.travis.yml | ●●●●● patch | view | raw | blame | history | |
pom.xml | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java | ●●●●● patch | view | raw | blame | history |
.travis.yml
@@ -13,10 +13,10 @@ - docker env: - KEYCLOAK_VERSION=2.5.5.Final - KEYCLOAK_VERSION=3.0.0.Final - KEYCLOAK_VERSION=3.1.0.Final # - KEYCLOAK_VERSION=3.2.0.Final # - KEYCLOAK_VERSION=2.5.5.Final # - KEYCLOAK_VERSION=3.0.0.Final # - KEYCLOAK_VERSION=3.1.0.Final - KEYCLOAK_VERSION=3.2.1.Final before_install: - docker pull jboss/keycloak:$KEYCLOAK_VERSION pom.xml
@@ -27,7 +27,7 @@ <description /> <properties> <keycloak.version>2.5.1.Final</keycloak.version> <keycloak.version>3.2.0.Final</keycloak.version> <jboss.logging.version>3.3.0.Final</jboss.logging.version> <jboss.logging.tools.version>2.0.1.Final</jboss.logging.tools.version> <junit.version>4.12</junit.version> src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
@@ -11,6 +11,8 @@ import org.keycloak.protocol.cas.utils.LogoutHelper; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ResourceAdminManager; import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.sessions.CommonClientSessionModel; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; @@ -84,12 +86,12 @@ } @Override public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { ClientSessionModel clientSession = accessCode.getClientSession(); public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { ClientSessionCode<AuthenticatedClientSessionModel> accessCode = new ClientSessionCode<>(session, realm, clientSession); String service = clientSession.getRedirectUri(); //TODO validate service accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name()); accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name()); KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service); uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + accessCode.getCode()); @@ -100,12 +102,12 @@ } @Override public Response sendError(ClientSessionModel clientSession, Error error) { public Response sendError(AuthenticationSessionModel authSession, Error error) { return Response.serverError().entity(error).build(); } @Override public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) { public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { String logoutUrl = clientSession.getRedirectUri(); String serviceTicket = clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET); //check if session is fully authenticated (i.e. serviceValidate has been called) @@ -127,7 +129,7 @@ } @Override public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) { public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { // todo oidc redirect support throw new RuntimeException("NOT IMPLEMENTED"); } @@ -148,8 +150,8 @@ } @Override public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) { return "true".equals(clientSession.getNote(CASLoginProtocol.RENEW_PARAM)); public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) { return "true".equals(authSession.getClientNote(CASLoginProtocol.RENEW_PARAM)); } @Override src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
@@ -6,7 +6,6 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.RealmModel; import org.keycloak.protocol.AuthorizationEndpointBase; import org.keycloak.protocol.cas.CASLoginProtocol; @@ -14,6 +13,7 @@ import org.keycloak.services.ErrorPageException; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.GET; import javax.ws.rs.core.MultivaluedMap; @@ -23,7 +23,7 @@ private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class); private ClientModel client; private ClientSessionModel clientSession; private AuthenticationSessionModel authenticationSession; private String redirectUri; public AuthorizationEndpoint(RealmModel realm, EventBuilder event) { @@ -42,30 +42,23 @@ checkRealm(); checkClient(service); createClientSession(); AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null); if (checks.response != null) { return checks.response; } authenticationSession = checks.authSession; updateAuthenticationSession(); // So back button doesn't work CacheControlUtil.noBackButtonCacheControlHeader(); if (renew) { clientSession.setNote(CASLoginProtocol.RENEW_PARAM, "true"); authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true"); } this.event.event(EventType.LOGIN); return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false); } private void checkSsl() { if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) { event.error(Errors.SSL_REQUIRED); throw new ErrorPageException(session, Messages.HTTPS_REQUIRED); } } private void checkRealm() { if (!realm.isEnabled()) { event.error(Errors.REALM_DISABLED); throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED); } return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false); } private void checkClient(String service) { @@ -96,10 +89,14 @@ session.getContext().setClient(client); } private void createClientSession() { clientSession = session.sessions().createClientSession(realm, client); clientSession.setAuthMethod(CASLoginProtocol.LOGIN_PROTOCOL); clientSession.setRedirectUri(redirectUri); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); private void updateAuthenticationSession() { authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL); authenticationSession.setRedirectUri(redirectUri); authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name()); } @Override protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) { return true; } } src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
@@ -30,7 +30,7 @@ protected Response successResponse() { UserSessionModel userSession = clientSession.getUserSession(); Set<ProtocolMapperModel> mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers(); Set<ProtocolMapperModel> mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers(); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); Map<String, Object> attributes = new HashMap<>(); for (ProtocolMapperModel mapping : mappings) { src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
@@ -43,7 +43,7 @@ protected RealmModel realm; protected EventBuilder event; protected ClientModel client; protected ClientSessionModel clientSession; protected AuthenticatedClientSessionModel clientSession; public ValidateEndpoint(RealmModel realm, EventBuilder event) { this.realm = realm; @@ -131,23 +131,27 @@ String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length()); ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm); if (parseResult.isClientSessionNotFound() || parseResult.isIllegalHash()) { String[] parts = code.split("\\."); if (parts.length == 2) { event.detail(Details.CODE_ID, parts[1]); if (parts.length == 4) { event.detail(Details.CODE_ID, parts[2]); } ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class); if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) { event.error(Errors.INVALID_CODE); if (parseResult.getClientSession() != null) { session.sessions().removeClientSession(realm, parseResult.getClientSession()); // Attempt to use same code twice should invalidate existing clientSession AuthenticatedClientSessionModel clientSession = parseResult.getClientSession(); if (clientSession != null) { clientSession.setUserSession(null); } throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } clientSession = parseResult.getClientSession(); event.detail(Details.CODE_ID, clientSession.getId()); if (!parseResult.getCode().isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) { if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) { event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST); } src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
@@ -80,9 +80,9 @@ // get a set of all realm roles assigned to the user or its group Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction); boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed()); boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed()); if (! dontLimitScope) { Set<RoleModel> clientRoles = userSession.getClientSessions().stream() Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream() .flatMap(cs -> cs.getClient().getScopeMappings().stream()) .collect(Collectors.toSet());