feat: allow partial profile updates

Author: Neunerlei

README.md

@@ -183,6 +183,19 @@ Supported query parameters:
 
 Required roles: `hawk-manage-profile-data`
 
+#### PATCH User Profile Data
+`/realms/{realm}/hawk/profile/{userId}`
+
+This endpoint works similar to the `PUT` variant, but also accepts partial updates.
+Only the fields that are provided in the request body will be validated and updated.
+
+The body of the request should be a [UserRepresentation](https://www.keycloak.org/docs-api/latest/rest-api/index.html#UserRepresentation)
+
+Supported query parameters:
+* **mode** - user|admin - If set to "admin" the update will be done as an admin, otherwise as the user itself
+
+Required roles: `hawk-manage-profile-data`
+
 #### GET Cache Buster
 `/realms/{realm}/hawk/cache-buster`
 

src/main/java/com/hawk/keycloak/ApiRoot.java

@@ -164,7 +164,6 @@ public Stream<String> getRoleMembers(
             @Parameter(description = "Pagination offset") @QueryParam("first") Integer firstResult,
             @Parameter(description = "Maximum results size (defaults to 100)") @QueryParam("max") Integer maxResults
     ) {
-
         return requestHandlerFactory
                 .rolesRequestHandler(authenticate())
                 .handleRoleMembersRequest(
@@ -210,13 +209,30 @@ public AbstractUserRepresentation getUserProfile(
     @Path("profile/{user}")
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
-    public Response updateUserProfile(
+    public Response putUserProfile(
+            @Parameter(description = "The id of the user to update the profile for") @PathParam("user") String userId,
+            @Parameter(description = "Defines the requesting role. Can be 'user' (default) to update the profile as the user, or 'admin' to update the profile as admin") @QueryParam("mode") String mode,
+            UserRepresentation rep
+    ) {
+        return requestHandlerFactory.profileDataRequestHandler(authenticate())
+                .handleProfilePutRequest(
+                        session.users().getUserById(session.getContext().getRealm(), userId),
+                        ProfileMode.fromString(mode),
+                        rep
+                );
+    }
+
+    @PATCH
+    @Path("profile/{user}")
+    @Consumes(MediaType.APPLICATION_JSON)
+    @Produces(MediaType.APPLICATION_JSON)
+    public Response patchUserProfile(
             @Parameter(description = "The id of the user to update the profile for") @PathParam("user") String userId,
             @Parameter(description = "Defines the requesting role. Can be 'user' (default) to update the profile as the user, or 'admin' to update the profile as admin") @QueryParam("mode") String mode,
             UserRepresentation rep
     ) {
         return requestHandlerFactory.profileDataRequestHandler(authenticate())
-                .handleProfileUpdateRequest(
+                .handleProfilePatchRequest(
                         session.users().getUserById(session.getContext().getRealm(), userId),
                         ProfileMode.fromString(mode),
                         rep

src/main/java/com/hawk/keycloak/profiles/PartialUpdateUserProfileProvider.java

@@ -0,0 +1,80 @@
+package com.hawk.keycloak.profiles;
+
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.UserModel;
+import org.keycloak.representations.idm.UserRepresentation;
+import org.keycloak.userprofile.Attributes;
+import org.keycloak.userprofile.DeclarativeUserProfileProvider;
+import org.keycloak.userprofile.UserProfileContext;
+import org.keycloak.userprofile.UserProfileMetadata;
+
+import java.util.Map;
+
+public class PartialUpdateUserProfileProvider extends DeclarativeUserProfileProvider {
+    private UserRepresentation partialRep;
+
+    public PartialUpdateUserProfileProvider(
+            KeycloakSession session,
+            PartialUpdateUserProfileProviderFactory factory
+    ) {
+        super(session, factory);
+    }
+
+    /**
+     * Setting this will make the provider only write fields that are present in the provided representation.
+     * This allows for partial updates of user profiles.
+     * @param rep The given update request.
+     */
+    public void onlyWriteFieldsOf(UserRepresentation rep) {
+        partialRep = rep;
+    }
+
+    /**
+     * Overrides the default attribute creation, by defining all attributes that are not present in the partial representation as read-only.
+     */
+    @Override
+    protected Attributes createAttributes(UserProfileContext context, Map<String, ?> attributes, UserModel user, UserProfileMetadata metadata) {
+        if (partialRep == null) {
+            return super.createAttributes(context, attributes, user, metadata);
+        }
+
+        UserProfileMetadata metadataClone = metadata.clone();
+        metadataClone.getAttributes().forEach((value) -> {
+            switch (value.getName()) {
+                case "emailVerified":
+                    if (partialRep.isEmailVerified() == null) {
+                        value.addWriteCondition(context1 -> false);
+                    }
+                    break;
+                case "username":
+                    if (partialRep.getUsername() == null || partialRep.getUsername().isEmpty()) {
+                        value.addWriteCondition(context1 -> false);
+                    }
+                    break;
+                case "email":
+                    if (partialRep.getEmail() == null || partialRep.getEmail().isEmpty()) {
+                        value.addWriteCondition(context1 -> false);
+                    }
+                    break;
+                case "firstName":
+                    if (partialRep.getFirstName() == null || partialRep.getFirstName().isEmpty()) {
+                        value.addWriteCondition(context1 -> false);
+                    }
+                    break;
+                case "lastName":
+                    if (partialRep.getLastName() == null || partialRep.getLastName().isEmpty()) {
+                        value.addWriteCondition(context1 -> false);
+                    }
+                    break;
+                default:
+                    if (!partialRep.getAttributes().containsKey(value.getName())) {
+                        value.addWriteCondition(context1 -> false);
+                    }
+                    break;
+            }
+
+        });
+
+        return super.createAttributes(context, attributes, user, metadataClone);
+    }
+}

src/main/java/com/hawk/keycloak/profiles/PartialUpdateUserProfileProviderFactory.java

@@ -0,0 +1,17 @@
+package com.hawk.keycloak.profiles;
+
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.userprofile.DeclarativeUserProfileProvider;
+import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
+
+public class PartialUpdateUserProfileProviderFactory extends DeclarativeUserProfileProviderFactory {
+    @Override
+    public int order() {
+        return 10;
+    }
+
+    @Override
+    public DeclarativeUserProfileProvider create(KeycloakSession session) {
+        return new PartialUpdateUserProfileProvider(session, this);
+    }
+}

src/main/java/com/hawk/keycloak/profiles/ProfileDataRequestHandler.java

@@ -19,6 +19,8 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.function.BiFunction;
+import java.util.function.Supplier;
 
 @RequiredArgsConstructor
 public class ProfileDataRequestHandler {
@@ -28,34 +30,50 @@ public class ProfileDataRequestHandler {
 
     public AbstractUserRepresentation handleProfileRequest(UserModel user, ProfileMode mode) {
         auth.admin().users().requireView();
-
-        if(user == null){
+        if (user == null) {
             throw new NotFoundException("User not found");
         }
+        return getProfileForRead(user, mode).toRepresentation();
+    }
 
-        return getProfile(user, mode, null).toRepresentation();
+    public Response handleProfilePutRequest(UserModel user, ProfileMode mode, UserRepresentation rep) {
+        return handleProfileUpdateRequest(
+                user,
+                () -> getProfileForWrite(user, mode, rep),
+                (profile, event) -> {
+                    profile.update(new EventAuditingAttributeChangeListener(getProfileForRead(user, mode), event));
+                    return null;
+                });
     }
 
-    public Response handleProfileUpdateRequest(UserModel user, ProfileMode mode, UserRepresentation rep) {
-        auth.requireManageProfileData();
+    public Response handleProfilePatchRequest(UserModel user, ProfileMode mode, UserRepresentation rep) {
+        return handleProfileUpdateRequest(
+                user,
+                () -> getProfileForPartialWrite(user, mode, rep),
+                (profile, event) -> {
+                    profile.update(true, new EventAuditingAttributeChangeListener(getProfileForRead(user, mode), event));
+                    return null;
+                }
+        );
+    }
 
-        if(user == null){
+    private Response handleProfileUpdateRequest(
+            UserModel user,
+            Supplier<UserProfile> getProfile,
+            BiFunction<UserProfile, EventBuilder, Void> callback) {
+        auth.requireManageProfileData();
+        if (user == null) {
             throw new NotFoundException("User not found");
         }
-
+        UserProfile profile = getProfile.get();
         event.event(EventType.UPDATE_PROFILE).detail(Details.CONTEXT, UserProfileContext.ACCOUNT.name());
-
-        UserProfile profile = getProfile(user, mode, rep);
-
         try {
-            profile.update(new EventAuditingAttributeChangeListener(profile, event));
-
+            callback.apply(profile, event);
             event.success();
-
             return Response.noContent().build();
         } catch (ValidationException pve) {
             List<ErrorRepresentation> errors = new ArrayList<>();
-            for(ValidationException.Error err: pve.getErrors()) {
+            for (ValidationException.Error err : pve.getErrors()) {
                 errors.add(new ErrorRepresentation(err.getAttribute(), err.getMessage(), validationErrorParamsToString(err.getMessageParameters(), profile.getAttributes())));
             }
             throw ErrorResponse.errors(errors, pve.getStatusCode(), false);
@@ -64,28 +82,43 @@ public Response handleProfileUpdateRequest(UserModel user, ProfileMode mode, Use
         }
     }
 
-    private UserProfile getProfile(UserModel user, ProfileMode mode, UserRepresentation rep) {
+    private UserProfile getProfileForRead(UserModel user, ProfileMode mode) {
         UserProfileContext context = mode == ProfileMode.USER ? UserProfileContext.ACCOUNT : UserProfileContext.USER_API;
         UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
+        return profileProvider.create(context, user);
+    }
 
-        if(rep == null){
-            return profileProvider.create(context, user);
-        }
+    private UserProfile getProfileForWrite(UserModel user, ProfileMode mode, UserRepresentation rep) {
+        UserProfileContext context = mode == ProfileMode.USER ? UserProfileContext.ACCOUNT : UserProfileContext.USER_API;
+        UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
+        return profileProvider.create(context, rep.getRawAttributes(), user);
+    }
 
+    private UserProfile getProfileForPartialWrite(UserModel user, ProfileMode mode, UserRepresentation rep) {
+        UserProfileContext context = mode == ProfileMode.USER ? UserProfileContext.ACCOUNT : UserProfileContext.USER_API;
+        UserProfileProvider profileProvider = session.getProvider(UserProfileProvider.class);
+        if (profileProvider instanceof PartialUpdateUserProfileProvider) {
+            try {
+                ((PartialUpdateUserProfileProvider) profileProvider).onlyWriteFieldsOf(rep);
+                return profileProvider.create(context, rep.getRawAttributes(), user);
+            } finally {
+                ((PartialUpdateUserProfileProvider) profileProvider).onlyWriteFieldsOf(null);
+            }
+        }
         return profileProvider.create(context, rep.getRawAttributes(), user);
     }
 
     private String[] validationErrorParamsToString(Object[] messageParameters, Attributes userProfileAttributes) {
-        if(messageParameters == null)
+        if (messageParameters == null)
             return null;
         String[] ret = new String[messageParameters.length];
         int i = 0;
-        for(Object p: messageParameters) {
-            if(p != null) {
+        for (Object p : messageParameters) {
+            if (p != null) {
                 //first parameter is user profile attribute name, we have to take Display Name for it
-                if(i==0) {
+                if (i == 0) {
                     AttributeMetadata am = userProfileAttributes.getMetadata(p.toString());
-                    if(am != null)
+                    if (am != null)
                         ret[i++] = am.getAttributeDisplayName();
                     else
                         ret[i++] = p.toString();
@@ -98,5 +131,4 @@ private String[] validationErrorParamsToString(Object[] messageParameters, Attri
         }
         return ret;
     }
-
 }

src/main/resources/META-INF/services/org.keycloak.userprofile.UserProfileProviderFactory

@@ -0,0 +1 @@
+com.hawk.keycloak.profiles.PartialUpdateUserProfileProviderFactory