Merge pull request #11193 from IQSS/11157-builtin-users-oidc-auth

Keycloak SPI for Builtin Users Authentication

Author: ofahimIQSS

.gitignore

@@ -61,5 +61,6 @@ src/main/webapp/resources/images/cc0.png.thumb140
 src/main/webapp/resources/images/dataverseproject.png.thumb140
 
 # Docker development volumes
+/conf/keycloak/docker-dev-volumes
 /docker-dev-volumes
 /.vs

conf/keycloak/.env

@@ -0,0 +1,5 @@
+APP_IMAGE=gdcc/dataverse:unstable
+POSTGRES_VERSION=17
+DATAVERSE_DB_USER=dataverse
+SOLR_VERSION=9.8.0
+SKIP_DEPLOY=0

conf/keycloak/Dockerfile

@@ -0,0 +1,39 @@
+# ------------------------------------------
+# Stage 1: Build SPI with Maven
+# ------------------------------------------
+FROM maven:3.9.5-eclipse-temurin-17 AS builder
+
+WORKDIR /app
+
+# Copy SPI source code
+COPY ./builtin-users-spi /app
+
+# Build the SPI JAR
+RUN mvn clean package
+
+# ------------------------------------------
+# Stage 2: Build Keycloak Image
+# ------------------------------------------
+FROM quay.io/keycloak/keycloak:26.1.4
+
+# Add the Oracle JDBC jars
+ARG ORACLE_JDBC_VERSION=23.7.0.25.01
+ADD --chown=keycloak:keycloak https://repo1.maven.org/maven2/com/oracle/database/jdbc/ojdbc11/${ORACLE_JDBC_VERSION}/ojdbc11-${ORACLE_JDBC_VERSION}.jar /opt/keycloak/providers/ojdbc11.jar
+ADD --chown=keycloak:keycloak https://repo1.maven.org/maven2/com/oracle/database/nls/orai18n/${ORACLE_JDBC_VERSION}/orai18n-${ORACLE_JDBC_VERSION}.jar /opt/keycloak/providers/orai18n.jar
+
+# Health build parameter
+ENV KC_HEALTH_ENABLED=true
+
+# Copy SPI JAR from builder stage
+COPY --from=builder /app/target/keycloak-dv-builtin-users-authenticator-1.0-SNAPSHOT.jar /opt/keycloak/providers/
+
+# Copy additional configurations
+COPY ./builtin-users-spi/conf/quarkus.properties /opt/keycloak/conf/
+COPY ./test-realm.json /opt/keycloak/data/import/
+
+# Set the Keycloak command
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start-dev", "--import-realm", "--http-port=8090"]
+
+# Expose port 8090
+EXPOSE 8090

conf/keycloak/builtin-users-spi/conf/quarkus.properties

@@ -0,0 +1,15 @@
+quarkus.datasource.user-store.db-kind=postgresql
+quarkus.datasource.user-store.jdbc.url=jdbc:postgresql://${DATAVERSE_DB_HOST}:${DATAVERSE_DB_PORT}/dataverse
+quarkus.datasource.user-store.username=${DATAVERSE_DB_USER}
+quarkus.datasource.user-store.password=${DATAVERSE_DB_PASSWORD}
+
+quarkus.datasource.user-store.jdbc.driver=org.postgresql.Driver
+quarkus.datasource.user-store.jdbc.transactions=disabled
+quarkus.transaction-manager.unsafe-multiple-last-resources=allow
+
+quarkus.datasource.user-store.jdbc.recovery.username=${DATAVERSE_DB_USER}
+quarkus.datasource.user-store.jdbc.recovery.password=${DATAVERSE_DB_PASSWORD}
+
+quarkus.datasource.user-store.jdbc.xa-properties.serverName=${DATAVERSE_DB_HOST}
+quarkus.datasource.user-store.jdbc.xa-properties.portNumber=${DATAVERSE_DB_PORT}
+quarkus.datasource.user-store.jdbc.xa-properties.databaseName=dataverse

conf/keycloak/builtin-users-spi/pom.xml

@@ -0,0 +1,110 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>edu.harvard.iq.keycloak</groupId>
+    <artifactId>keycloak-dv-builtin-users-authenticator</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <dependencies>
+        <!-- Keycloak Server SPI -->
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-spi</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Keycloak Server SPI Private -->
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-spi-private</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Keycloak Services -->
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-services</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Keycloak Model JPA -->
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-model-jpa</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Jakarta Persistence API -->
+        <dependency>
+            <groupId>jakarta.persistence</groupId>
+            <artifactId>jakarta.persistence-api</artifactId>
+            <version>${jakarta.persistence.version}</version>
+        </dependency>
+
+        <!-- jBCrypt -->
+        <dependency>
+            <groupId>org.mindrot</groupId>
+            <artifactId>jbcrypt</artifactId>
+            <version>${mindrot.jbcrypt.version}</version>
+            <scope>compile</scope>
+        </dependency>
+
+        <!-- TEST DEPENDENCIES -->
+
+        <!-- JUnit -->
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>${junit.jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <!-- Mockito -->
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.2.4</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>17</source>
+                    <target>17</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <properties>
+        <keycloak.version>26.1.4</keycloak.version>
+        <java.version>17</java.version>
+        <jakarta.persistence.version>3.2.0</jakarta.persistence.version>
+        <mindrot.jbcrypt.version>0.4</mindrot.jbcrypt.version>
+        <mockito.version>5.15.2</mockito.version>
+        <junit.jupiter.version>5.11.4</junit.jupiter.version>
+    </properties>
+</project>

conf/keycloak/builtin-users-spi/src/main/java/edu/harvard/iq/keycloak/auth/spi/adapters/DataverseUserAdapter.java

@@ -0,0 +1,67 @@
+package edu.harvard.iq.keycloak.auth.spi.adapters;
+
+import edu.harvard.iq.keycloak.auth.spi.models.DataverseUser;
+import org.keycloak.component.ComponentModel;
+import org.keycloak.models.GroupModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.storage.StorageId;
+import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;
+
+import java.util.stream.Stream;
+
+public class DataverseUserAdapter extends AbstractUserAdapterFederatedStorage {
+
+    protected DataverseUser dataverseUser;
+    protected String keycloakId;
+
+    public DataverseUserAdapter(KeycloakSession session, RealmModel realm, ComponentModel model, DataverseUser dataverseUser) {
+        super(session, realm, model);
+        this.dataverseUser = dataverseUser;
+        keycloakId = StorageId.keycloakId(model, dataverseUser.getBuiltinUser().getId().toString());
+    }
+
+    @Override
+    public void setUsername(String s) {
+    }
+
+    @Override
+    public String getUsername() {
+        return dataverseUser.getBuiltinUser().getUsername();
+    }
+
+    @Override
+    public String getEmail() {
+        return dataverseUser.getAuthenticatedUser().getEmail();
+    }
+
+    @Override
+    public String getFirstName() {
+        return dataverseUser.getAuthenticatedUser().getFirstName();
+    }
+
+    @Override
+    public String getLastName() {
+        return dataverseUser.getAuthenticatedUser().getLastName();
+    }
+
+    @Override
+    public Stream<GroupModel> getGroupsStream(String search, Integer first, Integer max) {
+        return super.getGroupsStream(search, first, max);
+    }
+
+    @Override
+    public long getGroupsCount() {
+        return super.getGroupsCount();
+    }
+
+    @Override
+    public long getGroupsCountByNameContaining(String search) {
+        return super.getGroupsCountByNameContaining(search);
+    }
+
+    @Override
+    public String getId() {
+        return keycloakId;
+    }
+}

conf/keycloak/builtin-users-spi/src/main/java/edu/harvard/iq/keycloak/auth/spi/models/DataverseAuthenticatedUser.java

@@ -0,0 +1,48 @@
+package edu.harvard.iq.keycloak.auth.spi.models;
+
+import jakarta.persistence.*;
+
+@NamedQueries({
+        @NamedQuery(name = "DataverseAuthenticatedUser.findByEmail",
+                query = "select au from DataverseAuthenticatedUser au WHERE LOWER(au.email)=LOWER(:email)"),
+        @NamedQuery(name = "DataverseAuthenticatedUser.findByIdentifier",
+                query = "select au from DataverseAuthenticatedUser au WHERE LOWER(au.userIdentifier)=LOWER(:identifier)"),
+})
+@Entity
+@Table(name = "authenticateduser")
+public class DataverseAuthenticatedUser {
+    @Id
+    private Integer id;
+    private String email;
+    private String lastName;
+    private String firstName;
+    private String userIdentifier;
+
+    public void setId(Integer id) {
+        this.id = id;
+    }
+
+    public void setEmail(String email) {
+        this.email = email;
+    }
+
+    public void setUserIdentifier(String userIdentifier) {
+        this.userIdentifier = userIdentifier;
+    }
+
+    public String getEmail() {
+        return email;
+    }
+
+    public String getLastName() {
+        return lastName;
+    }
+
+    public String getFirstName() {
+        return firstName;
+    }
+
+    public String getUserIdentifier() {
+        return userIdentifier;
+    }
+}

conf/keycloak/builtin-users-spi/src/main/java/edu/harvard/iq/keycloak/auth/spi/models/DataverseBuiltinUser.java

@@ -0,0 +1,48 @@
+package edu.harvard.iq.keycloak.auth.spi.models;
+
+import jakarta.persistence.*;
+
+@NamedQueries({
+        @NamedQuery(name = "DataverseBuiltinUser.findByUsername",
+                query = "SELECT u FROM DataverseBuiltinUser u WHERE LOWER(u.username)=LOWER(:username)")
+})
+@Entity
+@Table(name = "builtinuser")
+public class DataverseBuiltinUser {
+    @Id
+    private Integer id;
+
+    private String username;
+
+    private String encryptedPassword;
+
+    private Integer passwordEncryptionVersion;
+
+    public void setId(Integer id) {
+        this.id = id;
+    }
+
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+    public Integer getId() {
+        return id;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public Integer getPasswordEncryptionVersion() {
+        return passwordEncryptionVersion;
+    }
+
+    public void setEncryptedPassword(String encryptedPassword) {
+        this.encryptedPassword = encryptedPassword;
+    }
+
+    public String getEncryptedPassword() {
+        return encryptedPassword;
+    }
+}

conf/keycloak/builtin-users-spi/src/main/java/edu/harvard/iq/keycloak/auth/spi/models/DataverseUser.java

@@ -0,0 +1,20 @@
+package edu.harvard.iq.keycloak.auth.spi.models;
+
+public class DataverseUser {
+
+    private final DataverseAuthenticatedUser authenticatedUser;
+    private final DataverseBuiltinUser builtinUser;
+
+    public DataverseUser(DataverseAuthenticatedUser authenticatedUser, DataverseBuiltinUser builtinUser) {
+        this.authenticatedUser = authenticatedUser;
+        this.builtinUser = builtinUser;
+    }
+
+    public DataverseAuthenticatedUser getAuthenticatedUser() {
+        return authenticatedUser;
+    }
+
+    public DataverseBuiltinUser getBuiltinUser() {
+        return builtinUser;
+    }
+}