KEYCLOAK-1906 Customized LDAP filter. LDAP conditions improvements

federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPConfig.java

@@ -14,7 +14,6 @@
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  *
- * TODO: init properties at constructor instead of always compute them
  */
 public class LDAPConfig {
 
@@ -147,6 +146,18 @@ public String getRdnLdapAttribute() {
         return rdn;
     }
 
+
+    public String getCustomUserSearchFilter() {
+        String customFilter = config.get(LDAPConstants.CUSTOM_USER_SEARCH_FILTER);
+        if (customFilter != null) {
+            customFilter = customFilter.trim();
+            if (customFilter.length() > 0) {
+                return customFilter;
+            }
+        }
+        return null;
+    }
+
     public UserFederationProvider.EditMode getEditMode() {
         String editModeString = config.get(LDAPConstants.EDIT_MODE);
         if (editModeString == null) {

federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java

@@ -5,7 +5,6 @@
 import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
 import org.keycloak.federation.ldap.idm.model.LDAPObject;
 import org.keycloak.federation.ldap.idm.query.Condition;
-import org.keycloak.federation.ldap.idm.query.QueryParameter;
 import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
 import org.keycloak.federation.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
 import org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore;
@@ -209,10 +208,10 @@ protected List<LDAPObject> searchLDAP(RealmModel realm, Map<String, String> attr
 
             // Mapper should replace parameter with correct LDAP mapped attributes
             if (attributes.containsKey(FIRST_NAME)) {
-                ldapQuery.where(conditionsBuilder.equal(new QueryParameter(FIRST_NAME), attributes.get(FIRST_NAME)));
+                ldapQuery.addWhereCondition(conditionsBuilder.equal(FIRST_NAME, attributes.get(FIRST_NAME)));
             }
             if (attributes.containsKey(LAST_NAME)) {
-                ldapQuery.where(conditionsBuilder.equal(new QueryParameter(LAST_NAME), attributes.get(LAST_NAME)));
+                ldapQuery.addWhereCondition(conditionsBuilder.equal(LAST_NAME, attributes.get(LAST_NAME)));
             }
 
             List<LDAPObject> ldapObjects = ldapQuery.getResultList();
@@ -287,8 +286,8 @@ protected LDAPObject queryByEmail(RealmModel realm, String email) {
         LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
 
         // Mapper should replace "email" in parameter name with correct LDAP mapped attribute
-        Condition emailCondition = conditionsBuilder.equal(new QueryParameter(UserModel.EMAIL), email);
-        ldapQuery.where(emailCondition);
+        Condition emailCondition = conditionsBuilder.equal(UserModel.EMAIL, email);
+        ldapQuery.addWhereCondition(emailCondition);
 
         return ldapQuery.getFirstResult();
     }
@@ -434,8 +433,8 @@ public LDAPObject loadLDAPUserByUsername(RealmModel realm, String username) {
         LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
 
         String usernameMappedAttribute = this.ldapIdentityStore.getConfig().getUsernameLdapAttribute();
-        Condition usernameCondition = conditionsBuilder.equal(new QueryParameter(usernameMappedAttribute), username);
-        ldapQuery.where(usernameCondition);
+        Condition usernameCondition = conditionsBuilder.equal(usernameMappedAttribute, username);
+        ldapQuery.addWhereCondition(usernameCondition);
 
         LDAPObject ldapUser = ldapQuery.getFirstResult();
         if (ldapUser == null) {

federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java

@@ -8,7 +8,6 @@
 import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
 import org.keycloak.federation.ldap.idm.model.LDAPObject;
 import org.keycloak.federation.ldap.idm.query.Condition;
-import org.keycloak.federation.ldap.idm.query.QueryParameter;
 import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
 import org.keycloak.federation.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
 import org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore;
@@ -21,7 +20,6 @@
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.KeycloakSessionTask;
 import org.keycloak.models.LDAPConstants;
-import org.keycloak.models.ModelDuplicateException;
 import org.keycloak.models.ModelException;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserFederationEventAwareProviderFactory;
@@ -211,12 +209,12 @@ public UserFederationSyncResult syncChangedUsers(KeycloakSessionFactory sessionF
 
         // Sync newly created and updated users
         LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
-        Condition createCondition = conditionsBuilder.greaterThanOrEqualTo(new QueryParameter(LDAPConstants.CREATE_TIMESTAMP), lastSync);
-        Condition modifyCondition = conditionsBuilder.greaterThanOrEqualTo(new QueryParameter(LDAPConstants.MODIFY_TIMESTAMP), lastSync);
+        Condition createCondition = conditionsBuilder.greaterThanOrEqualTo(LDAPConstants.CREATE_TIMESTAMP, lastSync);
+        Condition modifyCondition = conditionsBuilder.greaterThanOrEqualTo(LDAPConstants.MODIFY_TIMESTAMP, lastSync);
         Condition orCondition = conditionsBuilder.orCondition(createCondition, modifyCondition);
 
         LDAPQuery userQuery = createQuery(sessionFactory, realmId, model);
-        userQuery.where(orCondition);
+        userQuery.addWhereCondition(orCondition);
         UserFederationSyncResult result = syncImpl(sessionFactory, userQuery, realmId, model);
 
         logger.infof("Sync changed users finished: %s", result.getStatus());

federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPUtils.java

@@ -4,7 +4,9 @@
 
 import org.keycloak.federation.ldap.idm.model.LDAPDn;
 import org.keycloak.federation.ldap.idm.model.LDAPObject;
+import org.keycloak.federation.ldap.idm.query.Condition;
 import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
+import org.keycloak.federation.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
 import org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore;
 import org.keycloak.federation.ldap.mappers.LDAPFederationMapper;
 import org.keycloak.models.ModelException;
@@ -51,6 +53,12 @@ public static LDAPQuery createQueryForUserSearch(LDAPFederationProvider ldapProv
         ldapQuery.setSearchDn(config.getUsersDn());
         ldapQuery.addObjectClasses(config.getUserObjectClasses());
 
+        String customFilter = config.getCustomUserSearchFilter();
+        if (customFilter != null) {
+            Condition customFilterCondition = new LDAPQueryConditionsBuilder().addCustomLDAPFilter(customFilter);
+            ldapQuery.addWhereCondition(customFilterCondition);
+        }
+
         Set<UserFederationMapperModel> mapperModels = realm.getUserFederationMappersByFederationProvider(ldapProvider.getModel().getId());
         ldapQuery.addMappers(mapperModels);
 

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/Condition.java

@@ -8,11 +8,9 @@
  */
 public interface Condition {
 
-    /**
-     * <p>The {@link QueryParameter} restricted by this condition.</p>
-     *
-     * @return
-     */
-    QueryParameter getParameter();
+    String getParameterName();
+    void setParameterName(String parameterName);
+
+    void applyCondition(StringBuilder filter);
 
 }

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/Sort.java

@@ -5,16 +5,16 @@
  */
 public class Sort {
 
-    private final QueryParameter parameter;
+    private final String paramName;
     private final boolean asc;
 
-    public Sort(QueryParameter parameter, boolean asc) {
-        this.parameter = parameter;
+    public Sort(String paramName, boolean asc) {
+        this.paramName = paramName;
         this.asc = asc;
     }
 
-    public QueryParameter getParameter() {
-        return this.parameter;
+    public String getParameter() {
+        return this.paramName;
     }
 
     public boolean isAscending() {

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/internal/BetweenCondition.java

@@ -1,33 +1,36 @@
 package org.keycloak.federation.ldap.idm.query.internal;
 
-import org.keycloak.federation.ldap.idm.query.Condition;
-import org.keycloak.federation.ldap.idm.query.QueryParameter;
+import java.util.Date;
+
+import org.keycloak.federation.ldap.idm.store.ldap.LDAPUtil;
 
 /**
  * @author Pedro Igor
  */
-public class BetweenCondition implements Condition {
+class BetweenCondition extends NamedParameterCondition {
 
     private final Comparable x;
     private final Comparable y;
-    private final QueryParameter parameter;
 
-    public BetweenCondition(QueryParameter parameter, Comparable x, Comparable y) {
-        this.parameter = parameter;
+    public BetweenCondition(String name, Comparable x, Comparable y) {
+        super(name);
         this.x = x;
         this.y = y;
     }
 
     @Override
-    public QueryParameter getParameter() {
-        return this.parameter;
-    }
+    public void applyCondition(StringBuilder filter) {
+        Comparable x = this.x;
+        Comparable y = this.y;
 
-    public Comparable getX() {
-        return this.x;
-    }
+        if (Date.class.isInstance(x)) {
+            x = LDAPUtil.formatDate((Date) x);
+        }
+
+        if (Date.class.isInstance(y)) {
+            y = LDAPUtil.formatDate((Date) y);
+        }
 
-    public Comparable getY() {
-        return this.y;
+        filter.append("(").append(x).append("<=").append(getParameterName()).append("<=").append(y).append(")");
     }
 }

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/internal/CustomLDAPFilter.java

@@ -0,0 +1,29 @@
+package org.keycloak.federation.ldap.idm.query.internal;
+
+import org.keycloak.federation.ldap.idm.query.Condition;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+class CustomLDAPFilter implements Condition {
+
+    private final String customFilter;
+
+    public CustomLDAPFilter(String customFilter) {
+        this.customFilter = customFilter;
+    }
+
+    @Override
+    public String getParameterName() {
+        return null;
+    }
+
+    @Override
+    public void setParameterName(String parameterName) {
+    }
+
+    @Override
+    public void applyCondition(StringBuilder filter) {
+        filter.append(customFilter);
+    }
+}

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/internal/EqualCondition.java

@@ -1,34 +1,40 @@
 package org.keycloak.federation.ldap.idm.query.internal;
 
-import org.keycloak.federation.ldap.idm.query.Condition;
-import org.keycloak.federation.ldap.idm.query.QueryParameter;
+import java.util.Date;
+
+import org.keycloak.federation.ldap.idm.store.ldap.LDAPUtil;
+import org.keycloak.models.LDAPConstants;
 
 /**
  * @author Pedro Igor
  */
-public class EqualCondition implements Condition {
+public class EqualCondition extends NamedParameterCondition {
 
-    private final QueryParameter parameter;
     private final Object value;
 
-    public EqualCondition(QueryParameter parameter, Object value) {
-        this.parameter = parameter;
+    public EqualCondition(String name, Object value) {
+        super(name);
         this.value = value;
     }
 
-    @Override
-    public QueryParameter getParameter() {
-        return this.parameter;
-    }
-
     public Object getValue() {
         return this.value;
     }
 
+    @Override
+    public void applyCondition(StringBuilder filter) {
+        Object parameterValue = value;
+        if (Date.class.isInstance(value)) {
+            parameterValue = LDAPUtil.formatDate((Date) parameterValue);
+        }
+
+        filter.append("(").append(getParameterName()).append(LDAPConstants.EQUAL).append(parameterValue).append(")");
+    }
+
     @Override
     public String toString() {
         return "EqualCondition{" +
-                "parameter=" + parameter.getName() +
+                "paramName=" + getParameterName() +
                 ", value=" + value +
                 '}';
     }

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/internal/GreaterThanCondition.java

@@ -1,34 +1,37 @@
 package org.keycloak.federation.ldap.idm.query.internal;
 
+import java.util.Date;
+
 import org.keycloak.federation.ldap.idm.query.Condition;
-import org.keycloak.federation.ldap.idm.query.QueryParameter;
+import org.keycloak.federation.ldap.idm.store.ldap.LDAPUtil;
 
 /**
  * @author Pedro Igor
  */
-public class GreaterThanCondition implements Condition {
+class GreaterThanCondition extends NamedParameterCondition {
 
     private final boolean orEqual;
 
-    private final QueryParameter parameter;
     private final Comparable value;
 
-    public GreaterThanCondition(QueryParameter parameter, Comparable value, boolean orEqual) {
-        this.parameter = parameter;
+    public GreaterThanCondition(String name, Comparable value, boolean orEqual) {
+        super(name);
         this.value = value;
         this.orEqual = orEqual;
     }
 
     @Override
-    public QueryParameter getParameter() {
-        return this.parameter;
-    }
-
-    public Comparable getValue() {
-        return this.value;
-    }
-
-    public boolean isOrEqual() {
-        return this.orEqual;
+    public void applyCondition(StringBuilder filter) {
+        Comparable parameterValue = value;
+
+        if (Date.class.isInstance(parameterValue)) {
+            parameterValue = LDAPUtil.formatDate((Date) parameterValue);
+        }
+
+        if (orEqual) {
+            filter.append("(").append(getParameterName()).append(">=").append(parameterValue).append(")");
+        } else {
+            filter.append("(").append(getParameterName()).append(">").append(parameterValue).append(")");
+        }
     }
 }