KEYCLOAK-4640: LDAP memberships are being replaced instead of being added or deleted

Author: rmartinc

federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java

@@ -38,6 +38,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import javax.naming.directory.SearchControls;
 
 /**
  * Allow to directly call some operations against LDAPIdentityStore.
@@ -167,30 +168,10 @@ public static LDAPObject createLDAPGroup(LDAPStorageProvider ldapProvider, Strin
      * @param memberChildAttrName used just if membershipType is UID. Usually 'uid'
      * @param ldapParent role or group
      * @param ldapChild usually user (or child group or child role)
-     * @param sendLDAPUpdateRequest if true, the method will send LDAP update request too. Otherwise it will skip it
      */
-    public static void addMember(LDAPStorageProvider ldapProvider, MembershipType membershipType, String memberAttrName, String memberChildAttrName, LDAPObject ldapParent, LDAPObject ldapChild, boolean sendLDAPUpdateRequest) {
-
-        Set<String> memberships = getExistingMemberships(memberAttrName, ldapParent);
-
-        // Remove membership placeholder if present
-        if (membershipType == MembershipType.DN) {
-            for (String membership : memberships) {
-                if (LDAPConstants.EMPTY_MEMBER_ATTRIBUTE_VALUE.equals(membership)) {
-                    memberships.remove(membership);
-                    break;
-                }
-            }
-        }
-
+    public static void addMember(LDAPStorageProvider ldapProvider, MembershipType membershipType, String memberAttrName, String memberChildAttrName, LDAPObject ldapParent, LDAPObject ldapChild) {
         String membership = getMemberValueOfChildObject(ldapChild, membershipType, memberChildAttrName);
-
-        memberships.add(membership);
-        ldapParent.setAttribute(memberAttrName, memberships);
-
-        if (sendLDAPUpdateRequest) {
-            ldapProvider.getLdapIdentityStore().update(ldapParent);
-        }
+        ldapProvider.getLdapIdentityStore().addMemberToGroup(ldapParent.getDn().toString(), memberAttrName, membership);
     }
 
     /**
@@ -204,29 +185,20 @@ public static void addMember(LDAPStorageProvider ldapProvider, MembershipType me
      * @param ldapChild usually user (or child group or child role)
      */
     public static void deleteMember(LDAPStorageProvider ldapProvider, MembershipType membershipType, String memberAttrName, String memberChildAttrName, LDAPObject ldapParent, LDAPObject ldapChild) {
-        Set<String> memberships = getExistingMemberships(memberAttrName, ldapParent);
-
         String userMembership = getMemberValueOfChildObject(ldapChild, membershipType, memberChildAttrName);
-
-        memberships.remove(userMembership);
-
-        // Some membership placeholder needs to be always here as "member" is mandatory attribute on some LDAP servers. But not on active directory! (Placeholder, which not matches any real object is not allowed here)
-        if (memberships.size() == 0 && membershipType== MembershipType.DN && !ldapProvider.getLdapIdentityStore().getConfig().isActiveDirectory()) {
-            memberships.add(LDAPConstants.EMPTY_MEMBER_ATTRIBUTE_VALUE);
-        }
-
-        ldapParent.setAttribute(memberAttrName, memberships);
-        ldapProvider.getLdapIdentityStore().update(ldapParent);
+        ldapProvider.getLdapIdentityStore().removeMemberFromGroup(ldapParent.getDn().toString(), memberAttrName, userMembership);
     }
 
     /**
      * Return all existing memberships (values of attribute 'member' ) from the given ldapRole or ldapGroup
      *
+     * @param ldapProvider The ldap provider
      * @param memberAttrName usually 'member'
      * @param ldapRole
      * @return
      */
-    public static Set<String> getExistingMemberships(String memberAttrName, LDAPObject ldapRole) {
+    public static Set<String> getExistingMemberships(LDAPStorageProvider ldapProvider, String memberAttrName, LDAPObject ldapRole) {
+        LDAPUtils.fillRangedAttribute(ldapProvider, ldapRole, memberAttrName);
         Set<String> memberships = ldapRole.getAttributeAsSet(memberAttrName);
         if (memberships == null) {
             memberships = new HashSet<>();
@@ -298,4 +270,27 @@ public static void validateCustomLdapFilter(String customFilter) throws Componen
             }
         }
     }
+
+    private static LDAPQuery createLdapQueryForRangeAttribute(LDAPStorageProvider ldapProvider, LDAPObject ldapObject, String name) {
+        LDAPQuery q = new LDAPQuery(ldapProvider);
+        q.setSearchDn(ldapObject.getDn().toString());
+        q.setSearchScope(SearchControls.OBJECT_SCOPE);
+        q.addReturningLdapAttribute(name + ";range=" + (ldapObject.getCurrentRange(name) + 1) + "-*");
+        return q;
+    }
+
+    /**
+     * Performs iterative searches over an LDAPObject to return an attribute that is ranged.
+     * @param ldapProvider The provider to use
+     * @param ldapObject The current object with the ranged attribute not complete
+     * @param name The attribute name
+     */
+    public static void fillRangedAttribute(LDAPStorageProvider ldapProvider, LDAPObject ldapObject, String name) {
+        LDAPObject newObject = ldapObject;
+        while (!newObject.isRangeComplete(name)) {
+            LDAPQuery q = createLdapQueryForRangeAttribute(ldapProvider, ldapObject, name);
+            newObject = q.getFirstResult();
+            ldapObject.populateRangedAttribute(newObject, name);
+        }
+    }
 }

federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPObject.java

@@ -48,6 +48,8 @@ public class LDAPObject {
     // Copy of "attributes" containing lower-cased keys
     private final Map<String, Set<String>> lowerCasedAttributes = new HashMap<>();
 
+    // range attributes are always read from 0 to max so just saving the top value
+    private final Map<String, Integer> rangedAttributes = new HashMap<>();
 
     public String getUuid() {
         return uuid;
@@ -123,6 +125,36 @@ public Set<String> getAttributeAsSet(String name) {
         return (values == null) ? null : new LinkedHashSet<>(values);
     }
 
+    public boolean isRangeComplete(String name) {
+        return !rangedAttributes.containsKey(name);
+    }
+
+    public int getCurrentRange(String name) {
+        return rangedAttributes.get(name);
+    }
+
+    public boolean isRangeCompleteForAllAttributes() {
+        return rangedAttributes.isEmpty();
+    }
+
+    public void addRangedAttribute(String name, int max) {
+        Integer current = rangedAttributes.get(name);
+        if (current == null || max > current) {
+            rangedAttributes.put(name, max);
+        }
+    }
+
+    public void populateRangedAttribute(LDAPObject obj, String name) {
+        Set<String> newValues = obj.getAttributes().get(name);
+        if (newValues != null && attributes.containsKey(name)) {
+            attributes.get(name).addAll(newValues);
+            if (!obj.isRangeComplete(name)) {
+                addRangedAttribute(name, obj.getCurrentRange(name));
+            } else {
+                rangedAttributes.remove(name);
+            }
+        }
+    }
 
     public Map<String, Set<String>> getAttributes() {
         return attributes;
@@ -152,6 +184,7 @@ public int hashCode() {
 
     @Override
     public String toString() {
-        return "LDAP Object [ dn: " + dn + " , uuid: " + uuid + ", attributes: " + attributes + ", readOnly attribute names: " + readOnlyAttributeNames + " ]";
+        return "LDAP Object [ dn: " + dn + " , uuid: " + uuid + ", attributes: " + attributes +
+                ", readOnly attribute names: " + readOnlyAttributeNames + ", ranges: " + rangedAttributes + " ]";
     }
 }

federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/IdentityStore.java

@@ -65,6 +65,22 @@ public interface IdentityStore {
      */
     void remove(LDAPObject ldapObject);
 
+    /**
+     * Adds a member to a group.
+     * @param groupDn The DN of the group object
+     * @param memberAttrName The member attribute name
+     * @param value The value (it can be uid or dn depending the group type)
+     */
+    public void addMemberToGroup(String groupDn, String memberAttrName, String value);
+
+    /**
+     * Removes a member from a group.
+     * @param groupDn The DN of the group object
+     * @param memberAttrName The member attribute name
+     * @param value The value (it can be uid or dn depending the group type)
+     */
+    public void removeMemberFromGroup(String groupDn, String memberAttrName, String value);
+
     // Identity query
 
     List<LDAPObject> fetchQueryResults(LDAPQuery LDAPQuery);

federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java

@@ -54,6 +54,11 @@
 import java.util.NoSuchElementException;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.naming.directory.AttributeInUseException;
+import javax.naming.directory.NoSuchAttributeException;
+import javax.naming.directory.SchemaViolationException;
 
 /**
  * An IdentityStore implementation backed by an LDAP directory
@@ -65,6 +70,7 @@
 public class LDAPIdentityStore implements IdentityStore {
 
     private static final Logger logger = Logger.getLogger(LDAPIdentityStore.class);
+    private static final Pattern rangePattern = Pattern.compile("([^;]+);range=([0-9]+)-([0-9]+|\\*)");
 
     private final LDAPConfig config;
     private final LDAPOperationManager operationManager;
@@ -101,6 +107,44 @@ public void add(LDAPObject ldapObject) {
         }
     }
 
+    @Override
+    public void addMemberToGroup(String groupDn, String memberAttrName, String value) {
+        // do not check EMPTY_MEMBER_ATTRIBUTE_VALUE, we save one useless query
+        // the value will be there forever for objectclasses that enforces the attribute as MUST
+        BasicAttribute attr = new BasicAttribute(memberAttrName, value);
+        ModificationItem item = new ModificationItem(DirContext.ADD_ATTRIBUTE, attr);
+        try {
+            this.operationManager.modifyAttributesNaming(groupDn, new ModificationItem[]{item}, null);
+        } catch (AttributeInUseException e) {
+            logger.debugf("Group %s already contains the member %s", groupDn, value);
+        } catch (NamingException e) {
+            throw new ModelException("Could not modify attribute for DN [" + groupDn + "]", e);
+        }
+    }
+
+    @Override
+    public void removeMemberFromGroup(String groupDn, String memberAttrName, String value) {
+        BasicAttribute attr = new BasicAttribute(memberAttrName, value);
+        ModificationItem item = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, attr);
+        try {
+            this.operationManager.modifyAttributesNaming(groupDn, new ModificationItem[]{item}, null);
+        } catch (NoSuchAttributeException e) {
+            logger.debugf("Group %s does not contain the member %s", groupDn, value);
+        } catch (SchemaViolationException e) {
+            // schema violation removing one member => add the empty attribute, it cannot be other thing
+            logger.infof("Schema violation in group %s removing member %s. Trying adding empty member attribute.", groupDn, value);
+            try {
+                this.operationManager.modifyAttributesNaming(groupDn,
+                        new ModificationItem[]{item, new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute(memberAttrName, LDAPConstants.EMPTY_MEMBER_ATTRIBUTE_VALUE))},
+                        null);
+            } catch (NamingException ex) {
+                throw new ModelException("Could not modify attribute for DN [" + groupDn + "]", ex);
+            }
+        } catch (NamingException e) {
+            throw new ModelException("Could not modify attribute for DN [" + groupDn + "]", e);
+        }
+    }
+
     @Override
     public void update(LDAPObject ldapObject) {
         checkRename(ldapObject);
@@ -199,7 +243,8 @@ public List<LDAPObject> fetchQueryResults(LDAPQuery identityQuery) {
             }
 
             for (SearchResult result : search) {
-                if (!result.getNameInNamespace().equalsIgnoreCase(baseDN)) {
+                // don't add the branch in subtree search
+                if (identityQuery.getSearchScope() != SearchControls.SUBTREE_SCOPE || !result.getNameInNamespace().equalsIgnoreCase(baseDN)) {
                     results.add(populateAttributedType(result, identityQuery));
                 }
             }
@@ -351,6 +396,21 @@ private LDAPObject populateAttributedType(SearchResult searchResult, LDAPQuery l
 
                 String ldapAttributeName = ldapAttribute.getID();
 
+                // check for ranged attribute
+                Matcher m = rangePattern.matcher(ldapAttributeName);
+                if (m.matches()) {
+                    ldapAttributeName = m.group(1);
+                    // range=X-* means all the attributes returned
+                    if (!m.group(3).equals("*")) {
+                        try {
+                            int max = Integer.parseInt(m.group(3));
+                            ldapObject.addRangedAttribute(ldapAttributeName, max);
+                        } catch (NumberFormatException e) {
+                            logger.warnf("Invalid ranged expresion for attribute: %s", m.group(0));
+                        }
+                    }
+                }
+
                 if (ldapAttributeName.equalsIgnoreCase(getConfig().getUuidLDAPAttributeName())) {
                     Object uuidValue = ldapAttribute.get();
                     ldapObject.setUuid(this.operationManager.decodeEntryUUID(uuidValue));

federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java

@@ -528,50 +528,52 @@ public void authenticate(String dn, String password) throws AuthenticationExcept
         }
     }
 
-    public void modifyAttributes(final String dn, final ModificationItem[] mods, LDAPOperationDecorator decorator) {
-        try {
-            if (logger.isTraceEnabled()) {
-                logger.tracef("Modifying attributes for entry [%s]: [", dn);
-
-                for (ModificationItem item : mods) {
-                    Object values;
+    public void modifyAttributesNaming(final String dn, final ModificationItem[] mods, LDAPOperationDecorator decorator) throws NamingException {
+        if (logger.isTraceEnabled()) {
+            logger.tracef("Modifying attributes for entry [%s]: [", dn);
 
-                    if (item.getAttribute().size() > 0) {
-                        values = item.getAttribute().get();
-                    } else {
-                        values = "No values";
-                    }
+            for (ModificationItem item : mods) {
+                Object values;
 
-                    String attrName = item.getAttribute().getID().toUpperCase();
-                    if (attrName.contains("PASSWORD") || attrName.contains("UNICODEPWD")) {
-                        values = "********************";
-                    }
+                if (item.getAttribute().size() > 0) {
+                    values = item.getAttribute().get();
+                } else {
+                    values = "No values";
+                }
 
-                    logger.tracef("  Op [%s]: %s = %s", item.getModificationOp(), item.getAttribute().getID(), values);
+                String attrName = item.getAttribute().getID().toUpperCase();
+                if (attrName.contains("PASSWORD") || attrName.contains("UNICODEPWD")) {
+                    values = "********************";
                 }
 
-                logger.tracef("]");
+                logger.tracef("  Op [%s]: %s = %s", item.getModificationOp(), item.getAttribute().getID(), values);
             }
 
-            execute(new LdapOperation<Void>() {
+            logger.tracef("]");
+        }
 
-                @Override
-                public Void execute(LdapContext context) throws NamingException {
-                    context.modifyAttributes(new LdapName(dn), mods);
-                    return null;
-                }
+        execute(new LdapOperation<Void>() {
 
+            @Override
+            public Void execute(LdapContext context) throws NamingException {
+                context.modifyAttributes(new LdapName(dn), mods);
+                return null;
+            }
 
-                @Override
-                public String toString() {
-                    return new StringBuilder("LdapOperation: modify\n")
-                            .append(" dn: ").append(dn).append("\n")
-                            .append(" modificationsSize: ").append(mods.length)
-                            .toString();
-                }
+            @Override
+            public String toString() {
+                return new StringBuilder("LdapOperation: modify\n")
+                        .append(" dn: ").append(dn).append("\n")
+                        .append(" modificationsSize: ").append(mods.length)
+                        .toString();
+            }
 
+        }, null, decorator);
+    }
 
-            }, null, decorator);
+    public void modifyAttributes(final String dn, final ModificationItem[] mods, LDAPOperationDecorator decorator) {
+        try {
+            modifyAttributesNaming(dn, mods, decorator);
         } catch (NamingException e) {
             throw new ModelException("Could not modify attribute for DN [" + dn + "]", e);
         }

federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/MembershipType.java

@@ -50,12 +50,12 @@ public enum MembershipType {
         @Override
         public Set<LDAPDn> getLDAPSubgroups(GroupLDAPStorageMapper groupMapper, LDAPObject ldapGroup) {
             CommonLDAPGroupMapperConfig config = groupMapper.getConfig();
-            return getLDAPMembersWithParent(ldapGroup, config.getMembershipLdapAttribute(), LDAPDn.fromString(config.getLDAPGroupsDn()));
+            return getLDAPMembersWithParent(groupMapper.getLdapProvider(), ldapGroup, config.getMembershipLdapAttribute(), LDAPDn.fromString(config.getLDAPGroupsDn()));
         }
 
         // Get just those members of specified group, which are descendants of "requiredParentDn"
-        protected Set<LDAPDn> getLDAPMembersWithParent(LDAPObject ldapGroup, String membershipLdapAttribute, LDAPDn requiredParentDn) {
-            Set<String> allMemberships = LDAPUtils.getExistingMemberships(membershipLdapAttribute, ldapGroup);
+        protected Set<LDAPDn> getLDAPMembersWithParent(LDAPStorageProvider ldapProvider, LDAPObject ldapGroup, String membershipLdapAttribute, LDAPDn requiredParentDn) {
+            Set<String> allMemberships = LDAPUtils.getExistingMemberships(ldapProvider, membershipLdapAttribute, ldapGroup);
 
             // Filter and keep just descendants of requiredParentDn
             Set<LDAPDn> result = new HashSet<>();
@@ -74,7 +74,7 @@ public List<UserModel> getGroupMembers(RealmModel realm, GroupLDAPStorageMapper
             CommonLDAPGroupMapperConfig config = groupMapper.getConfig();
 
             LDAPDn usersDn = LDAPDn.fromString(ldapProvider.getLdapIdentityStore().getConfig().getUsersDn());
-            Set<LDAPDn> userDns = getLDAPMembersWithParent(ldapGroup, config.getMembershipLdapAttribute(), usersDn);
+            Set<LDAPDn> userDns = getLDAPMembersWithParent(ldapProvider, ldapGroup, config.getMembershipLdapAttribute(), usersDn);
 
             if (userDns == null) {
                 return Collections.emptyList();
@@ -139,7 +139,7 @@ public List<UserModel> getGroupMembers(RealmModel realm, GroupLDAPStorageMapper
             LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
 
             String memberAttrName = groupMapper.getConfig().getMembershipLdapAttribute();
-            Set<String> memberUids = LDAPUtils.getExistingMemberships(memberAttrName, ldapGroup);
+            Set<String> memberUids = LDAPUtils.getExistingMemberships(ldapProvider, memberAttrName, ldapGroup);
 
             if (memberUids == null || memberUids.size() <= firstResult) {
                 return Collections.emptyList();