org.keycloak.credential.PasswordCredentialProvider クラス

org.keycloak.credential.PasswordCredentialProvider の継承関係図

org.keycloak.credential.PasswordCredentialProvider 連携図

公開メンバ関数
	PasswordCredentialProvider (KeycloakSession session)
CredentialModel	getPassword (RealmModel realm, UserModel user)
boolean	updateCredential (RealmModel realm, UserModel user, CredentialInput input)
void	disableCredentialType (RealmModel realm, UserModel user, String credentialType)
Set< String >	getDisableableCredentialTypes (RealmModel realm, UserModel user)
boolean	supportsCredentialType (String credentialType)
boolean	isConfiguredFor (RealmModel realm, UserModel user, String credentialType)
boolean	isValid (RealmModel realm, UserModel user, CredentialInput input)
void	onCache (RealmModel realm, CachedUserModel user, UserModel delegate)

静的公開変数類
static final String	PASSWORD_CACHE_KEY = PasswordCredentialProvider.class.getName() + "." + CredentialModel.PASSWORD

限定公開メンバ関数
UserCredentialStore	getCredentialStore ()
void	expirePassword (RealmModel realm, UserModel user, PasswordPolicy policy)
PasswordHashProvider	getHashProvider (PasswordPolicy policy)

限定公開変数類
KeycloakSession	session

静的非公開変数類
static final Logger	logger = Logger.getLogger(PasswordCredentialProvider.class)

詳解

著者

Bill Burke

バージョン

Revision

1

構築子と解体子

PasswordCredentialProvider()

org.keycloak.credential.PasswordCredentialProvider.PasswordCredentialProvider ( KeycloakSession  session )

inline

                                                               {
        this.session = session;
    }

関数詳解

disableCredentialType()

void org.keycloak.credential.PasswordCredentialProvider.disableCredentialType ( RealmModel  realm, UserModel  user, String  credentialType  )

inline

                                                                                               {
        if (!supportsCredentialType(credentialType)) return;
        PasswordPolicy policy = realm.getPasswordPolicy();
        expirePassword(realm, user, policy);
    }

expirePassword()

void org.keycloak.credential.PasswordCredentialProvider.expirePassword ( RealmModel  realm, UserModel  user, PasswordPolicy  policy  )

inlineprotected

                                                                                           {

        CredentialModel oldPassword = getPassword(realm, user);
        if (oldPassword == null) return;
        int expiredPasswordsPolicyValue = policy.getExpiredPasswords();
        if (expiredPasswordsPolicyValue > 1) {
            List<CredentialModel> list = getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.PASSWORD_HISTORY);
            // oldPassword will expire few lines below, and there is one active password,
            // hence (expiredPasswordsPolicyValue - 2) passwords should be left in history
            final int passwordsToLeave = expiredPasswordsPolicyValue - 2;
            if (list.size() > passwordsToLeave) {
                list.stream()
                  .sorted((o1, o2) -> { // sort by date descending
                      Long o1Date = o1.getCreatedDate() == null ? Long.MIN_VALUE : o1.getCreatedDate();
                      Long o2Date = o2.getCreatedDate() == null ? Long.MIN_VALUE : o2.getCreatedDate();
                      return (- o1Date.compareTo(o2Date));
                  })
                  .skip(passwordsToLeave)
                  .forEach(p -> getCredentialStore().removeStoredCredential(realm, user, p.getId()));
            }
            oldPassword.setType(CredentialModel.PASSWORD_HISTORY);
            getCredentialStore().updateCredential(realm, user, oldPassword);
        } else {
            session.userCredentialManager().removeStoredCredential(realm, user, oldPassword.getId());
        }

    }

getCredentialStore()

UserCredentialStore org.keycloak.credential.PasswordCredentialProvider.getCredentialStore ( )

inlineprotected

                                                       {
        return session.userCredentialManager();
    }

getDisableableCredentialTypes()

Set<String> org.keycloak.credential.PasswordCredentialProvider.getDisableableCredentialTypes ( RealmModel  realm, UserModel  user  )

inline

                                                                                       {
        if (!getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.PASSWORD).isEmpty()) {
            Set<String> set = new HashSet<>();
            set.add(CredentialModel.PASSWORD);
            return set;
        } else {
            return Collections.EMPTY_SET;
        }
    }

getHashProvider()

PasswordHashProvider org.keycloak.credential.PasswordCredentialProvider.getHashProvider ( PasswordPolicy  policy )

inlineprotected

                                                                          {
        PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class, policy.getHashAlgorithm());
        if (hash == null) {
            logger.warnv("Realm PasswordPolicy PasswordHashProvider {0} not found", policy.getHashAlgorithm());
            return session.getProvider(PasswordHashProvider.class, PasswordPolicy.HASH_ALGORITHM_DEFAULT);
        }
        return hash;
    }

getPassword()

CredentialModel org.keycloak.credential.PasswordCredentialProvider.getPassword ( RealmModel  realm, UserModel  user  )

inline

                                                                         {
        List<CredentialModel> passwords = null;
        if (user instanceof CachedUserModel && !((CachedUserModel)user).isMarkedForEviction()) {
            CachedUserModel cached = (CachedUserModel)user;
            passwords = (List<CredentialModel>)cached.getCachedWith().get(PASSWORD_CACHE_KEY);

        }
        // if the model was marked for eviction while passwords were initialized, override it from credentialStore
        if (! (user instanceof CachedUserModel) || ((CachedUserModel) user).isMarkedForEviction()) {
            passwords = getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.PASSWORD);
        }
        if (passwords == null || passwords.isEmpty()) return null;
        return passwords.get(0);
    }

isConfiguredFor()

boolean org.keycloak.credential.PasswordCredentialProvider.isConfiguredFor ( RealmModel  realm, UserModel  user, String  credentialType  )

inline

                                                                                            {
        return getPassword(realm, user) != null;
    }

isValid()

boolean org.keycloak.credential.PasswordCredentialProvider.isValid ( RealmModel  realm, UserModel  user, CredentialInput  input  )

inline

                                                                                    {
        if (! (input instanceof UserCredentialModel)) {
            logger.debug("Expected instance of UserCredentialModel for CredentialInput");
            return false;

        }
        UserCredentialModel cred = (UserCredentialModel)input;
        if (cred.getValue() == null) {
            logger.debugv("Input password was null for user {0} ", user.getUsername());
            return false;
        }
        CredentialModel password = getPassword(realm, user);
        if (password == null) {
            logger.debugv("No password cached or stored for user {0} ", user.getUsername());
            return false;
        }
        PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class, password.getAlgorithm());
        if (hash == null) {
            logger.debugv("PasswordHashProvider {0} not found for user {1} ", password.getAlgorithm(), user.getUsername());
            return false;
        }
        if (!hash.verify(cred.getValue(), password)) {
            logger.debugv("Failed password validation for user {0} ", user.getUsername());
            return false;
        }
        PasswordPolicy policy = realm.getPasswordPolicy();
        if (policy == null) {
            return true;
        }
        hash = getHashProvider(policy);
        if (hash == null) {
            return true;
        }
        if (hash.policyCheck(policy, password)) {
            return true;
        }

        CredentialModel newPassword = password.shallowClone();
        hash.encode(cred.getValue(), policy.getHashIterations(), newPassword);
        getCredentialStore().updateCredential(realm, user, newPassword);

        UserCache userCache = session.userCache();
        if (userCache != null) {
            userCache.evict(realm, user);
        }

        return true;
    }

onCache()

void org.keycloak.credential.PasswordCredentialProvider.onCache ( RealmModel  realm, CachedUserModel  user, UserModel  delegate  )

inline

                                                                                    {
        List<CredentialModel> passwords = getCredentialStore().getStoredCredentialsByType(realm, user, CredentialModel.PASSWORD);
        if (passwords != null) {
            user.getCachedWith().put(PASSWORD_CACHE_KEY, passwords);
        }

    }

supportsCredentialType()

boolean org.keycloak.credential.PasswordCredentialProvider.supportsCredentialType ( String  credentialType )

inline

                                                                 {
        return credentialType.equals(CredentialModel.PASSWORD);
    }

updateCredential()

boolean org.keycloak.credential.PasswordCredentialProvider.updateCredential ( RealmModel  realm, UserModel  user, CredentialInput  input  )

inline

                                                                                             {
        if (!supportsCredentialType(input.getType())) return false;

        if (!(input instanceof UserCredentialModel)) {
            logger.debug("Expected instance of UserCredentialModel for CredentialInput");
            return false;
        }
        UserCredentialModel cred = (UserCredentialModel)input;
        PasswordPolicy policy = realm.getPasswordPolicy();

        PolicyError error = session.getProvider(PasswordPolicyManagerProvider.class).validate(realm, user, cred.getValue());
        if (error != null) throw new ModelException(error.getMessage(), error.getParameters());


        PasswordHashProvider hash = getHashProvider(policy);
        if (hash == null) {
            return false;
        }
        CredentialModel oldPassword = getPassword(realm, user);

        expirePassword(realm, user, policy);
        CredentialModel newPassword = new CredentialModel();
        newPassword.setType(CredentialModel.PASSWORD);
        long createdDate = Time.currentTimeMillis();
        newPassword.setCreatedDate(createdDate);
        hash.encode(cred.getValue(), policy.getHashIterations(), newPassword);
        getCredentialStore().createCredential(realm, user, newPassword);
        UserCache userCache = session.userCache();
        if (userCache != null) {
            userCache.evict(realm, user);
        }
        return true;
    }

メンバ詳解

logger

final Logger org.keycloak.credential.PasswordCredentialProvider.logger = Logger.getLogger(PasswordCredentialProvider.class)

staticprivate

PASSWORD_CACHE_KEY

final String org.keycloak.credential.PasswordCredentialProvider.PASSWORD_CACHE_KEY = PasswordCredentialProvider.class.getName() + "." + CredentialModel.PASSWORD

static

session

KeycloakSession org.keycloak.credential.PasswordCredentialProvider.session

protected

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/credential/PasswordCredentialProvider.java