Allow the dataset to generate users with a limited number of unique passwords

ryanemerson · ryanemerson · commit af93f475f585 · 2025-11-26T15:35:43.000Z
Closes #1237 Signed-off-by: Ryan Emerson <remerson@ibm.com>
diff --git a/dataset/src/main/java/org/keycloak/benchmark/dataset/DatasetResourceProvider.java b/dataset/src/main/java/org/keycloak/benchmark/dataset/DatasetResourceProvider.java
@@ -33,6 +33,7 @@
 import org.keycloak.benchmark.dataset.config.DatasetException;
 import org.keycloak.benchmark.dataset.organization.OrganizationProvisioner;
 import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.credential.hash.PasswordHashProvider;
 import org.keycloak.events.Event;
 import org.keycloak.events.EventStoreProvider;
 import org.keycloak.events.EventType;
@@ -52,6 +53,7 @@
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.models.cache.CacheRealmProvider;
+import org.keycloak.models.credential.PasswordCredentialModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
@@ -435,6 +437,8 @@ private void createUsersImpl(Task task, DatasetConfig config, RealmModel realm)
     }
 
     private void addUserCreationTasks(RealmContext context, Task task, DatasetConfig config, ExecutorHelper executor, int startIndex, int usersCount) {
+        // Initialize password credentials if unique-credentials-count is configured
+        List<PasswordCredentialModel> credentials = initializeCredentials(config, context);
 
         for (int i = startIndex; i < (startIndex + usersCount); i += config.getUsersPerTransaction()) {
             final int usersStartIndex = i;
@@ -446,7 +450,7 @@ private void addUserCreationTasks(RealmContext context, Task task, DatasetConfig
             executor.addTaskRunningInTransaction(session -> {
                 KeycloakModelUtils.cloneContextRealmClientToSession(baseSession.getContext(), session);
 
-                createUsers(context, session, usersStartIndex, endIndex);
+                createUsers(context, session, usersStartIndex, endIndex, credentials);
 
                 task.debug(logger, "Created users in realm %s from %d to %d", context.getRealm().getName(), usersStartIndex, endIndex);
 
@@ -457,6 +461,17 @@ private void addUserCreationTasks(RealmContext context, Task task, DatasetConfig
         }
     }
 
+    private List<PasswordCredentialModel> initializeCredentials(DatasetConfig config, RealmContext context) {
+        PasswordPolicy policy = context.getRealm().getPasswordPolicy();
+        PasswordHashProvider hash = policy.getHashAlgorithm() != null ?
+              baseSession.getProvider(PasswordHashProvider.class, policy.getHashAlgorithm()) :
+              baseSession.getProvider(PasswordHashProvider.class);
+
+        return IntStream.range(0, config.getUniqueCredentialCount())
+              .boxed()
+              .map(i -> hash.encodedCredential("password-" + i, policy.getHashIterations()))
+              .toList();
+    }
 
     @GET
     @Path("/create-events")
@@ -1130,7 +1145,7 @@ private void createClients(RealmContext context, Task task, KeycloakSession sess
     }
 
     // Worker task to be triggered by single executor thread
-    private void createUsers(RealmContext context, KeycloakSession session, int startIndex, int endIndex) {
+    private void createUsers(RealmContext context, KeycloakSession session, int startIndex, int endIndex, List<PasswordCredentialModel> credentials) {
         // Refresh the realm
         RealmModel realm = session.realms().getRealm(context.getRealm().getId());
         DatasetConfig config = context.getConfig();
@@ -1147,8 +1162,13 @@ private void createUsers(RealmContext context, KeycloakSession session, int star
             user.setLastName(username + "-last");
             user.setEmail(username + String.format("@%s.com", realm.getName()));
 
-            String password = String.format("%s-password", username);
-            user.credentialManager().updateCredential(UserCredentialModel.password(password, false));
+            if (credentials.isEmpty()) {
+                String password = String.format("%s-password", username);
+                user.credentialManager().updateCredential(UserCredentialModel.password(password, false));
+            } else {
+                PasswordCredentialModel password = credentials.get(i % config.getUniqueCredentialCount());
+                user.credentialManager().createStoredCredential(password);
+            }
 
             // Assign a role to a user if any exist in the realm
             if (!context.getRealmRoles().isEmpty()) {
diff --git a/dataset/src/main/java/org/keycloak/benchmark/dataset/config/DatasetConfig.java b/dataset/src/main/java/org/keycloak/benchmark/dataset/config/DatasetConfig.java
@@ -226,6 +226,9 @@ public class DatasetConfig {
     @QueryParamIntFill(paramName = "identity-provider-mappers-count", operations = CREATE_ORGS)
     private int identityProviderMappersCount;
 
+    @QueryParamIntFill(paramName = "unique-credential-count", defaultValue = 0, operations =  CREATE_USERS)
+    private int uniqueCredentialCount;
+
     // String representation of this configuration (cached here to not be computed in runtime)
     private String toString = "DatasetConfig []";
 
@@ -432,4 +435,8 @@ public int getIdentityProvidersCount() {
     public int getIdentityProviderMappersCount() {
         return identityProviderMappersCount;
     }
+
+    public int getUniqueCredentialCount() {
+        return uniqueCredentialCount;
+    }
 }
