[RLM] Provide a action to notify users by email based on a configurable time

Closes keycloak#41788

Signed-off-by: Martin Kanis <[email protected]>

Author: martin-kanis

core/src/main/java/org/keycloak/representations/resources/policies/ResourcePolicyActionRepresentation.java

@@ -77,6 +77,15 @@ public Builder after(Duration duration) {
             return this;
         }
 
+        public Builder before(ResourcePolicyActionRepresentation targetAction, Duration timeBeforeTarget) {
+            // Calculate absolute time: targetAction.after - timeBeforeTarget
+            String targetAfter = targetAction.getConfig().get(AFTER_KEY).get(0);
+            long targetTime = Long.parseLong(targetAfter);
+            long thisTime = targetTime - timeBeforeTarget.toMillis();
+            action.setAfter(thisTime);
+            return this;
+        }
+
         public Builder withConfig(String key, String value) {
             action.setConfig(key, value);
             return this;

services/src/main/java/org/keycloak/models/policy/NotifyUserActionProvider.java

@@ -17,16 +17,27 @@
 
 package org.keycloak.models.policy;
 
+import java.time.Duration;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+
 import org.jboss.logging.Logger;
 
 import org.keycloak.component.ComponentModel;
+import org.keycloak.email.EmailException;
+import org.keycloak.email.EmailTemplateProvider;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 
 public class NotifyUserActionProvider implements ResourceActionProvider {
 
+    private static final String ACCOUNT_DISABLE_NOTIFICATION_SUBJECT = "accountDisableNotificationSubject";
+    private static final String ACCOUNT_DELETE_NOTIFICATION_SUBJECT = "accountDeleteNotificationSubject";
+    private static final String ACCOUNT_DISABLE_NOTIFICATION_BODY = "accountDisableNotificationBody";
+    private static final String ACCOUNT_DELETE_NOTIFICATION_BODY = "accountDeleteNotificationBody";
+
     private final KeycloakSession session;
     private final ComponentModel actionModel;
     private final Logger log = Logger.getLogger(NotifyUserActionProvider.class);
@@ -43,23 +54,142 @@ public void close() {
     @Override
     public void run(List<String> userIds) {
         RealmModel realm = session.getContext().getRealm();
+        EmailTemplateProvider emailProvider = session.getProvider(EmailTemplateProvider.class).setRealm(realm);
+
+        String subjectKey = getSubjectKey();
+        String bodyTemplate = getBodyTemplate();
+        Map<String, Object> bodyAttributes = getBodyAttributes();
 
         for (String id : userIds) {
             UserModel user = session.users().getUserById(realm, id);
 
-            if (user != null) {
-                log.debugv("Disabling user {0} ({1})", user.getUsername(), user.getId());
-                user.setSingleAttribute(getMessageKey(), getMessage());
+            if (user != null && user.getEmail() != null) {
+                try {
+                    emailProvider.setUser(user).send(subjectKey, bodyTemplate, bodyAttributes);
+                    log.debugv("Notification email sent to user {0} ({1})", user.getUsername(), user.getEmail());
+                } catch (EmailException e) {
+                    log.errorv(e, "Failed to send notification email to user {0} ({1})", user.getUsername(), user.getEmail());
+                }
+            } else if (user != null && user.getEmail() == null) {
+                log.warnv("User {0} has no email address, skipping notification", user.getUsername());
             }
         }
     }
 
-    private String getMessageKey() {
-        return actionModel.getConfig().getFirstOrDefault("message_key", "message");
+    private String getSubjectKey() {
+        String nextActionType = getNextActionType();
+        String customSubjectKey = actionModel.getConfig().getFirst("custom_subject_key");
+        
+        if (customSubjectKey != null && !customSubjectKey.trim().isEmpty()) {
+            return customSubjectKey;
+        }
+        
+        // Return default subject key based on next action type
+        String defaultSubjectKey = getDefaultSubjectKey(nextActionType);
+        return defaultSubjectKey;
+    }
+
+    private String getBodyTemplate() {
+        return "resource-policy-notification.ftl";
+    }
+
+    private Map<String, Object> getBodyAttributes() {
+        RealmModel realm = session.getContext().getRealm();
+        Map<String, Object> attributes = new HashMap<>();
+        
+        String nextActionType = getNextActionType();
+        
+        // Custom message override or default based on action type
+        String customMessage = actionModel.getConfig().getFirst("custom_message");
+        if (customMessage != null && !customMessage.trim().isEmpty()) {
+            attributes.put("messageKey", "customMessage");
+            attributes.put("customMessage", customMessage);
+        } else {
+            attributes.put("messageKey", getDefaultMessageKey(nextActionType));
+        }
+        
+        // Calculate days remaining until next action
+        int daysRemaining = calculateDaysUntilNextAction();
+        
+        // Message parameters for internationalization
+        attributes.put("daysRemaining", daysRemaining);
+        attributes.put("reason", actionModel.getConfig().getFirstOrDefault("reason", "inactivity"));
+        attributes.put("realmName", realm.getDisplayName() != null ? realm.getDisplayName() : realm.getName());
+        attributes.put("nextActionType", nextActionType);
+        attributes.put("subjectKey", getSubjectKey());
+        
+        return attributes;
+    }
+
+    private String getNextActionType() {
+        ComponentModel nextAction = getNextNonNotificationAction();
+        return nextAction != null ? nextAction.getProviderId() : "unknown-action";
+    }
+
+    private int calculateDaysUntilNextAction() {
+        ComponentModel nextAction = getNextNonNotificationAction();
+        if (nextAction == null) {
+            return 0;
+        }
+        
+        String currentAfter = actionModel.get("after");
+        String nextAfter = nextAction.get("after");
+        
+        if (currentAfter == null || nextAfter == null) {
+            return 0;
+        }
+        
+        try {
+            long currentMillis = Long.parseLong(currentAfter);
+            long nextMillis = Long.parseLong(nextAfter);
+            Duration difference = Duration.ofMillis(nextMillis - currentMillis);
+            return Math.toIntExact(difference.toDays());
+        } catch (NumberFormatException e) {
+            log.warnv("Invalid days format: current={0}, next={1}", currentAfter, nextAfter);
+            return 0;
+        }
+    }
+
+    private ComponentModel getNextNonNotificationAction() {
+        RealmModel realm = session.getContext().getRealm();
+        ComponentModel policyModel = realm.getComponent(actionModel.getParentId());
+        
+        List<ComponentModel> actions = realm.getComponentsStream(policyModel.getId(), ResourceActionProvider.class.getName())
+            .sorted((a, b) -> {
+                int priorityA = Integer.parseInt(a.get("priority", "0"));
+                int priorityB = Integer.parseInt(b.get("priority", "0"));
+                return Integer.compare(priorityA, priorityB);
+            })
+            .toList();
+        
+        // Find current action and return next non-notification action
+        boolean foundCurrent = false;
+        for (ComponentModel action : actions) {
+            if (foundCurrent && !action.getProviderId().equals("notify-user-action-provider")) {
+                return action;
+            }
+            if (action.getId().equals(actionModel.getId())) {
+                foundCurrent = true;
+            }
+        }
+        
+        return null;
+    }
+    
+    private String getDefaultSubjectKey(String actionType) {
+        return switch (actionType) {
+            case "disable-user-action-provider" -> ACCOUNT_DISABLE_NOTIFICATION_SUBJECT;
+            case "delete-user-action-provider" -> ACCOUNT_DELETE_NOTIFICATION_SUBJECT;
+            default -> "accountNotificationSubject";
+        };
     }
 
-    private String getMessage() {
-        return actionModel.getConfig().getFirstOrDefault(getMessageKey(), "sent");
+    private String getDefaultMessageKey(String actionType) {
+        return switch (actionType) {
+            case "disable-user-action-provider" -> ACCOUNT_DISABLE_NOTIFICATION_BODY;
+            case "delete-user-action-provider" -> ACCOUNT_DELETE_NOTIFICATION_BODY;
+            default -> "accountNotificationBody";
+        };
     }
 
     @Override

services/src/main/java/org/keycloak/models/policy/NotifyUserActionProviderFactory.java

@@ -17,6 +17,7 @@
 
 package org.keycloak.models.policy;
 
+import java.util.Arrays;
 import java.util.List;
 
 import org.keycloak.Config;
@@ -61,11 +62,23 @@ public ResourceType getType() {
 
     @Override
     public String getHelpText() {
-        return "";
+        return "Sends email notifications to users based on configurable templates";
     }
 
     @Override
     public List<ProviderConfigProperty> getConfigProperties() {
-        return List.of();
+        return Arrays.asList(
+            new ProviderConfigProperty("reason", "Reason", 
+                "Reason for the action (inactivity, policy violation, compliance requirement)", 
+                ProviderConfigProperty.STRING_TYPE, ""),
+
+            new ProviderConfigProperty("custom_subject_key", "Custom Subject Message Key", 
+                "Override default subject with custom message property key (optional)", 
+                ProviderConfigProperty.STRING_TYPE, ""),
+
+            new ProviderConfigProperty("custom_message", "Custom Message", 
+                "Override default message with custom text (optional)", 
+                ProviderConfigProperty.TEXT_TYPE, "")
+        );
     }
 }

services/src/main/java/org/keycloak/models/policy/UserActionBuilder.java

@@ -19,8 +19,6 @@
 
 import java.time.Duration;
 
-import org.keycloak.common.util.KeycloakUriBuilder;
-
 public class UserActionBuilder {
 
     private final ResourceAction action;

tests/base/src/test/java/org/keycloak/tests/admin/model/policy/GroupMembershipJoinPolicyTest.java

@@ -3,11 +3,12 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.keycloak.tests.admin.model.policy.ResourcePolicyManagementTest.findEmailByRecipient;
 
 import java.time.Duration;
 import java.util.List;
 
+import jakarta.mail.internet.MimeMessage;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
 import org.junit.jupiter.api.Test;
@@ -27,6 +28,8 @@
 import org.keycloak.testframework.annotations.InjectRealm;
 import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
 import org.keycloak.testframework.injection.LifeCycle;
+import org.keycloak.testframework.mail.MailServer;
+import org.keycloak.testframework.mail.annotations.InjectMailServer;
 import org.keycloak.testframework.realm.GroupConfigBuilder;
 import org.keycloak.testframework.realm.ManagedRealm;
 import org.keycloak.testframework.realm.UserConfigBuilder;
@@ -45,6 +48,9 @@ public class GroupMembershipJoinPolicyTest {
     @InjectRealm(lifecycle = LifeCycle.METHOD)
     ManagedRealm managedRealm;
 
+    @InjectMailServer
+    private MailServer mailServer;
+
     @Test
     public void testEventsOnGroupMembershipJoin() {
         String groupId;
@@ -77,7 +83,7 @@ public void testEventsOnGroupMembershipJoin() {
         String userId;
 
         try (Response response = managedRealm.admin().users().create(UserConfigBuilder.create()
-                .username("generic-user").build())) {
+                .username("generic-user").email("[email protected]").build())) {
             userId = ApiUtil.getCreatedId(response);
         }
 
@@ -88,18 +94,21 @@ public void testEventsOnGroupMembershipJoin() {
             ResourcePolicyManager manager = new ResourcePolicyManager(session);
 
             UserModel user = session.users().getUserById(realm, userId);
-            assertNull(user.getAttributes().get("message"));
 
             try {
                 // set offset to 7 days - notify action should run now
                 Time.setOffset(Math.toIntExact(Duration.ofDays(6).toSeconds()));
                 manager.runScheduledActions();
-                user = session.users().getUserById(realm, userId);
-                assertNotNull(user.getAttributes().get("message"));
             } finally {
                 Time.setOffset(0);
             }
         }));
+
+        // Verify that the notify action was executed by checking email was sent
+        MimeMessage testUserMessage = findEmailByRecipient(mailServer, "[email protected]");
+        assertNotNull(testUserMessage, "The first action (notify) should have sent an email.");
+
+        mailServer.runCleanup();
     }
 
     private static RealmModel configureSessionContext(KeycloakSession session) {