Class KeycloakModelUtils

java.lang.Object
org.keycloak.models.utils.KeycloakModelUtils

public final class KeycloakModelUtils extends Object
Set of helper methods, which are useful in various model implementations.
Author:
Marek Posolda, Daniel Fesenmeyer
  • Field Details

  • Method Details

    • generateId

      public static String generateId()
    • getPublicKey

      public static PublicKey getPublicKey(String publicKeyPem)
    • getCertificate

      public static X509Certificate getCertificate(String cert)
    • getPrivateKey

      public static PrivateKey getPrivateKey(String privateKeyPem)
    • getSecretKey

      public static Key getSecretKey(String secret)
    • getPemFromKey

      public static String getPemFromKey(Key key)
    • getPemFromCertificate

      public static String getPemFromCertificate(X509Certificate certificate)
    • generateKeyPairCertificate

      public static CertificateRepresentation generateKeyPairCertificate(String subject)
    • generateSecret

      public static String generateSecret(ClientModel client)
    • getDefaultClientAuthenticatorType

      public static String getDefaultClientAuthenticatorType()
    • generateCodeSecret

      public static String generateCodeSecret()
    • createManagementClient

      public static ClientModel createManagementClient(RealmModel realm, String name)
    • createPublicClient

      public static ClientModel createPublicClient(RealmModel realm, String name)
    • searchFor

      public static boolean searchFor(RoleModel role, RoleModel composite, Set<String> visited)
Deep search to determine whether the given role is a descendant of the composite role (the visited set stops the recursion from looping over cyclic composites).
      Parameters:
      role - role to check
      composite - composite role
      visited - set of already visited roles (used for recursion)
      Returns:
      true if "role" is descendant of "composite"
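The following is an added, self-contained illustration of the kind of cycle-safe depth-first search that searchFor describes; it is not Keycloak's code. The Role class is a constructed stand-in for RoleModel (it only has a name and its direct composite members), and the role graph in main, including the deliberate cycle, is constructed test data.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

public final class CompositeRoleSearch {

    // Constructed stand-in for RoleModel: a name plus the roles this composite directly contains.
    static final class Role {
        final String name;
        final Set<Role> composites = new LinkedHashSet<>();

        Role(String name) { this.name = name; }

        Role add(Role... children) {
            composites.addAll(Arrays.asList(children));
            return this;
        }
    }

    // Deep search: is "role" reachable from "composite" through composite membership?
    // "visited" records composites already expanded so a cyclic graph still terminates.
    static boolean searchFor(Role role, Role composite, Set<String> visited) {
        if (!visited.add(composite.name)) {
            return false; // already expanded this composite on the current search
        }
        for (Role child : composite.composites) {
            if (child == role) {
                return true;
            }
            if (searchFor(role, child, visited)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Role view = new Role("view-users");
        Role manage = new Role("manage-users").add(view);
        Role realmAdmin = new Role("realm-admin").add(manage);
        // Constructed cycle: manage-users also contains realm-admin.
        manage.add(realmAdmin);
        Role unrelated = new Role("offline_access");

        System.out.println("view-users under realm-admin: "
                + searchFor(view, realmAdmin, new HashSet<>()));
        // Terminates despite the cycle because of the visited set.
        System.out.println("offline_access under realm-admin: "
                + searchFor(unrelated, realmAdmin, new HashSet<>()));
    }
}
```

Each top-level call passes a fresh visited set; reusing one set across unrelated searches would wrongly short-circuit later searches that revisit the same composite.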
    • findUserByNameOrEmail

      public static UserModel findUserByNameOrEmail(KeycloakSession session, RealmModel realm, String username)
Tries to find a user by username or email for authentication.
      Parameters:
      realm - realm
      username - username or email of user
      Returns:
      found user
    • runJobInTransaction

      public static void runJobInTransaction(KeycloakSessionFactory factory, KeycloakSessionTask task)
Wraps the given runnable job in a KeycloakTransaction.
      Parameters:
      factory - The session factory to use
      task - The task to execute
    • runJobInTransaction

      public static void runJobInTransaction(KeycloakSessionFactory factory, KeycloakContext context, KeycloakSessionTask task)
Wraps the given runnable job in a KeycloakTransaction.
      Parameters:
      factory - The session factory to use
      context - The context from the previous session
      task - The task to execute
    • cloneContextRealmClientToSession

      public static void cloneContextRealmClientToSession(KeycloakContext origContext, KeycloakSession targetSession)
      Sets up the context for the specified session with the RealmModel.
      Parameters:
      origContext - The original context to propagate
      targetSession - The new target session to propagate the context to
    • cloneContextRealmClientSessionToSession

      public static void cloneContextRealmClientSessionToSession(KeycloakContext origContext, KeycloakSession targetSession)
      Sets up the context for the specified session with the RealmModel, clientModel and AuthenticatedSessionModel.
      Parameters:
      origContext - The original context to propagate
      targetSession - The new target session to propagate the context to
    • runJobInTransactionWithResult

      public static <V> V runJobInTransactionWithResult(KeycloakSessionFactory factory, KeycloakSessionTaskWithResult<V> callable)
Wraps the given callable job in a KeycloakTransaction.
      Type Parameters:
      V - The type for the result
      Parameters:
      factory - The session factory
      callable - The callable to execute
      Returns:
      The return value from the callable
    • runJobInTransactionWithResult

      public static <V> V runJobInTransactionWithResult(KeycloakSessionFactory factory, KeycloakContext context, KeycloakSessionTaskWithResult<V> callable)
Wraps the given callable job in a KeycloakTransaction.
      Type Parameters:
      V - The type for the result
      Parameters:
      factory - The session factory
      context - The context from the previous session to use
      callable - The callable to execute
      Returns:
      The return value from the callable
    • runJobInRetriableTransaction

      public static <V> V runJobInRetriableTransaction(KeycloakSessionFactory factory, KeycloakSessionTaskWithResult<V> callable, int attemptsCount, int retryIntervalMillis)
Creates a new KeycloakSession and runs the specified callable in a new transaction. If the transaction fails with a retriable SQL error, the method re-executes the specified callable until it either succeeds or the maximum number of attempts is reached, sleeping for an increasing, randomized number of milliseconds between invocations. It uses the exponential backoff + jitter algorithm to compute the delay, which is capped at attemptsCount * retryIntervalMillis. More details: https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/
      Type Parameters:
      V - the type returned by the callable.
      Parameters:
      factory - a reference to the KeycloakSessionFactory.
      callable - a reference to the KeycloakSessionTaskWithResult that will be executed in a retriable way.
      attemptsCount - the maximum number of attempts to execute the callable.
      retryIntervalMillis - the base interval value in millis used to compute the delay.
      Returns:
      the value computed by the callable.
    • isExceptionRetriable

      public static boolean isExceptionRetriable(Throwable exception)
Checks whether the specified exception is retriable. A retriable exception must be an instance of SQLException and must have the SQL state 40001. This is a standard SQL state as defined in the SQL standard, and across implementations its meaning boils down to "deadlock" or serialization failure (applies to Postgres, MSSQL, Oracle, MySQL, and others).
      Parameters:
      exception - the exception to be checked.
      Returns:
      true if the exception is retriable; false otherwise.
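The following is an added, self-contained illustration of the retry policy that runJobInRetriableTransaction and isExceptionRetriable describe: retry only on SQLSTATE 40001, with exponential backoff plus full jitter capped at attemptsCount * retryIntervalMillis. It is not Keycloak's implementation and does not use Keycloak's session or transaction classes; the callable stands in for the KeycloakSessionTaskWithResult. Two assumptions go beyond the documented behaviour: the retriable check walks the cause chain (a persistence layer usually wraps the SQLException), and "full jitter" is the specific variant of the referenced AWS algorithm chosen here. The failing callables in main are constructed test data.

```java
import java.sql.SQLException;
import java.util.concurrent.Callable;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.atomic.AtomicInteger;

public final class RetriableTransactionDemo {

    // SQLSTATE 40001: serialization failure / deadlock, the only state treated as retriable.
    static final String RETRIABLE_SQL_STATE = "40001";

    // Assumption: also inspect wrapped causes, since the SQLException is rarely thrown bare.
    static boolean isExceptionRetriable(Throwable exception) {
        for (Throwable t = exception; t != null; t = t.getCause()) {
            if (t instanceof SQLException
                    && RETRIABLE_SQL_STATE.equals(((SQLException) t).getSQLState())) {
                return true;
            }
        }
        return false;
    }

    // Exponential backoff with full jitter: uniform in [0, min(cap, base * 2^attempt)],
    // where cap = attemptsCount * retryIntervalMillis.
    static long computeDelayMillis(int attempt, int attemptsCount, int retryIntervalMillis) {
        long cap = (long) attemptsCount * retryIntervalMillis;
        long exponential = (long) retryIntervalMillis << Math.min(attempt, 30);
        long upper = Math.min(cap, exponential);
        return upper <= 0 ? 0 : ThreadLocalRandom.current().nextLong(upper + 1);
    }

    // Runs the callable up to attemptsCount times; non-retriable errors propagate immediately.
    static <V> V runRetriable(Callable<V> callable, int attemptsCount, int retryIntervalMillis)
            throws Exception {
        for (int attempt = 0; ; attempt++) {
            try {
                return callable.call();
            } catch (Exception e) {
                boolean lastAttempt = attempt >= attemptsCount - 1;
                if (!isExceptionRetriable(e) || lastAttempt) {
                    throw e;
                }
                Thread.sleep(computeDelayMillis(attempt, attemptsCount, retryIntervalMillis));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed callable: deadlocks on the first two calls, then succeeds.
        AtomicInteger calls = new AtomicInteger();
        String result = runRetriable(() -> {
            if (calls.incrementAndGet() < 3) {
                throw new RuntimeException("persistence error",
                        new SQLException("deadlock detected", RETRIABLE_SQL_STATE));
            }
            return "committed on attempt " + calls.get();
        }, 5, 100);
        System.out.println(result);

        // Constructed non-retriable failure (SQLSTATE 23505, unique violation): no retry.
        try {
            runRetriable(() -> { throw new SQLException("duplicate key", "23505"); }, 5, 100);
        } catch (SQLException e) {
            System.out.println("not retried, SQLSTATE " + e.getSQLState());
        }
    }
}
```

The cap matters operationally: without it a large attemptsCount would let the exponential term grow into minutes of sleep inside a request thread, and the jitter keeps concurrent callers that deadlocked against each other from retrying in lockstep and deadlocking again.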
    • runJobInTransactionWithTimeout

      public static void runJobInTransactionWithTimeout(KeycloakSessionFactory factory, KeycloakSessionTask task, int timeoutInSeconds)
Wraps the given runnable job in a KeycloakTransaction and sets a custom timeout for the JTA transaction (in case we are in an environment with JTA enabled).
      Parameters:
factory - The session factory to use
task - The task to execute
timeoutInSeconds - Timeout for the JTA transaction, in seconds
    • setTransactionLimit

      public static void setTransactionLimit(KeycloakSessionFactory factory, int timeoutInSeconds)
    • componentModelGetter

      public static Function<KeycloakSessionFactory,ComponentModel> componentModelGetter(String realmId, String componentId)
    • getComponentModel

      public static ComponentModel getComponentModel(KeycloakSessionFactory factory, String realmId, String componentId)
    • getComponentFactory

      public static <T extends Provider> ProviderFactory<T> getComponentFactory(KeycloakSessionFactory factory, Class<T> providerClass, Config.Scope config, String spiName)
    • getMasterRealmAdminApplicationClientId

      public static String getMasterRealmAdminApplicationClientId(String realmName)
    • createComponentModel

      public static ComponentModel createComponentModel(String name, String parentId, String providerId, String providerType, String... config)
    • toLowerCaseSafe

      public static String toLowerCaseSafe(String str)
    • setupDefaultRole

      public static void setupDefaultRole(RealmModel realm, String defaultRoleName)
      Creates default role for particular realm with the given name.
      Parameters:
      realm - Realm
      defaultRoleName - Name of the newly created defaultRole
    • setupOfflineRole

      public static RoleModel setupOfflineRole(RealmModel realm)
    • setupDeleteAccount

      public static void setupDeleteAccount(ClientModel accountClient)
    • deepFindAuthenticationExecutions

      public static void deepFindAuthenticationExecutions(RealmModel realm, AuthenticationFlowModel flow, List<AuthenticationExecutionModel> result)
Recursively finds all AuthenticationExecutionModel instances in the specified flow and all its subflows.
      Parameters:
      realm -
      flow -
result - should be an empty list on input; on return, all found executions have been added to it
    • resolveAttribute

      public static Collection<String> resolveAttribute(GroupModel group, String name, boolean aggregateAttrs)
    • resolveAttribute

      public static Collection<String> resolveAttribute(UserModel user, String name, boolean aggregateAttrs)
    • findGroupByPath

      public static GroupModel findGroupByPath(GroupProvider groupProvider, RealmModel realm, String path)
    • findGroupByPath

      @Deprecated public static GroupModel findGroupByPath(RealmModel realm, String path)
    • buildGroupPath

      public static String buildGroupPath(GroupModel group)
    • buildGroupPath

      public static String buildGroupPath(GroupModel group, GroupModel otherParentGroup)
    • normalizeGroupPath

      public static String normalizeGroupPath(String groupPath)
    • getClientScopeMappingsStream

      public static Stream<RoleModel> getClientScopeMappingsStream(ClientModel client, ScopeContainerModel container)
    • getRoleFromString

      public static RoleModel getRoleFromString(RealmModel realm, String roleName)
    • parseRole

      public static String[] parseRole(String role)
    • buildRoleQualifier

      public static String buildRoleQualifier(String clientId, String roleName)
    • isFlowUsed

      public static boolean isFlowUsed(RealmModel realm, AuthenticationFlowModel model)
Checks whether a flow is currently in use.
      Parameters:
      realm -
      model -
Returns:
true if the flow is in use; false otherwise
    • deepDeleteAuthenticationFlow

      public static void deepDeleteAuthenticationFlow(RealmModel realm, AuthenticationFlowModel authFlow, Runnable flowUnavailableHandler, Runnable builtinFlowHandler)
Recursively removes an authentication flow (including all its subflows and executions) from the model storage.
      Parameters:
      realm -
      authFlow - flow to delete
flowUnavailableHandler - Will be executed when the flow or one of its subflows is null
builtinFlowHandler - Will be executed when the flow is a built-in flow
    • getClientScopeByName

      public static ClientScopeModel getClientScopeByName(RealmModel realm, String clientScopeName)
    • findClientScopeById

      public static ClientScopeModel findClientScopeById(RealmModel realm, ClientModel client, String clientScopeId)
Looks up a clientScope OR a client by id. Useful if you know only the ID but not whether the underlying model is a clientScope or a client.
    • convertClientScopeName

      public static String convertClientScopeName(String previousName)
Replaces spaces in the name with underscores, so that the scope name can be used as a value of the scope parameter.
    • setupAuthorizationServices

      public static void setupAuthorizationServices(RealmModel realm)
    • suspendJtaTransaction

      public static void suspendJtaTransaction(KeycloakSessionFactory factory, Runnable runnable)
    • getIdentityProviderDisplayName

      public static String getIdentityProviderDisplayName(KeycloakSession session, IdentityProviderModel provider)
    • isRealmProviderJpa

      public static boolean isRealmProviderJpa(KeycloakSession session)
      Returns:
true if the implementation of realmProvider is "jpa", which is always the case in standard Keycloak installations.
    • getSecretLengthByAuthenticationType

      public static int getSecretLengthByAuthenticationType(String clientAuthenticatorType, String signingAlg)
      Parameters:
      clientAuthenticatorType -
      Returns:
      secret size based on authentication type
    • isUsernameCaseSensitive

      public static boolean isUsernameCaseSensitive(RealmModel realm)
Returns true if the given realm has the attribute Constants.REALM_ATTR_USERNAME_CASE_SENSITIVE set and its value is true. Otherwise the default value is returned. The default setting can be seen at Constants.REALM_ATTR_USERNAME_CASE_SENSITIVE_DEFAULT.
      Parameters:
      realm -
      Returns:
      See the description
      Throws:
      NullPointerException - if realm is null