just during create
    if (mode == LDAPGroupMapperMode.IMPORT && isCreate) {

        List<LDAPObject> ldapGroups = getLDAPGroupMappings(ldapUser);

        // Import role mappings from LDAP into Keycloak DB
        for (LDAPObject ldapGroup : ldapGroups) {

            GroupModel kcGroup = findKcGroupOrSyncFromLDAP(realm, ldapGroup, user);
            if (kcGroup != null) {
                logger.debugf("User '%s' joins group '%s' during import from LDAP", user.getUsername(), kcGroup.getName());
                user.joinGroup(kcGroup);
            }
        }
    }
}
 
示例2
@Override
public List<GroupModel> searchForGroupByName(RealmModel realm, String search, Integer first, Integer max) {
    TypedQuery<String> query = em.createNamedQuery("getGroupIdsByNameContaining", String.class)
            .setParameter("realm", realm.getId())
            .setParameter("search", search);
    if(Objects.nonNull(first) && Objects.nonNull(max)) {
        query= query.setFirstResult(first).setMaxResults(max);
    }
    List<String> groups =  query.getResultList();
    if (Objects.isNull(groups)) return Collections.EMPTY_LIST;
    List<GroupModel> list = new ArrayList<>();
    for (String id : groups) {
        GroupModel groupById = session.realms().getGroupById(id, realm);
        while(Objects.nonNull(groupById.getParentId())) {
            groupById = session.realms().getGroupById(groupById.getParentId(), realm);
        }
        if(!list.contains(groupById)) {
            list.add(groupById);
        }
    }
    list.sort(Comparator.comparing(GroupModel::getName));

    return Collections.unmodifiableList(list);
}
 
示例3
public static Collection<String> resolveAttribute(UserModel user, String name, boolean aggregateAttrs) {
    List<String> values = user.getAttribute(name);
    Set<String> aggrValues = new HashSet<String>();
    if (!values.isEmpty()) {
        if (!aggregateAttrs) {
            return values;
        }
        aggrValues.addAll(values);
    }
    for (GroupModel group : user.getGroups()) {
        values = resolveAttribute(group, name);
        if (values != null && !values.isEmpty()) {
            if (!aggregateAttrs) {
                return values;
            }
            aggrValues.addAll(values);
        }
    }
    return aggrValues;
}
 
示例4
private static GroupModel findSubGroup(String[] segments, int index, GroupModel parent) {
    for (GroupModel group : parent.getSubGroups()) {
        String groupName = group.getName();
        String[] pathSegments = formatPathSegments(segments, index, groupName);

        if (groupName.equals(pathSegments[index])) {
            if (pathSegments.length == index + 1) {
                return group;
            }
            else {
                if (index + 1 < pathSegments.length) {
                    GroupModel found = findSubGroup(pathSegments, index + 1, group);
                    if (found != null) return found;
                } else {
                    return null;
                }
            }

        }
    }
    return null;
}
 
示例5
private void syncNonExistingGroup(RealmModel realm, Map.Entry<String, LDAPObject> groupEntry,
                                  SynchronizationResult syncResult, Set<String> visitedGroupIds, String groupName) {
    try {
        // Create each non-existing group to be synced in its own inner transaction to prevent race condition when
        // the group intended to be created was already created via other channel in the meantime
        KeycloakModelUtils.runJobInTransaction(ldapProvider.getSession().getKeycloakSessionFactory(), session -> {
            RealmModel innerTransactionRealm = session.realms().getRealm(realm.getId());
            GroupModel kcGroup = createKcGroup(innerTransactionRealm, groupName, null);
            updateAttributesOfKCGroup(kcGroup, groupEntry.getValue());
            syncResult.increaseAdded();
            visitedGroupIds.add(kcGroup.getId());
        });
    } catch (ModelException me) {
        logger.error(String.format("Failed to sync group %s from LDAP: ", groupName), me);
        syncResult.increaseFailed();
    }
}
 
示例6
/**
 * Adds the group membership information to the {@link IDToken#otherClaims}.
 * @param token
 * @param mappingModel
 * @param userSession
 */
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {

    List<String> membership = new LinkedList<>();
    boolean fullPath = useFullPath(mappingModel);
    for (GroupModel group : userSession.getUser().getGroups()) {
        if (fullPath) {
            membership.add(ModelToRepresentation.buildGroupPath(group));
        } else {
            membership.add(group.getName());
        }
    }
    String protocolClaim = mappingModel.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);

    token.getOtherClaims().put(protocolClaim, membership);
}
 
示例7
@Override
public GroupModel createGroup(RealmModel realm, String id, String name, GroupModel toParent) {
    if (id == null) {
        id = KeycloakModelUtils.generateId();
    } else if (GroupEntity.TOP_PARENT_ID.equals(id)) {
        // maybe it's impossible but better ensure this doesn't happen
        throw new ModelException("The ID of the new group is equals to the tag used for top level groups");
    }
    GroupEntity groupEntity = new GroupEntity();
    groupEntity.setId(id);
    groupEntity.setName(name);
    RealmEntity realmEntity = em.getReference(RealmEntity.class, realm.getId());
    groupEntity.setRealm(realmEntity.getId());
    groupEntity.setParentId(toParent == null? GroupEntity.TOP_PARENT_ID : toParent.getId());
    em.persist(groupEntity);
    em.flush();
    realmEntity.getGroups().add(groupEntity);

    GroupAdapter adapter = new GroupAdapter(realm, em, groupEntity);
    return adapter;
}
 
示例8
@Override
public List<UserModel> getGroupMembers(RealmModel realm, GroupModel kcGroup, int firstResult, int maxResults) {
    if (config.getMode() == LDAPGroupMapperMode.IMPORT) {
        // only results from Keycloak should be returned, or imported LDAP and KC items will duplicate
        return Collections.emptyList();
    }

    // TODO: with ranged search in AD we can improve the search using the specific range (not done for the moment)
    LDAPObject ldapGroup = loadLDAPGroupByName(kcGroup.getName());
    if (ldapGroup == null) {
        return Collections.emptyList();
    }

    MembershipType membershipType = config.getMembershipTypeLdapAttribute();
    return membershipType.getGroupMembers(realm, this, ldapGroup, firstResult, maxResults);
}
 
示例9
/**
 * Return List of Groups that have the specified role name 
 *
 *
 * @param roleName
 * @param firstResult
 * @param maxResults
 * @param briefRepresentation if false, return a full representation of the GroupRepresentation objects
 * @return
 */
@Path("{role-name}/groups")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public  List<GroupRepresentation> getGroupsInRole(final @PathParam("role-name") String roleName, 
                                                @QueryParam("first") Integer firstResult,
                                                @QueryParam("max") Integer maxResults,
                                                @QueryParam("briefRepresentation") @DefaultValue("true") boolean briefRepresentation) {
    
    auth.roles().requireView(roleContainer);
    firstResult = firstResult != null ? firstResult : 0;
    maxResults = maxResults != null ? maxResults : Constants.DEFAULT_MAX_RESULTS;
    
    RoleModel role = roleContainer.getRole(roleName);
    
    if (role == null) {
        throw new NotFoundException("Could not find role");
    }
    
    List<GroupModel> groupsModel = session.realms().getGroupsByRole(realm, role, firstResult, maxResults);

    return groupsModel.stream()
    		.map(g -> ModelToRepresentation.toRepresentation(g, !briefRepresentation))
    		.collect(Collectors.toList());
}
 
示例10
@Override
public List<UserModel> getGroupMembers(final RealmModel realm, final GroupModel group, int firstResult, int maxResults) {
    List<UserModel> results = query((provider, first, max) -> {
        if (provider instanceof UserQueryProvider) {
            return ((UserQueryProvider)provider).getGroupMembers(realm, group, first, max);

        } else if (provider instanceof UserFederatedStorageProvider) {
            List<String> ids = ((UserFederatedStorageProvider)provider).getMembership(realm, group, first, max);
            List<UserModel> rs = new LinkedList<UserModel>();
            for (String id : ids) {
                UserModel user = getUserById(id, realm);
                if (user != null) rs.add(user);
            }
            return rs;

        }
        return Collections.EMPTY_LIST;
    }, realm, firstResult, maxResults);
    return importValidation(realm, results);
}
 
示例11
@Override
public Set<GroupModel> getGroups() {
    if (updated != null) return updated.getGroups();
    Set<GroupModel> groups = new LinkedHashSet<>();
    for (String id : cached.getGroups(modelSupplier)) {
        GroupModel groupModel = keycloakSession.realms().getGroupById(id, realm);
        if (groupModel == null) {
            // chance that role was removed, so just delete to persistence and get user invalidated
            getDelegateForUpdate();
            return updated.getGroups();
        }
        groups.add(groupModel);

    }
    return groups;
}
 
示例12
@Override
public Set<GroupModel> getGroups() {
    Set<GroupModel> set = new HashSet<>();
    if (appendDefaultGroups()) set.addAll(realm.getDefaultGroups());
    set.addAll(getGroupsInternal());
    return set;
}
 
示例13
/**
 *
 *
 * @param user
 * @param name
 * @return
 */
public static String resolveFirstAttribute(UserModel user, String name) {
    String value = user.getFirstAttribute(name);
    if (value != null) return value;
    for (GroupModel group : user.getGroups()) {
        value = resolveFirstAttribute(group, name);
        if (value != null) return value;
    }
    return null;

}
 
示例14
@Override
public void removeChild(GroupModel subGroup) {
    if (subGroup.getId().equals(getId())) {
        return;
    }
    subGroup.setParent(null);
}
 
示例15
public static void createGroups(UserRepresentation userRep, RealmModel newRealm, UserModel user) {
    if (userRep.getGroups() != null) {
        for (String path : userRep.getGroups()) {
            GroupModel group = KeycloakModelUtils.findGroupByPath(newRealm, path);
            if (group == null) {
                throw new RuntimeException("Unable to find group specified by path: " + path);

            }
            user.joinGroup(group);
        }
    }
}
 
示例16
/**
 * Provides a list of all KC sub groups from given parent group or from groups path.
 */
protected Collection<GroupModel> getKcSubGroups(RealmModel realm, GroupModel parentGroup) {

    // If no parent group given then use groups path
    if (parentGroup == null) {
        parentGroup = getKcGroupsPathGroup(realm);
    }
    return parentGroup == null ? realm.getTopLevelGroups() : parentGroup.getSubGroups();
}
 
示例17
private boolean hasPermission(GroupModel group, EvaluationContext context, String... scopes) {
    ResourceServer server = root.realmResourceServer();

    if (server == null) {
        return false;
    }

    Resource resource =  resourceStore.findByName(getGroupResourceName(group), server.getId());

    if (resource == null) {
        return false;
    }

    return hasPermission(resource, context, scopes);
}
 
示例18
@Override
public void preRemove(RealmModel realm, GroupModel group) {
    localStorage().preRemove(realm, group);
    if (getFederatedStorage() != null) {
        getFederatedStorage().preRemove(realm, group);
        for (UserStorageProvider provider : getEnabledStorageProviders(session, realm, UserStorageProvider.class)) {
            provider.preRemove(realm, group);
        }
    }
}
 
示例19
@Override
public List<GroupModel> getTopLevelGroups(RealmModel realm) {
    RealmEntity ref = em.getReference(RealmEntity.class, realm.getId());

    return ref.getGroups().stream()
            .filter(g -> GroupEntity.TOP_PARENT_ID.equals(g.getParentId()))
            .map(g -> session.realms().getGroupById(g.getId(), realm))
            .sorted(Comparator.comparing(GroupModel::getName))
            .collect(Collectors.collectingAndThen(
                    Collectors.toList(), Collections::unmodifiableList));
}
 
示例20
@Override
public boolean isMemberOf(GroupModel group) {
    if (groupIds == null) return false;
    if (groupIds.contains(group.getId())) return true;
    Set<GroupModel> groups = getGroups();
    return RoleUtils.isMember(groups, group);
}
 
示例21
@Override
public void joinGroup(GroupModel group) {
    if (!isMemberOf(group)) {
        delegate.joinGroup(group);
    }

}
 
示例22
public static void setupDeleteTest(KeycloakSession session )  {
    RealmModel realm = session.realms().getRealmByName(TEST);
    RoleModel removedRole = realm.addRole("removedRole");
    ClientModel client = realm.addClient("removedClient");
    RoleModel removedClientRole = client.addRole("removedClientRole");
    GroupModel removedGroup = realm.createGroup("removedGroup");
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    management.roles().setPermissionsEnabled(removedRole, true);
    management.roles().setPermissionsEnabled(removedClientRole, true);
    management.groups().setPermissionsEnabled(removedGroup, true);
    management.clients().setPermissionsEnabled(client, true);
    management.users().setPermissionsEnabled(true);
}
 
示例23
@Override
public void setParent(GroupModel parent) {
    if (parent == null) {
        group.setParentId(GroupEntity.TOP_PARENT_ID);
    } else if (!parent.getId().equals(getId())) {
        GroupEntity parentEntity = toEntity(parent, em);
        group.setParentId(parentEntity.getId());
    }
}
 
示例24
/**
 * create or add a top level realm groupSet or create child.  This will update the group and set the parent if it exists.  Create it and set the parent
 * if the group doesn't exist.
 *
 * @param rep
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
public Response addTopLevelGroup(GroupRepresentation rep) {
    auth.groups().requireManage();

    GroupModel child;
    Response.ResponseBuilder builder = Response.status(204);
    try {
        if (rep.getId() != null) {
            child = realm.getGroupById(rep.getId());
            if (child == null) {
                throw new NotFoundException("Could not find child by id");
            }
            realm.moveGroup(child, null);
            adminEvent.operation(OperationType.UPDATE).resourcePath(session.getContext().getUri());
        } else {
            child = realm.createGroup(rep.getName());
            GroupResource.updateGroup(rep, child);
            URI uri = session.getContext().getUri().getAbsolutePathBuilder()
                    .path(child.getId()).build();
            builder.status(201).location(uri);

            rep.setId(child.getId());
            adminEvent.operation(OperationType.CREATE).resourcePath(session.getContext().getUri(), child.getId());
        }
    } catch (ModelDuplicateException mde) {
        return ErrorResponse.exists("Top level group named '" + rep.getName() + "' already exists.");
    }

    adminEvent.representation(rep).success();
    return builder.build();
}
 
示例25
/**
 * Checks whether the {@code targetRole} is contained in any of the {@code groups} or their parents
 * (if requested)
 * @param groups
 * @param targetRole
 * @param checkParentGroup When {@code true}, also parent group is recursively checked for role
 * @return true if targetRole is in roles (directly or indirectly via composite role)
 */
public static boolean hasRoleFromGroup(Iterable<GroupModel> groups, RoleModel targetRole, boolean checkParentGroup) {
    if (groups == null) {
        return false;
    }

    return StreamSupport.stream(groups.spliterator(), false)
            .anyMatch(group -> hasRoleFromGroup(group, targetRole, checkParentGroup));
}
 
示例26
@Override
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel config) throws ComponentValidationException {
    String groupName = config.getConfig().getFirst(HardcodedLDAPGroupStorageMapper.GROUP);
    if (groupName == null) {
        throw new ComponentValidationException("Group can't be null");
    }
    GroupModel group = KeycloakModelUtils.findGroupByPath(realm, groupName);
    if (group == null) {
        throw new ComponentValidationException("There is no group corresponding to configured value");
    }
}
 
示例27
@Test
public void test07_newUserDefaultGroupsImportModeTest() throws Exception {

    // Check user group memberships
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();

        ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
        LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.IMPORT.toString());
        appRealm.updateComponent(mapperModel);

        UserModel david = session.users().addUser(appRealm, "davidkeycloak");

        GroupModel defaultGroup11 =  KeycloakModelUtils.findGroupByPath(appRealm, "/defaultGroup1/defaultGroup11");
        Assert.assertNotNull(defaultGroup11);

        GroupModel defaultGroup12 =  KeycloakModelUtils.findGroupByPath(appRealm, "/defaultGroup1/defaultGroup12");
        Assert.assertNotNull(defaultGroup12);

        GroupModel group31 = KeycloakModelUtils.findGroupByPath(appRealm, "/group3/group31");
        Assert.assertNotNull(group31);
        GroupModel group32 = KeycloakModelUtils.findGroupByPath(appRealm, "/group3/group32");
        Assert.assertNotNull(group32);
        GroupModel group4 =  KeycloakModelUtils.findGroupByPath(appRealm, "/group4");
        Assert.assertNotNull(group4);

        Set<GroupModel> groups = david.getGroups();
        Assert.assertTrue(groups.contains(defaultGroup11));
        Assert.assertTrue(groups.contains(defaultGroup12));
        Assert.assertFalse(groups.contains(group31));
        Assert.assertFalse(groups.contains(group32));
        Assert.assertFalse(groups.contains(group4));

    });
}
 
示例28
/**
 * Checks whether the {@code targetRole} is contained in the given group or its parents
 * (if requested)
 * @param group Group to check role for
 * @param targetRole
 * @param checkParentGroup When {@code true}, also parent group is recursively checked for role
 * @return true if targetRole is in roles (directly or indirectly via composite role)
 */
public static boolean hasRoleFromGroup(GroupModel group, RoleModel targetRole, boolean checkParentGroup) {
    if (group.hasRole(targetRole))
        return true;

    if (checkParentGroup) {
        GroupModel parent = group.getParent();
        return parent != null && hasRoleFromGroup(parent, targetRole, true);
    }

    return false;
}
 
示例29
@Before
public void before() {
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();

        String descriptionAttrName = LDAPTestUtils.getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());

        // Add group mapper
        LDAPTestUtils.addOrUpdateGroupMapper(appRealm, ctx.getLdapModel(), LDAPGroupMapperMode.LDAP_ONLY, descriptionAttrName);

        // Remove all LDAP groups
        LDAPTestUtils.removeAllLDAPGroups(session, appRealm, ctx.getLdapModel(), "groupsMapper");

        // Add some groups for testing into Keycloak
        removeAllModelGroups(appRealm);

        GroupModel group1 = appRealm.createGroup("group1");
        group1.setSingleAttribute(descriptionAttrName, "group1 - description1");

        GroupModel group11 = appRealm.createGroup("group11", group1);

        GroupModel group12 = appRealm.createGroup("group12", group1);
        group12.setSingleAttribute(descriptionAttrName, "group12 - description12");

        GroupModel group2 = appRealm.createGroup("group2");

    });
}
 
示例30
/**
 *
 * @param groups
 * @param targetGroup
 * @return true if targetGroup is in groups (directly or indirectly via parent child relationship)
 */
public static boolean isMember(Set<GroupModel> groups, GroupModel targetGroup) {
    if (groups.contains(targetGroup)) return true;

    for (GroupModel mapping : groups) {
        GroupModel child = mapping;
        while(child.getParent() != null) {
            if (child.getParent().equals(targetGroup)) return true;
            child = child.getParent();
        }
    }
    return false;
}