JpaHashUtils.java
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.storage.jpa;
import org.keycloak.crypto.HashException;
import org.keycloak.crypto.JavaAlgorithm;
import org.keycloak.models.jpa.entities.UserEntity;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.function.BiPredicate;
/**
* Create hashes for long values stored in the database. Offers different variants for exact and lowercase search.
* Keycloak uses lowercase search to approximate a case-insensitive search.
* <p>
* The lowercase function always uses the English locale to avoid changing hashes due to changing locales which can be surprising
* and would be expensive to fix as all hashes would need to be re-calculated.
*
* @author Alexander Schwartz
*/
public class JpaHashUtils {
private static byte[] hash(byte[] inputBytes) {
try {
MessageDigest md = MessageDigest.getInstance(JavaAlgorithm.SHA512);
md.update(inputBytes);
return md.digest();
} catch (Exception e) {
throw new HashException("Error when creating token hash", e);
}
}
public static byte[] hashForAttributeValue(String value) {
return JpaHashUtils.hash(value.getBytes(StandardCharsets.UTF_8));
}
public static byte[] hashForAttributeValueLowerCase(String value) {
return JpaHashUtils.hash(value.toLowerCase(Locale.ENGLISH).getBytes(StandardCharsets.UTF_8));
}
public static boolean compareSourceValueLowerCase(String value1, String value2) {
return Objects.equals(value1.toLowerCase(Locale.ENGLISH), value2.toLowerCase(Locale.ENGLISH));
}
public static boolean compareSourceValue(String value1, String value2) {
return Objects.equals(value1, value2);
}
/**
* This method returns a predicate that returns true when user has all attributes specified in {@code customLongValueSearchAttributes} map
* <p />
* The check is performed by exact comparison on attribute name the value
* <p />
* This is necessary because database can return users without the searched attribute when a hash collision on long user attribute value occurs
*
* @param customLongValueSearchAttributes required attributes
* @param valueComparator comparator for comparing attribute values
* @return predicate for filtering users based on attributes map
*/
public static java.util.function.Predicate<UserEntity> predicateForFilteringUsersByAttributes(Map<String, String> customLongValueSearchAttributes, BiPredicate<String, String> valueComparator) {
return userEntity -> customLongValueSearchAttributes.isEmpty() || // are there some long attribute values
customLongValueSearchAttributes
.entrySet()
.stream()
.allMatch(longAttrEntry -> //for all long search attributes
userEntity
.getAttributes()
.stream()
.anyMatch(userAttribute -> //check whether the user indeed has the attribute
Objects.equals(longAttrEntry.getKey().toLowerCase(), userAttribute.getName().toLowerCase())
&& valueComparator.test(longAttrEntry.getValue(), userAttribute.getValue())
)
);
}
}