org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory の継承関係図

org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory 連携図

公開メンバ関数
void	onParentUpdate (RealmModel realm, UserStorageProviderModel oldParent, UserStorageProviderModel newParent, ComponentModel mapperModel)

void	onCreate (KeycloakSession session, RealmModel realm, ComponentModel model)

void	onUpdate (KeycloakSession session, RealmModel realm, ComponentModel oldModel, ComponentModel newModel)

String	getHelpText ()

List< ProviderConfigProperty >	getConfigProperties ()

List< ProviderConfigProperty >	getConfigProperties (RealmModel realm, ComponentModel parent)

String	getId ()

Map< String, Object >	getTypeMetadata ()

void	validateConfiguration (KeycloakSession session, RealmModel realm, ComponentModel config) throws ComponentValidationException

void	init (Config.Scope config)

LDAPStorageMapper	create (KeycloakSession session, ComponentModel model)

void	postInit (KeycloakSessionFactory factory)

void	close ()

静的公開メンバ関数
static ProviderConfigProperty	createConfigProperty (String name, String label, String helpText, String type, List< String > options)

静的公開変数類
static final String	PROVIDER_ID = "role-ldap-mapper"

限定公開メンバ関数
AbstractLDAPStorageMapper	createMapper (ComponentModel mapperModel, LDAPStorageProvider federationProvider)

UserRolesRetrieveStrategy	getUserRolesRetrieveStrategy (String strategyKey)

void	checkMandatoryConfigAttribute (String name, String displayName, ComponentModel mapperModel) throws ComponentValidationException

静的限定公開変数類
static final List< ProviderConfigProperty >	configProperties

static final Map< String, UserRolesRetrieveStrategy >	userRolesStrategies = new LinkedHashMap<>()

static final List< String >	MEMBERSHIP_TYPES = new LinkedList<>()

static final List< String >	MODES = new LinkedList<>()

static final List< String >	NO_IMPORT_MODES = new LinkedList<>()

static final List< String >	roleRetrievers

静的関数
	[static initializer]

静的非公開メンバ関数
static List< ProviderConfigProperty >	getProps (ComponentModel parent)

詳解

著者: Marek Posolda

関数詳解

◆ [static initializer]()

org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.[static initializer] ( )

inlinestaticpackage

◆ checkMandatoryConfigAttribute()

void org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory.checkMandatoryConfigAttribute	(	String	name,
		String	displayName,
		ComponentModel	mapperModel
	)		throws ComponentValidationException

inlineprotectedinherited

                                                                                                                                                   {
         String attrConfigValue = mapperModel.getConfig().getFirst(name);
         if (attrConfigValue == null || attrConfigValue.trim().isEmpty()) {
             throw new ComponentValidationException("Missing configuration for '" + displayName + "'");
         }
     }

◆ close()

void org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory.close ( )

inlineinherited

67 {

68 }

◆ create()

LDAPStorageMapper org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory.create	(	KeycloakSession	session,
		ComponentModel	model
	)

inlineinherited

                                                                                    {
         // LDAPStorageProvider is in the session already as mappers are always called from it
         String ldapProviderModelId = model.getParentId();
         LDAPStorageProvider ldapProvider = (LDAPStorageProvider) session.getAttribute(ldapProviderModelId);
 
         return createMapper(model, ldapProvider);
     }

◆ createConfigProperty()

static ProviderConfigProperty org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory.createConfigProperty	(	String	name,
		String	label,
		String	helpText,
		String	type,
		List< String >	options
	)

inlinestaticinherited

                                                                                                                                              {
         ProviderConfigProperty configProperty = new ProviderConfigProperty();
         configProperty.setName(name);
         configProperty.setLabel(label);
         configProperty.setHelpText(helpText);
         configProperty.setType(type);
         configProperty.setOptions(options);
         return configProperty;
     }

◆ createMapper()

AbstractLDAPStorageMapper org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.createMapper	(	ComponentModel	mapperModel,
		LDAPStorageProvider	federationProvider
	)

inlineprotected

                                                                                                                          {
         return new RoleLDAPStorageMapper(mapperModel, federationProvider, this);
     }

◆ getConfigProperties() [1/2]

List<ProviderConfigProperty> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.getConfigProperties ( )

inline

                                                               {
         return configProperties;
     }

◆ getConfigProperties() [2/2]

List<ProviderConfigProperty> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.getConfigProperties	(	RealmModel	realm,
		ComponentModel	parent
	)

inline

                                                                                                      {
         return getProps(parent);
     }

◆ getHelpText()

String org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.getHelpText ( )

inline

                                 {
         return "Used to map role mappings of roles from some LDAP DN to Keycloak role mappings of either realm roles or client roles of particular client";
     }

◆ getId()

String org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.getId ( )

inline

                           {
         return PROVIDER_ID;
     }

◆ getProps()

static List<ProviderConfigProperty> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.getProps ( ComponentModel parent )

inlinestaticprivate

                                                                                 {
         String roleObjectClasses = LDAPConstants.GROUP_OF_NAMES;
         String mode = LDAPGroupMapperMode.LDAP_ONLY.toString();
         String membershipUserAttribute = LDAPConstants.UID;
         boolean importEnabled = true;
         if (parent != null) {
             LDAPConfig config = new LDAPConfig(parent.getConfig());
             roleObjectClasses = config.isActiveDirectory() ? LDAPConstants.GROUP : LDAPConstants.GROUP_OF_NAMES;
             mode = config.getEditMode() == UserStorageProvider.EditMode.WRITABLE ? LDAPGroupMapperMode.LDAP_ONLY.toString() : LDAPGroupMapperMode.READ_ONLY.toString();
             membershipUserAttribute = config.getUsernameLdapAttribute();
             importEnabled = new UserStorageProviderModel(parent).isImportEnabled();
 
         }
 
         ProviderConfigurationBuilder config = ProviderConfigurationBuilder.create()
                 .property().name(RoleMapperConfig.ROLES_DN)
                 .label("LDAP Roles DN")
                 .helpText("LDAP DN where are roles of this tree saved. For example 'ou=finance,dc=example,dc=org' ")
                 .type(ProviderConfigProperty.STRING_TYPE)
                 .add()
                 .property().name(RoleMapperConfig.ROLE_NAME_LDAP_ATTRIBUTE)
                 .label("Role Name LDAP Attribute")
                 .helpText("Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn' . In this case typical group/role object may have DN like 'cn=role1,ou=finance,dc=example,dc=org' ")
                 .type(ProviderConfigProperty.STRING_TYPE)
                 .defaultValue(LDAPConstants.CN)
                 .add()
                 .property().name(RoleMapperConfig.ROLE_OBJECT_CLASSES)
                 .label("Role Object Classes")
                 .helpText("Object class (or classes) of the role object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ")
                 .type(ProviderConfigProperty.STRING_TYPE)
                 .defaultValue(roleObjectClasses)
                 .add()
                 .property().name(RoleMapperConfig.MEMBERSHIP_LDAP_ATTRIBUTE)
                 .label("Membership LDAP Attribute")
                 .helpText("Name of LDAP attribute on role, which is used for membership mappings. Usually it will be 'member' ." +
                         "However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .")
                 .type(ProviderConfigProperty.STRING_TYPE)
                 .defaultValue(LDAPConstants.MEMBER)
                 .add()
                 .property().name(RoleMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE)
                 .label("Membership Attribute Type")
                 .helpText("DN means that LDAP role has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . " +
                         "UID means that LDAP role has it's members declared in form of pure user uids. For example 'memberUid: john' .")
                 .type(ProviderConfigProperty.LIST_TYPE)
                 .options(MEMBERSHIP_TYPES)
                 .defaultValue(MembershipType.DN.toString())
                 .add()
                 .property().name(RoleMapperConfig.MEMBERSHIP_USER_LDAP_ATTRIBUTE)
                 .label("Membership User LDAP Attribute")
                 .helpText("Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . For example if value of " +
                         "'Membership User LDAP Attribute' is 'uid' and " +
                         " LDAP group has  'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .")
                 .type(ProviderConfigProperty.STRING_TYPE)
                 .defaultValue(membershipUserAttribute)
                 .add()
                 .property().name(RoleMapperConfig.ROLES_LDAP_FILTER)
                 .label("LDAP Filter")
                 .helpText("LDAP Filter adds additional custom filter to the whole query for retrieve LDAP roles. Leave this empty if no additional filtering is needed and you want to retrieve all roles from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'")
                 .type(ProviderConfigProperty.STRING_TYPE)
                 .add();
 
         if (importEnabled) {
             config.property().name(RoleMapperConfig.MODE)
                     .label("Mode")
                     .helpText("LDAP_ONLY means that all role mappings are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where role mappings are " +
                             "retrieved from both LDAP and DB and merged together. New role grants are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where role mappings are retrieved from LDAP just at the time when user is imported from LDAP and then " +
                             "they are saved to local keycloak DB.")
                     .type(ProviderConfigProperty.LIST_TYPE)
                     .options(MODES)
                     .defaultValue(mode)
                     .add();
         } else {
             config.property().name(RoleMapperConfig.MODE)
                     .label("Mode")
                     .helpText("LDAP_ONLY means that specified role mappings are writable to LDAP. READ_ONLY means LDAP is readonly.")
                     .type(ProviderConfigProperty.LIST_TYPE)
                     .options(NO_IMPORT_MODES)
                     .defaultValue(mode)
                     .add();
 
         }
 
         config.property().name(RoleMapperConfig.USER_ROLES_RETRIEVE_STRATEGY)
                 .label("User Roles Retrieve Strategy")
                 .helpText("Specify how to retrieve roles of user. LOAD_ROLES_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all roles where 'member' is our user. " +
                         "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE means that roles of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . " +
                         "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY is applicable just in Active Directory and it means that roles of user will be retrieved recursively with usage of LDAP_MATCHING_RULE_IN_CHAIN Ldap extension.")
                 .type(ProviderConfigProperty.LIST_TYPE)
                 .options(roleRetrievers)
                 .defaultValue(RoleMapperConfig.LOAD_ROLES_BY_MEMBER_ATTRIBUTE)
                 .add()
                 .property().name(GroupMapperConfig.MEMBEROF_LDAP_ATTRIBUTE)
                 .label("Member-Of LDAP Attribute")
                 .helpText("Used just when 'User Roles Retrieve Strategy' is GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE . " +
                         "It specifies the name of the LDAP attribute on the LDAP user, which contains the roles (LDAP Groups), which the user is member of. " +
                         "Usually it will be 'memberOf' and that's also the default value.")
                 .type(ProviderConfigProperty.STRING_TYPE)
                 .defaultValue(LDAPConstants.MEMBER_OF)
                 .add()
                 .property().name(RoleMapperConfig.USE_REALM_ROLES_MAPPING)
                 .label("Use Realm Roles Mapping")
                 .helpText("If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings")
                 .type(ProviderConfigProperty.BOOLEAN_TYPE)
                 .defaultValue("true")
                 .add()
                 .property().name(RoleMapperConfig.CLIENT_ID)
                 .label("Client ID")
                 .helpText("Client ID of client to which LDAP role mappings will be mapped. Applicable just if 'Use Realm Roles Mapping' is false")
                 .type(ProviderConfigProperty.CLIENT_LIST_TYPE)
                 .add();
         return config.build();
     }

◆ getTypeMetadata()

Map<String, Object> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.getTypeMetadata ( )

inline

                                                  {
         Map<String, Object> metadata = new HashMap<>();
         metadata.put("fedToKeycloakSyncSupported", true);
         metadata.put("fedToKeycloakSyncMessage", "sync-ldap-roles-to-keycloak");
         metadata.put("keycloakToFedSyncSupported", true);
         metadata.put("keycloakToFedSyncMessage", "sync-keycloak-roles-to-ldap");
 
         return metadata;
     }

◆ getUserRolesRetrieveStrategy()

UserRolesRetrieveStrategy org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.getUserRolesRetrieveStrategy ( String strategyKey )

inlineprotected

                                                                                          {
         return userRolesStrategies.get(strategyKey);
     }

◆ init()

void org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory.init ( Config.Scope config )

inlineinherited

38 {

39 }

◆ onCreate()

void org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.onCreate	(	KeycloakSession	session,
		RealmModel	realm,
		ComponentModel	model
	)

inline

                                                                                           {
         ComponentModel parentModel = realm.getComponent(model.getParentId());
         UserStorageProviderModel parent = new UserStorageProviderModel(parentModel);
         onParentUpdate(realm, parent, parent, model);
 
     }

◆ onParentUpdate()

void org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.onParentUpdate	(	RealmModel	realm,
		UserStorageProviderModel	oldParent,
		UserStorageProviderModel	newParent,
		ComponentModel	mapperModel
	)

inline

                                                                                                                                                      {
         if (!newParent.isImportEnabled()) {
             if (new RoleMapperConfig(mapperModel).getMode() == LDAPGroupMapperMode.IMPORT) {
                  mapperModel.getConfig().putSingle(RoleMapperConfig.MODE, LDAPGroupMapperMode.READ_ONLY.toString());
                  realm.updateComponent(mapperModel);
 
             }
         }
     }

◆ onUpdate()

void org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.onUpdate	(	KeycloakSession	session,
		RealmModel	realm,
		ComponentModel	oldModel,
		ComponentModel	newModel
	)

inline

                                                                                                                       {
         ComponentModel parentModel = realm.getComponent(newModel.getParentId());
         UserStorageProviderModel parent = new UserStorageProviderModel(parentModel);
         onParentUpdate(realm, parent, parent, newModel);
     }

◆ postInit()

void org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory.postInit ( KeycloakSessionFactory factory )

inlineinherited

54 {

55 }

◆ validateConfiguration()

void org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.validateConfiguration	(	KeycloakSession	session,
		RealmModel	realm,
		ComponentModel	config
	)		throws ComponentValidationException

inline

                                                                                                                                             {
         checkMandatoryConfigAttribute(RoleMapperConfig.ROLES_DN, "LDAP Roles DN", config);
         checkMandatoryConfigAttribute(RoleMapperConfig.MODE, "Mode", config);
 
         String realmMappings = config.getConfig().getFirst(RoleMapperConfig.USE_REALM_ROLES_MAPPING);
         boolean useRealmMappings = Boolean.parseBoolean(realmMappings);
         if (!useRealmMappings) {
             String clientId = config.getConfig().getFirst(RoleMapperConfig.CLIENT_ID);
             if (clientId == null || clientId.trim().isEmpty()) {
                 throw new ComponentValidationException("ldapErrorMissingClientId");
             }
         }
 
         LDAPUtils.validateCustomLdapFilter(config.getConfig().getFirst(RoleMapperConfig.ROLES_LDAP_FILTER));
     }

メンバ詳解

◆ configProperties

final List<ProviderConfigProperty> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.configProperties

staticprotected

◆ MEMBERSHIP_TYPES

final List<String> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.MEMBERSHIP_TYPES = new LinkedList<>()

staticprotected

◆ MODES

final List<String> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.MODES = new LinkedList<>()

staticprotected

◆ NO_IMPORT_MODES

final List<String> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.NO_IMPORT_MODES = new LinkedList<>()

staticprotected

◆ PROVIDER_ID

final String org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.PROVIDER_ID = "role-ldap-mapper"

static

◆ roleRetrievers

final List<String> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.roleRetrievers

staticprotected

◆ userRolesStrategies

final Map<String, UserRolesRetrieveStrategy> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapperFactory.userRolesStrategies = new LinkedHashMap<>()

staticprotected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/storage/ldap/mappers/membership/role/RoleLDAPStorageMapperFactory.java

公開メンバ関数

静的公開メンバ関数

静的公開変数類

限定公開メンバ関数

静的限定公開変数類

静的関数

静的非公開メンバ関数

詳解

関数詳解

◆ [static initializer]()

◆ checkMandatoryConfigAttribute()

◆ close()

◆ create()

◆ createConfigProperty()

◆ createMapper()

◆ getConfigProperties() [1/2]

◆ getConfigProperties() [2/2]

◆ getHelpText()

◆ getId()

◆ getProps()

◆ getTypeMetadata()

◆ getUserRolesRetrieveStrategy()

◆ init()

◆ onCreate()

◆ onParentUpdate()

◆ onUpdate()

◆ postInit()

◆ validateConfiguration()

メンバ詳解

◆ configProperties

◆ MEMBERSHIP_TYPES

◆ MODES

◆ NO_IMPORT_MODES

◆ PROVIDER_ID

◆ roleRetrievers

◆ userRolesStrategies