Resolved GH-13: user data synced from LDAP were not encrypted

Author: MLukman

pom.xml

@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>my.unifi.eset</groupId>
     <artifactId>keycloak-pii-data-encryption</artifactId>
-    <version>2.4</version>
+    <version>2.5</version>
     <packaging>jar</packaging>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -28,6 +28,12 @@
             <version>${keycloak.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-ldap-federation</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-surefire-plugin</artifactId>

src/main/java/my/unifi/eset/keycloak/piidataencryption/ldap/EncryptedLDAPStorageProviderFactory.java

@@ -0,0 +1,30 @@
+package my.unifi.eset.keycloak.piidataencryption.ldap;
+
+import jakarta.persistence.EntityManager;
+import my.unifi.eset.keycloak.piidataencryption.utils.LogicUtils;
+import org.keycloak.component.ComponentModel;
+import org.keycloak.connections.jpa.JpaConnectionProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.storage.ldap.LDAPStorageProviderFactory;
+import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
+import org.keycloak.storage.user.SynchronizationResult;
+
+public class EncryptedLDAPStorageProviderFactory extends LDAPStorageProviderFactory {
+
+    @Override
+    public int order() {
+        return 1000;
+    }
+
+    @Override
+    protected SynchronizationResult syncImpl(KeycloakSessionFactory sessionFactory, LDAPQuery userQuery, String realmId, ComponentModel fedModel) {
+        SynchronizationResult result = super.syncImpl(sessionFactory, userQuery, realmId, fedModel);
+        KeycloakSession session = sessionFactory.create();
+        EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
+        LogicUtils.encryptExistingUserEntities(session, em, session.realms().getRealm(realmId));
+        em.flush();
+        return result;
+    }
+
+}

src/main/java/my/unifi/eset/keycloak/piidataencryption/listeners/EntityListener.java

@@ -13,7 +13,6 @@
  * See the License for the specific language governing permissions and 
  * limitations under the License.
  */
-
 package my.unifi.eset.keycloak.piidataencryption.listeners;
 
 import my.unifi.eset.keycloak.piidataencryption.utils.EncryptionUtils;
@@ -77,7 +76,10 @@ protected void handlePreLoadEventUserEntity(PreLoadEvent ple, UserEntity ue) {
         if (eue != null) {
             Object[] states = ple.getState();
             Map<String, Integer> cols = collectColumnIndices(ple.getPersister().getEntityMetamodel().getPropertyNames());
-            if (validateHashValueVsEncryptedValue((String) states[cols.get("username")], eue.getUsername())) {
+            if (!LogicUtils.isHash((String) states[cols.get("username")])) {
+                // skip because the entity is already decrypted
+                logger.debugf("Event: USER_ALREADY_DECRYPTED, Realm: %s, User: %s", states[cols.get("realmId")], ue.getId());
+            } else if (validateHashValueVsEncryptedValue((String) states[cols.get("username")], eue.getUsername())) {
                 logger.debugf("Event: USER_DECRYPTION, Realm: %s, User: %s", states[cols.get("realmId")], ue.getId());
                 states[cols.get("username")] = EncryptionUtils.decryptValue(eue.getUsername());
                 states[cols.get("email")] = EncryptionUtils.decryptValue(eue.getEmail());

src/main/java/my/unifi/eset/keycloak/piidataencryption/utils/LogicUtils.java

@@ -13,7 +13,6 @@
  * See the License for the specific language governing permissions and 
  * limitations under the License.
  */
-
 package my.unifi.eset.keycloak.piidataencryption.utils;
 
 import jakarta.persistence.EntityManager;
@@ -97,12 +96,16 @@ public static boolean shouldEncryptAttribute(KeycloakSession ks, String realmId,
         if (attributeName.startsWith("pii-")) {
             return true;
         }
-        UserProfileProvider upp = ks.getProvider(UserProfileProvider.class);
-        if (upp instanceof DeclarativeUserProfileProvider dup) {
-            UPAttribute upa = dup.getConfiguration().getAttribute(attributeName);
-            if (upa != null && upa.getValidations().containsKey(PiiDataEncryptionValidatorProvider.ID)) {
-                return Boolean.parseBoolean(String.valueOf(upa.getValidations().get(PiiDataEncryptionValidatorProvider.ID).getOrDefault("enable", false)));
+        try {
+            UserProfileProvider upp = ks.getProvider(UserProfileProvider.class);
+            if (upp instanceof DeclarativeUserProfileProvider dup) {
+                UPAttribute upa = dup.getConfiguration().getAttribute(attributeName);
+                if (upa != null && upa.getValidations().containsKey(PiiDataEncryptionValidatorProvider.ID)) {
+                    return Boolean.parseBoolean(String.valueOf(upa.getValidations().get(PiiDataEncryptionValidatorProvider.ID).getOrDefault("enable", false)));
+                }
             }
+        } catch (Exception ex) {
+            return false;
         }
         return false;
     }
@@ -190,6 +193,7 @@ public static EncryptedUserAttributeEntity getEncryptedUserAttributeEntity(Entit
      */
     public static void encryptExistingUserEntities(KeycloakSession ks, EntityManager em, RealmModel realm) {
         List<UserEntity> realmUsers = em.createQuery("SELECT u FROM UserEntity u WHERE u.realmId = :realmId", UserEntity.class).setParameter("realmId", realm.getId()).getResultList();
+        logger.debugf("Event: REALM_USERS_ENCRYPTION, Realm: %s, Total Users: %s", realm.getId(), realmUsers.size());
         for (UserEntity user : realmUsers) {
             if (user.getServiceAccountClientLink() != null) {
                 continue; // skip service accounts
@@ -214,9 +218,8 @@ public static void encryptUserEntity(KeycloakSession ks, EntityManager em, UserE
             return;
         }
         EncryptedUserEntity eue = LogicUtils.getEncryptedUserEntity(em, ue, true);
-        if (ue.getUsername().length() == 40 && ue.getUsername().matches("^[0-9a-fA-F]+$")) {
+        if (isHash(ue.getUsername())) {
             // somehow the value is already hashed so we skip it to avoid double hash/encrypt
-            // we only need to check email because email has a specific string format
             return;
         }
         eue.setUsername(EncryptionUtils.encryptValue(ue.getUsername()));
@@ -249,7 +252,7 @@ public static void encryptUserEntity(KeycloakSession ks, EntityManager em, UserE
     public static void encryptUserAttributeEntity(KeycloakSession ks, EntityManager em, UserAttributeEntity uae) {
         if (shouldEncryptAttribute(ks, uae)) {
             String value = uae.getValue();
-            if (value.length() == 40 && value.matches("^[0-9a-fA-F]+$")) {
+            if (isHash(value)) {
                 // somehow the value is already hashed so we skip it to avoid double hash/encrypt
                 return;
             }
@@ -365,6 +368,10 @@ public static String hash(String raw) {
         return raw != null ? DigestUtils.sha1Hex(raw.trim().toLowerCase()) : null;
     }
 
+    public static boolean isHash(String value) {
+        return value.length() == 40 && value.matches("^[0-9a-fA-F]+$");
+    }
+
     // Makes this class un-instantiatable
     private LogicUtils() {
     }

src/main/resources/META-INF/services/org.keycloak.storage.UserStorageProviderFactory

@@ -0,0 +1 @@
+my.unifi.eset.keycloak.piidataencryption.ldap.EncryptedLDAPStorageProviderFactory