Package org.keycloak.models.utils
Class KeycloakModelUtils
java.lang.Object
org.keycloak.models.utils.KeycloakModelUtils
Set of helper methods, which are useful in various model implementations.
- Author:
- Marek Posolda, Daniel Fesenmeyer
-
Field Summary
-
Method Summary
Modifier and TypeMethodDescriptionstatic String
buildGroupPath
(boolean escapeSlashes, String... names) static String
buildGroupPath
(GroupModel group) static String
buildGroupPath
(GroupModel group, GroupModel otherParentGroup) static String
buildRoleQualifier
(String clientId, String roleName) static void
cloneContextRealmClientSessionToSession
(KeycloakContext origContext, KeycloakSession targetSession) Sets up the context for the specified session with the RealmModel, clientModel and AuthenticatedSessionModel.static void
cloneContextRealmClientToSession
(KeycloakContext origContext, KeycloakSession targetSession) Sets up the context for the specified session with the RealmModel.componentModelGetter
(String realmId, String componentId) static String
convertClientScopeName
(String previousName) Replace spaces in the name with underscore, so that scope name can be used as value of scope parameterstatic ComponentModel
createComponentModel
(String name, String parentId, String providerId, String providerType, String... config) static ClientModel
createManagementClient
(RealmModel realm, String name) static ClientModel
createPublicClient
(RealmModel realm, String name) static void
deepDeleteAuthenticationExecutor
(KeycloakSession session, RealmModel realm, AuthenticationExecutionModel authExecutor, Runnable flowUnavailableHandler, Runnable builtinFlowHandler) Recursively remove authentication executor (including sub-flows and configs) from the model storagestatic void
deepDeleteAuthenticationFlow
(KeycloakSession session, RealmModel realm, AuthenticationFlowModel authFlow, Runnable flowUnavailableHandler, Runnable builtinFlowHandler) Recursively remove authentication flow (including all subflows and executions) from the model storagestatic void
deepFindAuthenticationExecutions
(RealmModel realm, AuthenticationFlowModel flow, List<AuthenticationExecutionModel> result) Recursively find all AuthenticationExecutionModel from specified flow or all it's subflowsstatic boolean
escapeSlashesInGroupPath
(KeycloakSession session) Helper to get from the session if group path slashes should be escaped or not.static ClientScopeModel
findClientScopeById
(RealmModel realm, ClientModel client, String clientScopeId) Lookup clientScope OR client by id.static GroupModel
findGroupByPath
(KeycloakSession session, RealmModel realm, String path) Finds group by path.static GroupModel
findGroupByPath
(KeycloakSession session, RealmModel realm, String[] path) Finds group by path.static UserModel
findUserByNameOrEmail
(KeycloakSession session, RealmModel realm, String username) Try to find user by username or email for authenticationstatic String
static String
Return an ID generated using the UUID java class.static CertificateRepresentation
generateKeyPairCertificate
(String subject) static String
generateSecret
(ClientModel client) static String
Return an ID generated using the UUID class but using base64 URL encoding with the two longs (msb+lsb).static String
generateShortId
(UUID uuid) Generates a short ID representation for the UUID.static X509Certificate
getCertificate
(String cert) static ClientScopeModel
getClientScopeByName
(RealmModel realm, String clientScopeName) getClientScopeMappingsStream
(ClientModel client, ScopeContainerModel container) static <T extends Provider>
ProviderFactory<T>getComponentFactory
(KeycloakSessionFactory factory, Class<T> providerClass, Config.Scope config, String spiName) static ComponentModel
getComponentModel
(KeycloakSessionFactory factory, String realmId, String componentId) static String
static String
getIdentityProviderDisplayName
(KeycloakSession session, IdentityProviderModel provider) static String
getMasterRealmAdminApplicationClientId
(String realmName) static String
getPemFromCertificate
(X509Certificate certificate) static String
getPemFromKey
(Key key) static PrivateKey
getPrivateKey
(String privateKeyPem) static PublicKey
getPublicKey
(String publicKeyPem) static RoleModel
getRoleFromString
(RealmModel realm, String roleName) static Key
getSecretKey
(String secret) static int
getSecretLengthByAuthenticationType
(String clientAuthenticatorType, String signingAlg) static boolean
static boolean
isFlowUsed
(KeycloakSession session, RealmModel realm, AuthenticationFlowModel model) Check to see if a flow is currently in usestatic String
normalizeGroupPath
(String groupPath) static String[]
static Collection<String>
resolveAttribute
(GroupModel group, String name, boolean aggregateAttrs) static Collection<String>
resolveAttribute
(UserModel user, String name, boolean aggregateAttrs) static void
runJobInTransaction
(KeycloakSessionFactory factory, KeycloakContext context, KeycloakSessionTask task) Wrap given runnable job into KeycloakTransaction.static void
runJobInTransaction
(KeycloakSessionFactory factory, KeycloakSessionTask task) Wrap given runnable job into KeycloakTransaction.static <V> V
runJobInTransactionWithResult
(KeycloakSessionFactory factory, KeycloakContext context, KeycloakSessionTaskWithResult<V> callable, boolean useExistingSession, String taskName) Wrap a given callable job into a KeycloakTransaction.static <V> V
runJobInTransactionWithResult
(KeycloakSessionFactory factory, KeycloakSessionTaskWithResult<V> callable) Wrap a given callable job into a KeycloakTransaction.static void
runJobInTransactionWithTimeout
(KeycloakSessionFactory factory, KeycloakSessionTask task, int timeoutInSeconds) Wrap given runnable job into KeycloakTransaction.static boolean
Deep search if given role is descendant of composite rolestatic void
setDefaultGroups
(KeycloakSession session, RealmModel realm, Stream<String> groups) Sets the default groups on the realmstatic void
setTransactionLimit
(KeycloakSessionFactory factory, int timeoutInSeconds) static void
static void
setupDefaultRole
(RealmModel realm, String defaultRoleName) Creates default role for particular realm with the given name.static void
setupDeleteAccount
(ClientModel accountClient) static RoleModel
setupOfflineRole
(RealmModel realm) static String[]
Splits a group path than can be escaped for slashes.static void
suspendJtaTransaction
(KeycloakSessionFactory factory, Runnable runnable) static String
toLowerCaseSafe
(String str)
-
Field Details
-
AUTH_TYPE_CLIENT_SECRET
- See Also:
-
AUTH_TYPE_CLIENT_SECRET_JWT
- See Also:
-
GROUP_PATH_SEPARATOR
- See Also:
-
GROUP_PATH_ESCAPE
- See Also:
-
-
Method Details
-
generateId
Return an ID generated using the UUID java class.- Returns:
- The ID using UUID.toString (36 chars)
-
generateShortId
Return an ID generated using the UUID class but using base64 URL encoding with the two longs (msb+lsb).- Returns:
- The ID getting msb and lsb from UUID and encoding them in base64 URL without padding (22 chars)
-
generateShortId
Generates a short ID representation for the UUID. The representation is the base64 url encoding of the msb+lsb of the UUID.- Parameters:
uuid
- The UUID to represent- Returns:
- The string representation in 22 characters
-
getPublicKey
-
getCertificate
-
getPrivateKey
-
getSecretKey
-
getPemFromKey
-
getPemFromCertificate
-
generateKeyPairCertificate
-
generateSecret
-
getDefaultClientAuthenticatorType
-
generateCodeSecret
-
createManagementClient
-
createPublicClient
-
searchFor
Deep search if given role is descendant of composite role- Parameters:
role
- role to checkcomposite
- composite rolevisited
- set of already visited roles (used for recursion)- Returns:
- true if "role" is descendant of "composite"
-
findUserByNameOrEmail
public static UserModel findUserByNameOrEmail(KeycloakSession session, RealmModel realm, String username) Try to find user by username or email for authentication- Parameters:
realm
- realmusername
- username or email of user- Returns:
- found user
-
runJobInTransaction
Wrap given runnable job into KeycloakTransaction.- Parameters:
factory
- The session factory to usetask
- The task to execute
-
runJobInTransaction
public static void runJobInTransaction(KeycloakSessionFactory factory, KeycloakContext context, KeycloakSessionTask task) Wrap given runnable job into KeycloakTransaction.- Parameters:
factory
- The session factory to usecontext
- The context from the previous sessiontask
- The task to execute
-
cloneContextRealmClientToSession
public static void cloneContextRealmClientToSession(KeycloakContext origContext, KeycloakSession targetSession) Sets up the context for the specified session with the RealmModel.- Parameters:
origContext
- The original context to propagatetargetSession
- The new target session to propagate the context to
-
cloneContextRealmClientSessionToSession
public static void cloneContextRealmClientSessionToSession(KeycloakContext origContext, KeycloakSession targetSession) Sets up the context for the specified session with the RealmModel, clientModel and AuthenticatedSessionModel.- Parameters:
origContext
- The original context to propagatetargetSession
- The new target session to propagate the context to
-
runJobInTransactionWithResult
public static <V> V runJobInTransactionWithResult(KeycloakSessionFactory factory, KeycloakSessionTaskWithResult<V> callable) Wrap a given callable job into a KeycloakTransaction.- Type Parameters:
V
- The type for the result- Parameters:
factory
- The session factorycallable
- The callable to execute- Returns:
- The return value from the callable
-
runJobInTransactionWithResult
public static <V> V runJobInTransactionWithResult(KeycloakSessionFactory factory, KeycloakContext context, KeycloakSessionTaskWithResult<V> callable, boolean useExistingSession, String taskName) Wrap a given callable job into a KeycloakTransaction.- Type Parameters:
V
- The type for the result- Parameters:
factory
- The session factorycontext
- The context from the previous session to usecallable
- The callable to executeuseExistingSession
- if the existing session should be usedtaskName
- Name of the task. Can be useful for logging purposes- Returns:
- The return value from the callable
-
runJobInTransactionWithTimeout
public static void runJobInTransactionWithTimeout(KeycloakSessionFactory factory, KeycloakSessionTask task, int timeoutInSeconds) Wrap given runnable job into KeycloakTransaction. Set custom timeout for the JTA transaction (in case we're in the environment with JTA enabled)- Parameters:
factory
-task
-timeoutInSeconds
-
-
setTransactionLimit
-
componentModelGetter
public static Function<KeycloakSessionFactory,ComponentModel> componentModelGetter(String realmId, String componentId) -
getComponentModel
public static ComponentModel getComponentModel(KeycloakSessionFactory factory, String realmId, String componentId) -
getComponentFactory
public static <T extends Provider> ProviderFactory<T> getComponentFactory(KeycloakSessionFactory factory, Class<T> providerClass, Config.Scope config, String spiName) -
getMasterRealmAdminApplicationClientId
-
createComponentModel
-
toLowerCaseSafe
-
setupDefaultRole
Creates default role for particular realm with the given name.- Parameters:
realm
- RealmdefaultRoleName
- Name of the newly created defaultRole
-
setupOfflineRole
-
setupDeleteAccount
-
deepFindAuthenticationExecutions
public static void deepFindAuthenticationExecutions(RealmModel realm, AuthenticationFlowModel flow, List<AuthenticationExecutionModel> result) Recursively find all AuthenticationExecutionModel from specified flow or all it's subflows- Parameters:
realm
-flow
-result
- input should be empty list. At the end will be all executions added to this list
-
resolveAttribute
public static Collection<String> resolveAttribute(GroupModel group, String name, boolean aggregateAttrs) -
resolveAttribute
public static Collection<String> resolveAttribute(UserModel user, String name, boolean aggregateAttrs) -
escapeSlashesInGroupPath
Helper to get from the session if group path slashes should be escaped or not.- Parameters:
session
- The session- Returns:
- true or false
-
findGroupByPath
Finds group by path. Path is separated by '/' character. For example: /group/subgroup/subsubgroup The method takes into consideration also groups with '/' in their name. For example: /group/sub/group/subgroup This method allows escaping of slashes for example: /parent\/group/child which is a two level path for ["parent/group", "child"].- Parameters:
session
- Keycloak sessionrealm
- The realmpath
- Path that will be searched among groups- Returns:
GroupModel
corresponding to the givenpath
ornull
if no group was found
-
findGroupByPath
Finds group by path. Variant when you have the path already separated by group names.- Parameters:
session
- Keycloak sessionrealm
- The realmpath
- Path The path hierarchy of groups- Returns:
GroupModel
corresponding to the givenpath
ornull
if no group was found
-
splitPath
Splits a group path than can be escaped for slashes.- Parameters:
path
- The group pathescapedSlashes
- true if slashes are escaped in the path- Returns:
-
buildGroupPath
-
buildGroupPath
-
buildGroupPath
-
normalizeGroupPath
-
getClientScopeMappingsStream
public static Stream<RoleModel> getClientScopeMappingsStream(ClientModel client, ScopeContainerModel container) -
getRoleFromString
-
parseRole
-
buildRoleQualifier
-
isFlowUsed
public static boolean isFlowUsed(KeycloakSession session, RealmModel realm, AuthenticationFlowModel model) Check to see if a flow is currently in use- Parameters:
realm
-model
-- Returns:
-
deepDeleteAuthenticationFlow
public static void deepDeleteAuthenticationFlow(KeycloakSession session, RealmModel realm, AuthenticationFlowModel authFlow, Runnable flowUnavailableHandler, Runnable builtinFlowHandler) Recursively remove authentication flow (including all subflows and executions) from the model storage- Parameters:
session
- The keycloak sessionrealm
- The realmauthFlow
- flow to deleteflowUnavailableHandler
- Will be executed when flow, sub-flow or executor is nullbuiltinFlowHandler
- will be executed when flow is built-in flow
-
deepDeleteAuthenticationExecutor
public static void deepDeleteAuthenticationExecutor(KeycloakSession session, RealmModel realm, AuthenticationExecutionModel authExecutor, Runnable flowUnavailableHandler, Runnable builtinFlowHandler) Recursively remove authentication executor (including sub-flows and configs) from the model storage- Parameters:
session
- The keycloak sessionrealm
- The realmauthExecutor
- The authentication executor to removeflowUnavailableHandler
- Handler that will be executed when flow, sub-flow or executor is nullbuiltinFlowHandler
- Handler that will be executed when flow is built-in flow
-
getClientScopeByName
-
findClientScopeById
public static ClientScopeModel findClientScopeById(RealmModel realm, ClientModel client, String clientScopeId) Lookup clientScope OR client by id. Method is useful if you know just ID, but you don't know if underlying model is clientScope or client -
convertClientScopeName
Replace spaces in the name with underscore, so that scope name can be used as value of scope parameter -
setupAuthorizationServices
-
suspendJtaTransaction
-
getIdentityProviderDisplayName
public static String getIdentityProviderDisplayName(KeycloakSession session, IdentityProviderModel provider) -
getSecretLengthByAuthenticationType
public static int getSecretLengthByAuthenticationType(String clientAuthenticatorType, String signingAlg) - Parameters:
clientAuthenticatorType
-- Returns:
- secret size based on authentication type
-
setDefaultGroups
public static void setDefaultGroups(KeycloakSession session, RealmModel realm, Stream<String> groups) Sets the default groups on the realm- Parameters:
session
-realm
-groups
-- Throws:
RuntimeException
- if a group does not exist
-
isAdminPermissionsEnabled
-