From 4da0d94b96e662b8dffe281d0a2de812f11cda71 Mon Sep 17 00:00:00 2001 From: Jacek Kowalski <Jacek@jacekk.info> Date: Sun, 10 May 2020 20:40:15 +0000 Subject: [PATCH] Filter potentially dangerous input in GitHub Actions workflows --- src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java | 58 ++++++++++++++++++---------------------------------------- 1 files changed, 18 insertions(+), 40 deletions(-) diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java index 15ff8ac..1b236e4 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java @@ -4,9 +4,11 @@ import org.keycloak.protocol.ProtocolMapperUtils; import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper; import org.keycloak.provider.ProviderConfigProperty; +import org.keycloak.representations.AccessToken; +import org.keycloak.utils.RoleResolveUtil; import java.util.*; -import java.util.function.Predicate; +import java.util.stream.Collectors; public class UserClientRoleMappingMapper extends AbstractUserRoleMappingMapper { @@ -59,55 +61,31 @@ } @Override - public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession) { + public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession, + KeycloakSession session, ClientSessionContext clientSessionCtx) { String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID); String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX); - setAttribute(attributes, mappingModel, userSession, getClientRoleFilter(clientId, userSession), rolePrefix); - } - - private static Predicate<RoleModel> getClientRoleFilter(String clientId, UserSessionModel userSession) { - if (clientId == null) { - return RoleModel::isClientRole; - } - - RealmModel clientRealm = userSession.getRealm(); - ClientModel client = clientRealm.getClientByClientId(clientId.trim()); - - if (client == null) { - return RoleModel::isClientRole; - } - - ClientTemplateModel template = client.getClientTemplate(); - boolean useTemplateScope = template != null && client.useTemplateScope(); - boolean fullScopeAllowed = (useTemplateScope && template.isFullScopeAllowed()) || client.isFullScopeAllowed(); - - Set<RoleModel> clientRoleMappings = client.getRoles(); - if (fullScopeAllowed) { - return clientRoleMappings::contains; - } - - Set<RoleModel> scopeMappings = new HashSet<>(); - - if (useTemplateScope) { - Set<RoleModel> templateScopeMappings = template.getScopeMappings(); - if (templateScopeMappings != null) { - scopeMappings.addAll(templateScopeMappings); + if (clientId != null && !clientId.isEmpty()) { + AccessToken.Access access = RoleResolveUtil.getResolvedClientRoles(session, clientSessionCtx, clientId, false); + if (access == null) { + return; } + setAttribute(attributes, mappingModel, access.getRoles(), rolePrefix); + } else { + // If clientId is not specified, we consider all clients + Map<String, AccessToken.Access> allAccess = RoleResolveUtil.getAllResolvedClientRoles(session, clientSessionCtx); + Set<String> allRoles = allAccess.values().stream().filter(Objects::nonNull) + .flatMap(access -> access.getRoles().stream()) + .collect(Collectors.toSet()); + setAttribute(attributes, mappingModel, allRoles, rolePrefix); } - - Set<RoleModel> clientScopeMappings = client.getScopeMappings(); - if (clientScopeMappings != null) { - scopeMappings.addAll(clientScopeMappings); - } - - return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role); } public static ProtocolMapperModel create(String clientId, String clientRolePrefix, String name, String tokenClaimName) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, - "String", true, name, PROVIDER_ID); + "String", PROVIDER_ID); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix); return mapper; -- Gitblit v1.9.1