KEYCLOAK-2242

Remove built-in admin account

docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml

@@ -130,15 +130,14 @@ cd <WILDFLY_HOME>/bin
         <section>
             <title>Admin User</title>
             <para>
-                To access the admin console you need an account to login. Currently, there's a default account added
-                with the username <literal>admin</literal> and password <literal>admin</literal>. You will be required
-                to change the password on first login. We are planning on removing the built-in account soon and will
-                instead have an initial step to create the user.
+                To access the admin console to configure Keycloak you need an account to login. There is no built in user,
+                instead you have to first create an admin account. This can done either by opening <ulink url="http://localhost:8080/auth">http://localhost:8080/auth</ulink>
+                (creating a user through the browser can only be done through localhost) or you can use the add-user script from
+                the command-line.
             </para>
             <para>
-                You can also create a user with the <literal>add-user</literal> script found in <literal>bin</literal>.
-                This script will create a temporary file with the details of the user, which are imported at startup.
-                To add a user with this script run:
+                The <literal>add-user</literal> script creates a temporary file with the details of the user,
+                which are imported at startup. To add a user with this script run:
 <programlisting><![CDATA[
 bin/add-user.[sh|bat] -r master -u <username> -p <password>
 ]]></programlisting>

forms/common-themes/src/main/resources/theme/keycloak/welcome/resources/index.html → forms/common-themes/src/main/resources/theme/keycloak/welcome/index.ftl

@@ -26,6 +26,28 @@
     <title>Welcome to Keycloak</title>
     <link rel="shortcut icon" href="welcome-content/favicon.ico" type="image/x-icon">
     <link rel="StyleSheet" href="welcome-content/keycloak.css" type="text/css">
+    <style>
+        label {
+            display: inline-block;
+            width: 200px;
+            text-align: right;
+            margin-right: 10px;
+        }
+
+        button {
+            margin-left: 215px;
+        }
+
+        form {
+            background-color: #eee;
+            border: 1px solid #666;
+            padding-bottom: 1em;
+        }
+
+        .error {
+            color: #a30000;
+        }
+    </style>
 </head>
 
 <body>
@@ -36,7 +58,41 @@
         </div>
         <h1>Welcome to Keycloak</h1>
 
-        <h3>Your Keycloak is running.</h3>
+        <#if successMessage?has_content>
+            <p>${successMessage}</p>
+        <#elseif errorMessage?has_content>
+            <p class="error">${errorMessage}</p>
+        <#elseif bootstrap>
+            <#if localUser>
+                <p>Please create an initial admin user to get started.</p>
+            <#else>
+                <p>
+                    You need local access to create the initial admin user. Open <a href="http://localhost:8080/auth">http://localhost:8080/auth</a>
+                    or use the add-user script.
+                </p>
+            </#if>
+        </#if>
+
+        <#if bootstrap && localUser>
+            <form method="post">
+                <p>
+                    <label for="username">Username</label>
+                    <input id="username" name="username" />
+                </p>
+
+                <p>
+                    <label for="password">Password</label>
+                    <input id="password" name="password" type="password" />
+                </p>
+
+                <p>
+                    <label for="passwordConfirmation">Password confirmation</label>
+                    <input id="passwordConfirmation" name="passwordConfirmation" type="password" />
+                </p>
+
+                <button id="create-button" type="submit">Create</button>
+            </form>
+        </#if>
 
         <p><a href="http://www.keycloak.org/docs">Documentation</a> | <a href="admin/">Administration Console</a> </p>
 

services/src/main/java/org/keycloak/exportimport/ExportImportManager.java

@@ -2,10 +2,9 @@
 
 
 import org.jboss.logging.Logger;
-import org.keycloak.Config;
 import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakSessionFactory;
-import org.keycloak.services.managers.ApplianceBootstrap;
+
+import java.io.IOException;
 
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@@ -14,76 +13,82 @@ public class ExportImportManager {
 
     private static final Logger logger = Logger.getLogger(ExportImportManager.class);
 
-    public void checkExportImport(KeycloakSessionFactory sessionFactory, String contextPath) {
+    private KeycloakSession session;
+
+    private final String realmName;
+
+    private ExportProvider exportProvider;
+    private ImportProvider importProvider;
+
+    public ExportImportManager(KeycloakSession session) {
+        this.session = session;
+
+        realmName = ExportImportConfig.getRealmName();
+
+        String providerId = ExportImportConfig.getProvider();
         String exportImportAction = ExportImportConfig.getAction();
-        String realmName = ExportImportConfig.getRealmName();
 
-        boolean export = false;
-        boolean importt = false;
         if (ExportImportConfig.ACTION_EXPORT.equals(exportImportAction)) {
-            export = true;
+            exportProvider = session.getProvider(ExportProvider.class, providerId);
+            if (exportProvider == null) {
+                throw new RuntimeException("Export provider not found");
+            }
         } else if (ExportImportConfig.ACTION_IMPORT.equals(exportImportAction)) {
-            importt = true;
+            importProvider = session.getProvider(ImportProvider.class, providerId);
+            if (importProvider == null) {
+                throw new RuntimeException("Import provider not found");
+            }
+        }
+    }
+
+    public boolean isRunImport() {
+        return importProvider != null;
+    }
+
+    public boolean isImportMasterIncluded() {
+        if (!isRunImport()) {
+            throw new IllegalStateException("Import not enabled");
+        }
+        try {
+            return importProvider.isMasterRealmExported();
+        } catch (IOException e) {
+            throw new RuntimeException(e);
         }
+    }
+
+    public boolean isRunExport() {
+        return exportProvider != null;
+    }
 
-        if (export || importt) {
-            String exportImportProviderId = ExportImportConfig.getProvider();
-            logger.debug("Will use provider: " + exportImportProviderId);
-            KeycloakSession session = sessionFactory.create();
-
-            try {
-                if (export) {
-                    ExportProvider exportProvider = session.getProvider(ExportProvider.class, exportImportProviderId);
-
-                    if (exportProvider == null) {
-                        logger.errorf("Invalid Export Provider %s", exportImportProviderId);
-                    } else {
-                        if (realmName == null) {
-                            logger.info("Full model export requested");
-                            exportProvider.exportModel(sessionFactory);
-                        } else {
-                            logger.infof("Export of realm '%s' requested", realmName);
-                            exportProvider.exportRealm(sessionFactory, realmName);
-                        }
-                        logger.info("Export finished successfully");
-                    }
-                } else {
-                    ImportProvider importProvider = session.getProvider(ImportProvider.class, exportImportProviderId);
-
-                    if (importProvider == null) {
-                    	logger.errorf("Invalid Import Provider %s", exportImportProviderId);
-                    } else {
-
-	                    Strategy strategy = ExportImportConfig.getStrategy();
-	                    if (realmName == null) {
-	                        logger.infof("Full model import requested. Strategy: %s", strategy.toString());
-
-	                        // Check if master realm was exported. If it's not, then it needs to be created before other realms are imported
-	                        if (!importProvider.isMasterRealmExported()) {
-	                            ApplianceBootstrap.setupDefaultRealm(sessionFactory, contextPath);
-                                ApplianceBootstrap.setupDefaultUser(sessionFactory);
-	                        }
-
-	                        importProvider.importModel(sessionFactory, strategy);
-	                    } else {
-	                        logger.infof("Import of realm '%s' requested. Strategy: %s", realmName, strategy.toString());
-
-	                        if (!realmName.equals(Config.getAdminRealm())) {
-	                            // Check if master realm exists. If it's not, then it needs to be created before other realm is imported
-                                ApplianceBootstrap.setupDefaultRealm(sessionFactory, contextPath);
-                                ApplianceBootstrap.setupDefaultUser(sessionFactory);
-	                        }
-
-	                        importProvider.importRealm(sessionFactory, realmName, strategy);
-	                    }
-	                    logger.info("Import finished successfully");
-                    }
-                }
-            } catch (Throwable ioe) {
-                logger.error("Error during export/import", ioe);
-            } finally {
-                session.close();
+    public void runImport() {
+        try {
+            Strategy strategy = ExportImportConfig.getStrategy();
+            if (realmName == null) {
+                logger.infof("Full model import requested. Strategy: %s", strategy.toString());
+                importProvider.importModel(session.getKeycloakSessionFactory(), strategy);
+            } else {
+                logger.infof("Import of realm '%s' requested. Strategy: %s", realmName, strategy.toString());
+                importProvider.importRealm(session.getKeycloakSessionFactory(), realmName, strategy);
             }
+            logger.info("Import finished successfully");
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to run import", e);
         }
     }
+
+    public void runExport() {
+        try {
+            if (realmName == null) {
+                logger.info("Full model export requested");
+                exportProvider.exportModel(session.getKeycloakSessionFactory());
+            } else {
+                logger.infof("Export of realm '%s' requested", realmName);
+                exportProvider.exportRealm(session.getKeycloakSessionFactory(), realmName);
+            }
+            logger.info("Export finished successfully");
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to run export");
+        }
+    }
+
 }

services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java

@@ -4,15 +4,7 @@
 import org.keycloak.Config;
 import org.keycloak.common.Version;
 import org.keycloak.common.enums.SslRequired;
-import org.keycloak.models.AdminRoles;
-import org.keycloak.models.ClientModel;
-import org.keycloak.models.Constants;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakSessionFactory;
-import org.keycloak.models.RealmModel;
-import org.keycloak.models.RoleModel;
-import org.keycloak.models.UserCredentialModel;
-import org.keycloak.models.UserModel;
+import org.keycloak.models.*;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.representations.idm.CredentialRepresentation;
 
@@ -23,17 +15,34 @@
 public class ApplianceBootstrap {
 
     private static final Logger logger = Logger.getLogger(ApplianceBootstrap.class);
+    private final KeycloakSession session;
 
-    public static boolean setupDefaultRealm(KeycloakSessionFactory sessionFactory, String contextPath) {
-        KeycloakSession session = sessionFactory.create();
-        session.getTransaction().begin();
+    public ApplianceBootstrap(KeycloakSession session) {
+        this.session = session;
+    }
+
+    public boolean isNewInstall() {
+        if (session.realms().getRealms().size() > 0) {
+            return false;
+        } else {
+            return true;
+        }
+    }
 
+    public boolean isNoMasterUser() {
+        RealmModel realm = session.realms().getRealm(Config.getAdminRealm());
+        return session.users().getUsersCount(realm) == 0;
+    }
+
+    public boolean createMasterRealm(String contextPath) {
+        if (!isNewInstall()) {
+            throw new IllegalStateException("Can't create default realm as realms already exists");
+        }
+
+        KeycloakSession session = this.session.getKeycloakSessionFactory().create();
         try {
+            session.getTransaction().begin();
             String adminRealmName = Config.getAdminRealm();
-            if (session.realms().getRealm(adminRealmName) != null) {
-                return false;
-            }
-
             logger.info("Initializing " + adminRealmName + " realm");
 
             RealmManager manager = new RealmManager(session);
@@ -58,41 +67,29 @@ public static boolean setupDefaultRealm(KeycloakSessionFactory sessionFactory, S
             KeycloakModelUtils.generateRealmKeys(realm);
 
             session.getTransaction().commit();
-            return true;
         } finally {
             session.close();
         }
-    }
 
-    public static boolean setupDefaultUser(KeycloakSessionFactory sessionFactory) {
-        KeycloakSession session = sessionFactory.create();
-        session.getTransaction().begin();
+        return true;
+    }
 
-        try {
-            RealmModel realm = session.realms().getRealm(Config.getAdminRealm());
-            if (session.users().getUserByUsername("admin", realm) == null) {
-                UserModel adminUser = session.users().addUser(realm, "admin");
-
-                adminUser.setEnabled(true);
-                UserCredentialModel usrCredModel = new UserCredentialModel();
-                usrCredModel.setType(UserCredentialModel.PASSWORD);
-                usrCredModel.setValue("admin");
-                session.users().updateCredential(realm, adminUser, usrCredModel);
-                adminUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
-
-                RoleModel adminRole = realm.getRole(AdminRoles.ADMIN);
-                adminUser.grantRole(adminRole);
-
-                ClientModel accountApp = realm.getClientNameMap().get(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
-                for (String r : accountApp.getDefaultRoles()) {
-                    adminUser.grantRole(accountApp.getRole(r));
-                }
-            }
-            session.getTransaction().commit();
-            return true;
-        } finally {
-            session.close();
+    public void createMasterRealmUser(KeycloakSession session, String username, String password) {
+        RealmModel realm = session.realms().getRealm(Config.getAdminRealm());
+        if (session.users().getUsersCount(realm) > 0) {
+            throw new IllegalStateException("Can't create initial user as users already exists");
         }
+
+        UserModel adminUser = session.users().addUser(realm, username);
+        adminUser.setEnabled(true);
+
+        UserCredentialModel usrCredModel = new UserCredentialModel();
+        usrCredModel.setType(UserCredentialModel.PASSWORD);
+        usrCredModel.setValue(password);
+        session.users().updateCredential(realm, adminUser, usrCredModel);
+
+        RoleModel adminRole = realm.getRole(AdminRoles.ADMIN);
+        adminUser.grantRole(adminRole);
     }
 
 }