From b8d686069c3249e4bd11eb5eef95f5bd51ea58fb Mon Sep 17 00:00:00 2001 From: Matthias Piepkorn Date: Sun, 17 Jun 2018 12:13:40 +0200 Subject: [PATCH] update for KEYCLOAK-6630 Client scopes initial support --- .../protocol/cas/CASLoginProtocol.java | 3 +- .../protocol/cas/CASLoginProtocolFactory.java | 57 +++++++------------ .../endpoints/ServiceValidateEndpoint.java | 10 ++-- .../cas/mappers/CASAttributeMapperHelper.java | 3 - .../protocol/cas/mappers/FullNameMapper.java | 5 +- .../cas/mappers/GroupMembershipMapper.java | 5 +- .../cas/mappers/UserAttributeMapper.java | 4 +- .../mappers/UserClientRoleMappingMapper.java | 22 +++---- .../cas/mappers/UserPropertyMapper.java | 5 +- .../mappers/UserRealmRoleMappingMapper.java | 2 +- .../cas/mappers/UserSessionNoteMapper.java | 5 +- 11 files changed, 47 insertions(+), 74 deletions(-) diff --git a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java index dd08b5b..a1afb9d 100644 --- a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java +++ b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java @@ -85,7 +85,8 @@ public CASLoginProtocol setEventBuilder(EventBuilder event) { } @Override - public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { + public Response authenticated(UserSessionModel userSession, ClientSessionContext clientSessionCtx) { + AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession(); ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, clientSession); String service = clientSession.getRedirectUri(); diff --git a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocolFactory.java b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocolFactory.java index 57745b8..2702466 100644 --- a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocolFactory.java +++ b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocolFactory.java @@ -2,24 +2,22 @@ import org.jboss.logging.Logger; import org.keycloak.events.EventBuilder; -import org.keycloak.models.*; +import org.keycloak.models.ClientModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.ProtocolMapperModel; +import org.keycloak.models.RealmModel; import org.keycloak.protocol.AbstractLoginProtocolFactory; import org.keycloak.protocol.LoginProtocol; -import org.keycloak.protocol.ProtocolMapperUtils; import org.keycloak.protocol.cas.mappers.FullNameMapper; import org.keycloak.protocol.cas.mappers.UserAttributeMapper; import org.keycloak.protocol.cas.mappers.UserPropertyMapper; import org.keycloak.representations.idm.ClientRepresentation; -import org.keycloak.representations.idm.ClientTemplateRepresentation; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -import static org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.JSON_TYPE; -import static org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME; - public class CASLoginProtocolFactory extends AbstractLoginProtocolFactory { private static final Logger logger = Logger.getLogger(CASLoginProtocolFactory.class); @@ -43,51 +41,45 @@ public LoginProtocol create(KeycloakSession session) { } @Override - public List getBuiltinMappers() { + public Map getBuiltinMappers() { return builtins; } - @Override - public List getDefaultBuiltinMappers() { - return defaultBuiltins; - } - - static List builtins = new ArrayList<>(); + static Map builtins = new HashMap<>(); static List defaultBuiltins = new ArrayList<>(); static { ProtocolMapperModel model; - model = UserPropertyMapper.create(EMAIL, "email", "mail", "String", - true, EMAIL_CONSENT_TEXT); - builtins.add(model); + model = UserPropertyMapper.create(EMAIL, "email", "mail", "String"); + builtins.put(EMAIL, model); defaultBuiltins.add(model); - model = UserPropertyMapper.create(GIVEN_NAME, "firstName", "givenName", "String", - true, GIVEN_NAME_CONSENT_TEXT); - builtins.add(model); + model = UserPropertyMapper.create(GIVEN_NAME, "firstName", "givenName", "String"); + builtins.put(GIVEN_NAME, model); defaultBuiltins.add(model); - model = UserPropertyMapper.create(FAMILY_NAME, "lastName", "sn", "String", - true, FAMILY_NAME_CONSENT_TEXT); - builtins.add(model); + model = UserPropertyMapper.create(FAMILY_NAME, "lastName", "sn", "String"); + builtins.put(FAMILY_NAME, model); defaultBuiltins.add(model); model = UserPropertyMapper.create(EMAIL_VERIFIED, "emailVerified", - "emailVerified", "boolean", - false, EMAIL_VERIFIED_CONSENT_TEXT); - builtins.add(model); + "emailVerified", "boolean"); + builtins.put(EMAIL_VERIFIED, model); model = UserAttributeMapper.create(LOCALE, "locale", "locale", "String", - false, LOCALE_CONSENT_TEXT, false); - builtins.add(model); + builtins.put(LOCALE, model); - model = FullNameMapper.create(FULL_NAME, "cn", - true, FULL_NAME_CONSENT_TEXT); - builtins.add(model); + model = FullNameMapper.create(FULL_NAME, "cn"); + builtins.put(FULL_NAME, model); defaultBuiltins.add(model); } + @Override + protected void createDefaultClientScopesImpl(RealmModel newRealm) { + // no-op + } + @Override protected void addDefaults(ClientModel client) { for (ProtocolMapperModel model : defaultBuiltins) client.addProtocolMapper(model); @@ -116,9 +108,4 @@ public void setupClientDefaults(ClientRepresentation rep, ClientModel newClient) newClient.setManagementUrl(rep.getRootUrl()); } } - - @Override - public void setupTemplateDefaults(ClientTemplateRepresentation clientRep, ClientTemplateModel newClient) { - - } } diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java index 900bb12..792c525 100644 --- a/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java +++ b/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java @@ -1,10 +1,7 @@ package org.keycloak.protocol.cas.endpoints; import org.keycloak.events.EventBuilder; -import org.keycloak.models.KeycloakSessionFactory; -import org.keycloak.models.ProtocolMapperModel; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserSessionModel; +import org.keycloak.models.*; import org.keycloak.protocol.ProtocolMapper; import org.keycloak.protocol.cas.mappers.CASAttributeMapper; import org.keycloak.protocol.cas.representations.CASServiceResponse; @@ -12,6 +9,7 @@ import org.keycloak.protocol.cas.utils.ContentTypeHelper; import org.keycloak.protocol.cas.utils.ServiceResponseHelper; import org.keycloak.services.managers.ClientSessionCode; +import org.keycloak.services.util.DefaultClientSessionContext; import javax.ws.rs.core.*; import java.util.HashMap; @@ -29,8 +27,10 @@ public ServiceValidateEndpoint(RealmModel realm, EventBuilder event) { @Override protected Response successResponse() { UserSessionModel userSession = clientSession.getUserSession(); + // CAS protocol does not support scopes, so pass null scopeParam + ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, null); - Set mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers(); + Set mappings = clientSessionCtx.getProtocolMappers(); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); Map attributes = new HashMap<>(); for (ProtocolMapperModel mapping : mappings) { diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/CASAttributeMapperHelper.java b/src/main/java/org/keycloak/protocol/cas/mappers/CASAttributeMapperHelper.java index 53ba5d2..9e243af 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/CASAttributeMapperHelper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/CASAttributeMapperHelper.java @@ -10,14 +10,11 @@ public class CASAttributeMapperHelper { public static ProtocolMapperModel createClaimMapper(String name, String tokenClaimName, String claimType, - boolean consentRequired, String consentText, String mapperId) { ProtocolMapperModel mapper = new ProtocolMapperModel(); mapper.setName(name); mapper.setProtocolMapper(mapperId); mapper.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL); - mapper.setConsentRequired(consentRequired); - mapper.setConsentText(consentText); Map config = new HashMap(); config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, tokenClaimName); config.put(OIDCAttributeMapperHelper.JSON_TYPE, claimType); diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/FullNameMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/FullNameMapper.java index aef4b51..3d889be 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/FullNameMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/FullNameMapper.java @@ -48,9 +48,8 @@ public void setAttribute(Map attributes, ProtocolMapperModel map setMappedAttribute(attributes, mappingModel, first + last); } - public static ProtocolMapperModel create(String name, String tokenClaimName, - boolean consentRequired, String consentText) { + public static ProtocolMapperModel create(String name, String tokenClaimName) { return CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, - "String", consentRequired, consentText, PROVIDER_ID); + "String", PROVIDER_ID); } } diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/GroupMembershipMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/GroupMembershipMapper.java index a6db974..bee3b9e 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/GroupMembershipMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/GroupMembershipMapper.java @@ -69,10 +69,9 @@ public static boolean useFullPath(ProtocolMapperModel mappingModel) { return "true".equals(mappingModel.getConfig().get(FULL_PATH)); } - public static ProtocolMapperModel create(String name, String tokenClaimName, - boolean consentRequired, String consentText, boolean fullPath) { + public static ProtocolMapperModel create(String name, String tokenClaimName, boolean fullPath) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, - "String", consentRequired, consentText, PROVIDER_ID); + "String", PROVIDER_ID); mapper.getConfig().put(FULL_PATH, Boolean.toString(fullPath)); return mapper; } diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserAttributeMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserAttributeMapper.java index 19173c2..a75bd27 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/UserAttributeMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserAttributeMapper.java @@ -68,9 +68,9 @@ public void setAttribute(Map attributes, ProtocolMapperModel map public static ProtocolMapperModel create(String name, String userAttribute, String tokenClaimName, String claimType, - boolean consentRequired, String consentText, boolean multivalued) { + boolean multivalued) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, - claimType, consentRequired, consentText, PROVIDER_ID); + claimType, PROVIDER_ID); mapper.getConfig().put(ProtocolMapperUtils.USER_ATTRIBUTE, userAttribute); if (multivalued) { mapper.getConfig().put(ProtocolMapperUtils.MULTIVALUED, "true"); diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java index 15ff8ac..ff872d3 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java @@ -2,6 +2,7 @@ import org.keycloak.models.*; import org.keycloak.protocol.ProtocolMapperUtils; +import org.keycloak.protocol.oidc.TokenManager; import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper; import org.keycloak.provider.ProviderConfigProperty; @@ -78,10 +79,7 @@ private static Predicate getClientRoleFilter(String clientId, UserSes return RoleModel::isClientRole; } - ClientTemplateModel template = client.getClientTemplate(); - boolean useTemplateScope = template != null && client.useTemplateScope(); - boolean fullScopeAllowed = (useTemplateScope && template.isFullScopeAllowed()) || client.isFullScopeAllowed(); - + boolean fullScopeAllowed = client.isFullScopeAllowed(); Set clientRoleMappings = client.getRoles(); if (fullScopeAllowed) { return clientRoleMappings::contains; @@ -89,16 +87,10 @@ private static Predicate getClientRoleFilter(String clientId, UserSes Set scopeMappings = new HashSet<>(); - if (useTemplateScope) { - Set templateScopeMappings = template.getScopeMappings(); - if (templateScopeMappings != null) { - scopeMappings.addAll(templateScopeMappings); - } - } - - Set clientScopeMappings = client.getScopeMappings(); - if (clientScopeMappings != null) { - scopeMappings.addAll(clientScopeMappings); + // CAS protocol does not support scopes, so pass null scopeParam + Set clientScopes = TokenManager.getRequestedClientScopes(null, client); + for (ClientScopeModel clientScope : clientScopes) { + scopeMappings.addAll(clientScope.getScopeMappings()); } return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role); @@ -107,7 +99,7 @@ private static Predicate getClientRoleFilter(String clientId, UserSes public static ProtocolMapperModel create(String clientId, String clientRolePrefix, String name, String tokenClaimName) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, - "String", true, name, PROVIDER_ID); + "String", PROVIDER_ID); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix); return mapper; diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserPropertyMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserPropertyMapper.java index b299b27..66f09be 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/UserPropertyMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserPropertyMapper.java @@ -58,10 +58,9 @@ public void setAttribute(Map attributes, ProtocolMapperModel map } public static ProtocolMapperModel create(String name, String userAttribute, - String tokenClaimName, String claimType, - boolean consentRequired, String consentText) { + String tokenClaimName, String claimType) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, - claimType, consentRequired, consentText, PROVIDER_ID); + claimType, PROVIDER_ID); mapper.getConfig().put(ProtocolMapperUtils.USER_ATTRIBUTE, userAttribute); return mapper; } diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserRealmRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserRealmRoleMappingMapper.java index 117264a..41a6a78 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/UserRealmRoleMappingMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserRealmRoleMappingMapper.java @@ -60,7 +60,7 @@ public void setAttribute(Map attributes, ProtocolMapperModel map public static ProtocolMapperModel create(String realmRolePrefix, String name, String tokenClaimName) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, - "String", true, name, PROVIDER_ID); + "String", PROVIDER_ID); mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_REALM_ROLE_MAPPING_ROLE_PREFIX, realmRolePrefix); return mapper; } diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserSessionNoteMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserSessionNoteMapper.java index 5c2881a..f718aab 100644 --- a/src/main/java/org/keycloak/protocol/cas/mappers/UserSessionNoteMapper.java +++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserSessionNoteMapper.java @@ -63,10 +63,9 @@ public void setAttribute(Map attributes, ProtocolMapperModel map public static ProtocolMapperModel create(String name, String userSessionNote, - String tokenClaimName, String jsonType, - boolean consentRequired, String consentText) { + String tokenClaimName, String jsonType) { ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName, - jsonType, consentRequired, consentText, PROVIDER_ID); + jsonType, PROVIDER_ID); mapper.getConfig().put(ProtocolMapperUtils.USER_SESSION_NOTE, userSessionNote); return mapper; }