MigrateTo9_0_0.java

/*
 * Copyright 2019 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.keycloak.migration.migrators;

import org.jboss.logging.Logger;
import org.keycloak.migration.ModelVersion;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.DefaultRequiredActions;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.RealmRepresentation;


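/**
 * Migration step to the 9.0.0 data model.
 * <p>
 * For every realm it (1) creates the public {@code account-console} client if it does not exist,
 * (2) adds the {@code view-applications}, {@code view-consent} and {@code manage-consent} roles to
 * the {@code account} client, (3) pins the PKCE code-challenge method to {@code S256} on the two
 * public browser clients ({@code security-admin-console} and {@code account-console}) and
 * (4) registers the "update locale" required action.
 * <p>
 * The same steps run during a server upgrade ({@link #migrate}) and whenever an older realm
 * representation is imported ({@link #migrateImport}), so each step is written to be safe to
 * re-run against a realm that already contains some or all of these objects: existing clients and
 * roles are left as they are instead of being recreated, and a missing {@code account} client is
 * reported rather than dereferenced.
 *
 * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
 */
public class MigrateTo9_0_0 implements Migration {

    public static final ModelVersion VERSION = new ModelVersion("9.0.0");

    private static final Logger LOG = Logger.getLogger(MigrateTo9_0_0.class);

    /** Client attribute that selects the PKCE code-challenge method for a client. */
    private static final String PKCE_CODE_CHALLENGE_METHOD_ATTR = "pkce.code.challenge.method";

    /** PKCE challenge method to pin on the public console clients (SHA-256, never {@code plain}). */
    private static final String PKCE_S256 = "S256";

    /**
     * @return the model version this migration upgrades to ({@code 9.0.0})
     */
    @Override
    public ModelVersion getVersion() {
        return VERSION;
    }

    /**
     * Server-upgrade entry point: applies the realm migration to every realm in the store.
     *
     * @param session the current session; realms are looked up through {@code session.realms()}
     */
    @Override
    public void migrate(KeycloakSession session) {
        session.realms().getRealmsStream().forEach(this::migrateRealmCommon);
    }

    /**
     * Import entry point: applies the realm migration to a realm that was just created from an
     * older representation. The representation and the {@code skipUserDependent} flag are not
     * consulted because none of the steps depend on user data.
     *
     * @param session           the current session (unused)
     * @param realm             the freshly imported realm
     * @param rep               the representation the realm was imported from (unused)
     * @param skipUserDependent whether user-dependent migration is to be skipped (unused)
     */
    @Override
    public void migrateImport(KeycloakSession session, RealmModel realm, RealmRepresentation rep, boolean skipUserDependent) {
        migrateRealmCommon(realm);
    }

    /**
     * Applies all 9.0.0 changes to one realm. The order matters: the account console client has to
     * exist before {@link #enablePkceAdminAccountClients} looks it up by client id.
     *
     * @param realm the realm to migrate
     */
    protected void migrateRealmCommon(RealmModel realm) {
        addAccountConsoleClient(realm);
        addAccountApiRoles(realm);
        enablePkceAdminAccountClients(realm);
        DefaultRequiredActions.addUpdateLocaleAction(realm);
    }

    /**
     * Adds the account REST API roles ({@code view-applications}, {@code view-consent},
     * {@code manage-consent}) to the {@code account} client and makes {@code manage-consent} a
     * composite that contains {@code view-consent}.
     * <p>
     * Roles that already exist are reused rather than added again, so an import of a realm that
     * already carries these roles does not fail or duplicate them.
     *
     * @param realm the realm whose {@code account} client receives the roles
     */
    private void addAccountApiRoles(RealmModel realm) {
        ClientModel accountClient = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        if (accountClient == null) {
            // Nothing to attach the roles to. Warn instead of failing with an NPE; the account
            // console will lack the fine-grained roles until the client is restored.
            LOG.warnf("Client '%s' not found in realm '%s'; skipping creation of the account API roles.",
                    Constants.ACCOUNT_MANAGEMENT_CLIENT_ID, realm.getName());
            return;
        }

        ensureClientRole(accountClient, AccountRoles.VIEW_APPLICATIONS);
        RoleModel viewConsentRole = ensureClientRole(accountClient, AccountRoles.VIEW_CONSENT);
        RoleModel manageConsentRole = ensureClientRole(accountClient, AccountRoles.MANAGE_CONSENT);

        // manage-consent implies view-consent. Applied unconditionally so a pre-existing
        // manage-consent role still gains the composite; the model layer is presumably
        // responsible for not recording the same composite twice (confirm for the store in use).
        manageConsentRole.addCompositeRole(viewConsentRole);
        LOG.debugf("Added the %s role as a composite role to %s", AccountRoles.VIEW_CONSENT, AccountRoles.MANAGE_CONSENT);
    }

    /**
     * Returns the client role with the given name, creating it if it is missing. A newly created
     * role gets the {@code ${role_<name>}} description, a message-bundle key in the same style as
     * the {@code ${client_<id>}} client names used elsewhere in this migration.
     *
     * @param client   the client that owns the role
     * @param roleName the role name
     * @return the existing or newly created role, never {@code null}
     */
    private RoleModel ensureClientRole(ClientModel client, String roleName) {
        RoleModel existing = client.getRole(roleName);
        if (existing != null) {
            LOG.debugf("Role %s already exists on the '%s' client; leaving it unchanged.", roleName, client.getClientId());
            return existing;
        }
        RoleModel role = client.addRole(roleName);
        role.setDescription("${role_" + roleName + "}");
        LOG.debugf("Added the role %s to the '%s' client.", roleName, client.getClientId());
        return role;
    }

    /**
     * Creates the public {@code account-console} client used by the new account UI, unless a
     * client with that id already exists (in which case it is left untouched, whatever its
     * configuration).
     * <p>
     * The client is deliberately narrow: full-scope is off so only the explicitly mapped
     * {@code manage-account} role reaches its tokens, direct access grants are off so the public
     * client id cannot be used to trade credentials for tokens outside the browser flow, and the
     * redirect wildcard is confined to the realm's own {@code /account/} path.
     *
     * @param realm the realm in which to create the client
     */
    protected void addAccountConsoleClient(RealmModel realm) {
        if (realm.getClientByClientId(Constants.ACCOUNT_CONSOLE_CLIENT_ID) != null) {
            return;
        }

        ClientModel client = KeycloakModelUtils.createPublicClient(realm, Constants.ACCOUNT_CONSOLE_CLIENT_ID);
        client.setName("${client_" + Constants.ACCOUNT_CONSOLE_CLIENT_ID + "}");
        client.setEnabled(true);
        // Least privilege for a public browser client: no implicit role propagation and no
        // resource-owner-password grant.
        client.setFullScopeAllowed(false);
        client.setDirectAccessGrantsEnabled(false);

        // URLs are relative to the auth-server base URL property; the wildcard stays under
        // this realm's account path, so it cannot match another realm or host.
        client.setRootUrl(Constants.AUTH_BASE_URL_PROP);
        String baseUrl = "/realms/" + realm.getName() + "/account/";
        client.setBaseUrl(baseUrl);
        client.addRedirectUri(baseUrl + "*");

        client.setProtocol("openid-connect");

        // The console only needs manage-account on the account REST client. If that role (or the
        // client) is missing, the console is created with no scope mapping at all rather than
        // failing half-way; with full-scope disabled that is the fail-safe outcome.
        ClientModel accountClient = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        RoleModel manageAccount = accountClient == null ? null : accountClient.getRole(AccountRoles.MANAGE_ACCOUNT);
        if (manageAccount != null) {
            client.addScopeMapping(manageAccount);
        } else {
            LOG.warnf("Role %s of client '%s' not found in realm '%s'; client '%s' created without a scope mapping.",
                    AccountRoles.MANAGE_ACCOUNT, Constants.ACCOUNT_MANAGEMENT_CLIENT_ID, realm.getName(),
                    Constants.ACCOUNT_CONSOLE_CLIENT_ID);
        }

        // Resolve the token audience from the scope mappings instead of hard-coding it.
        ProtocolMapperModel audienceMapper = new ProtocolMapperModel();
        audienceMapper.setName("audience resolve");
        audienceMapper.setProtocol("openid-connect");
        audienceMapper.setProtocolMapper("oidc-audience-resolve-mapper");
        client.addProtocolMapper(audienceMapper);
    }

    /**
     * Pins the PKCE code-challenge method to {@code S256} on the admin console and account console
     * clients. Both are public clients running in the browser, so PKCE is what binds the
     * authorization code to the party that started the flow. Setting this attribute presumably
     * makes the authorization endpoint require a matching {@code code_challenge} from the client
     * (confirm against the endpoint's PKCE checks). Clients that do not exist are skipped.
     *
     * @param realm the realm whose console clients are updated
     */
    private void enablePkceAdminAccountClients(RealmModel realm) {
        requirePkceS256(realm, Constants.ADMIN_CONSOLE_CLIENT_ID);
        requirePkceS256(realm, Constants.ACCOUNT_CONSOLE_CLIENT_ID);
    }

    /**
     * Sets the {@code S256} PKCE challenge method on one client, if the client exists.
     *
     * @param realm    the realm to look the client up in
     * @param clientId the client id to update
     */
    private void requirePkceS256(RealmModel realm, String clientId) {
        ClientModel client = realm.getClientByClientId(clientId);
        if (client == null) {
            LOG.debugf("Client '%s' not found in realm '%s'; not setting PKCE method.", clientId, realm.getName());
            return;
        }
        client.setAttribute(PKCE_CODE_CHALLENGE_METHOD_ATTR, PKCE_S256);
        LOG.debugf("Set PKCE code challenge method %s on client '%s'.", PKCE_S256, clientId);
    }

}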