MigrateTo8_0_2.java

/*
 * Copyright 2019 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

package org.keycloak.migration.migrators;

import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;

import org.jboss.logging.Logger;
import org.keycloak.migration.ModelVersion;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.RealmRepresentation;

import static org.keycloak.models.AuthenticationExecutionModel.Requirement.*;

/**
 * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
 */
public class MigrateTo8_0_2 implements Migration {

    public static final ModelVersion VERSION = new ModelVersion("8.0.2");

    private static final Logger LOG = Logger.getLogger(MigrateTo8_0_2.class);

    @Override
    public ModelVersion getVersion() {
        return VERSION;
    }

    @Override
    public void migrate(KeycloakSession session) {
        session.realms().getRealmsStream().forEach(this::migrateAuthenticationFlowsWithAlternativeRequirements);
    }

    @Override
    public void migrateImport(KeycloakSession session, RealmModel realm, RealmRepresentation rep, boolean skipUserDependent) {
        migrateAuthenticationFlowsWithAlternativeRequirements(realm);
    }


    protected void migrateAuthenticationFlowsWithAlternativeRequirements(RealmModel realm) {
        for (AuthenticationFlowModel flow : realm.getAuthenticationFlowsStream().collect(Collectors.toList())) {
            List<AuthenticationExecutionModel> executions = realm.getAuthenticationExecutionsStream(flow.getId())
                    .collect(Collectors.toList());

            Set<AuthenticationExecutionModel.Requirement> requirements = executions.stream()
                    .map(AuthenticationExecutionModel::getRequirement)
                    .collect(Collectors.toSet());

            // This flow contains some REQUIRED and ALTERNATIVE at the same level. We will migrate ALTERNATIVES to separate subflows
            // to try to preserve same behaviour as in previous versions
            if (requirements.contains(REQUIRED) || requirements.contains(CONDITIONAL) && requirements.contains(ALTERNATIVE)) {

                // Suffix used just to avoid name conflicts
                AtomicInteger suffix = new AtomicInteger(0);
                LinkedList<AuthenticationExecutionModel> alternativesToMigrate = new LinkedList<>();
                for (AuthenticationExecutionModel execution: executions) {
                    if (AuthenticationExecutionModel.Requirement.ALTERNATIVE.equals(execution.getRequirement())) {
                        alternativesToMigrate.add(execution);
                    }

                    // If we have some REQUIRED then ALTERNATIVE and then REQUIRED/CONDITIONAL, we migrate the alternatives to the new subflow.
                    if (REQUIRED.equals(execution.getRequirement()) ||
                            CONDITIONAL.equals(execution.getRequirement())) {
                        if (!alternativesToMigrate.isEmpty()) {
                            migrateAlternatives(realm, flow, alternativesToMigrate, suffix.get());
                            suffix.addAndGet(1);
                            alternativesToMigrate.clear();
                        }
                    }
                }

                if (!alternativesToMigrate.isEmpty()) {
                    migrateAlternatives(realm, flow, alternativesToMigrate, suffix.get());
                }
            }
        }
    }


    private void migrateAlternatives(RealmModel realm, AuthenticationFlowModel parentFlow,
                                     LinkedList<AuthenticationExecutionModel> alternativesToMigrate, int suffix) {
        LOG.debugf("Migrating %d ALTERNATIVE executions in the flow '%s' of realm '%s' to separate subflow", alternativesToMigrate.size(),
                parentFlow.getAlias(), realm.getName());

        AuthenticationFlowModel newFlow = new AuthenticationFlowModel();
        newFlow.setTopLevel(false);
        newFlow.setBuiltIn(parentFlow.isBuiltIn());
        newFlow.setAlias(parentFlow.getAlias() + " - Alternatives - " + suffix);
        newFlow.setDescription("Subflow of " + parentFlow.getAlias() + " with alternative executions");
        newFlow.setProviderId("basic-flow");
        newFlow = realm.addAuthenticationFlow(newFlow);

        AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
        execution.setParentFlow(parentFlow.getId());
        execution.setRequirement(REQUIRED);
        execution.setFlowId(newFlow.getId());
        // Use same priority as the first ALTERNATIVE as new execution will defacto replace it in the parent flow
        execution.setPriority(alternativesToMigrate.getFirst().getPriority());
        execution.setAuthenticatorFlow(true);
        realm.addAuthenticatorExecution(execution);

        int priority = 0;
        for (AuthenticationExecutionModel ex : alternativesToMigrate) {
            priority += 10;
            ex.setParentFlow(newFlow.getId());
            ex.setPriority(priority);
            realm.updateAuthenticatorExecution(ex);
        }
    }

}