adapt to changes in Keycloak 3.2 (fixes #6)

.travis.yml

@@ -13,10 +13,10 @@ services:
   - docker
 
 env:
-  - KEYCLOAK_VERSION=2.5.5.Final
-  - KEYCLOAK_VERSION=3.0.0.Final
-  - KEYCLOAK_VERSION=3.1.0.Final
-#  - KEYCLOAK_VERSION=3.2.0.Final
+#  - KEYCLOAK_VERSION=2.5.5.Final
+#  - KEYCLOAK_VERSION=3.0.0.Final
+#  - KEYCLOAK_VERSION=3.1.0.Final
+  - KEYCLOAK_VERSION=3.2.1.Final
 
 before_install:
   - docker pull jboss/keycloak:$KEYCLOAK_VERSION

pom.xml

@@ -27,7 +27,7 @@
     <description />
 
     <properties>
-        <keycloak.version>2.5.1.Final</keycloak.version>
+        <keycloak.version>3.2.0.Final</keycloak.version>
         <jboss.logging.version>3.3.0.Final</jboss.logging.version>
         <jboss.logging.tools.version>2.0.1.Final</jboss.logging.tools.version>
         <junit.version>4.12</junit.version>

src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java

@@ -11,6 +11,8 @@
 import org.keycloak.protocol.cas.utils.LogoutHelper;
 import org.keycloak.services.managers.ClientSessionCode;
 import org.keycloak.services.managers.ResourceAdminManager;
+import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.sessions.CommonClientSessionModel;
 
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.Response;
@@ -84,12 +86,12 @@ public CASLoginProtocol setEventBuilder(EventBuilder event) {
     }
 
     @Override
-    public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) {
-        ClientSessionModel clientSession = accessCode.getClientSession();
+    public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
+        ClientSessionCode<AuthenticatedClientSessionModel> accessCode = new ClientSessionCode<>(session, realm, clientSession);
 
         String service = clientSession.getRedirectUri();
         //TODO validate service
-        accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name());
+        accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name());
         KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(service);
         uriBuilder.queryParam(TICKET_RESPONSE_PARAM, SERVICE_TICKET_PREFIX + accessCode.getCode());
 
@@ -100,12 +102,12 @@ public Response authenticated(UserSessionModel userSession, ClientSessionCode ac
     }
 
     @Override
-    public Response sendError(ClientSessionModel clientSession, Error error) {
+    public Response sendError(AuthenticationSessionModel authSession, Error error) {
         return Response.serverError().entity(error).build();
     }
 
     @Override
-    public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
+    public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
         String logoutUrl = clientSession.getRedirectUri();
         String serviceTicket = clientSession.getNote(CASLoginProtocol.SESSION_SERVICE_TICKET);
         //check if session is fully authenticated (i.e. serviceValidate has been called)
@@ -127,7 +129,7 @@ private void sendSingleLogoutRequest(String logoutUrl, String serviceTicket) {
     }
 
     @Override
-    public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
+    public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
         // todo oidc redirect support
         throw new RuntimeException("NOT IMPLEMENTED");
     }
@@ -148,8 +150,8 @@ public Response finishLogout(UserSessionModel userSession) {
     }
 
     @Override
-    public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
-        return "true".equals(clientSession.getNote(CASLoginProtocol.RENEW_PARAM));
+    public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) {
+        return "true".equals(authSession.getClientNote(CASLoginProtocol.RENEW_PARAM));
     }
 
     @Override

src/main/java/org/keycloak/protocol/cas/endpoints/AuthorizationEndpoint.java

@@ -6,14 +6,14 @@
 import org.keycloak.events.EventBuilder;
 import org.keycloak.events.EventType;
 import org.keycloak.models.ClientModel;
-import org.keycloak.models.ClientSessionModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.AuthorizationEndpointBase;
 import org.keycloak.protocol.cas.CASLoginProtocol;
 import org.keycloak.protocol.oidc.utils.RedirectUtils;
 import org.keycloak.services.ErrorPageException;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.services.util.CacheControlUtil;
+import org.keycloak.sessions.AuthenticationSessionModel;
 
 import javax.ws.rs.GET;
 import javax.ws.rs.core.MultivaluedMap;
@@ -23,7 +23,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
     private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);
 
     private ClientModel client;
-    private ClientSessionModel clientSession;
+    private AuthenticationSessionModel authenticationSession;
     private String redirectUri;
 
     public AuthorizationEndpoint(RealmModel realm, EventBuilder event) {
@@ -42,30 +42,23 @@ public Response build() {
         checkRealm();
         checkClient(service);
 
-        createClientSession();
+        AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null);
+        if (checks.response != null) {
+            return checks.response;
+        }
+
+        authenticationSession = checks.authSession;
+        updateAuthenticationSession();
+
         // So back button doesn't work
         CacheControlUtil.noBackButtonCacheControlHeader();
 
         if (renew) {
-            clientSession.setNote(CASLoginProtocol.RENEW_PARAM, "true");
+            authenticationSession.setClientNote(CASLoginProtocol.RENEW_PARAM, "true");
         }
 
         this.event.event(EventType.LOGIN);
-        return handleBrowserAuthenticationRequest(clientSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
-    }
-
-    private void checkSsl() {
-        if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
-            event.error(Errors.SSL_REQUIRED);
-            throw new ErrorPageException(session, Messages.HTTPS_REQUIRED);
-        }
-    }
-
-    private void checkRealm() {
-        if (!realm.isEnabled()) {
-            event.error(Errors.REALM_DISABLED);
-            throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED);
-        }
+        return handleBrowserAuthenticationRequest(authenticationSession, new CASLoginProtocol(session, realm, uriInfo, headers, event), gateway, false);
     }
 
     private void checkClient(String service) {
@@ -96,10 +89,14 @@ private void checkClient(String service) {
         session.getContext().setClient(client);
     }
 
-    private void createClientSession() {
-        clientSession = session.sessions().createClientSession(realm, client);
-        clientSession.setAuthMethod(CASLoginProtocol.LOGIN_PROTOCOL);
-        clientSession.setRedirectUri(redirectUri);
-        clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
+    private void updateAuthenticationSession() {
+        authenticationSession.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL);
+        authenticationSession.setRedirectUri(redirectUri);
+        authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
+    }
+
+    @Override
+    protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState) {
+        return true;
     }
 }

src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java

@@ -30,7 +30,7 @@ public ServiceValidateEndpoint(RealmModel realm, EventBuilder event) {
     protected Response successResponse() {
         UserSessionModel userSession = clientSession.getUserSession();
 
-        Set<ProtocolMapperModel> mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers();
+        Set<ProtocolMapperModel> mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers();
         KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
         Map<String, Object> attributes = new HashMap<>();
         for (ProtocolMapperModel mapping : mappings) {

src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java

@@ -43,7 +43,7 @@ public class ValidateEndpoint {
     protected RealmModel realm;
     protected EventBuilder event;
     protected ClientModel client;
-    protected ClientSessionModel clientSession;
+    protected AuthenticatedClientSessionModel clientSession;
 
     public ValidateEndpoint(RealmModel realm, EventBuilder event) {
         this.realm = realm;
@@ -131,23 +131,27 @@ private void checkTicket(String ticket, boolean requireReauth) {
 
         String code = ticket.substring(CASLoginProtocol.SERVICE_TICKET_PREFIX.length());
 
-        ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm);
-        if (parseResult.isClientSessionNotFound() || parseResult.isIllegalHash()) {
-            String[] parts = code.split("\\.");
-            if (parts.length == 2) {
-                event.detail(Details.CODE_ID, parts[1]);
-            }
+        String[] parts = code.split("\\.");
+        if (parts.length == 4) {
+            event.detail(Details.CODE_ID, parts[2]);
+        }
+
+        ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);
+        if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
             event.error(Errors.INVALID_CODE);
-            if (parseResult.getClientSession() != null) {
-                session.sessions().removeClientSession(realm, parseResult.getClientSession());
+
+            // Attempt to use same code twice should invalidate existing clientSession
+            AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
+            if (clientSession != null) {
+                clientSession.setUserSession(null);
             }
+
             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
         }
 
         clientSession = parseResult.getClientSession();
-        event.detail(Details.CODE_ID, clientSession.getId());
 
-        if (!parseResult.getCode().isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
+        if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
             event.error(Errors.INVALID_CODE);
             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
         }

src/main/java/org/keycloak/protocol/cas/mappers/AbstractUserRoleMappingMapper.java

@@ -80,9 +80,9 @@ protected void setAttribute(Map<String, Object> attributes, ProtocolMapperModel
         // get a set of all realm roles assigned to the user or its group
         Stream<RoleModel> clientUserRoles = getAllUserRolesStream(user).filter(restriction);
 
-        boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
+        boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed());
         if (! dontLimitScope) {
-            Set<RoleModel> clientRoles = userSession.getClientSessions().stream()
+            Set<RoleModel> clientRoles = userSession.getAuthenticatedClientSessions().values().stream()
               .flatMap(cs -> cs.getClient().getScopeMappings().stream())
               .collect(Collectors.toSet());