[KEYCLOAK-10867] - Remove upload of JavaScript code through REST

2019-11-01 09:09:56 -03:00 · 2019-11-01 09:09:56 -03:00 · 2dd592380d
commit 2dd592380d
parent 14fe48ee38
12 changed files with 168 additions and 0 deletions
--- a/authorization_services/topics/policy-js-policy.adoc
+++ b/authorization_services/topics/policy-js-policy.adoc
@ -6,6 +6,10 @@ supported by {project_name}, and provides flexibility to write any policy based

 To create a new JavaScript-based policy, select *JavaScript* in the dropdown list in the upper right corner of the policy listing.

+NOTE: By default, JavaScript Policies can not be uploaded to the server. You should prefer deploying your JS Policies directly to
+the server as described in link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}]. If you still want to use the 
+{project_name} Administration Console to manage your JS policies you should enable the `Upload Scripts` feature.
+
 .Add JavaScript Policy
 image:{project_images}/policy/create-js.png[alt="Add JavaScript Policy"]

@ -28,6 +32,13 @@ The JavaScript code providing the conditions for this policy.
 +
 The <<_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.

+== Creating a JS Policy from a Deployed JAR File
+
+{project_name} allows you to deploy a JAR file in order to deploy scripts to the server. Please, take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}]
+for more details.
+
+Once you have your scripts deployed, you should be able to select the scripts you deployed from the list of available policy providers.
+
 == Examples

 === Checking for attributes from the evaluation context
--- a/authorization_services/topics/service-protection-policy-api.adoc
+++ b/authorization_services/topics/service-protection-policy-api.adoc
@ -73,6 +73,10 @@ curl -X POST \

 Or even using a custom policy using JavaScript:

+:tech_feature_name: Upload Scripts
+:tech_feature_setting: -Dkeycloak.profile.feature.upload_scripts=enabled
+include::./templates/deprecated.adoc[]
+
 ```bash
 curl -X POST \
  http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id} \
--- a/release_notes/index.adoc
+++ b/release_notes/index.adoc
@ -9,6 +9,9 @@ include::topics/templates/document-attributes-community.adoc[]

 = {releasenotes_name}

+== {project_name_full} 7.0.1.Final
+include::topics/7_0_1_final.adoc[leveloffset=2]
+
 == {project_name_full} 7.0.0
 include::topics/7_0_0.adoc[leveloffset=2]

--- a/release_notes/topics/7_0_1_final.adoc
+++ b/release_notes/topics/7_0_1_final.adoc
@ -0,0 +1,7 @@
+= Deploying Scripts to the Server
+
+Until now, administrators were allowed to upload scripts to the server through the {project_name} Administration Console as well as
+through the RESTful Admin API.
+
+For now on, this capability is *disabled* by default and users should prefer to deploy scripts directly to the server. For more details,
+please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].
--- a/release_notes/topics/8_0_0.adoc
+++ b/release_notes/topics/8_0_0.adoc
@ -62,3 +62,7 @@ Thanks to https://github.com/jonkoops[jonkoops] now it's possible to enable or d
 * Secure token and logout endpoint were included in Gatekeeper. Thanks to https://github.com/fredbi[fredbi]
 * There was a bug on Gatekeeper which was making cookies to be applied to subdomains. Thanks to https://github.com/daniel-ac-martin[daniel-ac-martin] the issue was fixed
 * Now Gatekeeper provides support to https://www.owasp.org/index.php/SameSite[Same-site cookies]. Thanks to https://github.com/fiji-flo[fiji-flo]
+
+== Deploying Scripts to the Server
+
+Please take a look at link:{releasenotes_link}#keycloak-7-0-1-final[7.0.1 {releasenotes_name}] for more details on how you can now deploy and run scripts to customize specific behavior.
--- a/server_admin/topics/clients/protocol-mappers.adoc
+++ b/server_admin/topics/clients/protocol-mappers.adoc
@ -68,3 +68,9 @@ Service account sessions provide the following details:
 * `clientAddress`: The remote host IP of the service account authenticated device
 * `clientHost`: The remote host name of the service account authenticated device

+==== Script Mapper
+
+The `Script Mapper` allows you to map claims to tokens by running a user-defined JavaScript code. For more details about how to
+deploy scripts to the server, please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].
+
+Once you have your scripts deployed, you should be able to select the scripts you deployed from the list of available mappers.
--- a/server_development/topics/providers.adoc
+++ b/server_development/topics/providers.adoc
@ -303,6 +303,110 @@ public class EjbExampleUserStorageProviderFactory
    }
 ----

+[[_script_providers]]
+=== JavaScript Providers
+
+{project_name} has the ability to execute scripts during runtime in order to allow administrators to customize specific functionalities:
+
+* OpenID Connect Script Protocol Mapper
+* OpenID Connect Script Authenticator
+* JavaScript Policy
+
+==== Create a JAR with the scripts you want to deploy
+
+NOTE: JAR files are regular ZIP files with a `.jar` extension.
+
+In order to make your scripts available to {project_name} you need to deploy them to the server. For that, you should create
+a `JAR` file with the following structure:
+
+[source]
+----
+META-INF/keycloak-scripts.json
+
+my-script-authenticator.js
+my-script-policy.js
+my-script-mapper.js
+----
+
+The `META-INF/keycloak-scripts.json` is a file descriptor that provides metadata information about the scripts you want to deploy. It is a JSON file with the following structure:
+
+```json
+{
+    "authenticators": [
+        {
+            "name": "My Authenticator",
+            "fileName": "my-authenticator.js",
+            "description": "My Authenticator from a JS file"
+        }
+    ],
+    "policies": [
+        {
+            "name": "My Policy",
+            "fileName": "my-policy.js",
+            "description": "My Policy from a JS file"
+        }
+    ],
+    "mappers": [
+        {
+            "name": "My Mapper",
+            "fileName": "my-mapper.js",
+            "description": "My Mapper from a JS file"
+        }
+    ]
+}
+```
+
+This file should reference the different types of script providers that you want to deploy:
+
+* `authenticators`
+
+For OpenID Connect Script Authenticators. You can have one or multiple authenticators in the same JAR file
+
+* `policies`
+
+For JavaScript Policies when using {project_name} Authorization Services. You can have one or multiple policies in the same JAR file
+
+* `mappers`
+
+For OpenID Connect Script Protocol Mappers. You can have one or multiple mappers in the same JAR file
+
+For each script file in your `JAR` file you must have a corresponding entry in `META-INF/keycloak-scripts.json` that maps your scripts files to a specific provider type. For that you should provide the following properties for each entry:
+
+* `name`
+
+A friendly name that will be used to show the scripts through the {project_name} Administration Console. If not provided, the name
+of the script file will be used instead
+
+* `description`
+
+An optional text that better describes the intend of the script file
+
+* `fileName`
+
+The name of the script file. This property is *mandatory* and should map to a file within the JAR.
+
+==== Deploy the Script JAR
+
+Once you have a JAR file with a descriptor and the scripts you want to deploy, you just need to copy the JAR to the to the {project_name} `standalone/deployments/` directory.
+
+==== Using {project_name} Administration Console to upload scripts
+
+By default, the {project_name} Administration Console won't allow administrators to upload scripts to the server. The reason is that
+script execution can potentially harm the system due to the execution of malicious scripts. In order to prevent different types of
+attacks and lower the risks when running scripts at runtime, administrators should prefer deploying scripts directly to the server using a JAR file.
+
+By deploying scripts directly into the server, we expect that scripts go through a proper code analysis in order to find possible
+vulnerabilities that can be introduced by any script deployed to the server.
+
+However, it should still be possible to upload scripts to the server through the {project_name} Administration Console. For that,
+you must set the following system property when booting the server:
+
+```bash
+    -Dkeycloak.profile.feature.upload_scripts=enabled
+```
+
+For more details about how to enable the `upload_scripts` feature. Please, take a look at the link:{installguide_profile_link}[{installguide_profile_name}].
+
 === Available SPIs

 If you want to see list of all available SPIs at runtime, you can check `Server Info` page in admin console as described in <<_providers_admin_console,Admin Console>> section.
--- a/server_installation/topics/profiles.adoc
+++ b/server_installation/topics/profiles.adoc
@ -60,6 +60,11 @@ endif::[]
 |Token Exchange Service
 |No
 |Preview
+
+|upload_scripts
+|Upload scripts through the {project_name} REST API
+|No
+|Deprecated
 |===

 To enable all preview features start the server with:
--- a/topics/templates/deprecated.adoc
+++ b/topics/templates/deprecated.adoc
@ -0,0 +1,12 @@
+ifeval::[{tech_feature_disabled}!=false]
+[NOTE]
+====
+{tech_feature_name} is *Deprecated* and will be removed in future releases. This feature is disabled by default.
+
+To enable start the server with
+ifdef::tech_feature_setting[]
+`{tech_feature_setting}`
+endif::[]
+. For more details see link:{installguide_profile_link}[{installguide_profile_name}].
+====
+endif::[]
--- a/topics/templates/document-attributes-community.adoc
+++ b/topics/templates/document-attributes-community.adoc
@ -34,6 +34,8 @@
 :developerguide_link: {project_doc_base_url}/server_development/
 :developerguide_actiontoken_name: Action Token SPI
 :developerguide_actiontoken_link: {developerguide_link}#_action_token_spi
+:developerguide_jsproviders_name: JavaScript Providers
+:developerguide_jsproviders_link: {developerguide_link}#_script_providers
 :gettingstarted_name: Getting Started Guide
 :gettingstarted_link: {project_doc_base_url}/getting_started/
 :upgradingguide_name: Upgrading Guide
--- a/topics/templates/document-attributes-product.adoc
+++ b/topics/templates/document-attributes-product.adoc
@ -53,6 +53,8 @@ endif::[]
 :developerguide_link: {project_doc_base_url}/server_developer_guide/
 :developerguide_actiontoken_name: Action Token SPI
 :developerguide_actiontoken_link: {developerguide_link}#_action_token_spi
+:developerguide_jsproviders_name: JavaScript Providers
+:developerguide_jsproviders_link: {developerguide_link}#_script_providers
 :gettingstarted_name: Getting Started Guide
 :gettingstarted_link: {project_doc_base_url}/getting_started_guide/
 :upgradingguide_name: Upgrading Guide
--- a/upgrading/topics/keycloak/changes.adoc
+++ b/upgrading/topics/keycloak/changes.adoc
@ -18,6 +18,14 @@ Cross-Datacenter Replication changes::
  * You will need to upgrade {jdgserver_name} server to version {jdgserver_version}. The older version may still work, but it is
  not guaranteed as we don't test it anymore.

+==== Deploying Scripts to the Server
+
+Until now, administrators were allowed to upload scripts to the server through the {project_name} Administration Console as well as
+through the RESTful Admin API.
+
+For now on, this capability is *disabled* by default and users should prefer to deploy scripts directly to the server. For more details,
+please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].
+
 === Migrating to 7.0.0

 ==== Upgrade to Wildfly 17