From 7124d21d6c61cd510d93a888f53802de910f4d64 Mon Sep 17 00:00:00 2001
From: Matthias Piepkorn <mpiepk@gmail.com>
Date: Sun, 29 Jan 2017 15:05:44 +0000
Subject: [PATCH] Fix handling of 'renew' parameter

---
 src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java      |    7 ++++++-
 src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java                |    6 ++----
 src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java |   10 +++++++---
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
index 10c9b5d..17e435e 100644
--- a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
+++ b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
@@ -31,15 +31,13 @@
     protected UriInfo uriInfo;
     protected HttpHeaders headers;
     protected EventBuilder event;
-    private boolean requireReauth;
 
-    public CASLoginProtocol(KeycloakSession session, RealmModel realm, UriInfo uriInfo, HttpHeaders headers, EventBuilder event, boolean requireReauth) {
+    public CASLoginProtocol(KeycloakSession session, RealmModel realm, UriInfo uriInfo, HttpHeaders headers, EventBuilder event) {
         this.session = session;
         this.realm = realm;
         this.uriInfo = uriInfo;
         this.headers = headers;
         this.event = event;
-        this.requireReauth = requireReauth;
     }
 
     public CASLoginProtocol() {
@@ -117,7 +115,7 @@
 
     @Override
     public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
-        return requireReauth;
+        return "true".equals(clientSession.getNote(CASLoginProtocol.RENEW_PARAM));
     }
 
     @Override
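Review bot: The new `requireReauthentication` body at line 118 depends on a client-session note that a different class writes, and nothing on the line says so; a one-line comment would save the next reader a search: `// "true" is written by AuthorizationEndpoint when the CAS 'renew' parameter was present on the login request`. The comparison is an exact `equals`, so the writer must keep emitting the literal `"true"`; the matching `setNote` call does today, but the coupling is worth naming on both sides. `clientSession` is dereferenced without a guard here, whereas the removed field-based implementation could not throw; if Keycloak can invoke this callback with a null client session, a `clientSession != null &&` prefix is needed, so confirm the caller's contract.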
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
index aff46db..57b0da0 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
@@ -35,8 +35,8 @@
     public Response build() {
         MultivaluedMap<String, String> params = uriInfo.getQueryParameters();
         String service = params.getFirst(CASLoginProtocol.SERVICE_PARAM);
-        boolean renew = "true".equalsIgnoreCase(params.getFirst(CASLoginProtocol.RENEW_PARAM));
-        boolean gateway = "true".equalsIgnoreCase(params.getFirst(CASLoginProtocol.GATEWAY_PARAM));
+        boolean renew = params.containsKey(CASLoginProtocol.RENEW_PARAM);
+        boolean gateway = params.containsKey(CASLoginProtocol.GATEWAY_PARAM);
 
         checkSsl();
         checkRealm();
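Review bot: Switching lines 38–39 from `"true".equalsIgnoreCase(...)` to `containsKey` changes the semantics to presence-only, so `renew=false` or an empty `renew=` now forces re-authentication and `gateway=false` now enables gateway mode; that follows the CAS protocol's "if this parameter is set" wording, but it is not obvious from the code, so a comment is warranted: `// CAS: renew and gateway are flags; presence alone enables them, whatever the value`. The same change is made in ValidateEndpoint (hunk at -56,7) and the comment belongs there too. Nothing here handles both flags being present on one request, which the CAS specification advises against; if that combination should be rejected or given a fixed precedence, this is the place to decide it rather than leaving the outcome to whichever branch runs first further down.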
@@ -46,8 +46,12 @@
         // So back button doesn't work
         CacheControlUtil.noBackButtonCacheControlHeader();
 
+        if (renew) {
+            clientSession.setNote(CASLoginProtocol.RENEW_PARAM, "true");
+        }
+
         this.event.event(EventType.LOGIN);
-        return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event, renew), gateway, false);
+        return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
     }
 
     private void checkSsl() {
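Review bot: The note at line 50 is only written when `renew` is present and never cleared, so `requireReauthentication` will read a stale `"true"` if the `clientSession` used here can ever be an existing session rather than one created for this request; the creation site is outside the hunk, so I cannot confirm which. Writing the value unconditionally removes the dependency on that detail: `clientSession.setNote(CASLoginProtocol.RENEW_PARAM, Boolean.toString(renew));` — the reader in CASLoginProtocol compares with `"true".equals`, so `"false"` correctly yields no re-authentication. The enclosing `build()` method starts in the previous hunk of this file.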
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
index 28fbd50..edfa129 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
@@ -56,7 +56,7 @@
         MultivaluedMap<String, String> params = uriInfo.getQueryParameters();
         String service = params.getFirst(CASLoginProtocol.SERVICE_PARAM);
         String ticket = params.getFirst(CASLoginProtocol.TICKET_PARAM);
-        boolean renew = "true".equalsIgnoreCase(params.getFirst(CASLoginProtocol.RENEW_PARAM));
+        boolean renew = params.containsKey(CASLoginProtocol.RENEW_PARAM);
 
         event.event(EventType.CODE_TO_TOKEN);
 
@@ -154,6 +154,11 @@
 
         parseResult.getCode().setAction(null);
 
+        if (requireReauth && AuthenticationManager.isSSOAuthentication(clientSession)) {
+            event.error(Errors.SESSION_EXPIRED);
+            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Interactive authentication was requested but not performed", Response.Status.BAD_REQUEST);
+        }
+
         UserSessionModel userSession = clientSession.getUserSession();
 
         if (userSession == null) {
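Review bot: The guard at line 157 reads `requireReauth`, while the earlier hunk in this file (-56,7) declares the query flag as `renew`; if both are in the same method this will not compile, and if line 157 sits in a helper that receives the flag as a parameter, a short comment tying the two together would help: `// requireReauth: the CAS 'renew' parameter was present on the validation request`. Rejecting an SSO-issued ticket when renew was requested is what the CAS specification requires for ticket validation, and consuming the code (`setAction(null)`, line 155) before the check keeps the ticket single-use even on rejection, which deserves a comment so nobody reorders it. `Errors.SESSION_EXPIRED` is a misleading audit signal here since no session expired; if the event builder allows it, record the actual reason as an event detail so detection rules can distinguish a renew rejection from a real expiry. The enclosing method starts and ends outside the hunk.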

--
Gitblit v1.9.1