From 58cea4fab65777587fbd9902bc6756f9ed44f3fe Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Sat, 17 Oct 2020 10:03:08 +0000
Subject: [PATCH] Fix CAS gateway option handling
---
src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java | 8 +++
src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java | 3 +
integrationTest/suite.sh | 58 ++++++++++++++++++++--------
3 files changed, 51 insertions(+), 18 deletions(-)
diff --git a/integrationTest/suite.sh b/integrationTest/suite.sh
index 6958b45..8b1507c 100755
--- a/integrationTest/suite.sh
+++ b/integrationTest/suite.sh
@@ -1,41 +1,65 @@
#!/bin/bash
set -e
+keycloak_cas_url='http://localhost:8080/auth/realms/master/protocol/cas'
action_pattern='action="([^"]+)"'
ticket_pattern='Location: .*\?ticket=(ST-[-A-Za-z0-9_.=]+)'
get_ticket() {
- login_response=$(curl --fail --silent -c /tmp/cookies http://localhost:8080/auth/realms/master/protocol/cas/login?service=http://localhost)
- if [[ !($login_response =~ $action_pattern) ]] ; then
+ local cookie_options="-b /tmp/cookies"
+ if [ "$1" == "save_cookies" ]; then
+ cookie_options="${cookie_options} -c /tmp/cookies"
+ fi
+
+ local login_response=$(curl --fail --silent -c /tmp/cookies "${keycloak_cas_url}/login?service=http://localhost")
+ if [[ ! ($login_response =~ $action_pattern) ]] ; then
echo "Could not parse login form in response"
- echo $login_response
+ echo "${login_response}"
exit 1
fi
- login_url=${BASH_REMATCH[1]//&/&}
- redirect_response=$(curl --fail --silent -D - -b /tmp/cookies --data 'username=admin&password=admin' "$login_url")
- if [[ !($redirect_response =~ $ticket_pattern) ]] ; then
+ local login_url=${BASH_REMATCH[1]//&/&}
+ local redirect_response=$(curl --fail --silent -D - $cookie_options --data 'username=admin&password=admin' "$login_url")
+ if [[ ! ($redirect_response =~ $ticket_pattern) ]] ; then
echo "No service ticket found in response"
- echo $redirect_response
+ echo "${redirect_response}"
exit 1
fi
- ticket=${BASH_REMATCH[1]}
- echo $ticket
+ echo "${BASH_REMATCH[1]}"
}
-get_ticket
-curl --fail --silent "http://localhost:8080/auth/realms/master/protocol/cas/validate?service=http://localhost&ticket=$ticket"
+# CAS 1.0
+ticket=$(get_ticket)
+curl --fail --silent "${keycloak_cas_url}/validate?service=http://localhost&ticket=$ticket"
echo
-get_ticket
-curl --fail --silent "http://localhost:8080/auth/realms/master/protocol/cas/serviceValidate?service=http://localhost&format=XML&ticket=$ticket"
+# CAS 2.0
+ticket=$(get_ticket)
+curl --fail --silent "${keycloak_cas_url}/serviceValidate?service=http://localhost&format=XML&ticket=$ticket"
echo
-get_ticket
-curl --fail --silent "http://localhost:8080/auth/realms/master/protocol/cas/serviceValidate?service=http://localhost&format=JSON&ticket=$ticket"
+ticket=$(get_ticket)
+curl --fail --silent "${keycloak_cas_url}/serviceValidate?service=http://localhost&format=JSON&ticket=$ticket"
echo
-get_ticket
-curl --fail --silent "http://localhost:8080/auth/realms/master/protocol/cas/p3/serviceValidate?service=http://localhost&format=JSON&ticket=$ticket"
+# CAS 3.0
+ticket=$(get_ticket save_cookies)
+curl --fail --silent "${keycloak_cas_url}/p3/serviceValidate?service=http://localhost&format=JSON&ticket=$ticket"
echo
+
+# CAS, gateway option
+get_ticket save_cookies
+login_response=$(curl --fail --silent -D - -b /tmp/cookies "${keycloak_cas_url}/login?service=http://localhost&gateway=true")
+if echo "${login_response}" | grep '^Location: http://localhost\?ticket='; then
+ echo "Gateway option did not redirect back to service with ticket"
+ echo "${login_response}"
+ exit 1
+fi
+
+login_response=$(curl --fail --silent -D - "${keycloak_cas_url}/login?service=http://localhost&gateway=true")
+if echo "${login_response}" | grep '^Location: http://localhost$'; then
+ echo "Gateway option did not redirect back to service without ticket"
+ echo "${login_response}"
+ exit 1
+fi
diff --git a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
index 4557c7a..53f0a32 100644
--- a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
+++ b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
@@ -12,6 +12,7 @@
import org.keycloak.protocol.cas.utils.LogoutHelper;
import org.keycloak.protocol.oidc.utils.OAuth2Code;
import org.keycloak.protocol.oidc.utils.OAuth2CodeParser;
+import org.keycloak.services.ErrorPage;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.sessions.AuthenticationSessionModel;
@@ -111,7 +112,12 @@
@Override
public Response sendError(AuthenticationSessionModel authSession, Error error) {
- return Response.serverError().entity(error).build();
+ if (authSession.getClientNotes().containsKey(CASLoginProtocol.GATEWAY_PARAM)) {
+ if (error == Error.PASSIVE_INTERACTION_REQUIRED || error == Error.PASSIVE_LOGIN_REQUIRED) {
+ return Response.status(302).location(URI.create(authSession.getRedirectUri())).build();
+ }
+ }
+ return ErrorPage.error(session, authSession, Response.Status.INTERNAL_SERVER_ERROR, error.name());
}
@Override
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
index 2981732..1526d21 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
@@ -51,6 +51,9 @@
if (renew) {
authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true");
}
+ if (gateway) {
+ authenticationSession.setClientNote(CASLoginProtocol.GATEWAY_PARAM, "true");
+ }
this.event.event(EventType.LOGIN);
return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, session.getContext().getUri(), headers, event), gateway, false);
--
Gitblit v1.9.1