From 755fd78fa0ee0f2a67417a119382c63e02c1091e Mon Sep 17 00:00:00 2001
From: Alexandre Rocha Wendling <alexandrerw@celepar.pr.gov.br>
Date: Tue, 16 Jul 2024 14:15:23 +0000
Subject: [PATCH] Proxy ticket service and proxy ticket validation. Proxy endpoints improvements suggested by Jacek Kowalski. Add ticket type to storage key. Rename isreuse to isReusable. Remove "parsing" of "codeUUID", which is a String, not a UUID. Improve error reporting in CAS ticket validation.

---
 src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java |   58 ++++++++++++++++++----------------------------------------
 1 files changed, 18 insertions(+), 40 deletions(-)

diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
index 15ff8ac..1b236e4 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
@@ -4,9 +4,11 @@
 import org.keycloak.protocol.ProtocolMapperUtils;
 import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
 import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.utils.RoleResolveUtil;
 
 import java.util.*;
-import java.util.function.Predicate;
+import java.util.stream.Collectors;
 
 public class UserClientRoleMappingMapper extends AbstractUserRoleMappingMapper {
 
@@ -59,55 +61,31 @@
     }
 
     @Override
-    public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
+    public void setAttribute(Map<String, Object> attributes, ProtocolMapperModel mappingModel, UserSessionModel userSession,
+                             KeycloakSession session, ClientSessionContext clientSessionCtx) {
         String clientId = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID);
         String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);
 
-        setAttribute(attributes, mappingModel, userSession, getClientRoleFilter(clientId, userSession), rolePrefix);
-    }
-
-    private static Predicate<RoleModel> getClientRoleFilter(String clientId, UserSessionModel userSession) {
-        if (clientId == null) {
-            return RoleModel::isClientRole;
-        }
-
-        RealmModel clientRealm = userSession.getRealm();
-        ClientModel client = clientRealm.getClientByClientId(clientId.trim());
-
-        if (client == null) {
-            return RoleModel::isClientRole;
-        }
-
-        ClientTemplateModel template = client.getClientTemplate();
-        boolean useTemplateScope = template != null && client.useTemplateScope();
-        boolean fullScopeAllowed = (useTemplateScope && template.isFullScopeAllowed()) || client.isFullScopeAllowed();
-
-        Set<RoleModel> clientRoleMappings = client.getRoles();
-        if (fullScopeAllowed) {
-            return clientRoleMappings::contains;
-        }
-
-        Set<RoleModel> scopeMappings = new HashSet<>();
-
-        if (useTemplateScope) {
-            Set<RoleModel> templateScopeMappings = template.getScopeMappings();
-            if (templateScopeMappings != null) {
-                scopeMappings.addAll(templateScopeMappings);
+        if (clientId != null && !clientId.isEmpty()) {
+            AccessToken.Access access = RoleResolveUtil.getResolvedClientRoles(session, clientSessionCtx, clientId, false);
+            if (access == null) {
+                return;
             }
+            setAttribute(attributes, mappingModel, access.getRoles(), rolePrefix);
+        } else {
+            // If clientId is not specified, we consider all clients
+            Map<String, AccessToken.Access> allAccess = RoleResolveUtil.getAllResolvedClientRoles(session, clientSessionCtx);
+            Set<String> allRoles = allAccess.values().stream().filter(Objects::nonNull)
+                    .flatMap(access -> access.getRoles().stream())
+                    .collect(Collectors.toSet());
+            setAttribute(attributes, mappingModel, allRoles, rolePrefix);
         }
-
-        Set<RoleModel> clientScopeMappings = client.getScopeMappings();
-        if (clientScopeMappings != null) {
-            scopeMappings.addAll(clientScopeMappings);
-        }
-
-        return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role);
     }
 
     public static ProtocolMapperModel create(String clientId, String clientRolePrefix,
                                              String name, String tokenClaimName) {
         ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName,
-                "String", true, name, PROVIDER_ID);
+                "String", PROVIDER_ID);
         mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId);
         mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix);
         return mapper;
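Review bot: The new guard `clientId != null && !clientId.isEmpty()` drops the `clientId.trim()` the removed filter applied, so a configured value with surrounding whitespace (or whitespace only) now takes the single-client branch and is passed untrimmed to `RoleResolveUtil.getResolvedClientRoles`, which will most likely resolve no client and silently leave the attribute unset; use `if (clientId != null && !clientId.trim().isEmpty()) {` and pass `clientId.trim()` to the resolver. In the else branch the roles of every resolved client are flattened into one `Set<String>` before `setAttribute`, so if that overload emits bare role names the CAS attribute no longer tells an `admin` of one client from an `admin` of another — if that loss of qualification is intended, say so in the comment, e.g. `// No clientId configured: merge the role names of all resolved clients (client qualification is lost)`. The overridden `setAttribute` also has no Javadoc; a short summary describing the two branches and that a null `Access` leaves the attribute untouched would help the next maintainer.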

--
Gitblit v1.9.1