Further fix LDAP sync not encrypted issue.

Also, the spi-user-provider flag is no longer needed.

Author: MLukman

Dockerfile

@@ -18,5 +18,5 @@ FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION
 COPY --from=provider-pii /app/target/*.jar /opt/keycloak/providers
 
 # Need to build after adding providers
-RUN /opt/keycloak/bin/kc.sh build --db=mysql --features="declarative-ui" --spi-user-provider=jpa-encrypted
+RUN /opt/keycloak/bin/kc.sh build --db=mysql --features="declarative-ui"
 

README.md

@@ -60,14 +60,13 @@ RUN /opt/keycloak/bin/kc.sh build --db=mysql --features="declarative-ui" --spi-u
 
 This provider requires the encryption key to be provided via environment variable **`KC_PII_ENCKEY`** and it needs to be **at least 16 characters long**. If the encryption key is not provided, however, there is a default fallback that uses MD5 hash of the database JDBC URL, either using configuration parameter `db-url` or environment variable `KC_DB_URL`. If you rely on this fallback and in the future need to migrate your Keycloak data into another databases that results in a different value of JDBC URL, you need to get the old value of JDBC URL, encode it using lowercased MD5 hash and set the value to the `KC_PII_ENCKEY` environment variable.
 
-### Enabling 'jpa-encrypted' user provider and 'declarative-ui' feature
+### Enabling 'declarative-ui' feature
 
-This provider requires the Keycloak instance to be either built or started with two flags:
+This provider requires the Keycloak instance to be either built or started with the following flag:
 
--  `--spi-user-provider=jpa-encrypted`
-- `--features="declarative-ui"`
+-  `--features="declarative-ui"`
 
-These flags can be added to the `build` command with a condition that the `start` command has the `--optimized` flag, or for `start` without that flag or `start-dev` command, the two flags are to be added to the `start` or `start-dev` commands.
+The flag can be added to the `build` command with a condition that the `start` command has the `--optimized` flag, or for `start` without that flag or `start-dev` command, the flag is to be added to the `start` or `start-dev` commands.
 
 Note: the "declarative-ui" flag is only necessary while the feature is still considered experimental. Once it is enabled by default in future Keycloak versions, the flag will no longer be necessary.
 

licenseheader.txt

@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) 2025 Muhammad Lukman Nasaruddin <lukman.nasaruddin@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at 
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software 
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and 
+ * limitations under the License.
+ */

nb-configuration.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project-shared-configuration>
+    <!--
+This file contains additional configuration written by modules in the NetBeans IDE.
+The configuration is intended to be shared among all the users of project and
+therefore it is assumed to be part of version control checkout.
+Without this configuration present, some functionality in the IDE may be limited or fail altogether.
+-->
+    <properties xmlns="http://www.netbeans.org/ns/maven-properties-data/1">
+        <!--
+Properties that influence various parts of the IDE, especially code formatting and the like. 
+You can copy and paste the single properties, into the pom.xml file and the IDE will pick them up.
+That way multiple projects can share the same settings (useful for formatting rules for example).
+Any value defined here will override the pom.xml file value but is only applicable to the current project.
+-->
+        <netbeans.hint.licensePath>${project.basedir}/licenseheader.txt</netbeans.hint.licensePath>
+    </properties>
+</project-shared-configuration>

pom.xml

@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>my.unifi.eset</groupId>
     <artifactId>keycloak-pii-data-encryption</artifactId>
-    <version>2.5</version>
+    <version>2.6</version>
     <packaging>jar</packaging>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

src/main/java/my/unifi/eset/keycloak/piidataencryption/jpa/EncryptedUserProvider.java

@@ -13,7 +13,6 @@
  * See the License for the specific language governing permissions and 
  * limitations under the License.
  */
-
 package my.unifi.eset.keycloak.piidataencryption.jpa;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -80,4 +79,13 @@ public Stream<UserModel> searchForUserStream(RealmModel realm, Map<String, Strin
         return super.searchForUserStream(realm, attributes, firstResult, maxResults);
     }
 
+    @Override
+    public UserModel addUser(RealmModel realm, String id, String username, boolean addDefaultRoles, boolean addDefaultRequiredActions) {
+        UserModel userModel = super.addUser(realm, id, username, addDefaultRoles, addDefaultRequiredActions);
+        LogicUtils.encryptUserEntity(ks, em, LogicUtils.getUserEntity(em, userModel.getId()));
+        em.flush();
+        logger.debugf("addUser (encrypted): " + username);
+        return userModel;
+    }
+
 }

src/main/java/my/unifi/eset/keycloak/piidataencryption/jpa/EncryptedUserProviderFactory.java

@@ -13,40 +13,25 @@
  * See the License for the specific language governing permissions and 
  * limitations under the License.
  */
-
 package my.unifi.eset.keycloak.piidataencryption.jpa;
 
 import jakarta.persistence.EntityManager;
-import org.keycloak.Config;
 import org.keycloak.connections.jpa.JpaConnectionProvider;
 import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakSessionFactory;
-import org.keycloak.models.UserProviderFactory;
-import org.keycloak.provider.Provider;
+import org.keycloak.models.UserProvider;
+import org.keycloak.models.jpa.JpaUserProviderFactory;
 
-public class EncryptedUserProviderFactory implements UserProviderFactory {
+public class EncryptedUserProviderFactory extends JpaUserProviderFactory {
 
     @Override
-    public Provider create(KeycloakSession ks) {
+    public UserProvider create(KeycloakSession ks) {
         EntityManager em = ks.getProvider(JpaConnectionProvider.class).getEntityManager();
         return new EncryptedUserProvider(ks, em);
     }
 
     @Override
-    public void init(Config.Scope scope) {
-    }
-
-    @Override
-    public void postInit(KeycloakSessionFactory ksf) {
-    }
-
-    @Override
-    public void close() {
-    }
-
-    @Override
-    public String getId() {
-        return "jpa-encrypted";
+    public int order() {
+        return 1000;
     }
 
 }

src/main/java/my/unifi/eset/keycloak/piidataencryption/jpa/EncryptedUserProviderFactoryDeprecated.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2025 Muhammad Lukman Nasaruddin <lukman.nasaruddin@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at 
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software 
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and 
+ * limitations under the License.
+ */
+package my.unifi.eset.keycloak.piidataencryption.jpa;
+
+public class EncryptedUserProviderFactoryDeprecated extends EncryptedUserProviderFactory {
+
+    @Override
+    public String getId() {
+        return "jpa-encrypted";
+    }
+
+}

src/main/java/my/unifi/eset/keycloak/piidataencryption/ldap/EncryptedLDAPStorageProvider.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2025 Muhammad Lukman Nasaruddin <lukman.nasaruddin@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at 
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software 
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and 
+ * limitations under the License.
+ */
+package my.unifi.eset.keycloak.piidataencryption.ldap;
+
+import jakarta.persistence.EntityManager;
+import my.unifi.eset.keycloak.piidataencryption.utils.LogicUtils;
+import org.jboss.logging.Logger;
+import org.keycloak.component.ComponentModel;
+import org.keycloak.connections.jpa.JpaConnectionProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.storage.ldap.LDAPStorageProvider;
+import org.keycloak.storage.ldap.LDAPStorageProviderFactory;
+import org.keycloak.storage.ldap.idm.model.LDAPObject;
+import org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore;
+
+public class EncryptedLDAPStorageProvider extends LDAPStorageProvider {
+
+    private static final Logger logger = Logger.getLogger(EncryptedLDAPStorageProvider.class);
+
+    public EncryptedLDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore) {
+        super(factory, session, model, ldapIdentityStore);
+    }
+
+    @Override
+    protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser, ImportType importType) {
+        logger.debugf("importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser, ImportType importType)");
+        UserModel userModel = super.importUserFromLDAP(session, realm, ldapUser, importType);
+        EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
+        LogicUtils.encryptUserEntity(session, em, LogicUtils.getUserEntity(em, userModel.getId()));
+        em.flush();
+        logger.debugf("importUserFromLDAP (encrypted): " + userModel.getUsername());
+        return userModel;
+    }
+
+}

src/main/java/my/unifi/eset/keycloak/piidataencryption/ldap/EncryptedLDAPStorageProviderFactory.java

@@ -1,30 +1,56 @@
+/*
+ * Copyright (C) 2025 Muhammad Lukman Nasaruddin <lukman.nasaruddin@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at 
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software 
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and 
+ * limitations under the License.
+ */
 package my.unifi.eset.keycloak.piidataencryption.ldap;
 
-import jakarta.persistence.EntityManager;
-import my.unifi.eset.keycloak.piidataencryption.utils.LogicUtils;
+import java.util.Map;
+import org.keycloak.Config;
 import org.keycloak.component.ComponentModel;
-import org.keycloak.connections.jpa.JpaConnectionProvider;
 import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.storage.ldap.LDAPIdentityStoreRegistry;
+import org.keycloak.storage.ldap.LDAPStorageProvider;
 import org.keycloak.storage.ldap.LDAPStorageProviderFactory;
-import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
-import org.keycloak.storage.user.SynchronizationResult;
+import org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore;
+import org.keycloak.storage.ldap.mappers.LDAPConfigDecorator;
 
 public class EncryptedLDAPStorageProviderFactory extends LDAPStorageProviderFactory {
 
+    LDAPIdentityStoreRegistry ldapStoreRegistryOverride;
+
     @Override
     public int order() {
         return 1000;
     }
 
     @Override
-    protected SynchronizationResult syncImpl(KeycloakSessionFactory sessionFactory, LDAPQuery userQuery, String realmId, ComponentModel fedModel) {
-        SynchronizationResult result = super.syncImpl(sessionFactory, userQuery, realmId, fedModel);
-        KeycloakSession session = sessionFactory.create();
-        EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
-        LogicUtils.encryptExistingUserEntities(session, em, session.realms().getRealm(realmId));
-        em.flush();
-        return result;
+    public void init(Config.Scope config) {
+        super.init(config);
+        this.ldapStoreRegistryOverride = new LDAPIdentityStoreRegistry();
+    }
+
+    @Override
+    public void close() {
+        super.close();
+        this.ldapStoreRegistryOverride = null;
+    }
+
+    @Override
+    public LDAPStorageProvider create(KeycloakSession session, ComponentModel model) {
+        Map<ComponentModel, LDAPConfigDecorator> configDecorators = getLDAPConfigDecorators(session, model);
+        LDAPIdentityStore ldapIdentityStore = this.ldapStoreRegistryOverride.getLdapStore(session, model, configDecorators);
+        return new EncryptedLDAPStorageProvider(this, session, model, ldapIdentityStore);
     }
 
 }