libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Merge remote-tracking branch 'upstream/master'

Browse source
This commit is contained in:
Bill Burke 2014-11-11 21:28:49 -05:00
commit 3b347d5f52
13 changed files with 92 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java
View file

@ -53,8 +53,11 @@ public class LDAPFederationProvider implements UserFederationProvider {
this.model = model;
this.partitionManager = partitionManager;
String editModeString = model.getConfig().get(EDIT_MODE);
if (editModeString == null) editMode = EditMode.READ_ONLY;
editMode = EditMode.valueOf(editModeString);
if (editModeString == null) {
editMode = EditMode.READ_ONLY;
} else {
editMode = EditMode.valueOf(editModeString);
}
}
private ModelException convertIDMException(IdentityManagementException ie) {

14
federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java
View file

@ -16,7 +16,11 @@ import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.model.IdentityType;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.query.AttributeParameter;
import org.picketlink.idm.query.Condition;
import org.picketlink.idm.query.IdentityQuery;
import org.picketlink.idm.query.IdentityQueryBuilder;
import org.picketlink.idm.query.QueryParameter;
import java.util.Collections;
import java.util.Date;
@ -84,13 +88,15 @@ public class LDAPFederationProviderFactory implements UserFederationProviderFact
// Sync newly created users
IdentityManager identityManager = partitionMgr.createIdentityManager();
IdentityQuery<User> userQuery = identityManager.createIdentityQuery(User.class)
.setParameter(IdentityType.CREATED_AFTER, lastSync);
IdentityQueryBuilder queryBuilder = identityManager.getQueryBuilder();
Condition condition = queryBuilder.greaterThanOrEqualTo(IdentityType.CREATED_DATE, lastSync);
IdentityQuery<User> userQuery = queryBuilder.createIdentityQuery(User.class).where(condition);
syncImpl(sessionFactory, userQuery, realmId, model);
// Sync updated users
userQuery = identityManager.createIdentityQuery(User.class)
.setParameter(IdentityType.MODIFIED_AFTER, lastSync);
queryBuilder = identityManager.getQueryBuilder();
condition = queryBuilder.greaterThanOrEqualTo(LDAPUtils.MODIFY_DATE, lastSync);
userQuery = queryBuilder.createIdentityQuery(User.class).where(condition);
syncImpl(sessionFactory, userQuery, realmId, model);
}

4
federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPUtils.java
View file

@ -10,6 +10,8 @@ import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.Attribute;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.query.AttributeParameter;
import org.picketlink.idm.query.QueryParameter;
import java.util.List;
@ -20,6 +22,8 @@ import java.util.List;
*/
public class LDAPUtils {
public static QueryParameter MODIFY_DATE = new AttributeParameter("modifyDate");
public static User addUser(PartitionManager partitionManager, String username, String firstName, String lastName, String email) {
IdentityManager identityManager = getIdentityManager(partitionManager);

2
forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/users.js
View file

@ -529,7 +529,7 @@ module.controller('LDAPCtrl', function($scope, $location, Notifications, Dialog,
];
$scope.usernameLDAPAttributes = [
"uid", "cn", "sAMAccountName"
"uid", "cn", "sAMAccountName", "entryDN"
];
$scope.realm = realm;

2
forms/common-themes/src/main/resources/theme/admin/base/resources/partials/federated-ldap.html
View file

@ -129,7 +129,7 @@
<div class="form-group clearfix">
<label class="col-sm-2 control-label" for="ldapBindCredential">Bind Credential <span class="required">*</span></label>
<div class="col-sm-4">
<input class="form-control" id="ldapBindCredential" type="text" ng-model="instance.config.bindCredential" placeholder="LDAP Bind Credentials" required>
<input class="form-control" id="ldapBindCredential" type="password" ng-model="instance.config.bindCredential" placeholder="LDAP Bind Credentials" required>
</div>
<span tooltip-placement="right" tooltip="Password of LDAP admin" class="fa fa-info-circle"></span>
<div class="col-sm-4" data-ng-show="access.manageRealm">

14
picketlink/keycloak-picketlink-ldap/src/main/java/org/keycloak/picketlink/idm/LDAPKeycloakCredentialHandler.java
View file

@ -37,7 +37,7 @@ public class LDAPKeycloakCredentialHandler extends LDAPPlainTextPasswordCredenti
protected boolean validateCredential(IdentityContext context, CredentialStorage credentialStorage, UsernamePasswordCredentials credentials, LDAPIdentityStore ldapIdentityStore) {
Account account = getAccount(context, credentials.getUsername());
char[] password = credentials.getPassword().getValue();
String userDN = getDNOfUser(ldapIdentityStore, account);
String userDN = (String) account.getAttribute(LDAPIdentityStore.ENTRY_DN_ATTRIBUTE_NAME).getValue();
if (CREDENTIAL_LOGGER.isDebugEnabled()) {
CREDENTIAL_LOGGER.debugf("Using DN [%s] for authentication of user [%s]", userDN, credentials.getUsername());
}
@ -48,16 +48,4 @@ public class LDAPKeycloakCredentialHandler extends LDAPPlainTextPasswordCredenti
return false;
}
protected String getDNOfUser(LDAPIdentityStore ldapIdentityStore, Account user) {
LDAPMappingConfiguration userMappingConfig = ldapIdentityStore.getConfig().getMappingConfig(User.class);
SearchResult sr = ldapIdentityStore.getOperationManager().lookupById(userMappingConfig.getBaseDN(), user.getId(), userMappingConfig);
if (sr != null) {
return sr.getNameInNamespace();
} else {
// Fallback
return ldapIdentityStore.getBindingDN(user, true);
}
}
}

4
pom.xml
View file

@ -20,7 +20,7 @@
<resteasy.version.latest>3.0.9.Final</resteasy.version.latest>
<undertow.version>1.0.15.Final</undertow.version>
<!-- <picketlink.version>2.7.0.CR1-20140924</picketlink.version> -->
<picketlink.version>2.7.0.CR1</picketlink.version>
<picketlink.version>2.7.0.CR2</picketlink.version>
<picketbox.ldap.version>1.0.2.Final</picketbox.ldap.version>
<mongo.driver.version>2.11.3</mongo.driver.version>
<jboss.logging.version>3.1.4.GA</jboss.logging.version>
@ -252,7 +252,7 @@
</dependency>
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-wildlfy-common</artifactId>
<artifactId>picketlink-wildfly-common</artifactId>
<version>${picketlink.version}</version>
</dependency>
<dependency>

12
saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java
View file

@ -38,7 +38,8 @@ public class SALM2LoginResponseBuilder extends SAML2BindingBuilder<SALM2LoginRes
protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
protected List<String> roles = new LinkedList<String>();
protected String userPrincipal;
protected String nameId;
protected String nameIdFormat;
protected boolean multiValuedRoles;
protected boolean disableAuthnStatement;
protected String requestID;
@ -88,8 +89,9 @@ public class SALM2LoginResponseBuilder extends SAML2BindingBuilder<SALM2LoginRes
return this;
}
public SALM2LoginResponseBuilder userPrincipal(String userPrincipal) {
this.userPrincipal = userPrincipal;
public SALM2LoginResponseBuilder nameIdentifier(String nameIdFormat, String nameId) {
this.nameIdFormat = nameIdFormat;
this.nameId = nameId;
return this;
}
@ -129,8 +131,8 @@ public class SALM2LoginResponseBuilder extends SAML2BindingBuilder<SALM2LoginRes
issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
IDPInfoHolder idp = new IDPInfoHolder();
idp.setNameIDFormatValue(userPrincipal);
idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
idp.setNameIDFormatValue(nameId);
idp.setNameIDFormat(nameIdFormat);
SPInfoHolder sp = new SPInfoHolder();
sp.setResponseDestinationURI(destination);

33
saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
View file

@ -54,6 +54,7 @@ public class SamlProtocol implements LoginProtocol {
public static final String SAML_ENCRYPT = "saml.encrypt";
public static final String SAML_FORCE_POST_BINDING = "saml.force.post.binding";
public static final String SAML_REQUEST_ID = "SAML_REQUEST_ID";
public static final String SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();
protected KeycloakSession session;
@ -117,6 +118,23 @@ public class SamlProtocol implements LoginProtocol {
return SamlProtocol.SAML_POST_BINDING.equals(clientSession.getNote(SamlProtocol.SAML_BINDING)) || "true".equals(client.getAttribute(SAML_FORCE_POST_BINDING));
}
protected String getNameIdFormat(ClientSessionModel clientSession) {
String nameIdFormat = clientSession.getNote(GeneralConstants.NAMEID_FORMAT);
if(nameIdFormat == null) return SAML_DEFAULT_NAMEID_FORMAT;
return nameIdFormat;
}
protected String getNameId(String nameIdFormat, ClientSessionModel clientSession, UserSessionModel userSession) {
if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
return userSession.getUser().getEmail();
} else if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
return clientSession.getNote(ClientSessionCode.ACTION_KEY);
} else {
// TODO: Support for persistent NameID (pseudo-random identifier persisted in user object)
return userSession.getUser().getUsername();
}
}
@Override
public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) {
ClientSessionModel clientSession = accessCode.getClientSession();
@ -125,6 +143,8 @@ public class SamlProtocol implements LoginProtocol {
String relayState = clientSession.getNote(GeneralConstants.RELAY_STATE);
String redirectUri = clientSession.getRedirectUri();
String responseIssuer = getResponseIssuer(realm);
String nameIdFormat = getNameIdFormat(clientSession);
String nameId = getNameId(nameIdFormat, clientSession, userSession);
SALM2LoginResponseBuilder builder = new SALM2LoginResponseBuilder();
builder.requestID(requestID)
@ -132,8 +152,7 @@ public class SamlProtocol implements LoginProtocol {
.destination(redirectUri)
.responseIssuer(responseIssuer)
.requestIssuer(clientSession.getClient().getClientId())
.userPrincipal(userSession.getUser().getUsername()) // todo userId instead? There is no username claim it seems
.attribute(X500SAMLProfileConstants.USERID.getFriendlyName(), userSession.getUser().getId())
.nameIdentifier(nameIdFormat, nameId)
.authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get());
initClaims(builder, clientSession.getClient(), userSession.getUser());
if (clientSession.getRoles() != null) {
@ -148,12 +167,12 @@ public class SamlProtocol implements LoginProtocol {
}
if (requiresRealmSignature(client)) {
builder.signatureAlgorithm(getSignatureAlgorithm(client))
.signWith(realm.getPrivateKey(), realm.getPublicKey())
.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
.signDocument();
}
if (requiresAssertionSignature(client)) {
builder.signatureAlgorithm(getSignatureAlgorithm(client))
.signWith(realm.getPrivateKey(), realm.getPublicKey())
.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
.signAssertions();
}
if (!includeAuthnStatement(client)) {
@ -218,9 +237,13 @@ public class SamlProtocol implements LoginProtocol {
builder.attribute(X500SAMLProfileConstants.GIVEN_NAME.getFriendlyName(), user.getFirstName());
builder.attribute(X500SAMLProfileConstants.SURNAME.getFriendlyName(), user.getLastName());
}
if (ClaimMask.hasUsername(model.getAllowedClaimsMask())) {
builder.attribute(X500SAMLProfileConstants.USERID.getFriendlyName(), user.getUsername());
}
}
@Override
public Response consentDenied(ClientSessionModel clientSession) {
return getErrorResponse(clientSession, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
@ -238,7 +261,7 @@ public class SamlProtocol implements LoginProtocol {
.destination(client.getClientId());
if (requiresRealmSignature(client)) {
logoutBuilder.signatureAlgorithm(getSignatureAlgorithm(client))
.signWith(realm.getPrivateKey(), realm.getPublicKey())
.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
.signDocument();
}
/*

26
saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
View file

@ -24,10 +24,12 @@ import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.util.StreamUtil;
import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.common.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.NameIDPolicyType;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
@ -207,6 +209,21 @@ public class SamlService {
clientSession.setNote(GeneralConstants.RELAY_STATE, relayState);
clientSession.setNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID());
// Handle NameIDPolicy from SP
NameIDPolicyType nameIdPolicy = requestAbstractType.getNameIDPolicy();
if(nameIdPolicy != null) {
String nameIdFormat = nameIdPolicy.getFormat().toString();
// TODO: Handle AllowCreate too, relevant for persistent NameID.
if(isSupportedNameIdFormat(nameIdFormat)) {
clientSession.setNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat);
} else {
event.error(Errors.INVALID_TOKEN);
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unsupported NameIDFormat.");
}
} else {
clientSession.setNote(GeneralConstants.NAMEID_FORMAT, JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get());
}
Response response = authManager.checkNonFormAuthentication(session, clientSession, realm, uriInfo, request, clientConnection, headers, event);
if (response != null) return response;
@ -226,6 +243,15 @@ public class SamlService {
return forms.createLogin();
}
private boolean isSupportedNameIdFormat(String nameIdFormat) {
if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()) ||
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()) ||
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())) {
return true;
}
return false;
}
protected abstract String getBindingType();
protected Response logoutRequest(LogoutRequestType requestAbstractType, ClientModel client) {

6
saml/saml-protocol/src/main/resources/idp-metadata-template.xml
View file

@ -5,8 +5,10 @@
<EntityDescriptor entityID="${idp.entityID}">
<IDPSSODescriptor WantAuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="${idp.sso.HTTP-POST}" />
<SingleSignOnService

2
testsuite/integration/pom.xml
View file

@ -215,7 +215,7 @@
</dependency>
<dependency>
<groupId>org.picketlink</groupId>
<artifactId>picketlink-wildlfy-common</artifactId>
<artifactId>picketlink-wildfly-common</artifactId>
<scope>test</scope>
</dependency>
<dependency>

3
testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java
View file

@ -25,8 +25,9 @@ public class LDAPRule extends ExternalResource {
protected void after() {
try {
embeddedServer.tearDown();
embeddedServer = null;
} catch (Exception e) {
throw new RuntimeException("Error starting Embedded LDAP server.", e);
throw new RuntimeException("Error tearDown Embedded LDAP server.", e);
}
}