mirror of https://github.com/jacekkow/keycloak-protocol-cas

Matthias Piepkorn
2017-07-26 f75caf002c2014cd1dd875225417f2a5de1af9d0
adapt to changes in Keycloak 3.2 (fixes #6)
7 files modified
101 ■■■■ changed files
.travis.yml 8 ●●●● patch | view | raw | blame | history
pom.xml 2 ●●● patch | view | raw | blame | history
src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java 18 ●●●●● patch | view | raw | blame | history
src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java 45 ●●●● patch | view | raw | blame | history
src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java 2 ●●● patch | view | raw | blame | history
src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java 22 ●●●●● patch | view | raw | blame | history
src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java 4 ●●●● patch | view | raw | blame | history
.travis.yml
@@ -13,10 +13,10 @@
  - docker
env:
  - KEYCLOAK_VERSION=2.5.5.Final
  - KEYCLOAK_VERSION=3.0.0.Final
  - KEYCLOAK_VERSION=3.1.0.Final
#  - KEYCLOAK_VERSION=3.2.0.Final
#  - KEYCLOAK_VERSION=2.5.5.Final
#  - KEYCLOAK_VERSION=3.0.0.Final
#  - KEYCLOAK_VERSION=3.1.0.Final
  - KEYCLOAK_VERSION=3.2.1.Final
before_install:
  - docker pull jboss/keycloak:$KEYCLOAK_VERSION
pom.xml
@@ -27,7 +27,7 @@
    <description />
    <properties>
        <keycloak.version>2.5.1.Final</keycloak.version>
        <keycloak.version>3.2.0.Final</keycloak.version>
        <jboss.logging.version>3.3.0.Final</jboss.logging.version>
        <jboss.logging.tools.version>2.0.1.Final</jboss.logging.tools.version>
        <junit.version>4.12</junit.version>
src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
@@ -11,6 +11,8 @@
import org.keycloak.protocol.cas.utils.LogoutHelper;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
@@ -84,12 +86,12 @@
    }
    @Override
    public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) {
        ClientSessionModel clientSession = accessCode.getClientSession();
    public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        ClientSessionCode<AuthenticatedClientSessionModel> accessCode = new ClientSessionCode<>(session, realm, clientSession);
        String service = clientSession.getRedirectUri();
        //TODO validate service
        accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name());
        accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name());
        KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service);
        uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + accessCode.getCode());
@@ -100,12 +102,12 @@
    }
    @Override
    public Response sendError(ClientSessionModel clientSession, Error error) {
    public Response sendError(AuthenticationSessionModel authSession, Error error) {
        return Response.serverError().entity(error).build();
    }
    @Override
    public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
    public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        String logoutUrl = clientSession.getRedirectUri();
        String serviceTicket = clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET);
        //check if session is fully authenticated (i.e. serviceValidate has been called)
@@ -127,7 +129,7 @@
    }
    @Override
    public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
    public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
        // todo oidc redirect support
        throw new RuntimeException("NOT IMPLEMENTED");
    }
@@ -148,8 +150,8 @@
    }
    @Override
    public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
        return "true".equals(clientSession.getNote(CASLoginProtocol.RENEW_PARAM));
    public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) {
        return "true".equals(authSession.getClientNote(CASLoginProtocol.RENEW_PARAM));
    }
    @Override
src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
@@ -6,7 +6,6 @@
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.cas.CASLoginProtocol;
@@ -14,6 +13,7 @@
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.GET;
import javax.ws.rs.core.MultivaluedMap;
@@ -23,7 +23,7 @@
    private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);
    private ClientModel client;
    private ClientSessionModel clientSession;
    private AuthenticationSessionModel authenticationSession;
    private String redirectUri;
    public AuthorizationEndpoint(RealmModel realm, EventBuilder event) {
@@ -42,30 +42,23 @@
        checkRealm();
        checkClient(service);
        createClientSession();
        AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null);
        if (checks.response != null) {
            return checks.response;
        }
        authenticationSession = checks.authSession;
        updateAuthenticationSession();
        // So back button doesn't work
        CacheControlUtil.noBackButtonCacheControlHeader();
        if (renew) {
            clientSession.setNote(CASLoginProtocol.RENEW_PARAM, "true");
            authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true");
        }
        this.event.event(EventType.LOGIN);
        return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
    }
    private void checkSsl() {
        if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
            event.error(Errors.SSL_REQUIRED);
            throw new ErrorPageException(session, Messages.HTTPS_REQUIRED);
        }
    }
    private void checkRealm() {
        if (!realm.isEnabled()) {
            event.error(Errors.REALM_DISABLED);
            throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED);
        }
        return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
    }
    private void checkClient(String service) {
@@ -96,10 +89,14 @@
        session.getContext().setClient(client);
    }
    private void createClientSession() {
        clientSession = session.sessions().createClientSession(realm, client);
        clientSession.setAuthMethod(CASLoginProtocol.LOGIN_PROTOCOL);
        clientSession.setRedirectUri(redirectUri);
        clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
    private void updateAuthenticationSession() {
        authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL);
        authenticationSession.setRedirectUri(redirectUri);
        authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    }
    @Override
    protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) {
        return true;
    }
}
src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
@@ -30,7 +30,7 @@
    protected Response successResponse() {
        UserSessionModel userSession = clientSession.getUserSession();
        Set<ProtocolMapperModel> mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers();
        Set<ProtocolMapperModel> mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers();
        KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
        Map<String, Object> attributes = new HashMap<>();
        for (ProtocolMapperModel mapping : mappings) {
src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
@@ -43,7 +43,7 @@
    protected RealmModel realm;
    protected EventBuilder event;
    protected ClientModel client;
    protected ClientSessionModel clientSession;
    protected AuthenticatedClientSessionModel clientSession;
    public ValidateEndpoint(RealmModel realm, EventBuilder event) {
        this.realm = realm;
@@ -131,23 +131,27 @@
        String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length());
        ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm);
        if (parseResult.isClientSessionNotFound() || parseResult.isIllegalHash()) {
            String[] parts = code.split("\\.");
            if (parts.length == 2) {
                event.detail(Details.CODE_ID, parts[1]);
        if (parts.length == 4) {
            event.detail(Details.CODE_ID, parts[2]);
            }
        ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);
        if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
            event.error(Errors.INVALID_CODE);
            if (parseResult.getClientSession() != null) {
                session.sessions().removeClientSession(realm, parseResult.getClientSession());
            // Attempt to use same code twice should invalidate existing clientSession
            AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
            if (clientSession != null) {
                clientSession.setUserSession(null);
            }
            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
        }
        clientSession = parseResult.getClientSession();
        event.detail(Details.CODE_ID, clientSession.getId());
        if (!parseResult.getCode().isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
        if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
            event.error(Errors.INVALID_CODE);
            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
        }
src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
@@ -80,9 +80,9 @@
        // get a set of all realm roles assigned to the user or its group
        Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);
        boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
        boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
        if (! dontLimitScope) {
            Set<RoleModel> clientRoles = userSession.getClientSessions().stream()
            Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
              .flatMap(cs -> cs.getClient().getScopeMappings().stream())
              .collect(Collectors.toSet());