From 4da0d94b96e662b8dffe281d0a2de812f11cda71 Mon Sep 17 00:00:00 2001 From: Jacek Kowalski <Jacek@jacekk.info> Date: Sun, 10 May 2020 20:40:15 +0000 Subject: [PATCH] Filter potentially dangerous input in GitHub Actions workflows --- src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java | 65 +++++--------------------------- 1 files changed, 10 insertions(+), 55 deletions(-) diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java index 93f59f1..4408d7d 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java @@ -17,14 +17,11 @@ package org.keycloak.protocol.cas.mappers; -import org.keycloak.models.*; -import org.keycloak.models.utils.RoleUtils; +import org.keycloak.models.ProtocolMapperModel; import java.util.Map; import java.util.Set; -import java.util.function.Predicate; import java.util.stream.Collectors; -import java.util.stream.Stream; /** * Base class for mapping of user role mappings to an ID and Access Token claim. @@ -34,64 +31,22 @@ abstract class AbstractUserRoleMappingMapper extends AbstractCASProtocolMapper { /** - * Returns a stream with roles that come from: - * <ul> - * <li>Direct assignment of the role to the user</li> - * <li>Direct assignment of the role to any group of the user or any of its parent group</li> - * <li>Composite roles are expanded recursively, the composite role itself is also contained in the returned stream</li> - * </ul> - * @param user User to enumerate the roles for - */ - public Stream<RoleModel> getAllUserRolesStream(UserModel user) { - return Stream.concat( - user.getRoleMappings().stream(), - user.getGroups().stream() - .flatMap(this::groupAndItsParentsStream) - .flatMap(g -> g.getRoleMappings().stream())) - .flatMap(RoleUtils::expandCompositeRolesStream); - } - - /** - * Returns stream of the given group and its parents (recursively). - * @param group - * @return - */ - private Stream<GroupModel> groupAndItsParentsStream(GroupModel group) { - Stream.Builder<GroupModel> sb = Stream.builder(); - while (group != null) { - sb.add(group); - group = group.getParent(); - } - return sb.build(); - } - - /** * Retrieves all roles of the current user based on direct roles set to the user, its groups and their parent groups. * Then it recursively expands all composite roles, and restricts according to the given predicate {@code restriction}. * If the current client sessions is restricted (i.e. no client found in active user session has full scope allowed), * the final list of roles is also restricted by the client scope. Finally, the list is mapped to the token into * a claim. */ - protected void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession, - Predicate<RoleModel> restriction, String prefix) { - String rolePrefix = prefix == null ? "" : prefix; - UserModel user = userSession.getUser(); - - // get a set of all realm roles assigned to the user or its group - Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction); - - boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed()); - if (! dontLimitScope) { - Set<RoleModel> clientRoles = userSession.getClientSessions().stream() - .flatMap(cs -> cs.getClient().getScopeMappings().stream()) - .collect(Collectors.toSet()); - - clientUserRoles = clientUserRoles.filter(clientRoles::contains); + protected void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, Set<String> rolesToAdd, + String prefix) { + Set<String> realmRoleNames; + if (prefix != null && !prefix.isEmpty()) { + realmRoleNames = rolesToAdd.stream() + .map(roleName -> prefix + roleName) + .collect(Collectors.toSet()); + } else { + realmRoleNames = rolesToAdd; } - - Set<String> realmRoleNames = clientUserRoles - .map(m -> rolePrefix + m.getName()) - .collect(Collectors.toSet()); setPlainAttribute(attributes, mappingModel, realmRoleNames); } -- Gitblit v1.9.1