Java源码示例:org.keycloak.models.GroupModel
示例1
@Override
public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
LDAPGroupMapperMode mode = config.getMode();
// For now, import LDAP group mappings just during create
if (mode == LDAPGroupMapperMode.IMPORT && isCreate) {
List<LDAPObject> ldapGroups = getLDAPGroupMappings(ldapUser);
// Import role mappings from LDAP into Keycloak DB
for (LDAPObject ldapGroup : ldapGroups) {
GroupModel kcGroup = findKcGroupOrSyncFromLDAP(realm, ldapGroup, user);
if (kcGroup != null) {
logger.debugf("User '%s' joins group '%s' during import from LDAP", user.getUsername(), kcGroup.getName());
user.joinGroup(kcGroup);
}
}
}
}
示例2
@Override
public List<GroupModel> searchForGroupByName(RealmModel realm, String search, Integer first, Integer max) {
TypedQuery<String> query = em.createNamedQuery("getGroupIdsByNameContaining", String.class)
.setParameter("realm", realm.getId())
.setParameter("search", search);
if(Objects.nonNull(first) && Objects.nonNull(max)) {
query= query.setFirstResult(first).setMaxResults(max);
}
List<String> groups = query.getResultList();
if (Objects.isNull(groups)) return Collections.EMPTY_LIST;
List<GroupModel> list = new ArrayList<>();
for (String id : groups) {
GroupModel groupById = session.realms().getGroupById(id, realm);
while(Objects.nonNull(groupById.getParentId())) {
groupById = session.realms().getGroupById(groupById.getParentId(), realm);
}
if(!list.contains(groupById)) {
list.add(groupById);
}
}
list.sort(Comparator.comparing(GroupModel::getName));
return Collections.unmodifiableList(list);
}
示例3
public static Collection<String> resolveAttribute(UserModel user, String name, boolean aggregateAttrs) {
List<String> values = user.getAttribute(name);
Set<String> aggrValues = new HashSet<String>();
if (!values.isEmpty()) {
if (!aggregateAttrs) {
return values;
}
aggrValues.addAll(values);
}
for (GroupModel group : user.getGroups()) {
values = resolveAttribute(group, name);
if (values != null && !values.isEmpty()) {
if (!aggregateAttrs) {
return values;
}
aggrValues.addAll(values);
}
}
return aggrValues;
}
示例4
private static GroupModel findSubGroup(String[] segments, int index, GroupModel parent) {
for (GroupModel group : parent.getSubGroups()) {
String groupName = group.getName();
String[] pathSegments = formatPathSegments(segments, index, groupName);
if (groupName.equals(pathSegments[index])) {
if (pathSegments.length == index + 1) {
return group;
}
else {
if (index + 1 < pathSegments.length) {
GroupModel found = findSubGroup(pathSegments, index + 1, group);
if (found != null) return found;
} else {
return null;
}
}
}
}
return null;
}
示例5
private void syncNonExistingGroup(RealmModel realm, Map.Entry<String, LDAPObject> groupEntry,
SynchronizationResult syncResult, Set<String> visitedGroupIds, String groupName) {
try {
// Create each non-existing group to be synced in its own inner transaction to prevent race condition when
// the group intended to be created was already created via other channel in the meantime
KeycloakModelUtils.runJobInTransaction(ldapProvider.getSession().getKeycloakSessionFactory(), session -> {
RealmModel innerTransactionRealm = session.realms().getRealm(realm.getId());
GroupModel kcGroup = createKcGroup(innerTransactionRealm, groupName, null);
updateAttributesOfKCGroup(kcGroup, groupEntry.getValue());
syncResult.increaseAdded();
visitedGroupIds.add(kcGroup.getId());
});
} catch (ModelException me) {
logger.error(String.format("Failed to sync group %s from LDAP: ", groupName), me);
syncResult.increaseFailed();
}
}
示例6
/**
* Adds the group membership information to the {@link IDToken#otherClaims}.
* @param token
* @param mappingModel
* @param userSession
*/
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
List<String> membership = new LinkedList<>();
boolean fullPath = useFullPath(mappingModel);
for (GroupModel group : userSession.getUser().getGroups()) {
if (fullPath) {
membership.add(ModelToRepresentation.buildGroupPath(group));
} else {
membership.add(group.getName());
}
}
String protocolClaim = mappingModel.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
token.getOtherClaims().put(protocolClaim, membership);
}
示例7
@Override
public GroupModel createGroup(RealmModel realm, String id, String name, GroupModel toParent) {
if (id == null) {
id = KeycloakModelUtils.generateId();
} else if (GroupEntity.TOP_PARENT_ID.equals(id)) {
// maybe it's impossible but better ensure this doesn't happen
throw new ModelException("The ID of the new group is equals to the tag used for top level groups");
}
GroupEntity groupEntity = new GroupEntity();
groupEntity.setId(id);
groupEntity.setName(name);
RealmEntity realmEntity = em.getReference(RealmEntity.class, realm.getId());
groupEntity.setRealm(realmEntity.getId());
groupEntity.setParentId(toParent == null? GroupEntity.TOP_PARENT_ID : toParent.getId());
em.persist(groupEntity);
em.flush();
realmEntity.getGroups().add(groupEntity);
GroupAdapter adapter = new GroupAdapter(realm, em, groupEntity);
return adapter;
}
示例8
@Override
public List<UserModel> getGroupMembers(RealmModel realm, GroupModel kcGroup, int firstResult, int maxResults) {
if (config.getMode() == LDAPGroupMapperMode.IMPORT) {
// only results from Keycloak should be returned, or imported LDAP and KC items will duplicate
return Collections.emptyList();
}
// TODO: with ranged search in AD we can improve the search using the specific range (not done for the moment)
LDAPObject ldapGroup = loadLDAPGroupByName(kcGroup.getName());
if (ldapGroup == null) {
return Collections.emptyList();
}
MembershipType membershipType = config.getMembershipTypeLdapAttribute();
return membershipType.getGroupMembers(realm, this, ldapGroup, firstResult, maxResults);
}
示例9
/**
* Return List of Groups that have the specified role name
*
*
* @param roleName
* @param firstResult
* @param maxResults
* @param briefRepresentation if false, return a full representation of the GroupRepresentation objects
* @return
*/
@Path("{role-name}/groups")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public List<GroupRepresentation> getGroupsInRole(final @PathParam("role-name") String roleName,
@QueryParam("first") Integer firstResult,
@QueryParam("max") Integer maxResults,
@QueryParam("briefRepresentation") @DefaultValue("true") boolean briefRepresentation) {
auth.roles().requireView(roleContainer);
firstResult = firstResult != null ? firstResult : 0;
maxResults = maxResults != null ? maxResults : Constants.DEFAULT_MAX_RESULTS;
RoleModel role = roleContainer.getRole(roleName);
if (role == null) {
throw new NotFoundException("Could not find role");
}
List<GroupModel> groupsModel = session.realms().getGroupsByRole(realm, role, firstResult, maxResults);
return groupsModel.stream()
.map(g -> ModelToRepresentation.toRepresentation(g, !briefRepresentation))
.collect(Collectors.toList());
}
示例10
@Override
public List<UserModel> getGroupMembers(final RealmModel realm, final GroupModel group, int firstResult, int maxResults) {
List<UserModel> results = query((provider, first, max) -> {
if (provider instanceof UserQueryProvider) {
return ((UserQueryProvider)provider).getGroupMembers(realm, group, first, max);
} else if (provider instanceof UserFederatedStorageProvider) {
List<String> ids = ((UserFederatedStorageProvider)provider).getMembership(realm, group, first, max);
List<UserModel> rs = new LinkedList<UserModel>();
for (String id : ids) {
UserModel user = getUserById(id, realm);
if (user != null) rs.add(user);
}
return rs;
}
return Collections.EMPTY_LIST;
}, realm, firstResult, maxResults);
return importValidation(realm, results);
}
示例11
@Override
public Set<GroupModel> getGroups() {
if (updated != null) return updated.getGroups();
Set<GroupModel> groups = new LinkedHashSet<>();
for (String id : cached.getGroups(modelSupplier)) {
GroupModel groupModel = keycloakSession.realms().getGroupById(id, realm);
if (groupModel == null) {
// chance that role was removed, so just delete to persistence and get user invalidated
getDelegateForUpdate();
return updated.getGroups();
}
groups.add(groupModel);
}
return groups;
}
示例12
@Override
public Set<GroupModel> getGroups() {
Set<GroupModel> set = new HashSet<>();
if (appendDefaultGroups()) set.addAll(realm.getDefaultGroups());
set.addAll(getGroupsInternal());
return set;
}
示例13
/**
*
*
* @param user
* @param name
* @return
*/
public static String resolveFirstAttribute(UserModel user, String name) {
String value = user.getFirstAttribute(name);
if (value != null) return value;
for (GroupModel group : user.getGroups()) {
value = resolveFirstAttribute(group, name);
if (value != null) return value;
}
return null;
}
示例14
@Override
public void removeChild(GroupModel subGroup) {
if (subGroup.getId().equals(getId())) {
return;
}
subGroup.setParent(null);
}
示例15
public static void createGroups(UserRepresentation userRep, RealmModel newRealm, UserModel user) {
if (userRep.getGroups() != null) {
for (String path : userRep.getGroups()) {
GroupModel group = KeycloakModelUtils.findGroupByPath(newRealm, path);
if (group == null) {
throw new RuntimeException("Unable to find group specified by path: " + path);
}
user.joinGroup(group);
}
}
}
示例16
/**
* Provides a list of all KC sub groups from given parent group or from groups path.
*/
protected Collection<GroupModel> getKcSubGroups(RealmModel realm, GroupModel parentGroup) {
// If no parent group given then use groups path
if (parentGroup == null) {
parentGroup = getKcGroupsPathGroup(realm);
}
return parentGroup == null ? realm.getTopLevelGroups() : parentGroup.getSubGroups();
}
示例17
private boolean hasPermission(GroupModel group, EvaluationContext context, String... scopes) {
ResourceServer server = root.realmResourceServer();
if (server == null) {
return false;
}
Resource resource = resourceStore.findByName(getGroupResourceName(group), server.getId());
if (resource == null) {
return false;
}
return hasPermission(resource, context, scopes);
}
示例18
@Override
public void preRemove(RealmModel realm, GroupModel group) {
localStorage().preRemove(realm, group);
if (getFederatedStorage() != null) {
getFederatedStorage().preRemove(realm, group);
for (UserStorageProvider provider : getEnabledStorageProviders(session, realm, UserStorageProvider.class)) {
provider.preRemove(realm, group);
}
}
}
示例19
@Override
public List<GroupModel> getTopLevelGroups(RealmModel realm) {
RealmEntity ref = em.getReference(RealmEntity.class, realm.getId());
return ref.getGroups().stream()
.filter(g -> GroupEntity.TOP_PARENT_ID.equals(g.getParentId()))
.map(g -> session.realms().getGroupById(g.getId(), realm))
.sorted(Comparator.comparing(GroupModel::getName))
.collect(Collectors.collectingAndThen(
Collectors.toList(), Collections::unmodifiableList));
}
示例20
@Override
public boolean isMemberOf(GroupModel group) {
if (groupIds == null) return false;
if (groupIds.contains(group.getId())) return true;
Set<GroupModel> groups = getGroups();
return RoleUtils.isMember(groups, group);
}
示例21
@Override
public void joinGroup(GroupModel group) {
if (!isMemberOf(group)) {
delegate.joinGroup(group);
}
}
示例22
public static void setupDeleteTest(KeycloakSession session ) {
RealmModel realm = session.realms().getRealmByName(TEST);
RoleModel removedRole = realm.addRole("removedRole");
ClientModel client = realm.addClient("removedClient");
RoleModel removedClientRole = client.addRole("removedClientRole");
GroupModel removedGroup = realm.createGroup("removedGroup");
AdminPermissionManagement management = AdminPermissions.management(session, realm);
management.roles().setPermissionsEnabled(removedRole, true);
management.roles().setPermissionsEnabled(removedClientRole, true);
management.groups().setPermissionsEnabled(removedGroup, true);
management.clients().setPermissionsEnabled(client, true);
management.users().setPermissionsEnabled(true);
}
示例23
@Override
public void setParent(GroupModel parent) {
if (parent == null) {
group.setParentId(GroupEntity.TOP_PARENT_ID);
} else if (!parent.getId().equals(getId())) {
GroupEntity parentEntity = toEntity(parent, em);
group.setParentId(parentEntity.getId());
}
}
示例24
/**
* create or add a top level realm groupSet or create child. This will update the group and set the parent if it exists. Create it and set the parent
* if the group doesn't exist.
*
* @param rep
*/
@POST
@Consumes(MediaType.APPLICATION_JSON)
public Response addTopLevelGroup(GroupRepresentation rep) {
auth.groups().requireManage();
GroupModel child;
Response.ResponseBuilder builder = Response.status(204);
try {
if (rep.getId() != null) {
child = realm.getGroupById(rep.getId());
if (child == null) {
throw new NotFoundException("Could not find child by id");
}
realm.moveGroup(child, null);
adminEvent.operation(OperationType.UPDATE).resourcePath(session.getContext().getUri());
} else {
child = realm.createGroup(rep.getName());
GroupResource.updateGroup(rep, child);
URI uri = session.getContext().getUri().getAbsolutePathBuilder()
.path(child.getId()).build();
builder.status(201).location(uri);
rep.setId(child.getId());
adminEvent.operation(OperationType.CREATE).resourcePath(session.getContext().getUri(), child.getId());
}
} catch (ModelDuplicateException mde) {
return ErrorResponse.exists("Top level group named '" + rep.getName() + "' already exists.");
}
adminEvent.representation(rep).success();
return builder.build();
}
示例25
/**
* Checks whether the {@code targetRole} is contained in any of the {@code groups} or their parents
* (if requested)
* @param groups
* @param targetRole
* @param checkParentGroup When {@code true}, also parent group is recursively checked for role
* @return true if targetRole is in roles (directly or indirectly via composite role)
*/
public static boolean hasRoleFromGroup(Iterable<GroupModel> groups, RoleModel targetRole, boolean checkParentGroup) {
if (groups == null) {
return false;
}
return StreamSupport.stream(groups.spliterator(), false)
.anyMatch(group -> hasRoleFromGroup(group, targetRole, checkParentGroup));
}
示例26
@Override
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel config) throws ComponentValidationException {
String groupName = config.getConfig().getFirst(HardcodedLDAPGroupStorageMapper.GROUP);
if (groupName == null) {
throw new ComponentValidationException("Group can't be null");
}
GroupModel group = KeycloakModelUtils.findGroupByPath(realm, groupName);
if (group == null) {
throw new ComponentValidationException("There is no group corresponding to configured value");
}
}
示例27
@Test
public void test07_newUserDefaultGroupsImportModeTest() throws Exception {
// Check user group memberships
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel appRealm = ctx.getRealm();
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.IMPORT.toString());
appRealm.updateComponent(mapperModel);
UserModel david = session.users().addUser(appRealm, "davidkeycloak");
GroupModel defaultGroup11 = KeycloakModelUtils.findGroupByPath(appRealm, "/defaultGroup1/defaultGroup11");
Assert.assertNotNull(defaultGroup11);
GroupModel defaultGroup12 = KeycloakModelUtils.findGroupByPath(appRealm, "/defaultGroup1/defaultGroup12");
Assert.assertNotNull(defaultGroup12);
GroupModel group31 = KeycloakModelUtils.findGroupByPath(appRealm, "/group3/group31");
Assert.assertNotNull(group31);
GroupModel group32 = KeycloakModelUtils.findGroupByPath(appRealm, "/group3/group32");
Assert.assertNotNull(group32);
GroupModel group4 = KeycloakModelUtils.findGroupByPath(appRealm, "/group4");
Assert.assertNotNull(group4);
Set<GroupModel> groups = david.getGroups();
Assert.assertTrue(groups.contains(defaultGroup11));
Assert.assertTrue(groups.contains(defaultGroup12));
Assert.assertFalse(groups.contains(group31));
Assert.assertFalse(groups.contains(group32));
Assert.assertFalse(groups.contains(group4));
});
}
示例28
/**
* Checks whether the {@code targetRole} is contained in the given group or its parents
* (if requested)
* @param group Group to check role for
* @param targetRole
* @param checkParentGroup When {@code true}, also parent group is recursively checked for role
* @return true if targetRole is in roles (directly or indirectly via composite role)
*/
public static boolean hasRoleFromGroup(GroupModel group, RoleModel targetRole, boolean checkParentGroup) {
if (group.hasRole(targetRole))
return true;
if (checkParentGroup) {
GroupModel parent = group.getParent();
return parent != null && hasRoleFromGroup(parent, targetRole, true);
}
return false;
}
示例29
@Before
public void before() {
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel appRealm = ctx.getRealm();
String descriptionAttrName = LDAPTestUtils.getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());
// Add group mapper
LDAPTestUtils.addOrUpdateGroupMapper(appRealm, ctx.getLdapModel(), LDAPGroupMapperMode.LDAP_ONLY, descriptionAttrName);
// Remove all LDAP groups
LDAPTestUtils.removeAllLDAPGroups(session, appRealm, ctx.getLdapModel(), "groupsMapper");
// Add some groups for testing into Keycloak
removeAllModelGroups(appRealm);
GroupModel group1 = appRealm.createGroup("group1");
group1.setSingleAttribute(descriptionAttrName, "group1 - description1");
GroupModel group11 = appRealm.createGroup("group11", group1);
GroupModel group12 = appRealm.createGroup("group12", group1);
group12.setSingleAttribute(descriptionAttrName, "group12 - description12");
GroupModel group2 = appRealm.createGroup("group2");
});
}
示例30
/**
*
* @param groups
* @param targetGroup
* @return true if targetGroup is in groups (directly or indirectly via parent child relationship)
*/
public static boolean isMember(Set<GroupModel> groups, GroupModel targetGroup) {
if (groups.contains(targetGroup)) return true;
for (GroupModel mapping : groups) {
GroupModel child = mapping;
while(child.getParent() != null) {
if (child.getParent().equals(targetGroup)) return true;
child = child.getParent();
}
}
return false;
}