mirror of https://github.com/jacekkow/keycloak-protocol-cas

Jacek Kowalski
2023-11-24 fcbc7c31990c50d1dde8c676a901d00421d73d08
commit | author | age
74023a 1 package org.keycloak.protocol.cas.endpoints;
EH 2
fdb9f6 3 import jakarta.ws.rs.Consumes;
JK 4 import jakarta.ws.rs.POST;
5 import jakarta.ws.rs.Produces;
6 import jakarta.ws.rs.core.MultivaluedMap;
7 import jakarta.ws.rs.core.Response;
74023a 8 import org.keycloak.dom.saml.v1.protocol.SAML11ResponseType;
EH 9 import org.keycloak.events.EventBuilder;
10 import org.keycloak.events.EventType;
11 import org.keycloak.models.RealmModel;
12 import org.keycloak.models.UserModel;
13 import org.keycloak.protocol.cas.CASLoginProtocol;
14 import org.keycloak.protocol.cas.representations.CASErrorCode;
15 import org.keycloak.protocol.cas.representations.SamlResponseHelper;
16 import org.keycloak.protocol.cas.utils.CASValidationException;
17 import org.keycloak.services.Urls;
18 import org.xml.sax.InputSource;
19
20 import javax.xml.namespace.NamespaceContext;
21 import javax.xml.xpath.XPath;
22 import javax.xml.xpath.XPathExpression;
23 import javax.xml.xpath.XPathExpressionException;
24 import javax.xml.xpath.XPathFactory;
25 import java.io.StringReader;
fdb9f6 26 import java.util.Collections;
JK 27 import java.util.Iterator;
28 import java.util.Map;
29 import java.util.Optional;
74023a 30
EH 31 import static org.keycloak.protocol.cas.CASLoginProtocol.TARGET_PARAM;
32
33 public class SamlValidateEndpoint extends AbstractValidateEndpoint {
34     public SamlValidateEndpoint(RealmModel realm, EventBuilder event) {
35         super(realm, event.event(EventType.CODE_TO_TOKEN));
36     }
37
38     @POST
39     @Consumes("text/xml;charset=utf-8")
40     @Produces("text/xml;charset=utf-8")
41     public Response validate(String input) {
4a0a62 42         MultivaluedMap<String, String> queryParams = session.getContext().getUri().getQueryParameters();
74023a 43         try {
4a0a62 44             String soapAction = Optional.ofNullable(session.getContext().getRequestHeaders().getHeaderString("SOAPAction")).map(s -> s.trim().replace("\"", "")).orElse("");
74023a 45             if (!soapAction.equals("http://www.oasis-open.org/committees/security")) {
EH 46                 throw new CASValidationException(CASErrorCode.INTERNAL_ERROR, "Not a validation request", Response.Status.BAD_REQUEST);
47             }
48
49             String service = queryParams.getFirst(TARGET_PARAM);
50             boolean renew = queryParams.containsKey(CASLoginProtocol.RENEW_PARAM);
51
52             checkRealm();
53             checkSsl();
54             checkClient(service);
4a0a62 55             String issuer = Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName());
74023a 56             String ticket = getTicket(input);
EH 57
58             checkTicket(ticket, renew);
59             UserModel user = clientSession.getUserSession().getUser();
60
61             Map<String, Object> attributes = getUserAttributes();
62
63             SAML11ResponseType response = SamlResponseHelper.successResponse(issuer, user.getUsername(), attributes);
64
65             return Response.ok(SamlResponseHelper.soap(response)).build();
66
67         } catch (CASValidationException ex) {
68             logger.warnf("Invalid SAML1.1 token %s", ex.getErrorDescription());
69
70             SAML11ResponseType response = SamlResponseHelper.errorResponse(ex);
71             return Response.ok().entity(SamlResponseHelper.soap(response)).build();
72         }
73     }
74
75     private String getTicket(String input) {
76         try {
77             XPath xPath = XPathFactory.newInstance().newXPath();
78             xPath.setNamespaceContext(new MapNamespaceContext(Collections.singletonMap("samlp", "urn:oasis:names:tc:SAML:1.0:protocol")));
79
80             XPathExpression expression = xPath.compile("//samlp:AssertionArtifact/text()");
81
82             return expression.evaluate(new InputSource(new StringReader(input)));
83         } catch (XPathExpressionException ex) {
84             throw new CASValidationException(CASErrorCode.INVALID_TICKET, ex.getMessage(), Response.Status.BAD_REQUEST);
85         }
86     }
87
88     private static class MapNamespaceContext implements NamespaceContext {
89         Map<String, String> map;
90
91         private MapNamespaceContext(Map<String, String> map) {
92             this.map = map;
93         }
94
95         @Override
96         public String getNamespaceURI(String s) {
97             return map.get(s);
98         }
99
100         @Override
101         public String getPrefix(String s) {
102             return map.entrySet().stream().filter(e -> e.getValue().equals(s)).findFirst().map(Map.Entry::getKey).orElse(null);
103         }
104
105         @Override
106         public Iterator<String> getPrefixes(String s) {
107             return map.keySet().iterator();
108         }
109     }
110 }