modules/keycloak-protocol-cas

parent: 8c9be26e | patch | commit | ignore whitespace

adapt to changes in Keycloak 3.2 (fixes #6)

Matthias Piepkorn

2017-07-26 f75caf002c2014cd1dd875225417f2a5de1af9d0

adapt to changes in Keycloak 3.2 (fixes #6)

7 files modified

	.travis.yml	8 ●●●●● patch \| view \| raw \| blame \| history
	pom.xml	2 ●●●●● patch \| view \| raw \| blame \| history
	src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java	18 ●●●●● patch \| view \| raw \| blame \| history
	src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java	45 ●●●●● patch \| view \| raw \| blame \| history
	src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java	2 ●●●●● patch \| view \| raw \| blame \| history
	src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java	26 ●●●●● patch \| view \| raw \| blame \| history
	src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java	4 ●●●●● patch \| view \| raw \| blame \| history

 .travis.yml

@@ -13,10 +13,10 @@
  - docker

env:
  - KEYCLOAK_VERSION=2.5.5.Final
  - KEYCLOAK_VERSION=3.0.0.Final
  - KEYCLOAK_VERSION=3.1.0.Final
#  - KEYCLOAK_VERSION=3.2.0.Final
#  - KEYCLOAK_VERSION=2.5.5.Final
#  - KEYCLOAK_VERSION=3.0.0.Final
#  - KEYCLOAK_VERSION=3.1.0.Final
  - KEYCLOAK_VERSION=3.2.1.Final

before_install:
  - docker pull jboss/keycloak:$KEYCLOAK_VERSION

 pom.xml

@@ -27,7 +27,7 @@
    <description />

    <properties>
        <keycloak.version>2.5.1.Final</keycloak.version>
        <keycloak.version>3.2.0.Final</keycloak.version>
        <jboss.logging.version>3.3.0.Final</jboss.logging.version>
        <jboss.logging.tools.version>2.0.1.Final</jboss.logging.tools.version>
        <junit.version>4.12</junit.version>

 src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java

@@ -11,6 +11,8 @@
import org.keycloak.protocol.cas.utils.LogoutHelper;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;

import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
@@ -84,12 +86,12 @@
    }

    @Override
    public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) {
        ClientSessionModel clientSession = accessCode.getClientSession();
    public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        ClientSessionCode<AuthenticatedClientSessionModel> accessCode = new ClientSessionCode<>(session, realm, clientSession);

        String service = clientSession.getRedirectUri();
        //TODO validate service
        accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name());
        accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name());
        KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service);
        uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + accessCode.getCode());

@@ -100,12 +102,12 @@
    }

    @Override
    public Response sendError(ClientSessionModel clientSession, Error error) {
    public Response sendError(AuthenticationSessionModel authSession, Error error) {
        return Response.serverError().entity(error).build();
    }

    @Override
    public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
    public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        String logoutUrl = clientSession.getRedirectUri();
        String serviceTicket = clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET);
        //check if session is fully authenticated (i.e. serviceValidate has been called)
@@ -127,7 +129,7 @@
    }

    @Override
    public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
    public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        // todo oidc redirect support
        throw new RuntimeException("NOT IMPLEMENTED");
    }
@@ -148,8 +150,8 @@
    }

    @Override
    public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
        return "true".equals(clientSession.getNote(CASLoginProtocol.RENEW_PARAM));
    public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) {
        return "true".equals(authSession.getClientNote(CASLoginProtocol.RENEW_PARAM));
    }

    @Override

 src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java

@@ -6,7 +6,6 @@
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.cas.CASLoginProtocol;
@@ -14,6 +13,7 @@
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;

import javax.ws.rs.GET;
import javax.ws.rs.core.MultivaluedMap;
@@ -23,7 +23,7 @@
    private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);

    private ClientModel client;
    private ClientSessionModel clientSession;
    private AuthenticationSessionModel authenticationSession;
    private String redirectUri;

    public AuthorizationEndpoint(RealmModel realm, EventBuilder event) {
@@ -42,30 +42,23 @@
        checkRealm();
        checkClient(service);

        createClientSession();
        AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null);
        if (checks.response != null) {
            return checks.response;
        }

        authenticationSession = checks.authSession;
        updateAuthenticationSession();

        // So back button doesn't work
        CacheControlUtil.noBackButtonCacheControlHeader();

        if (renew) {
            clientSession.setNote(CASLoginProtocol.RENEW_PARAM, "true");
            authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true");
        }

        this.event.event(EventType.LOGIN);
        return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
    }

    private void checkSsl() {
        if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
            event.error(Errors.SSL_REQUIRED);
            throw new ErrorPageException(session, Messages.HTTPS_REQUIRED);
        }
    }

    private void checkRealm() {
        if (!realm.isEnabled()) {
            event.error(Errors.REALM_DISABLED);
            throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED);
        }
        return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
    }

    private void checkClient(String service) {
@@ -96,10 +89,14 @@
        session.getContext().setClient(client);
    }

    private void createClientSession() {
        clientSession = session.sessions().createClientSession(realm, client);
        clientSession.setAuthMethod(CASLoginProtocol.LOGIN_PROTOCOL);
        clientSession.setRedirectUri(redirectUri);
        clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
    private void updateAuthenticationSession() {
        authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL);
        authenticationSession.setRedirectUri(redirectUri);
        authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    }

    @Override
    protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) {
        return true;
    }
}

 src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java

@@ -30,7 +30,7 @@
    protected Response successResponse() {
        UserSessionModel userSession = clientSession.getUserSession();

        Set<ProtocolMapperModel> mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers();
        Set<ProtocolMapperModel> mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers();
        KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
        Map<String, Object> attributes = new HashMap<>();
        for (ProtocolMapperModel mapping : mappings) {

 src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java

@@ -43,7 +43,7 @@
    protected RealmModel realm;
    protected EventBuilder event;
    protected ClientModel client;
    protected ClientSessionModel clientSession;
    protected AuthenticatedClientSessionModel clientSession;

    public ValidateEndpoint(RealmModel realm, EventBuilder event) {
        this.realm = realm;
@@ -131,23 +131,27 @@

        String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length());

        ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm);
        if (parseResult.isClientSessionNotFound() || parseResult.isIllegalHash()) {
            String[] parts = code.split("\\.");
            if (parts.length == 2) {
                event.detail(Details.CODE_ID, parts[1]);
            }
        String[] parts = code.split("\\.");
        if (parts.length == 4) {
            event.detail(Details.CODE_ID, parts[2]);
        }

        ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);
        if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
            event.error(Errors.INVALID_CODE);
            if (parseResult.getClientSession() != null) {
                session.sessions().removeClientSession(realm, parseResult.getClientSession());

            // Attempt to use same code twice should invalidate existing clientSession
            AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
            if (clientSession != null) {
                clientSession.setUserSession(null);
            }

            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
        }

        clientSession = parseResult.getClientSession();
        event.detail(Details.CODE_ID, clientSession.getId());

        if (!parseResult.getCode().isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
        if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
            event.error(Errors.INVALID_CODE);
            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
        }

 src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java

@@ -80,9 +80,9 @@
        // get a set of all realm roles assigned to the user or its group
        Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);

        boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
        boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
        if (! dontLimitScope) {
            Set<RoleModel> clientRoles = userSession.getClientSessions().stream()
            Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
              .flatMap(cs -> cs.getClient().getScopeMappings().stream())
              .collect(Collectors.toSet());

			@@ -13,10 +13,10 @@
			- docker

			env:
			- KEYCLOAK_VERSION=2.5.5.Final
			- KEYCLOAK_VERSION=3.0.0.Final
			- KEYCLOAK_VERSION=3.1.0.Final
			# - KEYCLOAK_VERSION=3.2.0.Final
			# - KEYCLOAK_VERSION=2.5.5.Final
			# - KEYCLOAK_VERSION=3.0.0.Final
			# - KEYCLOAK_VERSION=3.1.0.Final
			- KEYCLOAK_VERSION=3.2.1.Final

			before_install:
			- docker pull jboss/keycloak:$KEYCLOAK_VERSION

			@@ -27,7 +27,7 @@
			<description />

			<properties>
			<keycloak.version>2.5.1.Final</keycloak.version>
			<keycloak.version>3.2.0.Final</keycloak.version>
			<jboss.logging.version>3.3.0.Final</jboss.logging.version>
			<jboss.logging.tools.version>2.0.1.Final</jboss.logging.tools.version>
			<junit.version>4.12</junit.version>

			@@ -11,6 +11,8 @@
			import org.keycloak.protocol.cas.utils.LogoutHelper;
			import org.keycloak.services.managers.ClientSessionCode;
			import org.keycloak.services.managers.ResourceAdminManager;
			import org.keycloak.sessions.AuthenticationSessionModel;
			import org.keycloak.sessions.CommonClientSessionModel;

			import javax.ws.rs.core.HttpHeaders;
			import javax.ws.rs.core.Response;
			@@ -84,12 +86,12 @@
			}

			@Override
			public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) {
			ClientSessionModel clientSession = accessCode.getClientSession();
			public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
			ClientSessionCode<AuthenticatedClientSessionModel> accessCode = new ClientSessionCode<>(session, realm, clientSession);

			String service = clientSession.getRedirectUri();
			//TODO validate service
			accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name());
			accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name());
			KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service);
			uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + accessCode.getCode());

			@@ -100,12 +102,12 @@
			}

			@Override
			public Response sendError(ClientSessionModel clientSession, Error error) {
			public Response sendError(AuthenticationSessionModel authSession, Error error) {
			return Response.serverError().entity(error).build();
			}

			@Override
			public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
			public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
			String logoutUrl = clientSession.getRedirectUri();
			String serviceTicket = clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET);
			//check if session is fully authenticated (i.e. serviceValidate has been called)
			@@ -127,7 +129,7 @@
			}

			@Override
			public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
			public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
			// todo oidc redirect support
			throw new RuntimeException("NOT IMPLEMENTED");
			}
			@@ -148,8 +150,8 @@
			}

			@Override
			public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
			return "true".equals(clientSession.getNote(CASLoginProtocol.RENEW_PARAM));
			public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) {
			return "true".equals(authSession.getClientNote(CASLoginProtocol.RENEW_PARAM));
			}

			@Override

			@@ -6,7 +6,6 @@
			import org.keycloak.events.EventBuilder;
			import org.keycloak.events.EventType;
			import org.keycloak.models.ClientModel;
			import org.keycloak.models.ClientSessionModel;
			import org.keycloak.models.RealmModel;
			import org.keycloak.protocol.AuthorizationEndpointBase;
			import org.keycloak.protocol.cas.CASLoginProtocol;
			@@ -14,6 +13,7 @@
			import org.keycloak.services.ErrorPageException;
			import org.keycloak.services.messages.Messages;
			import org.keycloak.services.util.CacheControlUtil;
			import org.keycloak.sessions.AuthenticationSessionModel;

			import javax.ws.rs.GET;
			import javax.ws.rs.core.MultivaluedMap;
			@@ -23,7 +23,7 @@
			private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);

			private ClientModel client;
			private ClientSessionModel clientSession;
			private AuthenticationSessionModel authenticationSession;
			private String redirectUri;

			public AuthorizationEndpoint(RealmModel realm, EventBuilder event) {
			@@ -42,30 +42,23 @@
			checkRealm();
			checkClient(service);

			createClientSession();
			AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null);
			if (checks.response != null) {
			return checks.response;
			}

			authenticationSession = checks.authSession;
			updateAuthenticationSession();

			// So back button doesn't work
			CacheControlUtil.noBackButtonCacheControlHeader();

			if (renew) {
			clientSession.setNote(CASLoginProtocol.RENEW_PARAM, "true");
			authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true");
			}

			this.event.event(EventType.LOGIN);
			return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
			}

			private void checkSsl() {
			if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
			event.error(Errors.SSL_REQUIRED);
			throw new ErrorPageException(session, Messages.HTTPS_REQUIRED);
			}
			}

			private void checkRealm() {
			if (!realm.isEnabled()) {
			event.error(Errors.REALM_DISABLED);
			throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED);
			}
			return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
			}

			private void checkClient(String service) {
			@@ -96,10 +89,14 @@
			session.getContext().setClient(client);
			}

			private void createClientSession() {
			clientSession = session.sessions().createClientSession(realm, client);
			clientSession.setAuthMethod(CASLoginProtocol.LOGIN_PROTOCOL);
			clientSession.setRedirectUri(redirectUri);
			clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
			private void updateAuthenticationSession() {
			authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL);
			authenticationSession.setRedirectUri(redirectUri);
			authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
			}

			@Override
			protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) {
			return true;
			}
			}

			@@ -30,7 +30,7 @@
			protected Response successResponse() {
			UserSessionModel userSession = clientSession.getUserSession();

			Set<ProtocolMapperModel> mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers();
			Set<ProtocolMapperModel> mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers();
			KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
			Map<String, Object> attributes = new HashMap<>();
			for (ProtocolMapperModel mapping : mappings) {

			@@ -43,7 +43,7 @@
			protected RealmModel realm;
			protected EventBuilder event;
			protected ClientModel client;
			protected ClientSessionModel clientSession;
			protected AuthenticatedClientSessionModel clientSession;

			public ValidateEndpoint(RealmModel realm, EventBuilder event) {
			this.realm = realm;
			@@ -131,23 +131,27 @@

			String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length());

			ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm);
			if (parseResult.isClientSessionNotFound() \|\| parseResult.isIllegalHash()) {
			String[] parts = code.split("\\.");
			if (parts.length == 2) {
			event.detail(Details.CODE_ID, parts[1]);
			}
			String[] parts = code.split("\\.");
			if (parts.length == 4) {
			event.detail(Details.CODE_ID, parts[2]);
			}

			ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);
			if (parseResult.isAuthSessionNotFound() \|\| parseResult.isIllegalHash()) {
			event.error(Errors.INVALID_CODE);
			if (parseResult.getClientSession() != null) {
			session.sessions().removeClientSession(realm, parseResult.getClientSession());

			// Attempt to use same code twice should invalidate existing clientSession
			AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
			if (clientSession != null) {
			clientSession.setUserSession(null);
			}

			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
			}

			clientSession = parseResult.getClientSession();
			event.detail(Details.CODE_ID, clientSession.getId());

			if (!parseResult.getCode().isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
			if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
			event.error(Errors.INVALID_CODE);
			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
			}

			@@ -80,9 +80,9 @@
			// get a set of all realm roles assigned to the user or its group
			Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);

			boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
			boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
			if (! dontLimitScope) {
			Set<RoleModel> clientRoles = userSession.getClientSessions().stream()
			Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
			.flatMap(cs -> cs.getClient().getScopeMappings().stream())
			.collect(Collectors.toSet());