From 755fd78fa0ee0f2a67417a119382c63e02c1091e Mon Sep 17 00:00:00 2001
From: Alexandre Rocha Wendling <alexandrerw@celepar.pr.gov.br>
Date: Tue, 16 Jul 2024 14:15:23 +0000
Subject: [PATCH] Proxy ticket service and proxy ticket validation Proxy endpoints improvements suggested by Jacek Kowalski Add ticket type to storage key Rename isreuse to isReusable Remove "parsing" of "codeUUID" that is String, not UUID Improve error reporting in CAS ticket validation

---
 src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java |  169 +++++---------------------------------------------------
 1 files changed, 16 insertions(+), 153 deletions(-)

diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
index 6145334..a3c14a4 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
@@ -1,60 +1,32 @@
 package org.keycloak.protocol.cas.endpoints;
 
-import org.jboss.logging.Logger;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
 import org.jboss.resteasy.annotations.cache.NoCache;
-import org.jboss.resteasy.spi.HttpRequest;
-import org.keycloak.common.ClientConnection;
-import org.keycloak.events.Details;
-import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.events.EventType;
-import org.keycloak.models.*;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.cas.CASLoginProtocol;
-import org.keycloak.protocol.cas.representations.CASErrorCode;
 import org.keycloak.protocol.cas.utils.CASValidationException;
-import org.keycloak.protocol.oidc.utils.RedirectUtils;
-import org.keycloak.services.managers.AuthenticationManager;
-import org.keycloak.services.managers.ClientSessionCode;
 
-import javax.ws.rs.GET;
-import javax.ws.rs.core.*;
-
-public class ValidateEndpoint {
-    protected static final Logger logger = Logger.getLogger(ValidateEndpoint.class);
+public class ValidateEndpoint extends AbstractValidateEndpoint {
 
     private static final String RESPONSE_OK = "yes\n";
     private static final String RESPONSE_FAILED = "no\n";
 
-    @Context
-    protected KeycloakSession session;
-
-    @Context
-    protected ClientConnection clientConnection;
-
-    @Context
-    protected HttpRequest request;
-
-    @Context
-    protected HttpHeaders headers;
-
-    @Context
-    protected UriInfo uriInfo;
-
-    protected RealmModel realm;
-    protected EventBuilder event;
-    protected ClientModel client;
-    protected AuthenticatedClientSessionModel clientSession;
-
-    public ValidateEndpoint(RealmModel realm, EventBuilder event) {
-        this.realm = realm;
-        this.event = event;
+    public ValidateEndpoint(KeycloakSession session, RealmModel realm, EventBuilder event) {
+        super(session, realm, event);
     }
 
     @GET
     @NoCache
     public Response build() {
-        MultivaluedMap<String, String> params = uriInfo.getQueryParameters();
+        MultivaluedMap<String, String> params = session.getContext().getUri().getQueryParameters();
         String service = params.getFirst(CASLoginProtocol.SERVICE_PARAM);
+        String pgtUrl = params.getFirst(CASLoginProtocol.PGTURL_PARAM);
         String ticket = params.getFirst(CASLoginProtocol.TICKET_PARAM);
         boolean renew = params.containsKey(CASLoginProtocol.RENEW_PARAM);
 
@@ -65,7 +37,9 @@
             checkRealm();
             checkClient(service);
 
-            checkTicket(ticket, renew);
+            checkTicket(ticket, CASLoginProtocol.SERVICE_TICKET_PREFIX, renew);
+
+            if (pgtUrl != null) createProxyGrant(pgtUrl);
 
             event.success();
             return successResponse();
@@ -75,123 +49,12 @@
     }
 
     protected Response successResponse() {
-        return Response.ok(RESPONSE_OK).type(MediaType.TEXT_PLAIN).build();
+        String response = RESPONSE_OK + clientSession.getUserSession().getUser().getUsername() + "\n";
+        return Response.ok(response).type(MediaType.TEXT_PLAIN).build();
     }
 
     protected Response errorResponse(CASValidationException e) {
         return Response.status(e.getStatus()).entity(RESPONSE_FAILED).type(MediaType.TEXT_PLAIN).build();
     }
 
-    private void checkSsl() {
-        if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
-            throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "HTTPS required", Response.Status.FORBIDDEN);
-        }
-    }
-
-    private void checkRealm() {
-        if (!realm.isEnabled()) {
-            throw new CASValidationException(CASErrorCode.INTERNAL_ERROR, "Realm not enabled", Response.Status.FORBIDDEN);
-        }
-    }
-
-    private void checkClient(String service) {
-        if (service == null) {
-            event.error(Errors.INVALID_REQUEST);
-            throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.SERVICE_PARAM, Response.Status.BAD_REQUEST);
-        }
-
-        client = realm.getClients().stream()
-                .filter(c -> CASLoginProtocol.LOGIN_PROTOCOL.equals(c.getProtocol()))
-                .filter(c -> RedirectUtils.verifyRedirectUri(uriInfo, service, realm, c) != null)
-                .findFirst().orElse(null);
-        if (client == null) {
-            event.error(Errors.CLIENT_NOT_FOUND);
-            throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Client not found", Response.Status.BAD_REQUEST);
-        }
-
-        if (!client.isEnabled()) {
-            event.error(Errors.CLIENT_DISABLED);
-            throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Client disabled", Response.Status.BAD_REQUEST);
-        }
-
-        event.client(client.getClientId());
-
-        session.getContext().setClient(client);
-    }
-
-    private void checkTicket(String ticket, boolean requireReauth) {
-        if (ticket == null) {
-            event.error(Errors.INVALID_CODE);
-            throw new CASValidationException(CASErrorCode.INVALID_REQUEST, "Missing parameter: " + CASLoginProtocol.TICKET_PARAM, Response.Status.BAD_REQUEST);
-        }
-        if (!ticket.startsWith(CASLoginProtocol.SERVICE_TICKET_PREFIX)) {
-            event.error(Errors.INVALID_CODE);
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Malformed service ticket", Response.Status.BAD_REQUEST);
-        }
-
-        String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length());
-
-        String[] parts = code.split("\\.");
-        if (parts.length == 4) {
-            event.detail(Details.CODE_ID, parts[2]);
-        }
-
-        ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, null, session, realm, client, event, AuthenticatedClientSessionModel.class);
-        if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
-            event.error(Errors.INVALID_CODE);
-
-            // Attempt to use same code twice should invalidate existing clientSession
-            AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
-            if (clientSession != null) {
-                clientSession.detachFromUserSession();
-            }
-
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
-        }
-
-        clientSession = parseResult.getClientSession();
-
-        if (parseResult.isExpiredToken()) {
-            event.error(Errors.EXPIRED_CODE);
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
-        }
-
-        clientSession.setNote(CASLoginProtocol.SESSION_SERVICE_TICKET, ticket);
-
-        if (requireReauth && AuthenticationManager.isSSOAuthentication(clientSession)) {
-            event.error(Errors.SESSION_EXPIRED);
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Interactive authentication was requested but not performed", Response.Status.BAD_REQUEST);
-        }
-
-        UserSessionModel userSession = clientSession.getUserSession();
-
-        if (userSession == null) {
-            event.error(Errors.USER_SESSION_NOT_FOUND);
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST);
-        }
-
-        UserModel user = userSession.getUser();
-        if (user == null) {
-            event.error(Errors.USER_NOT_FOUND);
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User not found", Response.Status.BAD_REQUEST);
-        }
-        if (!user.isEnabled()) {
-            event.error(Errors.USER_DISABLED);
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User disabled", Response.Status.BAD_REQUEST);
-        }
-
-        event.user(userSession.getUser());
-        event.session(userSession.getId());
-
-        if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
-            event.error(Errors.INVALID_CODE);
-            throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST);
-        }
-
-        if (!AuthenticationManager.isSessionValid(realm, userSession)) {
-            event.error(Errors.USER_SESSION_NOT_FOUND);
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Session not active", Response.Status.BAD_REQUEST);
-        }
-
-    }
 }

--
Gitblit v1.9.1