Merge pull request #1181 from patriot1burke/master

filter oidc broker import keys
2015-04-24 19:37:25 -04:00 · 2015-04-24 19:37:25 -04:00 · 23a3aa023c
commit 23a3aa023c
parent 05d0f1d2ee 9151d2aebd
6 changed files with 70 additions and 59 deletions
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
@ -70,7 +70,10 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
                for (String sessionId : action.getKeycloakSessionIds()) {
                    String brokerSessionId = getConfig().getAlias() + "." + sessionId;
                    UserSessionModel userSession = session.sessions().getUserSessionByBrokerSessionId(realm, brokerSessionId);
-                    if (userSession != null) {
+                    if (userSession != null
+                            && userSession.getState() != UserSessionModel.State.LOGGING_OUT
+                            && userSession.getState() != UserSessionModel.State.LOGGED_OUT
+                            ) {
                        AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers);
                    }
                }
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@ -139,7 +139,8 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
                                        .path(OIDCEndpoint.class, "logoutResponse")
                                        .build(realm.getName(), getConfig().getAlias()).toString();
        logoutUri.queryParam("post_logout_redirect_uri", redirect);
-        return Response.status(302).location(logoutUri.build()).build();
+        Response response = Response.status(302).location(logoutUri.build()).build();
+        return response;
    }

    @Override
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
@ -21,6 +21,7 @@ import org.keycloak.broker.oidc.util.SimpleHttp;
 import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
 import org.keycloak.jose.jwk.JWK;
 import org.keycloak.jose.jwk.JWKParser;
+import org.keycloak.jose.jws.Algorithm;
 import org.keycloak.models.IdentityProviderModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.representations.JSONWebKeySet;
@ -80,7 +81,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
                JSONWebKeySet keySet = JsonSerialization.readValue(keySetString, JSONWebKeySet.class);
                for (JWK jwk : keySet.getKeys()) {
                    JWKParser parse = JWKParser.create(jwk);
-                    if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)) {
+                    if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE) && keyTypeSupported(jwk.getKeyType())) {
                        PublicKey key = parse.toPublicKey();
                        config.setPublicKeySignatureVerifier(KeycloakModelUtils.getPemFromKey(key));
                        config.setValidateSignature(true);
@ -95,4 +96,8 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
        }
        return config.getConfig();
    }
+
+    protected static boolean keyTypeSupported(String type) {
+        return type != null && type.equals("RSA");
+    }
 }
--- a/model/api/src/main/java/org/keycloak/models/UserSessionModel.java
+++ b/model/api/src/main/java/org/keycloak/models/UserSessionModel.java
@ -1,53 +1,53 @@
-package org.keycloak.models;
-
-import java.util.List;
-
-/**
- * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
- */
-public interface UserSessionModel {
-
-    String getId();
-
-    /**
-     * If created via a broker external login, this is an identifier that can be
-     * used to match external broker backchannel logout requests to a UserSession
-     *
-     * @return
-     */
-    String getBrokerSessionId();
-    String getBrokerUserId();
-
-    UserModel getUser();
-
-    String getLoginUsername();
-
-    String getIpAddress();
-
-    String getAuthMethod();
-
-    boolean isRememberMe();
-
-    int getStarted();
-
-    int getLastSessionRefresh();
-
-    void setLastSessionRefresh(int seconds);
-
-    List<ClientSessionModel> getClientSessions();
-
-    public String getNote(String name);
-    public void setNote(String name, String value);
-    public void removeNote(String name);
-
-    State getState();
-    void setState(State state);
-
-    public static enum State {
-        LOGGING_IN,
-        LOGGED_IN,
-        LOGGING_OUT,
-        LOGGED_OUT
-    }
-
-}
+package org.keycloak.models;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public interface UserSessionModel {
+
+    String getId();
+
+    /**
+     * If created via a broker external login, this is an identifier that can be
+     * used to match external broker backchannel logout requests to a UserSession
+     *
+     * @return
+     */
+    String getBrokerSessionId();
+    String getBrokerUserId();
+
+    UserModel getUser();
+
+    String getLoginUsername();
+
+    String getIpAddress();
+
+    String getAuthMethod();
+
+    boolean isRememberMe();
+
+    int getStarted();
+
+    int getLastSessionRefresh();
+
+    void setLastSessionRefresh(int seconds);
+
+    List<ClientSessionModel> getClientSessions();
+
+    public String getNote(String name);
+    public void setNote(String name, String value);
+    public void removeNote(String name);
+
+    State getState();
+    void setState(State state);
+
+    public static enum State {
+        LOGGING_IN,
+        LOGGED_IN,
+        LOGGING_OUT,
+        LOGGED_OUT
+    }
+
+}
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminAuth.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminAuth.java
@ -44,6 +44,7 @@ public class AdminAuth {
    public boolean hasRealmRole(String role) {
        if (client instanceof ClientModel) {
            RoleModel roleModel = realm.getRole(role);
+            if (roleModel == null) return false;
            return user.hasRole(roleModel) && client.hasScope(roleModel);
        } else {
            AccessToken.Access access = token.getRealmAccess();
@ -63,6 +64,7 @@ public class AdminAuth {
    public boolean hasAppRole(ClientModel app, String role) {
        if (client instanceof ClientModel) {
            RoleModel roleModel = app.getRole(role);
+            if (roleModel == null) return false;
            return user.hasRole(roleModel) && client.hasScope(roleModel);
        } else {
            AccessToken.Access access = token.getResourceAccess(app.getClientId());
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@ -218,12 +218,12 @@ public class AdminRoot {
    }

    protected boolean isAdmin(AdminAuth auth) {
-        if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
-            return true;
-        }

        RealmManager realmManager = new RealmManager(session);
        if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
+            if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
+                return true;
+            }
            for (RealmModel realm : session.realms().getRealms()) {
                ClientModel client = realm.getMasterAdminClient();
                if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {