Enable MapUserProvider storing username with the letter case signific…

…ance

Closes keycloak#10245
Closes keycloak#11602

model/map-hot-rod/src/main/java/org/keycloak/models/map/storage/hotRod/IckleQueryMapModelCriteriaBuilder.java

@@ -68,6 +68,8 @@ public class IckleQueryMapModelCriteriaBuilder<E extends AbstractHotRodEntity, M
 
         INFINISPAN_NAME_OVERRIDES.put(RoleModel.SearchableFields.IS_CLIENT_ROLE, "clientRole");
 
+        INFINISPAN_NAME_OVERRIDES.put(UserModel.SearchableFields.USERNAME_CASE_INSENSITIVE, "usernameLowercase");
+        INFINISPAN_NAME_OVERRIDES.put(UserModel.SearchableFields.USERNAME, "username");
         INFINISPAN_NAME_OVERRIDES.put(UserModel.SearchableFields.SERVICE_ACCOUNT_CLIENT, "serviceAccountClientLink");
         INFINISPAN_NAME_OVERRIDES.put(UserModel.SearchableFields.CONSENT_FOR_CLIENT, "userConsents.clientId");
         INFINISPAN_NAME_OVERRIDES.put(UserModel.SearchableFields.CONSENT_WITH_CLIENT_SCOPE, "userConsents.grantedClientScopesIds");

model/map-hot-rod/src/main/java/org/keycloak/models/map/storage/hotRod/IckleQueryWhereClauses.java

@@ -25,6 +25,7 @@
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.models.map.storage.CriterionNotSupportedException;
 import org.keycloak.models.map.storage.ModelCriteriaBuilder;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.storage.SearchableModelField;
 import org.keycloak.storage.StorageId;
 import org.keycloak.util.EnumWithStableIndex;
@@ -62,6 +63,7 @@ public class IckleQueryWhereClauses {
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(UserModel.SearchableFields.ATTRIBUTE, IckleQueryWhereClauses::whereClauseForAttributes);
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(UserModel.SearchableFields.IDP_AND_USER, IckleQueryWhereClauses::whereClauseForUserIdpAlias);
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(UserModel.SearchableFields.CONSENT_CLIENT_FEDERATION_LINK, IckleQueryWhereClauses::whereClauseForConsentClientFederationLink);
+        WHERE_CLAUSE_PRODUCER_OVERRIDES.put(UserModel.SearchableFields.USERNAME_CASE_INSENSITIVE, IckleQueryWhereClauses::whereClauseForUsernameCaseInsensitive);
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(UserSessionModel.SearchableFields.CORRESPONDING_SESSION_ID, IckleQueryWhereClauses::whereClauseForCorrespondingSessionId);
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(Policy.SearchableFields.CONFIG, IckleQueryWhereClauses::whereClauseForPolicyConfig);
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(Event.SearchableFields.EVENT_TYPE, IckleQueryWhereClauses::whereClauseForEnumWithStableIndex);
@@ -226,4 +228,14 @@ private static String whereClauseForEnumWithStableIndex(String modelFieldName, M
 
         return produceWhereClause(modelFieldName, op, values, parameters);
     }
+
+    private static String whereClauseForUsernameCaseInsensitive(String modelFieldName, ModelCriteriaBuilder.Operator op, Object[] values, Map<String, Object> parameters) {
+        for (int i = 0; i < values.length; i++) {
+            if (values[i] instanceof String) {
+                values[i] = KeycloakModelUtils.toLowerCaseSafe((String) values[i]);
+            }
+        }
+
+        return produceWhereClause(modelFieldName, op == ModelCriteriaBuilder.Operator.ILIKE ? ModelCriteriaBuilder.Operator.LIKE : op, values, parameters);
+    }
 }

model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/Constants.java

@@ -35,7 +35,7 @@ public interface Constants {
     public static final Integer CURRENT_SCHEMA_VERSION_ROOT_AUTH_SESSION = 1;
     public static final Integer CURRENT_SCHEMA_VERSION_SINGLE_USE_OBJECT = 1;
     public static final Integer CURRENT_SCHEMA_VERSION_USER_LOGIN_FAILURE = 1;
-    public static final Integer CURRENT_SCHEMA_VERSION_USER = 1;
+    public static final Integer CURRENT_SCHEMA_VERSION_USER = 2;
     public static final Integer CURRENT_SCHEMA_VERSION_USER_CONSENT = 1;
     public static final Integer CURRENT_SCHEMA_VERSION_USER_FEDERATED_IDENTITY = 1;
     public static final Integer CURRENT_SCHEMA_VERSION_USER_SESSION = 1;

model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/JpaPredicateFunction.java

@@ -17,8 +17,6 @@
 
 package org.keycloak.models.map.storage.jpa;
 
-import org.keycloak.models.map.storage.jpa.JpaSubqueryProvider;
-
 import javax.persistence.criteria.CriteriaBuilder;
 import javax.persistence.criteria.Predicate;
 import javax.persistence.criteria.Root;

model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/hibernate/jsonb/migration/JpaUserMigration.java

@@ -16,10 +16,12 @@
  */
 package org.keycloak.models.map.storage.jpa.hibernate.jsonb.migration;
 
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import java.util.Arrays;
 import java.util.List;
 import java.util.function.Function;
+import org.keycloak.models.utils.KeycloakModelUtils;
 
 /**
  * Migration functions for users.
@@ -29,6 +31,13 @@
 public class JpaUserMigration {
 
     public static final List<Function<ObjectNode, ObjectNode>> MIGRATORS = Arrays.asList(
-            o -> o // no migration yet
+            o -> o,
+            JpaUserMigration::migrateTreeFrom1To2
     );
+
+    // adds lower-case variant of username into json 
+    private static ObjectNode migrateTreeFrom1To2(ObjectNode node) {
+        JsonNode usernameNode = node.path("fUsername");
+        return node.put("usernameLowerCase", KeycloakModelUtils.toLowerCaseSafe(usernameNode.asText()));
+    }
 }

model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/user/JpaUserModelCriteriaBuilder.java

@@ -54,8 +54,31 @@ private JpaUserModelCriteriaBuilder(final JpaPredicateFunction<JpaUserEntity> pr
     public JpaUserModelCriteriaBuilder compare(SearchableModelField<? super UserModel> modelField, Operator op, Object... value) {
         switch(op) {
             case EQ:
-                if (modelField == UserModel.SearchableFields.REALM_ID ||
-                    modelField == UserModel.SearchableFields.USERNAME ||
+                if (modelField == UserModel.SearchableFields.USERNAME_CASE_INSENSITIVE) {
+
+                    validateValue(value, modelField, op, String.class);
+
+                    return new JpaUserModelCriteriaBuilder((cb, query, root) ->
+                        cb.or(
+                            cb.and(
+                                cb.equal(root.get("usernameLowerCase"), value[0].toString().toLowerCase()),
+                                cb.ge(root.get("entityVersion"), 2)
+                            ),
+                            cb.and(
+                                cb.equal(root.get("username"), value[0].toString().toLowerCase()),
+                                cb.le(root.get("entityVersion"), 1)
+                            )
+                        )
+                    );
+
+                } else if (modelField == UserModel.SearchableFields.USERNAME) {
+                    validateValue(value, modelField, op, String.class);
+
+                    return new JpaUserModelCriteriaBuilder((cb, query, root) ->
+                            cb.equal(root.get("username"), value[0])
+                    );
+
+                } else if (modelField == UserModel.SearchableFields.REALM_ID ||
                     modelField == UserModel.SearchableFields.EMAIL ||
                     modelField == UserModel.SearchableFields.FEDERATION_LINK) {
 
@@ -152,14 +175,43 @@ public JpaUserModelCriteriaBuilder compare(SearchableModelField<? super UserMode
                     throw new CriterionNotSupportedException(modelField, op);
                 }
             case ILIKE:
-                if (modelField == UserModel.SearchableFields.USERNAME ||
-                    modelField == UserModel.SearchableFields.FIRST_NAME ||
+                if (modelField == UserModel.SearchableFields.FIRST_NAME ||
                     modelField == UserModel.SearchableFields.LAST_NAME ||
                     modelField == UserModel.SearchableFields.EMAIL) {
 
                     validateValue(value, modelField, op, String.class);
                     return new JpaUserModelCriteriaBuilder((cb, query, root) ->
                             cb.like(cb.lower(root.get(modelField.getName())), value[0].toString().toLowerCase()));
+
+                } else if (modelField == UserModel.SearchableFields.USERNAME_CASE_INSENSITIVE) {
+
+                    validateValue(value, modelField, op, String.class);
+
+                    return new JpaUserModelCriteriaBuilder((cb, query, root) ->
+                        cb.or(
+                            cb.and(
+                                cb.like(root.get("usernameLowerCase"), value[0].toString().toLowerCase()),
+                                cb.ge(root.get("entityVersion"), 2)
+                            ),
+                            cb.and(
+                                cb.like(root.get("username"), value[0].toString().toLowerCase()),
+                                cb.le(root.get("entityVersion"), 1)
+                            )
+                        )
+                    );
+
+                } else {
+                    throw new CriterionNotSupportedException(modelField, op);
+                }
+            case LIKE:
+                if (modelField == UserModel.SearchableFields.USERNAME) {
+
+                    validateValue(value, modelField, op, String.class);
+
+                    return new JpaUserModelCriteriaBuilder((cb, query, root) ->
+                            cb.like(root.get("username"), value[0].toString())
+                    );
+
                 } else {
                     throw new CriterionNotSupportedException(modelField, op);
                 }

model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/user/entity/JpaUserEntity.java

@@ -96,6 +96,10 @@ public class JpaUserEntity extends MapUserEntity.AbstractUserEntity implements J
     @Basic(fetch = FetchType.LAZY)
     private String username;
 
+    @Column(insertable = false, updatable = false)
+    @Basic(fetch = FetchType.LAZY)
+    private String usernameLowerCase;
+
     @Column(insertable = false, updatable = false)
     @Basic(fetch = FetchType.LAZY)
     private String firstName;
@@ -237,6 +241,7 @@ public String getUsername() {
     @Override
     public void setUsername(String username) {
         this.metadata.setUsername(username);
+        this.metadata.setUsernameLowerCase(username);
     }
 
     @Override

model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/user/entity/JpaUserMetadata.java

@@ -20,6 +20,7 @@
 
 import org.keycloak.models.map.common.DeepCloner;
 import org.keycloak.models.map.user.MapUserEntityImpl;
+import org.keycloak.models.utils.KeycloakModelUtils;
 
 /**
  * Class that contains all the user metadata that is written as JSON into the database.
@@ -37,6 +38,7 @@ public JpaUserMetadata(final DeepCloner cloner) {
     }
 
     private Integer entityVersion;
+    private String usernameLowerCase;
 
     public Integer getEntityVersion() {
         return entityVersion;
@@ -45,4 +47,8 @@ public Integer getEntityVersion() {
     public void setEntityVersion(Integer entityVersion) {
         this.entityVersion = entityVersion;
     }
+
+    public void setUsernameLowerCase(String username) {
+        this.usernameLowerCase = KeycloakModelUtils.toLowerCaseSafe(username);
+    }
 }

model/map-jpa/src/main/resources/META-INF/jpa-users-changelog.xml

@@ -19,4 +19,5 @@ limitations under the License.
 
 <databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
     <include file="META-INF/users/jpa-users-changelog-1.xml"/>
+    <include file="META-INF/users/jpa-users-changelog-2.xml"/>
 </databaseChangeLog>

model/map-jpa/src/main/resources/META-INF/users/jpa-users-changelog-2.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright 2022 Red Hat, Inc. and/or its affiliates
+and other contributors as indicated by the @author tags.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xmlns:ext="http://www.liquibase.org/xml/ns/dbchangelog-ext"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd
+                    http://www.liquibase.org/xml/ns/dbchangelog-ext http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-ext.xsd">
+
+    <changeSet author="keycloak" id="users-10245">
+
+        <ext:addGeneratedColumn tableName="kc_user">
+            <ext:column name="usernamelowercase" type="VARCHAR(255)" jsonColumn="metadata" jsonProperty="usernameLowerCase"/>
+        </ext:addGeneratedColumn>
+        <createIndex tableName="kc_user" indexName="user_username_lower_case_realmid">
+            <column name="usernamelowercase"/>
+            <column name="realmid"/>
+        </createIndex>
+
+    </changeSet>
+
+</databaseChangeLog>

model/map/src/main/java/org/keycloak/models/map/storage/chm/MapFieldPredicates.java

@@ -24,7 +24,6 @@
 import org.keycloak.events.Event;
 import org.keycloak.events.admin.AdminEvent;
 import org.keycloak.models.ActionTokenValueModel;
-import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.ClientScopeModel;
 import org.keycloak.models.GroupModel;
@@ -51,6 +50,7 @@
 import org.keycloak.models.map.singleUseObject.MapSingleUseObjectEntity;
 import org.keycloak.models.map.storage.QueryParameters;
 import org.keycloak.models.map.user.MapUserConsentEntity;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.storage.SearchableModelField;
 
 import java.util.Comparator;
@@ -59,7 +59,6 @@
 import org.keycloak.models.map.storage.chm.MapModelCriteriaBuilder.UpdatePredicatesFunc;
 import org.keycloak.models.map.storage.ModelCriteriaBuilder.Operator;
 import org.keycloak.models.map.user.MapUserEntity;
-import org.keycloak.models.map.userSession.MapAuthenticatedClientSessionEntity;
 import org.keycloak.models.map.userSession.MapUserSessionEntity;
 import org.keycloak.sessions.RootAuthenticationSessionModel;
 import org.keycloak.storage.StorageId;
@@ -134,6 +133,7 @@ public class MapFieldPredicates {
 
         put(USER_PREDICATES, UserModel.SearchableFields.REALM_ID,                 MapUserEntity::getRealmId);
         put(USER_PREDICATES, UserModel.SearchableFields.USERNAME,                 MapUserEntity::getUsername);
+        put(USER_PREDICATES, UserModel.SearchableFields.USERNAME_CASE_INSENSITIVE, MapFieldPredicates::usernameCaseInsensitive);
         put(USER_PREDICATES, UserModel.SearchableFields.FIRST_NAME,               MapUserEntity::getFirstName);
         put(USER_PREDICATES, UserModel.SearchableFields.LAST_NAME,                MapUserEntity::getLastName);
         put(USER_PREDICATES, UserModel.SearchableFields.EMAIL,                    MapUserEntity::getEmail);
@@ -306,6 +306,18 @@ private static MapModelCriteriaBuilder<Object, MapGroupEntity, GroupModel> check
         return mcb.fieldCompare(Boolean.TRUE::equals, getter);
     }
 
+    private static MapModelCriteriaBuilder<Object, MapUserEntity, UserModel> usernameCaseInsensitive(MapModelCriteriaBuilder<Object, MapUserEntity, UserModel> mcb, Operator op, Object[] values) {
+    for (int i = 0; i < values.length; i++) {
+        if (values[i] instanceof String) {
+            values[i] = KeycloakModelUtils.toLowerCaseSafe((String) values[i]);
+        }
+    }
+
+    Predicate<Object> valueComparator = CriteriaOperator.predicateFor(op, values);
+    Function<MapUserEntity, ?> getter = ue -> valueComparator.test(KeycloakModelUtils.toLowerCaseSafe(ue.getUsername()));
+    return mcb.fieldCompare(Boolean.TRUE::equals, getter);
+}
+
     private static MapModelCriteriaBuilder<Object, MapUserEntity, UserModel> getUserConsentClientFederationLink(MapModelCriteriaBuilder<Object, MapUserEntity, UserModel> mcb, Operator op, Object[] values) {
         String providerId = ensureEqSingleValue(UserModel.SearchableFields.CONSENT_CLIENT_FEDERATION_LINK, "provider_id", op, values);
         String providerIdS = new StorageId((String) providerId, "").getId();

model/map/src/main/java/org/keycloak/models/map/user/MapUserAdapter.java

@@ -54,7 +54,6 @@ public String getUsername() {
 
     @Override
     public void setUsername(String username) {
-        username = KeycloakModelUtils.toLowerCaseSafe(username);
         // Do not continue if current username of entity is the requested username
         if (username != null && username.equals(entity.getUsername())) return;