credential refactoring

core/src/main/java/org/keycloak/representations/idm/CredentialRepresentation.java

@@ -17,6 +17,10 @@
 
 package org.keycloak.representations.idm;
 
+import org.keycloak.common.util.MultivaluedHashMap;
+
+import java.util.Map;
+
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $
@@ -45,6 +49,7 @@ public class CredentialRepresentation {
     private Integer digits;
     private Integer period;
     private Long createdDate;
+    private MultivaluedHashMap<String, String> config;
 
     // only used when updating a credential.  Might set required action
     protected Boolean temporary;
@@ -144,4 +149,12 @@ public Long getCreatedDate() {
     public void setCreatedDate(Long createdDate) {
         this.createdDate = createdDate;
     }
+
+    public MultivaluedHashMap<String, String> getConfig() {
+        return config;
+    }
+
+    public void setConfig(MultivaluedHashMap<String, String> config) {
+        this.config = config;
+    }
 }

examples/providers/authenticator/pom.xml

@@ -55,5 +55,15 @@
 
     <build>
         <finalName>authenticator-required-action-example</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>1.8</source>
+                    <target>1.8</target>
+                </configuration>
+            </plugin>
+        </plugins>
     </build>
 </project>

examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionAuthenticator.java

@@ -23,6 +23,7 @@
 import org.keycloak.models.AuthenticatorConfigModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.services.util.CookieHelper;
@@ -96,15 +97,10 @@ protected void setCookie(AuthenticationFlowContext context) {
     protected boolean validateAnswer(AuthenticationFlowContext context) {
         MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
         String secret = formData.getFirst("secret_answer");
-        UserCredentialValueModel cred = null;
-        for (UserCredentialValueModel model : context.getUser().getCredentialsDirectly()) {
-            if (model.getType().equals(CREDENTIAL_TYPE)) {
-                cred = model;
-                break;
-            }
-        }
-
-        return cred.getValue().equals(secret);
+        UserCredentialModel input = new UserCredentialModel();
+        input.setType(SecretQuestionCredentialProvider.SECRET_QUESTION);
+        input.setValue(secret);
+        return context.getSession().userCredentialManager().isValid(context.getRealm(), context.getUser(), input);
     }
 
     @Override
@@ -114,7 +110,7 @@ public boolean requiresUser() {
 
     @Override
     public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
-        return session.users().configuredForCredentialType(CREDENTIAL_TYPE, realm, user);
+        return session.userCredentialManager().isConfiguredFor(realm, user, SecretQuestionCredentialProvider.SECRET_QUESTION);
     }
 
     @Override

examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionCredentialProvider.java

@@ -0,0 +1,117 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.examples.authenticator;
+
+import org.keycloak.common.util.Time;
+import org.keycloak.credential.CredentialInput;
+import org.keycloak.credential.CredentialInputUpdater;
+import org.keycloak.credential.CredentialInputValidator;
+import org.keycloak.credential.CredentialModel;
+import org.keycloak.credential.CredentialProvider;
+import org.keycloak.credential.PasswordCredentialProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserCredentialModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.cache.CachedUserModel;
+import org.keycloak.models.cache.OnUserCache;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class SecretQuestionCredentialProvider implements CredentialProvider, CredentialInputValidator, CredentialInputUpdater, OnUserCache {
+    public static final String SECRET_QUESTION = "SECRET_QUESTION";
+    public static final String CACHE_KEY = SecretQuestionCredentialProvider.class.getName() + "." + SECRET_QUESTION;
+
+    protected KeycloakSession session;
+
+    public SecretQuestionCredentialProvider(KeycloakSession session) {
+        this.session = session;
+    }
+
+    public CredentialModel getSecret(RealmModel realm, UserModel user) {
+        CredentialModel secret = null;
+        if (user instanceof CachedUserModel) {
+            CachedUserModel cached = (CachedUserModel)user;
+            secret = (CredentialModel)cached.getCachedWith().get(CACHE_KEY);
+
+        } else {
+            List<CredentialModel> creds = session.userCredentialManager().getStoredCredentialsByType(realm, user, SECRET_QUESTION);
+            if (!creds.isEmpty()) secret = creds.get(0);
+        }
+        return secret;
+    }
+
+
+    @Override
+    public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
+        if (!SECRET_QUESTION.equals(input.getType())) return false;
+        if (!(input instanceof UserCredentialModel)) return false;
+        UserCredentialModel credInput = (UserCredentialModel) input;
+        List<CredentialModel> creds = session.userCredentialManager().getStoredCredentialsByType(realm, user, SECRET_QUESTION);
+        if (creds.isEmpty()) {
+            CredentialModel secret = new CredentialModel();
+            secret.setType(SECRET_QUESTION);
+            secret.setValue(credInput.getValue());
+            secret.setCreatedDate(Time.toMillis(Time.currentTime()));
+            session.userCredentialManager().createCredential(realm ,user, secret);
+        } else {
+            creds.get(0).setValue(credInput.getValue());
+            session.userCredentialManager().updateCredential(realm, user, creds.get(0));
+        }
+        session.getUserCache().evict(realm, user);
+        return true;
+    }
+
+    @Override
+    public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) {
+        if (!SECRET_QUESTION.equals(credentialType)) return;
+        session.userCredentialManager().disableCredential(realm, user, credentialType);
+        session.getUserCache().evict(realm, user);
+
+    }
+
+    @Override
+    public boolean supportsCredentialType(String credentialType) {
+        return SECRET_QUESTION.equals(credentialType);
+    }
+
+    @Override
+    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
+        if (!SECRET_QUESTION.equals(credentialType)) return false;
+        return getSecret(realm, user) != null;
+    }
+
+    @Override
+    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
+        if (!SECRET_QUESTION.equals(input.getType())) return false;
+        if (!(input instanceof UserCredentialModel)) return false;
+
+        String secret = getSecret(realm, user).getValue();
+
+        return secret != null && ((UserCredentialModel)input).getValue().equals(secret);
+    }
+
+    @Override
+    public void onCache(RealmModel realm, CachedUserModel user) {
+        List<CredentialModel> creds = session.userCredentialManager().getStoredCredentialsByType(realm, user, SECRET_QUESTION);
+        if (!creds.isEmpty()) user.getCachedWith().put(CACHE_KEY, creds.get(0));
+    }
+}

examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionCredentialProviderFactory.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.examples.authenticator;
+
+import org.keycloak.credential.CredentialProvider;
+import org.keycloak.credential.CredentialProviderFactory;
+import org.keycloak.models.KeycloakSession;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class SecretQuestionCredentialProviderFactory implements CredentialProviderFactory<SecretQuestionCredentialProvider> {
+    @Override
+    public String getId() {
+        return "secret-question";
+    }
+
+    @Override
+    public CredentialProvider create(KeycloakSession session) {
+        return new SecretQuestionCredentialProvider(session);
+    }
+}

examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionRequiredAction.java

@@ -19,6 +19,7 @@
 
 import org.keycloak.authentication.RequiredActionContext;
 import org.keycloak.authentication.RequiredActionProvider;
+import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserCredentialValueModel;
 
 import javax.ws.rs.core.Response;
@@ -45,10 +46,10 @@ public void requiredActionChallenge(RequiredActionContext context) {
     @Override
     public void processAction(RequiredActionContext context) {
         String answer = (context.getHttpRequest().getDecodedFormParameters().getFirst("secret_answer"));
-        UserCredentialValueModel model = new UserCredentialValueModel();
-        model.setValue(answer);
-        model.setType(SecretQuestionAuthenticator.CREDENTIAL_TYPE);
-        context.getUser().updateCredentialDirectly(model);
+        UserCredentialModel input = new UserCredentialModel();
+        input.setType(SecretQuestionCredentialProvider.SECRET_QUESTION);
+        input.setValue(answer);
+        context.getSession().userCredentialManager().updateCredential(context.getRealm(), context.getUser(), input);
         context.success();
     }
 

examples/providers/authenticator/src/main/resources/META-INF/services/org.keycloak.credential.CredentialProviderFactory

@@ -0,0 +1 @@
+ org.keycloak.examples.authenticator.SecretQuestionCredentialProviderFactory

examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/BasePropertiesFederationProvider.java

@@ -17,6 +17,7 @@
 
 package org.keycloak.examples.federation.properties;
 
+import org.keycloak.credential.CredentialInput;
 import org.keycloak.models.CredentialValidationOutput;
 import org.keycloak.models.GroupModel;
 import org.keycloak.models.KeycloakSession;
@@ -146,48 +147,29 @@ public boolean isValid(RealmModel realm, UserModel local) {
         return properties.containsKey(local.getUsername());
     }
 
-    /**
-     * hardcoded to only return PASSWORD
-     *
-     * @param user
-     * @return
-     */
     @Override
-    public Set<String> getSupportedCredentialTypes(UserModel user) {
+    public Set<String> getSupportedCredentialTypes() {
         return supportedCredentialTypes;
     }
 
     @Override
-    public Set<String> getSupportedCredentialTypes() {
-        return supportedCredentialTypes;
+    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
+        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) return false;
+
+        UserCredentialModel cred = (UserCredentialModel)input;
+        String password = properties.getProperty(user.getUsername());
+        if (password == null) return false;
+        return password.equals(cred.getValue());
     }
 
     @Override
-    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
-        for (UserCredentialModel cred : input) {
-            if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
-                String password = properties.getProperty(user.getUsername());
-                if (password == null) return false;
-                return password.equals(cred.getValue());
-            } else {
-                return false; // invalid cred type
-            }
-        }
-        return false;
+    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
+        return getSupportedCredentialTypes().contains(credentialType);
     }
 
     @Override
-    public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
-        for (UserCredentialModel cred : input) {
-            if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
-                String password = properties.getProperty(user.getUsername());
-                if (password == null) return false;
-                return password.equals(cred.getValue());
-            } else {
-                return false; // invalid cred type
-            }
-        }
-        return true;
+    public boolean supportsCredentialType(String credentialType) {
+        return getSupportedCredentialTypes().contains(credentialType);
     }
 
     @Override

examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/ClasspathPropertiesFederationProvider.java

@@ -17,8 +17,10 @@
 
 package org.keycloak.examples.federation.properties;
 
+import org.keycloak.credential.CredentialInput;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserFederationProviderModel;
 import org.keycloak.models.UserModel;
 
@@ -80,6 +82,13 @@ public boolean removeUser(RealmModel realm, UserModel user) {
         throw new IllegalStateException("Remove not supported");
     }
 
+    @Override
+    public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
+        return false;
+    }
 
+    @Override
+    public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) {
 
+    }
 }

examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/FilePropertiesFederationProvider.java

@@ -17,8 +17,10 @@
 
 package org.keycloak.examples.federation.properties;
 
+import org.keycloak.credential.CredentialInput;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserFederationProviderModel;
 import org.keycloak.models.UserModel;
 
@@ -98,6 +100,13 @@ public boolean removeUser(RealmModel realm, UserModel user) {
         }
     }
 
+    @Override
+    public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
+        return false;
+    }
 
+    @Override
+    public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) {
 
+    }
 }