CredentialDeleteHelper.java

/*
 * Copyright 2024 Red Hat, Inc. and/or its affiliates
 *  and other contributors as indicated by the @author tags.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 */

package org.keycloak.authentication.requiredactions.util;

import java.util.Map;
import java.util.function.Supplier;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.NotFoundException;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticatorUtil;
import org.keycloak.authentication.authenticators.util.LoAUtil;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.CredentialTypeMetadata;
import org.keycloak.credential.CredentialTypeMetadataContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

import static org.keycloak.models.Constants.NO_LOA;

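/**
 * Helper for removing a user's credential with the validation Keycloak requires before the removal is allowed:
 * the credential type must be served by a known {@link CredentialProvider}, its {@link CredentialTypeMetadata} must
 * mark it as removeable, and - when step-up authentication maps the credential type to a level of authentication
 * (LoA) in the realm's browser flow - the caller must already be authenticated at that level.
 *
 * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
 */
public class CredentialDeleteHelper {

    private static final Logger logger = Logger.getLogger(CredentialDeleteHelper.class);

    /**
     * Suffix of the placeholder IDs the account REST GET endpoint returns for federated credentials (for example
     * {@code otp-id}); see {@code CredentialHelper.createUserStorageCredentialRepresentation}.
     */
    private static final String FEDERATED_PLACEHOLDER_ID_SUFFIX = "-id";

    /**
     * Removes the credential with the given ID from the specified user after validating that it may be removed.
     * When step-up authentication is enabled, the caller must have authenticated with at least the level of
     * authentication associated with the credential's type; for instance removing a 2nd-factor credential requires
     * authentication with the 2nd factor as well.
     *
     * @param session current session
     * @param user owner of the credential
     * @param credentialId ID of the stored credential, or a legacy {@code <type>-id} placeholder of a federated credential
     * @param currentLoAProvider supplier of the currently authenticated level. Can be retrieved for instance from the
     *                           session or from the token. A {@code null} result is treated as no level being asserted.
     * @return the removed credential, or {@code null} when the ID was a legacy placeholder of a federated credential
     *         (the credential type is disabled for the user in that case)
     * @throws NotFoundException if neither a stored credential nor a federated placeholder matches {@code credentialId},
     *                           or no provider serves the credential type
     * @throws BadRequestException if the credential type is not removeable
     * @throws ForbiddenException if the current level of authentication is lower than the level required for the type
     */
    public static CredentialModel removeCredential(KeycloakSession session, UserModel user, String credentialId, Supplier<Integer> currentLoAProvider) {
        CredentialModel credential = user.credentialManager().getStoredCredentialById(credentialId);
        if (credential != null) {
            checkIfCanBeRemoved(session, user, credential.getType(), currentLoAProvider);
            user.credentialManager().removeStoredCredentialById(credentialId);
            return credential;
        }

        // Backwards compatibility with account console 1 - when the stored credential is not found, it may be a federated
        // credential whose ID is a "<type>-id" placeholder returned by the account REST GET endpoint.
        if (!credentialId.endsWith(FEDERATED_PLACEHOLDER_ID_SUFFIX)) {
            throw new NotFoundException("Credential not found");
        }
        String credentialType = credentialId.substring(0, credentialId.length() - FEDERATED_PLACEHOLDER_ID_SUFFIX.length());
        // The type derived from the placeholder goes through the same removeability and LoA checks as a stored
        // credential, so the placeholder form cannot be used to skip them.
        checkIfCanBeRemoved(session, user, credentialType, currentLoAProvider);
        user.credentialManager().disableCredentialType(credentialType);
        return null;
    }

    /**
     * Validates that a credential of the given type may be removed for the user: a provider for the type must exist,
     * the type's metadata must be removeable, and the current level of authentication must be sufficient.
     *
     * @throws NotFoundException if no credential provider serves {@code credentialType}
     * @throws BadRequestException if the type's metadata reports it is not removeable
     * @throws ForbiddenException if the current level of authentication is insufficient
     */
    private static void checkIfCanBeRemoved(KeycloakSession session, UserModel user, String credentialType, Supplier<Integer> currentLoAProvider) {
        CredentialProvider credentialProvider = AuthenticatorUtil.getCredentialProviders(session)
                .filter(provider -> credentialType.equals(provider.getType()))
                .findAny()
                .orElse(null);
        if (credentialProvider == null) {
            logger.warnf("Credential provider %s not found", credentialType);
            throw new NotFoundException("Credential provider not found");
        }

        CredentialTypeMetadataContext ctx = CredentialTypeMetadataContext.builder().user(user).build(session);
        CredentialTypeMetadata metadata = credentialProvider.getCredentialTypeMetadata(ctx);
        if (!metadata.isRemoveable()) {
            logger.warnf("Credential type %s cannot be removed", credentialType);
            throw new BadRequestException("Credential type cannot be removed");
        }

        // Check if the current authentication has permission to remove the credential in case step-up authentication was used
        checkAuthenticatedLoASufficientForCredentialRemove(session, credentialType, currentLoAProvider);
    }

    /**
     * Compares the currently authenticated level with the level the realm's browser flow associates with the
     * credential type.
     *
     * @throws ForbiddenException if the current level is lower than the level required for {@code credentialType}
     */
    private static void checkAuthenticatedLoASufficientForCredentialRemove(KeycloakSession session, String credentialType, Supplier<Integer> currentLoAProvider) {
        RealmModel realm = session.getContext().getRealm();
        int requestedLoaForCredentialRemove = getRequestedLoaForCredential(session, realm, credentialType);

        // A supplier that cannot determine the level (null) is mapped to NO_LOA - the same default used for credential
        // types with no configured level - so the comparison below fails closed instead of throwing a
        // NullPointerException on unboxing.
        Integer currentLevel = currentLoAProvider.get();
        int currentAuthenticatedLevel = currentLevel == null ? NO_LOA : currentLevel;
        if (currentAuthenticatedLevel < requestedLoaForCredentialRemove) {
            throw new ForbiddenException("Insufficient level of authentication for removing credential of type '" + credentialType + "'.");
        }
    }

    /**
     * Looks up the level of authentication the realm's browser flow requires for the credential type.
     *
     * @return the configured level, or {@code NO_LOA} when the type has no level in the flow
     */
    private static int getRequestedLoaForCredential(KeycloakSession session, RealmModel realm, String credentialType) {
        Map<String, Integer> credentialTypesToLoa = LoAUtil.getCredentialTypesToLoAMap(session, realm, realm.getBrowserFlow());
        return credentialTypesToLoa.getOrDefault(credentialType, NO_LOA);
    }
}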