commit | author | age
|
74023a
|
1 |
package org.keycloak.protocol.cas.endpoints; |
EH |
2 |
|
fdb9f6
|
3 |
import jakarta.ws.rs.core.Response; |
74023a
|
4 |
import org.jboss.logging.Logger; |
b88dc3
|
5 |
import org.keycloak.events.Details; |
74023a
|
6 |
import org.keycloak.events.Errors; |
EH |
7 |
import org.keycloak.events.EventBuilder; |
5d7080
|
8 |
import org.keycloak.common.util.Time; |
74023a
|
9 |
import org.keycloak.models.*; |
EH |
10 |
import org.keycloak.protocol.ProtocolMapper; |
|
11 |
import org.keycloak.protocol.cas.CASLoginProtocol; |
|
12 |
import org.keycloak.protocol.cas.mappers.CASAttributeMapper; |
|
13 |
import org.keycloak.protocol.cas.representations.CASErrorCode; |
|
14 |
import org.keycloak.protocol.cas.utils.CASValidationException; |
5d7080
|
15 |
import org.keycloak.protocol.oidc.utils.OAuth2Code; |
74023a
|
16 |
import org.keycloak.protocol.oidc.utils.RedirectUtils; |
EH |
17 |
import org.keycloak.services.managers.AuthenticationManager; |
5d7080
|
18 |
import org.keycloak.services.managers.UserSessionCrossDCManager; |
74023a
|
19 |
import org.keycloak.services.util.DefaultClientSessionContext; |
EH |
20 |
|
|
21 |
import java.util.HashMap; |
|
22 |
import java.util.Map; |
|
23 |
import java.util.Set; |
5d7080
|
24 |
import java.util.UUID; |
ARW |
25 |
import java.util.regex.Pattern; |
ea9555
|
26 |
import java.util.stream.Collectors; |
5d7080
|
27 |
import org.apache.http.client.utils.URIBuilder; |
ARW |
28 |
import org.apache.http.client.methods.HttpGet; |
|
29 |
import org.apache.http.HttpResponse; |
|
30 |
import org.apache.http.impl.client.HttpClientBuilder; |
74023a
|
31 |
|
EH |
32 |
public abstract class AbstractValidateEndpoint { |
|
33 |
protected final Logger logger = Logger.getLogger(getClass()); |
5d7080
|
34 |
private static final Pattern DOT = Pattern.compile("\\."); |
74023a
|
35 |
protected KeycloakSession session; |
EH |
36 |
protected RealmModel realm; |
|
37 |
protected EventBuilder event; |
|
38 |
protected ClientModel client; |
|
39 |
protected AuthenticatedClientSessionModel clientSession; |
5d7080
|
40 |
protected String pgtIou; |
74023a
|
41 |
|
ceed8f
|
42 |
public AbstractValidateEndpoint(KeycloakSession session, RealmModel realm, EventBuilder event) { |
JK |
43 |
this.session = session; |
74023a
|
44 |
this.realm = realm; |
EH |
45 |
this.event = event; |
|
46 |
} |
|
47 |
|
|
48 |
protected void checkSsl() { |
ceed8f
|
49 |
if (!session.getContext().getUri().getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(session.getContext().getConnection())) { |
74023a
|
50 |
throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "HTTPS required", Response.Status.FORBIDDEN); |
EH |
51 |
} |
|
52 |
} |
|
53 |
|
|
54 |
protected void checkRealm() { |
|
55 |
if (!realm.isEnabled()) { |
|
56 |
throw new CASValidationException(CASErrorCode.INTERNAL_ERROR, "Realm not enabled", Response.Status.FORBIDDEN); |
|
57 |
} |
|
58 |
} |
|
59 |
|
|
60 |
protected void checkClient(String service) { |
|
61 |
if (service == null) { |
|
62 |
event.error(Errors.INVALID_REQUEST); |
|
63 |
throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.SERVICE_PARAM, Response.Status.BAD_REQUEST); |
|
64 |
} |
|
65 |
|
b88dc3
|
66 |
event.detail(Details.REDIRECT_URI, service); |
AP |
67 |
|
ea9555
|
68 |
client = realm.getClientsStream() |
74023a
|
69 |
.filter(c -> CASLoginProtocol.LOGIN_PROTOCOL.equals(c.getProtocol())) |
019db5
|
70 |
.filter(c -> RedirectUtils.verifyRedirectUri(session, service, c) != null) |
74023a
|
71 |
.findFirst().orElse(null); |
EH |
72 |
if (client == null) { |
|
73 |
event.error(Errors.CLIENT_NOT_FOUND); |
|
74 |
throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Client not found", Response.Status.BAD_REQUEST); |
|
75 |
} |
|
76 |
|
|
77 |
if (!client.isEnabled()) { |
|
78 |
event.error(Errors.CLIENT_DISABLED); |
|
79 |
throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Client disabled", Response.Status.BAD_REQUEST); |
|
80 |
} |
|
81 |
|
|
82 |
event.client(client.getClientId()); |
|
83 |
|
|
84 |
session.getContext().setClient(client); |
|
85 |
} |
|
86 |
|
5d7080
|
87 |
protected void checkTicket(String ticket, String prefix, boolean requireReauth) { |
74023a
|
88 |
if (ticket == null) { |
EH |
89 |
event.error(Errors.INVALID_CODE); |
|
90 |
throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.TICKET_PARAM, Response.Status.BAD_REQUEST); |
|
91 |
} |
5d7080
|
92 |
|
ARW |
93 |
if (!ticket.startsWith(prefix)) { |
74023a
|
94 |
event.error(Errors.INVALID_CODE); |
EH |
95 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Malformed service ticket", Response.Status.BAD_REQUEST); |
|
96 |
} |
|
97 |
|
508897
|
98 |
boolean isReusable = ticket.startsWith(CASLoginProtocol.PROXY_GRANTING_TICKET_PREFIX); |
74023a
|
99 |
|
5d7080
|
100 |
String[] parsed = DOT.split(ticket.substring(prefix.length()), 3); |
ARW |
101 |
if (parsed.length != 3) { |
74023a
|
102 |
event.error(Errors.INVALID_CODE); |
5d7080
|
103 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the code", Response.Status.BAD_REQUEST); |
ARW |
104 |
} |
74023a
|
105 |
|
d270da
|
106 |
String codeUUID = parsed[0]; |
5d7080
|
107 |
String userSessionId = parsed[1]; |
ARW |
108 |
String clientUUID = parsed[2]; |
|
109 |
|
|
110 |
event.detail(Details.CODE_ID, userSessionId); |
|
111 |
event.session(userSessionId); |
|
112 |
|
|
113 |
// Retrieve UserSession |
|
114 |
UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, userSessionId, clientUUID); |
|
115 |
if (userSession == null) { |
|
116 |
// Needed to track if code is invalid |
|
117 |
userSession = session.sessions().getUserSession(realm, userSessionId); |
|
118 |
if (userSession == null) { |
|
119 |
event.error(Errors.USER_SESSION_NOT_FOUND); |
|
120 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST); |
74023a
|
121 |
} |
5d7080
|
122 |
} |
74023a
|
123 |
|
5d7080
|
124 |
clientSession = userSession.getAuthenticatedClientSessionByClient(clientUUID); |
ARW |
125 |
if (clientSession == null) { |
74023a
|
126 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); |
EH |
127 |
} |
|
128 |
|
5d7080
|
129 |
SingleUseObjectProvider codeStore = session.singleUseObjects(); |
508897
|
130 |
Map<String, String> codeDataSerialized = isReusable ? codeStore.get(prefix + codeUUID) : codeStore.remove(prefix + codeUUID); |
74023a
|
131 |
|
5d7080
|
132 |
// Either code not available |
ARW |
133 |
if (codeDataSerialized == null) { |
|
134 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code already used", Response.Status.BAD_REQUEST); |
|
135 |
} |
|
136 |
|
|
137 |
OAuth2Code codeData = OAuth2Code.deserializeCode(codeDataSerialized); |
|
138 |
|
|
139 |
String persistedUserSessionId = codeData.getUserSessionId(); |
|
140 |
if (!userSessionId.equals(persistedUserSessionId)) { |
|
141 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code "+codeUUID+"' is bound to a different session", Response.Status.BAD_REQUEST); |
|
142 |
} |
|
143 |
|
|
144 |
// Finally doublecheck if code is not expired |
|
145 |
int currentTime = Time.currentTime(); |
|
146 |
if (currentTime > codeData.getExpiration()) { |
74023a
|
147 |
event.error(Errors.EXPIRED_CODE); |
EH |
148 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST); |
|
149 |
} |
|
150 |
|
5d7080
|
151 |
clientSession.setNote(prefix, ticket); |
74023a
|
152 |
|
EH |
153 |
if (requireReauth && AuthenticationManager.isSSOAuthentication(clientSession)) { |
|
154 |
event.error(Errors.SESSION_EXPIRED); |
|
155 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Interactive authentication was requested but not performed", Response.Status.BAD_REQUEST); |
|
156 |
} |
|
157 |
|
|
158 |
UserModel user = userSession.getUser(); |
|
159 |
if (user == null) { |
|
160 |
event.error(Errors.USER_NOT_FOUND); |
|
161 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User not found", Response.Status.BAD_REQUEST); |
|
162 |
} |
|
163 |
if (!user.isEnabled()) { |
|
164 |
event.error(Errors.USER_DISABLED); |
|
165 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User disabled", Response.Status.BAD_REQUEST); |
|
166 |
} |
|
167 |
|
|
168 |
event.user(userSession.getUser()); |
|
169 |
event.session(userSession.getId()); |
|
170 |
|
5d7080
|
171 |
if (client == null) { |
ARW |
172 |
client = clientSession.getClient(); |
|
173 |
} else { |
|
174 |
if (!client.getClientId().equals(clientSession.getClient().getClientId())) { |
|
175 |
event.error(Errors.INVALID_CODE); |
|
176 |
throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST); |
|
177 |
} |
74023a
|
178 |
} |
EH |
179 |
|
|
180 |
if (!AuthenticationManager.isSessionValid(realm, userSession)) { |
|
181 |
event.error(Errors.USER_SESSION_NOT_FOUND); |
|
182 |
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Session not active", Response.Status.BAD_REQUEST); |
5d7080
|
183 |
} |
ARW |
184 |
|
|
185 |
} |
|
186 |
|
|
187 |
protected void createProxyGrant(String pgtUrl) { |
|
188 |
if ( RedirectUtils.verifyRedirectUri(session, pgtUrl, client) == null ) { |
|
189 |
event.error(Errors.INVALID_REQUEST); |
|
190 |
throw new CASValidationException(CASErrorCode.INVALID_PROXY_CALLBACK, "Proxy callback is invalid", Response.Status.BAD_REQUEST); |
|
191 |
} |
|
192 |
|
|
193 |
String pgtIou = getPGTIOU(); |
|
194 |
String pgtId = getPGT(session, clientSession, pgtUrl); |
|
195 |
|
|
196 |
try { |
|
197 |
HttpResponse response = HttpClientBuilder.create().build().execute( |
|
198 |
new HttpGet(new URIBuilder(pgtUrl).setParameter("pgtIou",pgtIou).setParameter("pgtId",pgtId).build()) |
|
199 |
); |
|
200 |
|
|
201 |
if (response.getStatusLine().getStatusCode() != 200) { |
|
202 |
throw new Exception(); |
|
203 |
} |
|
204 |
|
|
205 |
this.pgtIou = pgtIou; |
|
206 |
} catch (Exception e) { |
|
207 |
event.error(Errors.INVALID_REQUEST); |
|
208 |
throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback return with error", Response.Status.BAD_REQUEST); |
74023a
|
209 |
} |
EH |
210 |
} |
|
211 |
|
|
212 |
protected Map<String, Object> getUserAttributes() { |
|
213 |
UserSessionModel userSession = clientSession.getUserSession(); |
|
214 |
// CAS protocol does not support scopes, so pass null scopeParam |
8379a3
|
215 |
ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, null, session); |
74023a
|
216 |
|
ea9555
|
217 |
Set<ProtocolMapperModel> mappings = clientSessionCtx.getProtocolMappersStream().collect(Collectors.toSet()); |
74023a
|
218 |
KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); |
EH |
219 |
Map<String, Object> attributes = new HashMap<>(); |
|
220 |
for (ProtocolMapperModel mapping : mappings) { |
|
221 |
ProtocolMapper mapper = (ProtocolMapper) sessionFactory.getProviderFactory(ProtocolMapper.class, mapping.getProtocolMapper()); |
|
222 |
if (mapper instanceof CASAttributeMapper) { |
|
223 |
((CASAttributeMapper) mapper).setAttribute(attributes, mapping, userSession, session, clientSessionCtx); |
|
224 |
} |
|
225 |
} |
|
226 |
return attributes; |
|
227 |
} |
5d7080
|
228 |
|
ARW |
229 |
protected String getPGTIOU() |
|
230 |
{ |
|
231 |
return CASLoginProtocol.PROXY_GRANTING_TICKET_IOU_PREFIX + UUID.randomUUID().toString(); |
|
232 |
} |
|
233 |
|
|
234 |
protected String getPGT(KeycloakSession session, AuthenticatedClientSessionModel clientSession, String pgtUrl) |
|
235 |
{ |
|
236 |
return persistedTicket(pgtUrl, CASLoginProtocol.PROXY_GRANTING_TICKET_PREFIX); |
|
237 |
} |
|
238 |
|
|
239 |
protected String getPT(KeycloakSession session, AuthenticatedClientSessionModel clientSession, String targetService) |
|
240 |
{ |
|
241 |
return persistedTicket(targetService, CASLoginProtocol.PROXY_TICKET_PREFIX); |
|
242 |
} |
|
243 |
|
|
244 |
protected String getST(String redirectUri) |
|
245 |
{ |
|
246 |
return persistedTicket(redirectUri, CASLoginProtocol.SERVICE_TICKET_PREFIX); |
|
247 |
} |
|
248 |
|
|
249 |
public static String getST(KeycloakSession session, AuthenticatedClientSessionModel clientSession, String redirectUri) |
|
250 |
{ |
|
251 |
ValidateEndpoint vp = new ValidateEndpoint(session,null,null); |
|
252 |
vp.clientSession = clientSession; |
|
253 |
return vp.getST(redirectUri); |
|
254 |
} |
|
255 |
|
|
256 |
protected String persistedTicket(String redirectUriParam, String prefix) |
|
257 |
{ |
|
258 |
String key = UUID.randomUUID().toString(); |
|
259 |
UserSessionModel userSession = clientSession.getUserSession(); |
|
260 |
OAuth2Code codeData = new OAuth2Code(key, Time.currentTime() + userSession.getRealm().getAccessCodeLifespan(), null, null, redirectUriParam, null, null, userSession.getId()); |
|
261 |
session.singleUseObjects().put(prefix + key, clientSession.getUserSession().getRealm().getAccessCodeLifespan(), codeData.serializeCode()); |
|
262 |
return prefix + key + "." + clientSession.getUserSession().getId() + "." + clientSession.getClient().getId(); |
|
263 |
} |
74023a
|
264 |
} |