org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore クラス

org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore の継承関係図

org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore 連携図

公開メンバ関数
	LDAPIdentityStore (LDAPConfig config)
LDAPConfig	getConfig ()
void	add (LDAPObject ldapObject)
void	update (LDAPObject ldapObject)
void	remove (LDAPObject ldapObject)
List< LDAPObject >	fetchQueryResults (LDAPQuery identityQuery)
int	countQueryResults (LDAPQuery identityQuery)
void	validatePassword (LDAPObject user, String password) throws AuthenticationException
void	updatePassword (LDAPObject user, String password, LDAPOperationDecorator passwordUpdateDecorator)

限定公開メンバ関数
void	checkRename (LDAPObject ldapObject)
StringBuilder	createIdentityTypeSearchFilter (final LDAPQuery identityQuery)
BasicAttributes	extractAttributes (LDAPObject ldapObject, boolean isCreate)
String	getEntryIdentifier (final LDAPObject ldapObject)

非公開メンバ関数
void	updateADPassword (String userDN, String password, LDAPOperationDecorator passwordUpdateDecorator)
StringBuilder	getObjectClassesFilter (Collection< String > objectClasses)
LDAPObject	populateAttributedType (SearchResult searchResult, LDAPQuery ldapQuery)

非公開変数類
final LDAPConfig	config
final LDAPOperationManager	operationManager

静的非公開変数類
static final Logger	logger = Logger.getLogger(LDAPIdentityStore.class)

詳解

An IdentityStore implementation backed by an LDAP directory

著者

Shane Bryzak

Anil Saldhana

Pedro Silva

構築子と解体子

LDAPIdentityStore()

org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.LDAPIdentityStore ( LDAPConfig  config )

inline

                                                {
        this.config = config;

        try {
            this.operationManager = new LDAPOperationManager(config);
        } catch (NamingException e) {
            throw new ModelException("Couldn't init operation manager", e);
        }
    }

関数詳解

add()

void org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add ( LDAPObject  ldapObject )

inline

org.keycloak.storage.ldap.idm.store.IdentityStoreを実装しています。

                                           {
        // id will be assigned by the ldap server
        if (ldapObject.getUuid() != null) {
            throw new ModelException("Can't add object with already assigned uuid");
        }

        String entryDN = ldapObject.getDn().toString();
        BasicAttributes ldapAttributes = extractAttributes(ldapObject, true);
        this.operationManager.createSubContext(entryDN, ldapAttributes);
        ldapObject.setUuid(getEntryIdentifier(ldapObject));

        if (logger.isDebugEnabled()) {
            logger.debugf("Type with identifier [%s] and dn [%s] successfully added to LDAP store.", ldapObject.getUuid(), entryDN);
        }
    }

checkRename()

void org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.checkRename ( LDAPObject  ldapObject )

inlineprotected

                                                      {
        String rdnAttrName = ldapObject.getRdnAttributeName();
        if (ldapObject.getReadOnlyAttributeNames().contains(rdnAttrName.toLowerCase())) {
            return;
        }

        String rdnAttrVal = ldapObject.getAttributeAsString(rdnAttrName);

        // Could be the case when RDN attribute of the target object is not included in Keycloak mappers
        if (rdnAttrVal == null) {
            return;
        }

        String oldRdnAttrVal = ldapObject.getDn().getFirstRdnAttrValue();
        if (!oldRdnAttrVal.equals(rdnAttrVal)) {
            LDAPDn newLdapDn = ldapObject.getDn().getParentDn();
            newLdapDn.addFirst(rdnAttrName, rdnAttrVal);

            String oldDn = ldapObject.getDn().toString();
            String newDn = newLdapDn.toString();

            if (logger.isDebugEnabled()) {
                logger.debugf("Renaming LDAP Object. Old DN: [%s], New DN: [%s]", oldDn, newDn);
            }

            // In case, that there is conflict (For example already existing "CN=John Anthony"), the different DN is returned
            newDn = this.operationManager.renameEntry(oldDn, newDn, true);

            ldapObject.setDn(LDAPDn.fromString(newDn));
        }
    }

countQueryResults()

int org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.countQueryResults ( LDAPQuery  identityQuery )

inline

org.keycloak.storage.ldap.idm.store.IdentityStoreを実装しています。

                                                          {
        int limit = identityQuery.getLimit();
        int offset = identityQuery.getOffset();

        identityQuery.setLimit(0);
        identityQuery.setOffset(0);

        int resultCount = identityQuery.getResultList().size();

        identityQuery.setLimit(limit);
        identityQuery.setOffset(offset);

        return resultCount;
    }

createIdentityTypeSearchFilter()

StringBuilder org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.createIdentityTypeSearchFilter ( final LDAPQuery  identityQuery )

inlineprotected

                                                                                          {
        StringBuilder filter = new StringBuilder();

        for (Condition condition : identityQuery.getConditions()) {
            condition.applyCondition(filter);
        }

        filter.insert(0, "(&");
        filter.append(getObjectClassesFilter(identityQuery.getObjectClasses()));
        filter.append(")");

        if (logger.isTraceEnabled()) {
            logger.tracef("Using filter for LDAP search: %s . Searching in DN: %s", filter, identityQuery.getSearchDn());
        }
        return filter;
    }

extractAttributes()

BasicAttributes org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.extractAttributes ( LDAPObject  ldapObject, boolean  isCreate  )

inlineprotected

                                                                                         {
        BasicAttributes entryAttributes = new BasicAttributes();

        for (Map.Entry<String, Set<String>> attrEntry : ldapObject.getAttributes().entrySet()) {
            String attrName = attrEntry.getKey();
            Set<String> attrValue = attrEntry.getValue();

            // ldapObject.getReadOnlyAttributeNames() are lower-cased
            if (!ldapObject.getReadOnlyAttributeNames().contains(attrName.toLowerCase()) && (isCreate || !ldapObject.getRdnAttributeName().equalsIgnoreCase(attrName))) {

                if (attrValue == null) {
                    // Shouldn't happen
                    logger.warnf("Attribute '%s' is null on LDAP object '%s' . Using empty value to be saved to LDAP", attrName, ldapObject.getDn().toString());
                    attrValue = Collections.emptySet();
                }

                // Ignore empty attributes during create
                if (isCreate && attrValue.isEmpty()) {
                    continue;
                }

                BasicAttribute attr = new BasicAttribute(attrName);
                for (String val : attrValue) {
                    if (val == null || val.toString().trim().length() == 0) {
                        val = LDAPConstants.EMPTY_ATTRIBUTE_VALUE;
                    }

                    if (getConfig().getBinaryAttributeNames().contains(attrName)) {
                        // Binary attribute
                        try {
                            byte[] bytes = Base64.decode(val);
                            attr.add(bytes);
                        } catch (IOException ioe) {
                            logger.warnf("Wasn't able to Base64 decode the attribute value. Ignoring attribute update. LDAP DN: %s, Attribute: %s, Attribute value: %s" + ldapObject.getDn(), attrName, attrValue);
                        }
                    } else {
                        attr.add(val);
                    }
                }

                entryAttributes.put(attr);
            }
        }

        // Don't extract object classes for update
        if (isCreate) {
            BasicAttribute objectClassAttribute = new BasicAttribute(LDAPConstants.OBJECT_CLASS);

            for (String objectClassValue : ldapObject.getObjectClasses()) {
                objectClassAttribute.add(objectClassValue);

                if ((objectClassValue.equalsIgnoreCase(LDAPConstants.GROUP_OF_NAMES)
                        || objectClassValue.equalsIgnoreCase(LDAPConstants.GROUP_OF_ENTRIES)
                        || objectClassValue.equalsIgnoreCase(LDAPConstants.GROUP_OF_UNIQUE_NAMES)) &&
                        (entryAttributes.get(LDAPConstants.MEMBER) == null)) {
                    entryAttributes.put(LDAPConstants.MEMBER, LDAPConstants.EMPTY_MEMBER_ATTRIBUTE_VALUE);
                }
            }

            entryAttributes.put(objectClassAttribute);
        }

        return entryAttributes;
    }

fetchQueryResults()

List<LDAPObject> org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults ( LDAPQuery  identityQuery )

inline

org.keycloak.storage.ldap.idm.store.IdentityStoreを実装しています。

                                                                       {
        if (identityQuery.getSorting() != null && !identityQuery.getSorting().isEmpty()) {
            throw new ModelException("LDAP Identity Store does not yet support sorted queries.");
        }

        List<LDAPObject> results = new ArrayList<>();

        try {
            String baseDN = identityQuery.getSearchDn();

            for (Condition condition : identityQuery.getConditions()) {

                // Check if we are searching by ID
                String uuidAttrName = getConfig().getUuidLDAPAttributeName();
                if (condition instanceof EqualCondition) {
                    EqualCondition equalCondition = (EqualCondition) condition;
                    if (equalCondition.getParameterName().equalsIgnoreCase(uuidAttrName)) {
                        SearchResult search = this.operationManager
                                .lookupById(baseDN, equalCondition.getValue().toString(), identityQuery.getReturningLdapAttributes());

                        if (search != null) {
                            results.add(populateAttributedType(search, identityQuery));
                        }

                        return results;
                    }
                }
            }


            StringBuilder filter = createIdentityTypeSearchFilter(identityQuery);

            List<SearchResult> search;
            if (getConfig().isPagination() && identityQuery.getLimit() > 0) {
                search = this.operationManager.searchPaginated(baseDN, filter.toString(), identityQuery);
            } else {
                search = this.operationManager.search(baseDN, filter.toString(), identityQuery.getReturningLdapAttributes(), identityQuery.getSearchScope());
            }

            for (SearchResult result : search) {
                if (!result.getNameInNamespace().equalsIgnoreCase(baseDN)) {
                    results.add(populateAttributedType(result, identityQuery));
                }
            }
        } catch (Exception e) {
            throw new ModelException("Querying of LDAP failed " + identityQuery, e);
        }

        return results;
    }

getConfig()

LDAPConfig org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.getConfig ( )

inline

org.keycloak.storage.ldap.idm.store.IdentityStoreを実装しています。

                                  {
        return this.config;
    }

getEntryIdentifier()

String org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.getEntryIdentifier ( final LDAPObject  ldapObject )

inlineprotected

                                                                     {
        try {
            // we need this to retrieve the entry's identifier from the ldap server
            String uuidAttrName = getConfig().getUuidLDAPAttributeName();

            String rdn = ldapObject.getDn().getFirstRdn();
            String filter = "(" + EscapeStrategy.DEFAULT.escape(rdn) + ")";
            List<SearchResult> search = this.operationManager.search(ldapObject.getDn().toString(), filter, Arrays.asList(uuidAttrName), SearchControls.OBJECT_SCOPE);
            Attribute id = search.get(0).getAttributes().get(getConfig().getUuidLDAPAttributeName());

            if (id == null) {
                throw new ModelException("Could not retrieve identifier for entry [" + ldapObject.getDn().toString() + "].");
            }

            return this.operationManager.decodeEntryUUID(id.get());
        } catch (NamingException ne) {
            throw new ModelException("Could not retrieve identifier for entry [" + ldapObject.getDn().toString() + "].");
        }
    }

getObjectClassesFilter()

StringBuilder org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.getObjectClassesFilter ( Collection< String >  objectClasses )

inlineprivate

                                                                                   {
        StringBuilder builder = new StringBuilder();

        if (!objectClasses.isEmpty()) {
            for (String objectClass : objectClasses) {
                builder.append("(").append(LDAPConstants.OBJECT_CLASS).append(LDAPConstants.EQUAL).append(objectClass).append(")");
            }
        } else {
            builder.append("(").append(LDAPConstants.OBJECT_CLASS).append(LDAPConstants.EQUAL).append("*").append(")");
        }

        return builder;
    }

populateAttributedType()

LDAPObject org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.populateAttributedType ( SearchResult  searchResult, LDAPQuery  ldapQuery  )

inlineprivate

                                                                                              {
        Set<String> readOnlyAttrNames = ldapQuery.getReturningReadOnlyLdapAttributes();
        Set<String> lowerCasedAttrNames = new TreeSet<>();
        for (String attrName : ldapQuery.getReturningLdapAttributes()) {
            lowerCasedAttrNames.add(attrName.toLowerCase());
        }

        try {
            String entryDN = searchResult.getNameInNamespace();
            Attributes attributes = searchResult.getAttributes();

            LDAPObject ldapObject = new LDAPObject();
            LDAPDn dn = LDAPDn.fromString(entryDN);
            ldapObject.setDn(dn);
            ldapObject.setRdnAttributeName(dn.getFirstRdnAttrName());

            NamingEnumeration<? extends Attribute> ldapAttributes = attributes.getAll();

            while (ldapAttributes.hasMore()) {
                Attribute ldapAttribute = ldapAttributes.next();

                try {
                    ldapAttribute.get();
                } catch (NoSuchElementException nsee) {
                    continue;
                }

                String ldapAttributeName = ldapAttribute.getID();

                if (ldapAttributeName.equalsIgnoreCase(getConfig().getUuidLDAPAttributeName())) {
                    Object uuidValue = ldapAttribute.get();
                    ldapObject.setUuid(this.operationManager.decodeEntryUUID(uuidValue));
                }

                // Note: UUID is normally not populated here. It's populated just in case that it's used for name of other attribute as well
                if (!ldapAttributeName.equalsIgnoreCase(getConfig().getUuidLDAPAttributeName()) || (lowerCasedAttrNames.contains(ldapAttributeName.toLowerCase()))) {
                    Set<String> attrValues = new LinkedHashSet<>();
                    NamingEnumeration<?> enumm = ldapAttribute.getAll();
                    while (enumm.hasMoreElements()) {
                        Object val = enumm.next();

                        if (val instanceof byte[]) { // byte[]
                            String attrVal = Base64.encodeBytes((byte[]) val);
                            attrValues.add(attrVal);
                        } else { // String
                            String attrVal = val.toString().trim();
                            attrValues.add(attrVal);
                        }
                    }

                    if (ldapAttributeName.equalsIgnoreCase(LDAPConstants.OBJECT_CLASS)) {
                        ldapObject.setObjectClasses(attrValues);
                    } else {
                        ldapObject.setAttribute(ldapAttributeName, attrValues);

                        // readOnlyAttrNames are lower-cased
                        if (readOnlyAttrNames.contains(ldapAttributeName.toLowerCase())) {
                            ldapObject.addReadOnlyAttributeName(ldapAttributeName);
                        }
                    }
                }
            }

            if (logger.isTraceEnabled()) {
                logger.tracef("Found ldap object and populated with the attributes. LDAP Object: %s", ldapObject.toString());
            }
            return ldapObject;

        } catch (Exception e) {
            throw new ModelException("Could not populate attribute type " + searchResult.getNameInNamespace() + ".", e);
        }
    }

remove()

void org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.remove ( LDAPObject  ldapObject )

inline

org.keycloak.storage.ldap.idm.store.IdentityStoreを実装しています。

                                              {
        this.operationManager.removeEntry(ldapObject.getDn().toString());

        if (logger.isDebugEnabled()) {
            logger.debugf("Type with identifier [%s] and DN [%s] successfully removed from LDAP store.", ldapObject.getUuid(), ldapObject.getDn().toString());
        }
    }

update()

void org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update ( LDAPObject  ldapObject )

inline

org.keycloak.storage.ldap.idm.store.IdentityStoreを実装しています。

                                              {
        checkRename(ldapObject);

        BasicAttributes updatedAttributes = extractAttributes(ldapObject, false);
        NamingEnumeration<Attribute> attributes = updatedAttributes.getAll();

        String entryDn = ldapObject.getDn().toString();
        this.operationManager.modifyAttributes(entryDn, attributes);

        if (logger.isDebugEnabled()) {
            logger.debugf("Type with identifier [%s] and DN [%s] successfully updated to LDAP store.", ldapObject.getUuid(), entryDn);
        }
    }

updateADPassword()

void org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.updateADPassword ( String  userDN, String  password, LDAPOperationDecorator  passwordUpdateDecorator  )

inlineprivate

                                                                                                                  {
        try {
            // Replace the "unicdodePwd" attribute with a new value
            // Password must be both Unicode and a quoted string
            String newQuotedPassword = "\"" + password + "\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");

            BasicAttribute unicodePwd = new BasicAttribute("unicodePwd", newUnicodePassword);

            List<ModificationItem> modItems = new ArrayList<ModificationItem>();
            modItems.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE, unicodePwd));

            operationManager.modifyAttributes(userDN, modItems.toArray(new ModificationItem[] {}), passwordUpdateDecorator);
        } catch (ModelException me) {
            throw me;
        } catch (Exception e) {
            throw new ModelException(e);
        }
    }

updatePassword()

void org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.updatePassword ( LDAPObject  user, String  password, LDAPOperationDecorator  passwordUpdateDecorator  )

inline

org.keycloak.storage.ldap.idm.store.IdentityStoreを実装しています。

                                                                                                                 {
        String userDN = user.getDn().toString();

        if (logger.isDebugEnabled()) {
            logger.debugf("Using DN [%s] for updating LDAP password of user", userDN);
        }

        if (getConfig().isActiveDirectory()) {
            updateADPassword(userDN, password, passwordUpdateDecorator);
        } else {
            ModificationItem[] mods = new ModificationItem[1];

            try {
                BasicAttribute mod0 = new BasicAttribute(LDAPConstants.USER_PASSWORD_ATTRIBUTE, password);

                mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, mod0);

                operationManager.modifyAttributes(userDN, mods, passwordUpdateDecorator);
            } catch (ModelException me) {
                throw me;
            } catch (Exception e) {
                throw new ModelException("Error updating password.", e);
            }
        }
    }

validatePassword()

void org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.validatePassword ( LDAPObject  user, String  password  ) throws AuthenticationException

inline

org.keycloak.storage.ldap.idm.store.IdentityStoreを実装しています。

                                                                                                  {
        String userDN = user.getDn().toString();

        if (logger.isTraceEnabled()) {
            logger.tracef("Using DN [%s] for authentication of user", userDN);
        }

        operationManager.authenticate(userDN, password);
    }

メンバ詳解

config

final LDAPConfig org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.config

private

logger

final Logger org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.logger = Logger.getLogger(LDAPIdentityStore.class)

staticprivate

operationManager

final LDAPOperationManager org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.operationManager

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/federation/src/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java