From fb26284c00e09e656732eb7ca4570afd052e0067 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Fri, 21 Jun 2024 11:47:01 +0000
Subject: [PATCH] Improve error reporting in CAS ticket validation

---
 src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java |   27 +++++++++++----------------
 1 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java
index 2330cdc..e166bb0 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java
@@ -95,7 +95,7 @@
             throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Malformed service ticket", Response.Status.BAD_REQUEST);
         }
 
-        Boolean isreuse = ticket.startsWith(CASLoginProtocol.PROXY_GRANTING_TICKET_PREFIX);
+        boolean isReusable = ticket.startsWith(CASLoginProtocol.PROXY_GRANTING_TICKET_PREFIX);
 
         String[] parsed = DOT.split(ticket.substring(prefix.length()), 3);
         if (parsed.length != 3) {
@@ -103,20 +103,12 @@
             throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the code", Response.Status.BAD_REQUEST);
         }
 
+        String codeUUID = parsed[0];
         String userSessionId = parsed[1];
         String clientUUID = parsed[2];
 
         event.detail(Details.CODE_ID, userSessionId);
         event.session(userSessionId);
-
-        // Parse UUID
-        String codeUUID;
-        try {
-            codeUUID = parsed[0];
-        } catch (IllegalArgumentException re) {
-            event.error(Errors.INVALID_CODE);
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the UUID in the code", Response.Status.BAD_REQUEST);
-        }
 
         // Retrieve UserSession
         UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, userSessionId, clientUUID);
@@ -125,28 +117,31 @@
             userSession = session.sessions().getUserSession(realm, userSessionId);
             if (userSession == null) {
                 event.error(Errors.USER_SESSION_NOT_FOUND);
-                throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST);
+                throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
             }
         }
 
         clientSession = userSession.getAuthenticatedClientSessionByClient(clientUUID);
         if (clientSession == null) {
+            event.error(Errors.INVALID_CODE);
             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
         }
 
         SingleUseObjectProvider codeStore = session.singleUseObjects();
-        Map<String, String> codeDataSerialized = isreuse? codeStore.get(prefix + codeUUID) : codeStore.remove(prefix + codeUUID);
+        Map<String, String> codeDataSerialized = isReusable ? codeStore.get(prefix + codeUUID) : codeStore.remove(prefix + codeUUID);
 
         // Either code not available
         if (codeDataSerialized == null) {
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code already used", Response.Status.BAD_REQUEST);
+            event.error(Errors.INVALID_CODE);
+            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
         }
 
         OAuth2Code codeData = OAuth2Code.deserializeCode(codeDataSerialized);
 
         String persistedUserSessionId = codeData.getUserSessionId();
         if (!userSessionId.equals(persistedUserSessionId)) {
-            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code "+codeUUID+"' is bound to a different session", Response.Status.BAD_REQUEST);
+            event.error(Errors.INVALID_CODE);
+            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
         }
 
         // Finally doublecheck if code is not expired
@@ -181,7 +176,7 @@
         } else {
             if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
                 event.error(Errors.INVALID_CODE);
-                throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST);
+                throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Invalid service", Response.Status.BAD_REQUEST);
             }
         }
 
@@ -213,7 +208,7 @@
             this.pgtIou = pgtIou;
         } catch (Exception e) {
             event.error(Errors.INVALID_REQUEST);
-            throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback return with error", Response.Status.BAD_REQUEST);
+            throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback returned an error", Response.Status.BAD_REQUEST);
         }
     }
 

--
Gitblit v1.9.1