keycloak
diff --git a/‎model/jpa/pom.xml‎
Lines changed: 37 additions & 0 deletions b/‎model/jpa/pom.xml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎model/jpa/src/main/antlr4/org/keycloak/models/workflow/conditions/expression/BooleanCondition.g4‎
Lines changed: 30 additions & 0 deletions b/‎model/jpa/src/main/antlr4/org/keycloak/models/workflow/conditions/expression/BooleanCondition.g4‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/ExpressionWorkflowConditionFactory.java‎
Lines changed: 45 additions & 0 deletions b/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/ExpressionWorkflowConditionFactory.java‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/ExpressionWorkflowConditionProvider.java‎
Lines changed: 82 additions & 0 deletions b/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/ExpressionWorkflowConditionProvider.java‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/GroupMembershipWorkflowConditionFactory.java‎
Lines changed: 5 additions & 0 deletions b/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/GroupMembershipWorkflowConditionFactory.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/IdentityProviderWorkflowConditionFactory.java‎
Lines changed: 5 additions & 0 deletions b/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/IdentityProviderWorkflowConditionFactory.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/RoleWorkflowConditionFactory.java‎
Lines changed: 5 additions & 0 deletions b/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/RoleWorkflowConditionFactory.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/UserAttributeWorkflowConditionFactory.java‎
Lines changed: 17 additions & 0 deletions b/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/UserAttributeWorkflowConditionFactory.java‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/expression/BooleanConditionEvaluator.java‎
Lines changed: 83 additions & 0 deletions b/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/expression/BooleanConditionEvaluator.java‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/expression/ErrorListener.java‎
Lines changed: 29 additions & 0 deletions b/‎model/jpa/src/main/java/org/keycloak/models/workflow/conditions/expression/ErrorListener.java‎
Lines changed: 29 additions & 0 deletions
@@ -87,6 +87,11 @@
             <artifactId>jackson-core</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.antlr</groupId>
+            <artifactId>antlr4-runtime</artifactId>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
@@ -134,6 +139,38 @@
                     </systemPropertyVariables>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.antlr</groupId>
+                <artifactId>antlr4-maven-plugin</artifactId>
+                <configuration>
+                    <visitor>true</visitor>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>antlr4</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>add-source</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>add-source</goal>
+                        </goals>
+                        <configuration>
+                            <sources>
+                                <source>${project.build.directory}/generated-sources/antlr4</source>
+                            </sources>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 </project>
@@ -0,0 +1,30 @@
+grammar BooleanCondition;
+
+// Parser Rules
+evaluator : expression EOF;
+
+expression : expression OR andExpression | andExpression;
+andExpression : andExpression AND notExpression | notExpression;
+notExpression : '!' notExpression | atom;
+
+atom : LPAREN expression RPAREN
+     | conditionCall
+     ;
+
+conditionCall : Identifier LPAREN parameterList? RPAREN ;
+parameterList : StringLiteral (COMMA StringLiteral)* ;
+
+// Lexer Rules
+OR : 'OR';
+AND : 'AND';
+NOT : '!';
+
+Identifier : [a-zA-Z_][a-zA-Z_0-9-]*;
+StringLiteral : '"' ( ~'"' | '""' )* '"' ;
+
+// Explicitly defined tokens for the characters
+LPAREN : '(';
+RPAREN : ')';
+COMMA : ',';
+
+WS : [ \t\r\n]+ -> skip;
@@ -0,0 +1,45 @@
+package org.keycloak.models.workflow.conditions;
+
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.models.workflow.WorkflowConditionProviderFactory;
+
+import java.util.List;
+import java.util.Map;
+
+public class ExpressionWorkflowConditionFactory implements WorkflowConditionProviderFactory<ExpressionWorkflowConditionProvider> {
+
+    public static final String ID = "expression";
+    public static final String EXPRESSION = "expression";
+
+    @Override
+    public ExpressionWorkflowConditionProvider create(KeycloakSession session, Map<String, List<String>> config) {
+        return new ExpressionWorkflowConditionProvider(session, config.getOrDefault(EXPRESSION, List.of()).stream().findFirst().orElse(""));
+    }
+
+    @Override
+    public ExpressionWorkflowConditionProvider create(KeycloakSession session, List<String> configParameters) {
+        if (configParameters.size() > 1) {
+            throw new IllegalArgumentException("Expected single configuration parameter (expression)");
+        }
+        return create(session, Map.of(EXPRESSION, configParameters));
+    }
+
+    @Override
+    public String getId() {
+        return ID;
+    }
+
+    @Override
+    public void init(org.keycloak.Config.Scope config) {
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {
+    }
+
+    @Override
+    public void close() {
+    }
+
+}
@@ -0,0 +1,82 @@
+package org.keycloak.models.workflow.conditions;
+
+import jakarta.persistence.criteria.CriteriaBuilder;
+import jakarta.persistence.criteria.CriteriaQuery;
+import jakarta.persistence.criteria.Predicate;
+import jakarta.persistence.criteria.Root;
+import org.antlr.v4.runtime.CharStream;
+import org.antlr.v4.runtime.CharStreams;
+import org.antlr.v4.runtime.CommonTokenStream;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.workflow.WorkflowConditionProvider;
+import org.keycloak.models.workflow.WorkflowEvent;
+import org.keycloak.models.workflow.WorkflowInvalidStateException;
+import org.keycloak.models.workflow.conditions.expression.BooleanConditionEvaluator;
+import org.keycloak.models.workflow.conditions.expression.BooleanConditionLexer;
+import org.keycloak.models.workflow.conditions.expression.BooleanConditionParser;
+import org.keycloak.models.workflow.conditions.expression.BooleanConditionParser.EvaluatorContext;
+import org.keycloak.models.workflow.conditions.expression.ErrorListener;
+import org.keycloak.models.workflow.conditions.expression.PredicateConditionEvaluator;
+
+import java.util.stream.Collectors;
+
+public class ExpressionWorkflowConditionProvider implements WorkflowConditionProvider {
+
+    private final String expression;
+    private final KeycloakSession session;
+    private EvaluatorContext evaluatorContext;
+
+    public ExpressionWorkflowConditionProvider(KeycloakSession session, String expression) {
+        this.session = session;
+        this.expression = expression;
+    }
+
+    @Override
+    public boolean evaluate(WorkflowEvent event) {
+        validate();
+        BooleanConditionEvaluator evaluator = new BooleanConditionEvaluator(session, event);
+        return evaluator.visit(this.evaluatorContext);
+    }
+
+    @Override
+    public Predicate toPredicate(CriteriaBuilder cb, CriteriaQuery<String> query, Root<?> userRoot) {
+        validate();
+        PredicateConditionEvaluator evaluator = new PredicateConditionEvaluator(session, cb, query, userRoot);
+        return evaluator.visit(this.evaluatorContext);
+    }
+
+    @Override
+    public void validate() {
+        // to properly validate the expression, we need to parse it. We then cache the parsed context if the expression is valid
+        // so we don't to parse it again if validate is called again on the same instance of the provider
+        if (this.evaluatorContext == null) {
+            CharStream charStream = CharStreams.fromString(expression);
+            BooleanConditionLexer lexer = new BooleanConditionLexer(charStream);
+            CommonTokenStream tokens = new CommonTokenStream(lexer);
+            BooleanConditionParser parser = new BooleanConditionParser(tokens);
+
+            // this replaces the standard error listener, storing all parsing errors if the expressions is malformed
+            ErrorListener errorListener = new ErrorListener();
+            parser.removeErrorListeners();
+            parser.addErrorListener(errorListener);
+
+            // parse the expression and check for errors
+            EvaluatorContext context = parser.evaluator();
+            if (errorListener.hasErrors()) {
+                String lineSeparator = System.lineSeparator();
+                String errorDetails = errorListener.getErrorMessages().stream()
+                        .map(error -> "- " + error)
+                        .collect(Collectors.joining(lineSeparator));
+
+                throw new WorkflowInvalidStateException(String.format("Invalid expression: %s%sError details:%s%s",
+                        expression, lineSeparator, lineSeparator, errorDetails));
+            }
+            this.evaluatorContext = context;
+        }
+    }
+
+    @Override
+    public void close() {
+        // no-op, nothing to close
+    }
+}
@@ -17,6 +17,11 @@ public GroupMembershipWorkflowConditionProvider create(KeycloakSession session,
         return new GroupMembershipWorkflowConditionProvider(session, config.get(EXPECTED_GROUPS));
     }
 
+    @Override
+    public GroupMembershipWorkflowConditionProvider create(KeycloakSession session, List<String> configParameters) {
+        return new GroupMembershipWorkflowConditionProvider(session, configParameters);
+    }
+
     @Override
     public String getId() {
         return ID;
 
@@ -17,6 +17,11 @@ public IdentityProviderWorkflowConditionProvider create(KeycloakSession session,
         return new IdentityProviderWorkflowConditionProvider(session, config.get(EXPECTED_ALIASES));
     }
 
+    @Override
+    public IdentityProviderWorkflowConditionProvider create(KeycloakSession session, List<String> configParameters) {
+        return new IdentityProviderWorkflowConditionProvider(session, configParameters);
+    }
+
     @Override
     public String getId() {
         return ID;
 
@@ -17,6 +17,11 @@ public RoleWorkflowConditionProvider create(KeycloakSession session, Map<String,
         return new RoleWorkflowConditionProvider(session, config.get(EXPECTED_ROLES));
     }
 
+    @Override
+    public RoleWorkflowConditionProvider create(KeycloakSession session, List<String> configParameters) {
+        return new RoleWorkflowConditionProvider(session, configParameters);
+    }
+
     @Override
     public String getId() {
         return ID;
 
@@ -16,6 +16,23 @@ public UserAttributeWorkflowConditionProvider create(KeycloakSession session, Ma
         return new UserAttributeWorkflowConditionProvider(session, config);
     }
 
+    @Override
+    public UserAttributeWorkflowConditionProvider create(KeycloakSession session, List<String> configParameters) {
+        if (configParameters.size() % 2 != 0) {
+            throw new IllegalArgumentException("Expected even number of configuration parameters (attribute key/value pairs)");
+        }
+            // Convert list of parameters into map of expected attributes
+        Map<String, List<String>> expectedAttributes = new java.util.HashMap<>();
+        for (int i = 0; i < configParameters.size(); i += 2) {
+            String key = configParameters.get(i);
+            String value = configParameters.get(i + 1);
+            // value can have multiple values separated by comma
+            List<String> values = List.of(value.split(","));
+            expectedAttributes.put(key, values);
+        }
+        return create(session, expectedAttributes);
+    }
+
     @Override
     public String getId() {
         return ID;
 
@@ -0,0 +1,83 @@
+package org.keycloak.models.workflow.conditions.expression;
+
+import org.antlr.v4.runtime.tree.ParseTree;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.workflow.WorkflowConditionProvider;
+import org.keycloak.models.workflow.WorkflowConditionProviderFactory;
+import org.keycloak.models.workflow.WorkflowEvent;
+import org.keycloak.models.workflow.WorkflowsManager;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class BooleanConditionEvaluator extends BooleanConditionBaseVisitor<Boolean> {
+
+    private final KeycloakSession session;
+    private final WorkflowEvent event;
+    private final WorkflowsManager manager;
+
+    public BooleanConditionEvaluator(KeycloakSession session, WorkflowEvent event) {
+        this.session = session;
+        this.event = event;
+        this.manager = new  WorkflowsManager(session);
+    }
+
+    @Override
+    public Boolean visitEvaluator(BooleanConditionParser.EvaluatorContext ctx) {
+        return visit(ctx.expression());
+    }
+
+    @Override
+    public Boolean visitExpression(BooleanConditionParser.ExpressionContext ctx) {
+        if (ctx.expression() != null && ctx.OR() != null) {
+            return visit(ctx.expression()) || visit(ctx.andExpression());
+        }
+        return visit(ctx.andExpression());
+    }
+
+    @Override
+    public Boolean visitAndExpression(BooleanConditionParser.AndExpressionContext ctx) {
+        if (ctx.andExpression() != null && ctx.AND() != null) {
+            return visit(ctx.andExpression()) && visit(ctx.notExpression());
+        }
+        return visit(ctx.notExpression());
+    }
+
+    @Override
+    public Boolean visitNotExpression(BooleanConditionParser.NotExpressionContext ctx) {
+        if (ctx.NOT() != null) {
+            return !visit(ctx.notExpression());
+        }
+        return visit(ctx.atom());
+    }
+
+    @Override
+    public Boolean visitAtom(BooleanConditionParser.AtomContext ctx) {
+        if (ctx.conditionCall() != null) {
+            return visit(ctx.conditionCall());
+        }
+        return visit(ctx.expression());
+    }
+
+    @Override
+    public Boolean visitConditionCall(BooleanConditionParser.ConditionCallContext ctx) {
+        String conditionName = ctx.Identifier().getText();
+        WorkflowConditionProviderFactory<WorkflowConditionProvider> providerFactory = manager.getConditionProviderFactory(conditionName);
+        WorkflowConditionProvider conditionProvider = providerFactory.create(session, extractParameterList(ctx.parameterList()));
+        return conditionProvider.evaluate(event);
+    }
+
+    private List<String> extractParameterList(BooleanConditionParser.ParameterListContext ctx) {
+        if (ctx == null) {
+            return List.of();
+        }
+        return ctx.StringLiteral().stream()
+                .map(this::visitStringLiteral)
+                .collect(Collectors.toList());
+    }
+
+    private String visitStringLiteral(ParseTree ctx) {
+        String text = ctx.getText();
+        return text.substring(1, text.length() - 1).replace("\"\"", "\"");
+    }
+}
@@ -0,0 +1,29 @@
+package org.keycloak.models.workflow.conditions.expression;
+
+import org.antlr.v4.runtime.BaseErrorListener;
+import org.antlr.v4.runtime.RecognitionException;
+import org.antlr.v4.runtime.Recognizer;
+import java.util.ArrayList;
+import java.util.List;
+
+public class ErrorListener extends BaseErrorListener {
+    private boolean hasErrors = false;
+    private final List<String> errorMessages = new ArrayList<>();
+
+    @Override
+    public void syntaxError(Recognizer<?, ?> recognizer, Object offendingSymbol,
+                            int line, int charPositionInLine,
+                            String msg, RecognitionException e) {
+        hasErrors = true;
+        String error = String.format("Error at line %d:%d - %s", line, charPositionInLine, msg);
+        errorMessages.add(error);
+    }
+
+    public boolean hasErrors() {
+        return hasErrors;
+    }
+
+    public List<String> getErrorMessages() {
+        return errorMessages;
+    }
+}