mirror of https://github.com/jacekkow/keycloak-protocol-cas

Jacek Kowalski
2023-11-24 8560e4a392962f6b1bdd40f444f091f6a36cdbd4
commit | author | age
74023a 1 package org.keycloak.protocol.cas.endpoints;
EH 2
fdb9f6 3 import jakarta.ws.rs.core.Context;
JK 4 import jakarta.ws.rs.core.HttpHeaders;
5 import jakarta.ws.rs.core.Response;
74023a 6 import org.jboss.logging.Logger;
EH 7 import org.jboss.resteasy.spi.HttpRequest;
8 import org.keycloak.common.ClientConnection;
b88dc3 9 import org.keycloak.events.Details;
74023a 10 import org.keycloak.events.Errors;
EH 11 import org.keycloak.events.EventBuilder;
12 import org.keycloak.models.*;
13 import org.keycloak.protocol.ProtocolMapper;
14 import org.keycloak.protocol.cas.CASLoginProtocol;
15 import org.keycloak.protocol.cas.mappers.CASAttributeMapper;
16 import org.keycloak.protocol.cas.representations.CASErrorCode;
17 import org.keycloak.protocol.cas.utils.CASValidationException;
c140ce 18 import org.keycloak.protocol.oidc.utils.OAuth2CodeParser;
74023a 19 import org.keycloak.protocol.oidc.utils.RedirectUtils;
EH 20 import org.keycloak.services.managers.AuthenticationManager;
21 import org.keycloak.services.util.DefaultClientSessionContext;
22
23 import java.util.HashMap;
24 import java.util.Map;
25 import java.util.Set;
ea9555 26 import java.util.stream.Collectors;
74023a 27
EH 28 public abstract class AbstractValidateEndpoint {
29     protected final Logger logger = Logger.getLogger(getClass());
30     protected KeycloakSession session;
31     protected RealmModel realm;
32     protected EventBuilder event;
33     protected ClientModel client;
34     protected AuthenticatedClientSessionModel clientSession;
35
ceed8f 36     public AbstractValidateEndpoint(KeycloakSession session, RealmModel realm, EventBuilder event) {
JK 37         this.session = session;
74023a 38         this.realm = realm;
EH 39         this.event = event;
40     }
41
42     protected void checkSsl() {
ceed8f 43         if (!session.getContext().getUri().getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(session.getContext().getConnection())) {
74023a 44             throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "HTTPS required", Response.Status.FORBIDDEN);
EH 45         }
46     }
47
48     protected void checkRealm() {
49         if (!realm.isEnabled()) {
50             throw new CASValidationException(CASErrorCode.INTERNAL_ERROR, "Realm not enabled", Response.Status.FORBIDDEN);
51         }
52     }
53
54     protected void checkClient(String service) {
55         if (service == null) {
56             event.error(Errors.INVALID_REQUEST);
57             throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.SERVICE_PARAM, Response.Status.BAD_REQUEST);
58         }
59
b88dc3 60         event.detail(Details.REDIRECT_URI, service);
AP 61
ea9555 62         client = realm.getClientsStream()
74023a 63                 .filter(c -> CASLoginProtocol.LOGIN_PROTOCOL.equals(c.getProtocol()))
019db5 64                 .filter(c -> RedirectUtils.verifyRedirectUri(session, service, c) != null)
74023a 65                 .findFirst().orElse(null);
EH 66         if (client == null) {
67             event.error(Errors.CLIENT_NOT_FOUND);
68             throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Client not found", Response.Status.BAD_REQUEST);
69         }
70
71         if (!client.isEnabled()) {
72             event.error(Errors.CLIENT_DISABLED);
73             throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Client disabled", Response.Status.BAD_REQUEST);
74         }
75
76         event.client(client.getClientId());
77
78         session.getContext().setClient(client);
79     }
80
81     protected void checkTicket(String ticket, boolean requireReauth) {
82         if (ticket == null) {
83             event.error(Errors.INVALID_CODE);
84             throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.TICKET_PARAM, Response.Status.BAD_REQUEST);
85         }
86         if (!ticket.startsWith(CASLoginProtocol.SERVICE_TICKET_PREFIX)) {
87             event.error(Errors.INVALID_CODE);
88             throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Malformed service ticket", Response.Status.BAD_REQUEST);
89         }
90
91         String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length());
92
c140ce 93         OAuth2CodeParser.ParseResult parseResult = OAuth2CodeParser.parseCode(session, code, realm, event);
MP 94         if (parseResult.isIllegalCode()) {
74023a 95             event.error(Errors.INVALID_CODE);
EH 96
97             // Attempt to use same code twice should invalidate existing clientSession
98             AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
99             if (clientSession != null) {
100                 clientSession.detachFromUserSession();
101             }
102
103             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
104         }
105
106         clientSession = parseResult.getClientSession();
107
c140ce 108         if (parseResult.isExpiredCode()) {
74023a 109             event.error(Errors.EXPIRED_CODE);
EH 110             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
111         }
112
113         clientSession.setNote(CASLoginProtocol.SESSION_SERVICE_TICKET, ticket);
114
115         if (requireReauth && AuthenticationManager.isSSOAuthentication(clientSession)) {
116             event.error(Errors.SESSION_EXPIRED);
117             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Interactive authentication was requested but not performed", Response.Status.BAD_REQUEST);
118         }
119
120         UserSessionModel userSession = clientSession.getUserSession();
121
122         if (userSession == null) {
123             event.error(Errors.USER_SESSION_NOT_FOUND);
124             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST);
125         }
126
127         UserModel user = userSession.getUser();
128         if (user == null) {
129             event.error(Errors.USER_NOT_FOUND);
130             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User not found", Response.Status.BAD_REQUEST);
131         }
132         if (!user.isEnabled()) {
133             event.error(Errors.USER_DISABLED);
134             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User disabled", Response.Status.BAD_REQUEST);
135         }
136
137         event.user(userSession.getUser());
138         event.session(userSession.getId());
139
140         if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
141             event.error(Errors.INVALID_CODE);
142             throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST);
143         }
144
145         if (!AuthenticationManager.isSessionValid(realm, userSession)) {
146             event.error(Errors.USER_SESSION_NOT_FOUND);
147             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Session not active", Response.Status.BAD_REQUEST);
148         }
149     }
150
151     protected Map<String, Object> getUserAttributes() {
152         UserSessionModel userSession = clientSession.getUserSession();
153         // CAS protocol does not support scopes, so pass null scopeParam
8379a3 154         ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, null, session);
74023a 155
ea9555 156         Set<ProtocolMapperModel> mappings = clientSessionCtx.getProtocolMappersStream().collect(Collectors.toSet());
74023a 157         KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
EH 158         Map<String, Object> attributes = new HashMap<>();
159         for (ProtocolMapperModel mapping : mappings) {
160             ProtocolMapper mapper = (ProtocolMapper) sessionFactory.getProviderFactory(ProtocolMapper.class, mapping.getProtocolMapper());
161             if (mapper instanceof CASAttributeMapper) {
162                 ((CASAttributeMapper) mapper).setAttribute(attributes, mapping, userSession, session, clientSessionCtx);
163             }
164         }
165         return attributes;
166     }
167 }