UserAdapter.java
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.models.cache.infinispan;
import org.keycloak.common.util.CollectionUtil;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.GroupModel.Type;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.SubjectCredentialManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.infinispan.entities.CachedUser;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RoleUtils;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class UserAdapter implements CachedUserModel {
private final Supplier<UserModel> modelSupplier;
protected final CachedUser cached;
protected final UserCacheSession userProviderCache;
protected final KeycloakSession keycloakSession;
protected final RealmModel realm;
protected volatile UserModel updated;
public UserAdapter(CachedUser cached, UserCacheSession userProvider, KeycloakSession keycloakSession, RealmModel realm) {
this.cached = cached;
this.userProviderCache = userProvider;
this.keycloakSession = keycloakSession;
this.realm = realm;
this.modelSupplier = this::getUserModel;
}
@Override
public String getFirstName() {
if (updated != null) return updated.getFirstName();
return getFirstAttribute(FIRST_NAME);
}
@Override
public void setFirstName(String firstName) {
setSingleAttribute(FIRST_NAME, firstName);
}
@Override
public String getLastName() {
if (updated != null) return updated.getLastName();
return getFirstAttribute(LAST_NAME);
}
@Override
public void setLastName(String lastName) {
setSingleAttribute(LAST_NAME, lastName);
}
@Override
public String getEmail() {
if (updated != null) return updated.getEmail();
return getFirstAttribute(EMAIL);
}
@Override
public void setEmail(String email) {
email = email == null ? null : email.toLowerCase();
setSingleAttribute(EMAIL, email);
}
@Override
public UserModel getDelegateForUpdate() {
if (updated == null) {
userProviderCache.registerUserInvalidation(cached);
updated = modelSupplier.get();
if (updated == null) throw new IllegalStateException("Not found in database");
}
return updated;
}
@Override
public boolean isMarkedForEviction() {
return updated != null;
}
@Override
public void invalidate() {
try {
getDelegateForUpdate();
} catch (IllegalStateException ex) { // Not found in database, thus "invalidated" in the underlying model by definition
// ignore
}
}
@Override
public long getCacheTimestamp() {
return cached.getCacheTimestamp();
}
@Override
public ConcurrentHashMap getCachedWith() {
return cached.getCachedWith();
}
@Override
public String getId() {
if (updated != null) return updated.getId();
return cached.getId();
}
@Override
public String getUsername() {
if (updated != null) return updated.getUsername();
return getFirstAttribute(UserModel.USERNAME);
}
@Override
public void setUsername(String username) {
username = username==null ? null : username.toLowerCase();
setSingleAttribute(UserModel.USERNAME, username);
}
@Override
public Long getCreatedTimestamp() {
// get from cached always as it is immutable
return cached.getCreatedTimestamp();
}
@Override
public void setCreatedTimestamp(Long timestamp) {
// nothing to do as this value is immutable
}
@Override
public boolean isEnabled() {
if (updated != null) return updated.isEnabled();
return cached.isEnabled();
}
@Override
public void setEnabled(boolean enabled) {
getDelegateForUpdate();
updated.setEnabled(enabled);
}
@Override
public void setSingleAttribute(String name, String value) {
if (UserModel.USERNAME.equals(name) || UserModel.EMAIL.equals(name)) {
value = KeycloakModelUtils.toLowerCaseSafe(value);
}
if (updated == null) {
Set<String> oldEntries = getAttributeStream(name).collect(Collectors.toSet());
Set<String> newEntries = value != null ? Set.of(value) : Collections.emptySet();
if (CollectionUtil.collectionEquals(oldEntries, newEntries)) {
return;
}
}
getDelegateForUpdate();
updated.setSingleAttribute(name, value);
}
@Override
public void setAttribute(String name, List<String> values) {
if (UserModel.USERNAME.equals(name) || UserModel.EMAIL.equals(name)) {
String lowerCasedFirstValue = KeycloakModelUtils.toLowerCaseSafe((values != null && values.size() > 0) ? values.get(0) : null);
if (lowerCasedFirstValue != null) values = Collections.singletonList(lowerCasedFirstValue);
}
if (updated == null) {
Set<String> oldEntries = getAttributeStream(name).collect(Collectors.toSet());
Set<String> newEntries;
if (values == null) {
newEntries = new HashSet<>();
} else {
newEntries = new HashSet<>(values);
}
if (CollectionUtil.collectionEquals(oldEntries, newEntries)) {
return;
}
}
getDelegateForUpdate();
updated.setAttribute(name, values);
}
@Override
public void removeAttribute(String name) {
if (getFirstAttribute(name) != null) {
getDelegateForUpdate();
updated.removeAttribute(name);
}
}
@Override
public String getFirstAttribute(String name) {
if (updated != null) return updated.getFirstAttribute(name);
return cached.getFirstAttribute(name, modelSupplier);
}
@Override
public Stream<String> getAttributeStream(String name) {
if (updated != null) return updated.getAttributeStream(name);
List<String> result = cached.getAttributes(modelSupplier).get(name);
return (result == null) ? Stream.empty() : result.stream();
}
@Override
public Map<String, List<String>> getAttributes() {
if (updated != null) return updated.getAttributes();
return cached.getAttributes(modelSupplier);
}
@Override
public Stream<String> getRequiredActionsStream() {
if (updated != null) return updated.getRequiredActionsStream();
return cached.getRequiredActions(modelSupplier).stream();
}
@Override
public void addRequiredAction(RequiredAction action) {
getDelegateForUpdate();
updated.addRequiredAction(action);
}
@Override
public void removeRequiredAction(RequiredAction action) {
if (getRequiredActionsStream().anyMatch(s -> Objects.equals(s, action.name()))) {
getDelegateForUpdate();
updated.removeRequiredAction(action);
}
}
@Override
public void addRequiredAction(String action) {
getDelegateForUpdate();
updated.addRequiredAction(action);
}
@Override
public void removeRequiredAction(String action) {
if (getRequiredActionsStream().anyMatch(s -> Objects.equals(s, action))) {
getDelegateForUpdate();
updated.removeRequiredAction(action);
}
}
@Override
public boolean isEmailVerified() {
if (updated != null) return updated.isEmailVerified();
return cached.isEmailVerified();
}
@Override
public void setEmailVerified(boolean verified) {
getDelegateForUpdate();
updated.setEmailVerified(verified);
}
@Override
public String getFederationLink() {
if (updated != null) return updated.getFederationLink();
return cached.getFederationLink();
}
@Override
public void setFederationLink(String link) {
getDelegateForUpdate();
updated.setFederationLink(link);
}
@Override
public String getServiceAccountClientLink() {
if (updated != null) return updated.getServiceAccountClientLink();
return cached.getServiceAccountClientLink();
}
@Override
public void setServiceAccountClientLink(String clientInternalId) {
getDelegateForUpdate();
updated.setServiceAccountClientLink(clientInternalId);
}
@Override
public SubjectCredentialManager credentialManager() {
// Instantiate a new LegacyUserCredentialManager that points to the instance that is wrapped by the cache
// this way it the cache will know if any of the credentials are modified during validation of CredentialInputs.
// This assumes that each implementation in the legacy world implements the LegacyUserCredentialManager and not something else.
return new SubjectCredentialManagerCacheAdapter(keycloakSession, realm, this) {
@Override
public CredentialModel getStoredCredentialById(String id) {
if (updated == null) {
return cached.getStoredCredentials(modelSupplier).stream().filter(credential ->
Objects.equals(id, credential.getId()))
.findFirst().orElse(null);
}
return super.getStoredCredentialById(id);
}
@Override
public Stream<CredentialModel> getStoredCredentialsStream() {
if (updated == null) {
return cached.getStoredCredentials(modelSupplier).stream();
}
return super.getStoredCredentialsStream();
}
@Override
public Stream<CredentialModel> getStoredCredentialsByTypeStream(String type) {
if (updated == null) {
return cached.getStoredCredentials(modelSupplier).stream().filter(credential -> Objects.equals(type, credential.getType()));
}
return super.getStoredCredentialsByTypeStream(type);
}
@Override
public CredentialModel getStoredCredentialByNameAndType(String name, String type) {
if (updated == null) {
return cached.getStoredCredentials(modelSupplier).stream().filter(credential ->
Objects.equals(type, credential.getType()) && Objects.equals(name, credential.getUserLabel()))
.findFirst().orElse(null);
}
return super.getStoredCredentialByNameAndType(name, type);
}
@Override
public void invalidateCacheForEntity() {
// This implies invalidation of the cached entry,
// and all future calls in this session for the user will go to the store instead of the cache.
getDelegateForUpdate();
}
};
}
@Override
public Stream<RoleModel> getRealmRoleMappingsStream() {
if (updated != null) return updated.getRealmRoleMappingsStream();
return getRoleMappingsStream().filter(r -> RoleUtils.isRealmRole(r, realm));
}
@Override
public Stream<RoleModel> getClientRoleMappingsStream(ClientModel app) {
if (updated != null) return updated.getClientRoleMappingsStream(app);
return getRoleMappingsStream().filter(r -> RoleUtils.isClientRole(r, app));
}
@Override
public boolean hasDirectRole(RoleModel role) {
if (updated != null) return updated.hasDirectRole(role);
return cached.getRoleMappings(modelSupplier).contains(role.getId());
}
@Override
public boolean hasRole(RoleModel role) {
if (updated != null) return updated.hasRole(role);
return cached.getRoleMappings(modelSupplier).contains(role.getId()) ||
getRoleMappingsStream().anyMatch(r -> r.hasRole(role)) ||
RoleUtils.hasRoleFromGroup(getGroupsStream(), role, true);
}
@Override
public void grantRole(RoleModel role) {
getDelegateForUpdate();
updated.grantRole(role);
}
@Override
public Stream<RoleModel> getRoleMappingsStream() {
if (updated != null) return updated.getRoleMappingsStream();
Set<RoleModel> roles = new HashSet<>();
for (String id : cached.getRoleMappings(modelSupplier)) {
RoleModel roleById = keycloakSession.roles().getRoleById(realm, id);
if (roleById == null) {
// chance that role was removed, so just delete to persistence and get user invalidated
getDelegateForUpdate();
return updated.getRoleMappingsStream();
}
roles.add(roleById);
}
return roles.stream();
}
@Override
public void deleteRoleMapping(RoleModel role) {
getDelegateForUpdate();
updated.deleteRoleMapping(role);
}
@Override
public Stream<GroupModel> getGroupsStream() {
Stream<GroupModel> result = Stream.empty();
if (updated != null) {
result = updated.getGroupsStream();
} else {
Set<GroupModel> groups = null;
for (String id : cached.getGroups(modelSupplier)) {
GroupModel groupModel = keycloakSession.groups().getGroupById(realm, id);
if (groupModel == null) {
// chance that role was removed, so just delegate to persistence and get user invalidated
getDelegateForUpdate();
result = updated.getGroupsStream();
break;
} else {
if (groups == null) {
groups = new HashSet<>();
}
groups.add(groupModel);
}
}
if (groups != null) {
result = groups.stream();
}
}
return result.filter(g -> Type.REALM.equals(g.getType())).sorted(Comparator.comparing(GroupModel::getName));
}
@Override
public long getGroupsCountByNameContaining(String search) {
if (updated != null) return updated.getGroupsCountByNameContaining(search);
return modelSupplier.get().getGroupsCountByNameContaining(search);
}
@Override
public void joinGroup(GroupModel group) {
getDelegateForUpdate();
updated.joinGroup(group);
}
@Override
public void leaveGroup(GroupModel group) {
getDelegateForUpdate();
updated.leaveGroup(group);
}
@Override
public boolean isMemberOf(GroupModel group) {
if (updated != null) return updated.isMemberOf(group);
return cached.getGroups(modelSupplier).contains(group.getId()) || RoleUtils.isMember(getGroupsStream(), group);
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (!(o instanceof UserModel)) return false;
UserModel that = (UserModel) o;
return that.getId().equals(getId());
}
@Override
public int hashCode() {
return getId().hashCode();
}
private UserModel getUserModel() {
return userProviderCache.getDelegate().getUserById(realm, cached.getId());
}
}