modules/keycloak-protocol-cas

github-actions

2022-07-28 8b93a7b3bc325c9ef9b0606dac64e54a4e1e6975

commit \| author \| age
7f7e0c	1	package org.keycloak.protocol.cas;
MP	2
57a6c1	3	import org.apache.http.HttpEntity;
MP	4	import org.jboss.logging.Logger;
7f7e0c	5	import org.keycloak.common.util.KeycloakUriBuilder;
c140ce	6	import org.keycloak.common.util.Time;
7f7e0c	7	import org.keycloak.events.EventBuilder;
MP	8	import org.keycloak.events.EventType;
4a6620	9	import org.keycloak.forms.login.LoginFormsProvider;
7f7e0c	10	import org.keycloak.models.*;
MP	11	import org.keycloak.protocol.LoginProtocol;
57a6c1	12	import org.keycloak.protocol.cas.utils.LogoutHelper;
c140ce	13	import org.keycloak.protocol.oidc.utils.OAuth2Code;
MP	14	import org.keycloak.protocol.oidc.utils.OAuth2CodeParser;
3882f0	15	import org.keycloak.services.ErrorPage;
7f7e0c	16	import org.keycloak.services.managers.ResourceAdminManager;
f75caf	17	import org.keycloak.sessions.AuthenticationSessionModel;
7f7e0c	18
MP	19	import javax.ws.rs.core.HttpHeaders;
	20	import javax.ws.rs.core.Response;
	21	import javax.ws.rs.core.UriInfo;
57a6c1	22	import java.io.IOException;
7f7e0c	23	import java.net.URI;
c140ce	24	import java.util.UUID;
7f7e0c	25
MP	26	public class CASLoginProtocol implements LoginProtocol {
57a6c1	27	private static final Logger logger = Logger.getLogger(CASLoginProtocol.class);
MP	28
7f7e0c	29	public static final String LOGIN_PROTOCOL = "cas";
MP	30
	31	public static final String SERVICE_PARAM = "service";
74023a	32	public static final String TARGET_PARAM = "TARGET";
7f7e0c	33	public static final String RENEW_PARAM = "renew";
MP	34	public static final String GATEWAY_PARAM = "gateway";
	35	public static final String TICKET_PARAM = "ticket";
	36	public static final String FORMAT_PARAM = "format";
	37
	38	public static final String TICKET_RESPONSE_PARAM = "ticket";
891484	39	public static final String SAMLART_RESPONSE_PARAM = "SAMLart";
7f7e0c	40
MP	41	public static final String SERVICE_TICKET_PREFIX = "ST-";
57a6c1	42	public static final String SESSION_SERVICE_TICKET = "service_ticket";
4a6620	43
MP	44	public static final String LOGOUT_REDIRECT_URI = "CAS_LOGOUT_REDIRECT_URI";
7f7e0c	45
MP	46	protected KeycloakSession session;
	47	protected RealmModel realm;
	48	protected UriInfo uriInfo;
	49	protected HttpHeaders headers;
	50	protected EventBuilder event;
	51
7124d2	52	public CASLoginProtocol(KeycloakSession session, RealmModel realm, UriInfo uriInfo, HttpHeaders headers, EventBuilder event) {
7f7e0c	53	this.session = session;
MP	54	this.realm = realm;
	55	this.uriInfo = uriInfo;
	56	this.headers = headers;
	57	this.event = event;
	58	}
	59
	60	public CASLoginProtocol() {
	61	}
	62
	63	@Override
	64	public CASLoginProtocol setSession(KeycloakSession session) {
	65	this.session = session;
	66	return this;
	67	}
	68
	69	@Override
	70	public CASLoginProtocol setRealm(RealmModel realm) {
	71	this.realm = realm;
	72	return this;
	73	}
	74
	75	@Override
	76	public CASLoginProtocol setUriInfo(UriInfo uriInfo) {
	77	this.uriInfo = uriInfo;
	78	return this;
	79	}
	80
	81	@Override
	82	public CASLoginProtocol setHttpHeaders(HttpHeaders headers) {
	83	this.headers = headers;
	84	return this;
	85	}
	86
	87	@Override
	88	public CASLoginProtocol setEventBuilder(EventBuilder event) {
	89	this.event = event;
	90	return this;
	91	}
	92
	93	@Override
c140ce	94	public Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
b8d686	95	AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
7f7e0c	96
c140ce	97	String service = authSession.getRedirectUri();
7f7e0c	98	//TODO validate service
5570d4	99
8b93a7	100	OAuth2Code codeData = new OAuth2Code(UUID.randomUUID().toString(),
c140ce	101	Time.currentTime() + userSession.getRealm().getAccessCodeLifespan(),
MP	102	null, null, authSession.getRedirectUri(), null, null);
	103	String code = OAuth2CodeParser.persistCode(session, clientSession, codeData);
	104
7f7e0c	105	KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service);
891484	106
DR	107	String loginTicket = SERVICE_TICKET_PREFIX + code;
	108
	109	if (authSession.getClientNotes().containsKey(CASLoginProtocol.TARGET_PARAM)) {
	110	// This was a SAML 1.1 auth request so return the ticket ID as "SAMLart" instead of "ticket"
	111	uriBuilder.queryParam(SAMLART_RESPONSE_PARAM, loginTicket);
	112	} else {
	113	uriBuilder.queryParam(TICKET_RESPONSE_PARAM, loginTicket);
	114	}
7f7e0c	115
MP	116	URI redirectUri = uriBuilder.build();
	117
	118	Response.ResponseBuilder location = Response.status(302).location(redirectUri);
	119	return location.build();
	120	}
	121
	122	@Override
f75caf	123	public Response sendError(AuthenticationSessionModel authSession, Error error) {
3882f0	124	if (authSession.getClientNotes().containsKey(CASLoginProtocol.GATEWAY_PARAM)) {
JK	125	if (error == Error.PASSIVE_INTERACTION_REQUIRED \|\| error == Error.PASSIVE_LOGIN_REQUIRED) {
	126	return Response.status(302).location(URI.create(authSession.getRedirectUri())).build();
	127	}
	128	}
	129	return ErrorPage.error(session, authSession, Response.Status.INTERNAL_SERVER_ERROR, error.name());
7f7e0c	130	}
MP	131
	132	@Override
0ec410	133	public Response backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
57a6c1	134	String logoutUrl = clientSession.getRedirectUri();
MP	135	String serviceTicket = clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET);
	136	//check if session is fully authenticated (i.e. serviceValidate has been called)
	137	if (serviceTicket != null && !serviceTicket.isEmpty()) {
	138	sendSingleLogoutRequest(logoutUrl, serviceTicket);
	139	}
7f7e0c	140	ClientModel client = clientSession.getClient();
019db5	141	new ResourceAdminManager(session).logoutClientSession(realm, client, clientSession);
0ec410	142	return Response.ok().build();
7f7e0c	143	}
MP	144
57a6c1	145	private void sendSingleLogoutRequest(String logoutUrl, String serviceTicket) {
MP	146	HttpEntity requestEntity = LogoutHelper.buildSingleLogoutRequest(serviceTicket);
	147	try {
	148	LogoutHelper.postWithRedirect(session, logoutUrl, requestEntity);
	149	logger.debug("Sent CAS single logout for service " + logoutUrl);
	150	} catch (IOException e) {
	151	logger.warn("Failed to call CAS service for logout: " + logoutUrl, e);
	152	}
	153	}
	154
7f7e0c	155	@Override
f75caf	156	public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
7f7e0c	157	// todo oidc redirect support
MP	158	throw new RuntimeException("NOT IMPLEMENTED");
	159	}
	160
	161	@Override
d5f868	162	public Response finishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession) {
4a6620	163	String redirectUri = userSession.getNote(CASLoginProtocol.LOGOUT_REDIRECT_URI);
MP	164
7f7e0c	165	event.event(EventType.LOGOUT);
MP	166	event.user(userSession.getUser()).session(userSession).success();
cbb2f2	167
4a6620	168	if (redirectUri != null) {
cbb2f2	169	return Response.status(302).location(URI.create(redirectUri)).build();
4a6620	170	} else {
cbb2f2	171	LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class).setSuccess("Logout successful");
4a6620	172	infoPage.setAttribute("skipLink", true);
cbb2f2	173	return infoPage.createInfoPage();
4a6620	174	}
7f7e0c	175	}
MP	176
	177	@Override
f75caf	178	public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) {
MP	179	return "true".equals(authSession.getClientNote(CASLoginProtocol.RENEW_PARAM));
7f7e0c	180	}
MP	181
	182	@Override
	183	public void close() {
	184
	185	}
	186	}