SamlProtocol should only drop attributes into a single attributeStatement element

Josh Cain 2016-07-22 14:49:48 -05:00
parent a73dd537f3
commit 283581f920


@ -21,13 +21,7 @@ import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.net.URI; import java.net.URI;
import java.security.PublicKey; import java.security.PublicKey;
import java.util.ArrayList; import java.util.*;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
@ -375,8 +369,15 @@ public class SamlProtocol implements LoginProtocol {
Document samlDocument = null; Document samlDocument = null;
try { try {
ResponseType samlModel = builder.buildModel(); ResponseType samlModel = builder.buildModel();
transformAttributeStatement(attributeStatementMappers, samlModel, session, userSession, clientSession); final AttributeStatementType attributeStatement = populateAttributeStatements(attributeStatementMappers, session, userSession, clientSession);
populateRoles(roleListMapper, samlModel, session, userSession, clientSession); populateRoles(roleListMapper, session, userSession, clientSession, attributeStatement);
// SAML Spec 2.7.3 AttributeStatement must contain one or more Attribute or EncryptedAttribute
if (attributeStatement.getAttributes().size() > 0) {
AssertionType assertion = samlModel.getAssertions().get(0).getAssertion();
assertion.addStatement(attributeStatement);
}
samlModel = transformLoginResponse(loginResponseMappers, samlModel, session, userSession, clientSession); samlModel = transformLoginResponse(loginResponseMappers, samlModel, session, userSession, clientSession);
samlDocument = builder.buildDocument(samlModel); samlDocument = builder.buildDocument(samlModel);
} catch (Exception e) { } catch (Exception e) {
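Review bot: The guard at `if (attributeStatement.getAttributes().size() > 0)` now decides for both the attribute-statement mappers and the role-list mapper at once, and nothing in the hunk records that `populateAttributeStatements` returns a statement that is not yet attached to the assertion and that `populateRoles` appends into that same object, so a reader of either method alone cannot see why the order of the three calls matters. I would add above the `populateAttributeStatements(...)` call: `// Attribute mappers and the role mapper share one AttributeStatement; it is attached only if at least one of them produced an Attribute (SAML Core 2.7.3).` One consequence worth confirming before merge: an Attribute emitted by a role-list mapper and one emitted by an attribute mapper with the same Name now sit side by side in a single statement instead of in two, and whether any role-list mapper implementation assumes it starts from an empty statement is not visible here. `!attributeStatement.getAttributes().isEmpty()` reads better than the size comparison. The enclosing method starts and ends outside this hunk.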
@ -437,19 +438,14 @@ public class SamlProtocol implements LoginProtocol {
} }
} }
public void transformAttributeStatement(List<ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, public AttributeStatementType populateAttributeStatements(List<ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession,
ClientSessionModel clientSession) { ClientSessionModel clientSession) {
AssertionType assertion = response.getAssertions().get(0).getAssertion();
AttributeStatementType attributeStatement = new AttributeStatementType(); AttributeStatementType attributeStatement = new AttributeStatementType();
for (ProtocolMapperProcessor<SAMLAttributeStatementMapper> processor : attributeStatementMappers) { for (ProtocolMapperProcessor<SAMLAttributeStatementMapper> processor : attributeStatementMappers) {
processor.mapper.transformAttributeStatement(attributeStatement, processor.model, session, userSession, clientSession); processor.mapper.transformAttributeStatement(attributeStatement, processor.model, session, userSession, clientSession);
} }
// SAML Spec 2.7.3 AttributeStatement must contain one or more Attribute or EncryptedAttribute return attributeStatement;
if (attributeStatement.getAttributes().size() > 0) {
assertion.addStatement(attributeStatement);
}
} }
public ResponseType transformLoginResponse(List<ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { public ResponseType transformLoginResponse(List<ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) {
@ -459,17 +455,11 @@ public class SamlProtocol implements LoginProtocol {
return response; return response;
} }
public void populateRoles(ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { public void populateRoles(ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession,
final AttributeStatementType existingAttributeStatement) {
if (roleListMapper == null) if (roleListMapper == null)
return; return;
AssertionType assertion = response.getAssertions().get(0).getAssertion(); roleListMapper.mapper.mapRoles(existingAttributeStatement, roleListMapper.model, session, userSession, clientSession);
AttributeStatementType attributeStatement = new AttributeStatementType();
roleListMapper.mapper.mapRoles(attributeStatement, roleListMapper.model, session, userSession, clientSession);
// SAML Spec 2.7.3 AttributeStatement must contain one or more Attribute or EncryptedAttribute
if (attributeStatement.getAttributes().size() > 0) {
assertion.addStatement(attributeStatement);
}
} }
public static String getLogoutServiceUrl(UriInfo uriInfo, ClientModel client, String bindingType) { public static String getLogoutServiceUrl(UriInfo uriInfo, ClientModel client, String bindingType) {