From f75caf002c2014cd1dd875225417f2a5de1af9d0 Mon Sep 17 00:00:00 2001
From: Matthias Piepkorn <mpiepk@gmail.com>
Date: Wed, 26 Jul 2017 17:54:25 +0000
Subject: [PATCH] adapt to changes in Keycloak 3.2 (fixes #6)
---
.travis.yml | 8 ++--
src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java | 2
src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java | 4 +-
src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java | 26 +++++++-----
src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java | 18 +++++----
pom.xml | 2
src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java | 45 ++++++++++------------
7 files changed, 54 insertions(+), 51 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 02ef05d..4773688 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,10 +13,10 @@
- docker
env:
- - KEYCLOAK_VERSION=2.5.5.Final
- - KEYCLOAK_VERSION=3.0.0.Final
- - KEYCLOAK_VERSION=3.1.0.Final
-# - KEYCLOAK_VERSION=3.2.0.Final
+# - KEYCLOAK_VERSION=2.5.5.Final
+# - KEYCLOAK_VERSION=3.0.0.Final
+# - KEYCLOAK_VERSION=3.1.0.Final
+ - KEYCLOAK_VERSION=3.2.1.Final
before_install:
- docker pull jboss/keycloak:$KEYCLOAK_VERSION
diff --git a/pom.xml b/pom.xml
index 840f7db..97a7492 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
<description />
<properties>
- <keycloak.version>2.5.1.Final</keycloak.version>
+ <keycloak.version>3.2.0.Final</keycloak.version>
<jboss.logging.version>3.3.0.Final</jboss.logging.version>
<jboss.logging.tools.version>2.0.1.Final</jboss.logging.tools.version>
<junit.version>4.12</junit.version>
diff --git a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
index 7d82a9a..cbcf1d0 100644
--- a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
+++ b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
@@ -11,6 +11,8 @@
import org.keycloak.protocol.cas.utils.LogoutHelper;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager;
+import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.sessions.CommonClientSessionModel;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
@@ -84,12 +86,12 @@
}
@Override
- public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) {
- ClientSessionModel clientSession = accessCode.getClientSession();
+ public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
+ ClientSessionCode<AuthenticatedClientSessionModel> accessCode = new ClientSessionCode<>(session, realm, clientSession);
String service = clientSession.getRedirectUri();
//TODO validate service
- accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name());
+ accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name());
KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service);
uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + accessCode.getCode());
@@ -100,12 +102,12 @@
}
@Override
- public Response sendError(ClientSessionModel clientSession, Error error) {
+ public Response sendError(AuthenticationSessionModel authSession, Error error) {
return Response.serverError().entity(error).build();
}
@Override
- public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
+ public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
String logoutUrl = clientSession.getRedirectUri();
String serviceTicket = clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET);
//check if session is fully authenticated (i.e. serviceValidate has been called)
@@ -127,7 +129,7 @@
}
@Override
- public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
+ public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
// todo oidc redirect support
throw new RuntimeException("NOT IMPLEMENTED");
}
@@ -148,8 +150,8 @@
}
@Override
- public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
- return "true".equals(clientSession.getNote(CASLoginProtocol.RENEW_PARAM));
+ public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) {
+ return "true".equals(authSession.getClientNote(CASLoginProtocol.RENEW_PARAM));
}
@Override
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
index 57b0da0..339051f 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java
@@ -6,7 +6,6 @@
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
-import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.cas.CASLoginProtocol;
@@ -14,6 +13,7 @@
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CacheControlUtil;
+import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.GET;
import javax.ws.rs.core.MultivaluedMap;
@@ -23,7 +23,7 @@
private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);
private ClientModel client;
- private ClientSessionModel clientSession;
+ private AuthenticationSessionModel authenticationSession;
private String redirectUri;
public AuthorizationEndpoint(RealmModel realm, EventBuilder event) {
@@ -42,30 +42,23 @@
checkRealm();
checkClient(service);
- createClientSession();
+ AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null);
+ if (checks.response != null) {
+ return checks.response;
+ }
+
+ authenticationSession = checks.authSession;
+ updateAuthenticationSession();
+
// So back button doesn't work
CacheControlUtil.noBackButtonCacheControlHeader();
if (renew) {
- clientSession.setNote(CASLoginProtocol.RENEW_PARAM, "true");
+ authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true");
}
this.event.event(EventType.LOGIN);
- return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
- }
-
- private void checkSsl() {
- if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
- event.error(Errors.SSL_REQUIRED);
- throw new ErrorPageException(session, Messages.HTTPS_REQUIRED);
- }
- }
-
- private void checkRealm() {
- if (!realm.isEnabled()) {
- event.error(Errors.REALM_DISABLED);
- throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED);
- }
+ return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
}
private void checkClient(String service) {
@@ -96,10 +89,14 @@
session.getContext().setClient(client);
}
- private void createClientSession() {
- clientSession = session.sessions().createClientSession(realm, client);
- clientSession.setAuthMethod(CASLoginProtocol.LOGIN_PROTOCOL);
- clientSession.setRedirectUri(redirectUri);
- clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
+ private void updateAuthenticationSession() {
+ authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL);
+ authenticationSession.setRedirectUri(redirectUri);
+ authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
+ }
+
+ @Override
+ protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) {
+ return true;
}
}
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
index 64da5b6..900bb12 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
@@ -30,7 +30,7 @@
protected Response successResponse() {
UserSessionModel userSession = clientSession.getUserSession();
- Set<ProtocolMapperModel> mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers();
+ Set<ProtocolMapperModel> mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers();
KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
Map<String, Object> attributes = new HashMap<>();
for (ProtocolMapperModel mapping : mappings) {
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
index b2b0702..ed9d5fa 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
@@ -43,7 +43,7 @@
protected RealmModel realm;
protected EventBuilder event;
protected ClientModel client;
- protected ClientSessionModel clientSession;
+ protected AuthenticatedClientSessionModel clientSession;
public ValidateEndpoint(RealmModel realm, EventBuilder event) {
this.realm = realm;
@@ -131,23 +131,27 @@
String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length());
- ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm);
- if (parseResult.isClientSessionNotFound() || parseResult.isIllegalHash()) {
- String[] parts = code.split("\\.");
- if (parts.length == 2) {
- event.detail(Details.CODE_ID, parts[1]);
- }
+ String[] parts = code.split("\\.");
+ if (parts.length == 4) {
+ event.detail(Details.CODE_ID, parts[2]);
+ }
+
+ ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);
+ if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
event.error(Errors.INVALID_CODE);
- if (parseResult.getClientSession() != null) {
- session.sessions().removeClientSession(realm, parseResult.getClientSession());
+
+ // Attempt to use same code twice should invalidate existing clientSession
+ AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
+ if (clientSession != null) {
+ clientSession.setUserSession(null);
}
+
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
}
clientSession = parseResult.getClientSession();
- event.detail(Details.CODE_ID, clientSession.getId());
- if (!parseResult.getCode().isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
+ if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
event.error(Errors.INVALID_CODE);
throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
}
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
index 93f59f1..39ae848 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java
@@ -80,9 +80,9 @@
// get a set of all realm roles assigned to the user or its group
Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);
- boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
+ boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
if (! dontLimitScope) {
- Set<RoleModel> clientRoles = userSession.getClientSessions().stream()
+ Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
.flatMap(cs -> cs.getClient().getScopeMappings().stream())
.collect(Collectors.toSet());
--
Gitblit v1.9.1