Commit f75caf00 authored by Matthias Piepkorn's avatar Matthias Piepkorn

adapt to changes in Keycloak 3.2 (fixes #6)

parent 8c9be26e
......@@ -13,10 +13,10 @@ services:
- docker
env:
- KEYCLOAK_VERSION=2.5.5.Final
- KEYCLOAK_VERSION=3.0.0.Final
- KEYCLOAK_VERSION=3.1.0.Final
# - KEYCLOAK_VERSION=3.2.0.Final
# - KEYCLOAK_VERSION=2.5.5.Final
# - KEYCLOAK_VERSION=3.0.0.Final
# - KEYCLOAK_VERSION=3.1.0.Final
- KEYCLOAK_VERSION=3.2.1.Final
before_install:
- docker pull jboss/keycloak:$KEYCLOAK_VERSION
......
......@@ -27,7 +27,7 @@
<description />
<properties>
<keycloak.version>2.5.1.Final</keycloak.version>
<keycloak.version>3.2.0.Final</keycloak.version>
<jboss.logging.version>3.3.0.Final</jboss.logging.version>
<jboss.logging.tools.version>2.0.1.Final</jboss.logging.tools.version>
<junit.version>4.12</junit.version>
......
......@@ -11,6 +11,8 @@ import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.cas.utils.LogoutHelper;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
......@@ -84,12 +86,12 @@ public class CASLoginProtocol implements LoginProtocol {
}
@Override
public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) {
ClientSessionModel clientSession = accessCode.getClientSession();
public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
ClientSessionCode<AuthenticatedClientSessionModel> accessCode = new ClientSessionCode<>(session, realm, clientSession);
String service = clientSession.getRedirectUri();
//TODO validate service
accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name());
accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name());
KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service);
uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + accessCode.getCode());
......@@ -100,12 +102,12 @@ public class CASLoginProtocol implements LoginProtocol {
}
@Override
public Response sendError(ClientSessionModel clientSession, Error error) {
public Response sendError(AuthenticationSessionModel authSession, Error error) {
return Response.serverError().entity(error).build();
}
@Override
public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
String logoutUrl = clientSession.getRedirectUri();
String serviceTicket = clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET);
//check if session is fully authenticated (i.e. serviceValidate has been called)
......@@ -127,7 +129,7 @@ public class CASLoginProtocol implements LoginProtocol {
}
@Override
public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
// todo oidc redirect support
throw new RuntimeException("NOT IMPLEMENTED");
}
......@@ -148,8 +150,8 @@ public class CASLoginProtocol implements LoginProtocol {
}
@Override
public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
return "true".equals(clientSession.getNote(CASLoginProtocol.RENEW_PARAM));
public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) {
return "true".equals(authSession.getClientNote(CASLoginProtocol.RENEW_PARAM));
}
@Override
......
......@@ -6,7 +6,6 @@ import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.cas.CASLoginProtocol;
......@@ -14,6 +13,7 @@ import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.GET;
import javax.ws.rs.core.MultivaluedMap;
......@@ -23,7 +23,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);
private ClientModel client;
private ClientSessionModel clientSession;
private AuthenticationSessionModel authenticationSession;
private String redirectUri;
public AuthorizationEndpoint(RealmModel realm, EventBuilder event) {
......@@ -42,30 +42,23 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
checkRealm();
checkClient(service);
createClientSession();
AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null);
if (checks.response != null) {
return checks.response;
}
authenticationSession = checks.authSession;
updateAuthenticationSession();
// So back button doesn't work
CacheControlUtil.noBackButtonCacheControlHeader();
if (renew) {
clientSession.setNote(CASLoginProtocol.RENEW_PARAM, "true");
authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true");
}
this.event.event(EventType.LOGIN);
return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
}
private void checkSsl() {
if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
event.error(Errors.SSL_REQUIRED);
throw new ErrorPageException(session, Messages.HTTPS_REQUIRED);
}
}
private void checkRealm() {
if (!realm.isEnabled()) {
event.error(Errors.REALM_DISABLED);
throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED);
}
return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
}
private void checkClient(String service) {
......@@ -96,10 +89,14 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
session.getContext().setClient(client);
}
private void createClientSession() {
clientSession = session.sessions().createClientSession(realm, client);
clientSession.setAuthMethod(CASLoginProtocol.LOGIN_PROTOCOL);
clientSession.setRedirectUri(redirectUri);
clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
private void updateAuthenticationSession() {
authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL);
authenticationSession.setRedirectUri(redirectUri);
authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
}
@Override
protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) {
return true;
}
}
......@@ -30,7 +30,7 @@ public class ServiceValidateEndpoint extends ValidateEndpoint {
protected Response successResponse() {
UserSessionModel userSession = clientSession.getUserSession();
Set<ProtocolMapperModel> mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers();
Set<ProtocolMapperModel> mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers();
KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
Map<String, Object> attributes = new HashMap<>();
for (ProtocolMapperModel mapping : mappings) {
......
......@@ -43,7 +43,7 @@ public class ValidateEndpoint {
protected RealmModel realm;
protected EventBuilder event;
protected ClientModel client;
protected ClientSessionModel clientSession;
protected AuthenticatedClientSessionModel clientSession;
public ValidateEndpoint(RealmModel realm, EventBuilder event) {
this.realm = realm;
......@@ -131,23 +131,27 @@ public class ValidateEndpoint {
String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length());
ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm);
if (parseResult.isClientSessionNotFound() || parseResult.isIllegalHash()) {
String[] parts = code.split("\\.");
if (parts.length == 2) {
event.detail(Details.CODE_ID, parts[1]);
}
String[] parts = code.split("\\.");
if (parts.length == 4) {
event.detail(Details.CODE_ID, parts[2]);
}
ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);
if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
event.error(Errors.INVALID_CODE);
if (parseResult.getClientSession() != null) {
session.sessions().removeClientSession(realm, parseResult.getClientSession());
// Attempt to use same code twice should invalidate existing clientSession
AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
if (clientSession != null) {
clientSession.setUserSession(null);
}
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
}
clientSession = parseResult.getClientSession();
event.detail(Details.CODE_ID, clientSession.getId());
if (!parseResult.getCode().isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
event.error(Errors.INVALID_CODE);
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
}
......
......@@ -80,9 +80,9 @@ abstract class AbstractUserRoleMappingMapper extends AbstractCASProtocolMapper {
// get a set of all realm roles assigned to the user or its group
Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);
boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
if (! dontLimitScope) {
Set<RoleModel> clientRoles = userSession.getClientSessions().stream()
Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
.flatMap(cs -> cs.getClient().getScopeMappings().stream())
.collect(Collectors.toSet());
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment