Merge pull request #728 from mposolda/master

KEYCLOAK-731

core/src/main/java/org/keycloak/representations/adapters/config/AdapterConfig.java

@@ -10,14 +10,14 @@ import org.codehaus.jackson.annotate.JsonPropertyOrder;
  * @version $Revision: 1 $
  */
 @JsonPropertyOrder({"realm", "realm-public-key", "auth-server-url", "ssl-required",
-        "resource", "credentials",
+        "resource", "public-client", "credentials",
         "use-resource-role-mappings",
         "enable-cors", "cors-max-age", "cors-allowed-methods",
         "expose-token", "bearer-only",
         "connection-pool-size",
         "allow-any-hostname", "disable-trust-manager", "truststore", "truststore-password",
         "client-keystore", "client-keystore-password", "client-key-password",
-        "use-hostname-for-local-requests", "local-requests-scheme", "local-requests-port"
+        "auth-server-url-for-backend-requests"
 })
 public class AdapterConfig extends BaseAdapterConfig {
 
@@ -37,12 +37,8 @@ public class AdapterConfig extends BaseAdapterConfig {
     protected String clientKeyPassword;
     @JsonProperty("connection-pool-size")
     protected int connectionPoolSize = 20;
-    @JsonProperty("use-hostname-for-local-requests")
-    protected boolean useHostnameForLocalRequests;
-    @JsonProperty("local-requests-scheme")
-    protected String localRequestsScheme = "http";
-    @JsonProperty("local-requests-port")
-    protected int localRequestsPort = 8080;
+    @JsonProperty("auth-server-url-for-backend-requests")
+    protected String authServerUrlForBackendRequests;
 
     public boolean isAllowAnyHostname() {
         return allowAnyHostname;
@@ -108,27 +104,11 @@ public class AdapterConfig extends BaseAdapterConfig {
         this.connectionPoolSize = connectionPoolSize;
     }
 
-    public boolean isUseHostnameForLocalRequests() {
-        return useHostnameForLocalRequests;
+    public String getAuthServerUrlForBackendRequests() {
+        return authServerUrlForBackendRequests;
     }
 
-    public void setUseHostnameForLocalRequests(boolean useHostnameForLocalRequests) {
-        this.useHostnameForLocalRequests = useHostnameForLocalRequests;
-    }
-
-    public String getLocalRequestsScheme() {
-        return localRequestsScheme;
-    }
-
-    public void setLocalRequestsScheme(String localRequestsScheme) {
-        this.localRequestsScheme = localRequestsScheme;
-    }
-
-    public int getLocalRequestsPort() {
-        return localRequestsPort;
-    }
-
-    public void setLocalRequestsPort(int localRequestsPort) {
-        this.localRequestsPort = localRequestsPort;
+    public void setAuthServerUrlForBackendRequests(String authServerUrlForBackendRequests) {
+        this.authServerUrlForBackendRequests = authServerUrlForBackendRequests;
     }
 }

core/src/main/java/org/keycloak/util/JsonSerialization.java

@@ -17,6 +17,7 @@ import java.io.OutputStream;
 public class JsonSerialization {
     public static final ObjectMapper mapper = new ObjectMapper();
     public static final ObjectMapper prettyMapper = new ObjectMapper();
+    public static final ObjectMapper sysPropertiesAwareMapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
 
     static {
         mapper.setSerializationInclusion(JsonSerialize.Inclusion.NON_NULL);
@@ -49,6 +50,10 @@ public class JsonSerialization {
         return mapper.readValue(bytes, type);
     }
 
+    public static <T> T readValueAndReplaceSysProperties(InputStream bytes, Class<T> type) throws IOException {
+        return sysPropertiesAwareMapper.readValue(bytes, type);
+    }
+
 
 
 }

core/src/main/java/org/keycloak/util/SystemPropertiesJsonParserFactory.java

@@ -0,0 +1,51 @@
+package org.keycloak.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+
+import org.codehaus.jackson.JsonParser;
+import org.codehaus.jackson.io.IOContext;
+import org.codehaus.jackson.map.MappingJsonFactory;
+import org.codehaus.jackson.util.JsonParserDelegate;
+
+/**
+ * Provides replacing of system properties for parsed values
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class SystemPropertiesJsonParserFactory extends MappingJsonFactory {
+
+    @Override
+    protected JsonParser _createJsonParser(byte[] data, int offset, int len, IOContext ctxt) throws IOException {
+        JsonParser delegate = super._createJsonParser(data, offset, len, ctxt);
+        return new SystemPropertiesAwareJsonParser(delegate);
+    }
+
+    @Override
+    protected JsonParser _createJsonParser(Reader r, IOContext ctxt) throws IOException {
+        JsonParser delegate = super._createJsonParser(r, ctxt);
+        return new SystemPropertiesAwareJsonParser(delegate);
+    }
+
+    @Override
+    protected JsonParser _createJsonParser(InputStream in, IOContext ctxt) throws IOException {
+        JsonParser delegate = super._createJsonParser(in, ctxt);
+        return new SystemPropertiesAwareJsonParser(delegate);
+    }
+
+
+
+    public static class SystemPropertiesAwareJsonParser extends JsonParserDelegate {
+
+        public SystemPropertiesAwareJsonParser(JsonParser d) {
+            super(d);
+        }
+
+        @Override
+        public String getText() throws IOException {
+            String orig = super.getText();
+            return StringPropertyReplacer.replaceProperties(orig);
+        }
+    }
+}

core/src/test/java/org/keycloak/JsonParserTest.java

@@ -0,0 +1,33 @@
+package org.keycloak;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.keycloak.representations.adapters.config.AdapterConfig;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class JsonParserTest {
+
+    @Test
+    public void testParsingSystemProps() throws IOException {
+        System.setProperty("my.host", "foo");
+        System.setProperty("con.pool.size", "200");
+        System.setProperty("allow.any.hostname", "true");
+
+        InputStream is = getClass().getClassLoader().getResourceAsStream("keycloak.json");
+
+        AdapterConfig config = JsonSerialization.readValueAndReplaceSysProperties(is, AdapterConfig.class);
+        Assert.assertEquals("http://foo:8080/auth", config.getAuthServerUrl());
+        Assert.assertEquals("external", config.getSslRequired());
+        Assert.assertEquals("angular-product${non.existing}", config.getResource());
+        Assert.assertTrue(config.isPublicClient());
+        Assert.assertTrue(config.isAllowAnyHostname());
+        Assert.assertEquals(100, config.getCorsMaxAge());
+        Assert.assertEquals(200, config.getConnectionPoolSize());
+    }
+}

core/src/test/resources/keycloak.json

@@ -0,0 +1,9 @@
+{
+  "auth-server-url" : "http://${my.host}:8080/auth",
+  "ssl-required" : "external",
+  "resource" : "angular-product${non.existing}",
+  "public-client" : true,
+  "allow-any-hostname": "${allow.any.hostname}",
+  "cors-max-age": 100,
+  "connection-pool-size": "${con.pool.size}"
+}

examples/demo-template/customer-app/src/main/webapp/WEB-INF/keycloak.json

@@ -7,6 +7,5 @@
     "expose-token": true,
     "credentials": {
         "secret": "password"
-    },
-    "use-hostname-for-local-requests": false
+    }
 }

examples/demo-template/product-app/src/main/webapp/WEB-INF/keycloak.json

@@ -6,6 +6,5 @@
   "ssl-required" : "external",
   "credentials" : {
       "secret": "password"
-  },
-  "use-hostname-for-local-requests": false
+  }
 }

examples/demo-template/third-party-cdi/src/main/webapp/WEB-INF/keycloak.json

@@ -5,6 +5,5 @@
   "ssl-required" : "external",
    "credentials" : {
        "secret": "password"
-   },
-   "use-hostname-for-local-requests": false
+   }
 }

examples/demo-template/third-party/src/main/webapp/WEB-INF/keycloak.json

@@ -5,6 +5,5 @@
   "ssl-required" : "external",
    "credentials" : {
        "secret": "password"
-   },
-   "use-hostname-for-local-requests": false
+   }
 }

integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java

@@ -7,7 +7,6 @@ import org.keycloak.enums.RelativeUrlsUsed;
 import org.keycloak.enums.SslRequired;
 import org.keycloak.representations.adapters.config.AdapterConfig;
 import org.keycloak.util.KeycloakUriBuilder;
-import org.keycloak.util.UriUtils;
 
 import java.net.URI;
 import java.security.PublicKey;
@@ -87,15 +86,18 @@ public class KeycloakDeployment {
 
         URI uri = URI.create(authServerBaseUrl);
         if (uri.getHost() == null) {
-            if (config.isUseHostnameForLocalRequests()) {
+            String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
+            if (authServerURLForBackendReqs != null) {
                 relativeUrls = RelativeUrlsUsed.BROWSER_ONLY;
 
-                KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl);
-                serverBuilder.host(UriUtils.getHostName()).port(config.getLocalRequestsPort()).scheme(config.getLocalRequestsScheme());
+                KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerURLForBackendReqs);
+                if (serverBuilder.getHost() == null || serverBuilder.getScheme() == null) {
+                    throw new IllegalStateException("Relative URL not supported for auth-server-url-for-backend-requests option. URL used: "
+                            + authServerURLForBackendReqs + ", Client: " + config.getResource());
+                }
                 resolveNonBrowserUrls(serverBuilder);
             } else {
                 relativeUrls = RelativeUrlsUsed.ALL_REQUESTS;
-                return;
             }
         } else {
             // We have absolute URI in config

integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java

@@ -6,6 +6,7 @@ import org.jboss.logging.Logger;
 import org.keycloak.enums.SslRequired;
 import org.keycloak.representations.adapters.config.AdapterConfig;
 import org.keycloak.util.PemUtils;
+import org.keycloak.util.SystemPropertiesJsonParserFactory;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -79,7 +80,7 @@ public class KeycloakDeploymentBuilder {
     }
 
     public static KeycloakDeployment build(InputStream is) {
-        ObjectMapper mapper = new ObjectMapper();
+        ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
         mapper.setSerializationInclusion(JsonSerialize.Inclusion.NON_DEFAULT);
         AdapterConfig adapterConfig = null;
         try {

integration/servlet-oauth-client/src/main/java/org/keycloak/servlet/ServletOAuthClientBuilder.java

@@ -25,7 +25,7 @@ public class ServletOAuthClientBuilder {
 
     public static AdapterConfig getAdapterConfig(InputStream is) {
         try {
-            return JsonSerialization.readValue(is, AdapterConfig.class);
+            return JsonSerialization.readValueAndReplaceSysProperties(is, AdapterConfig.class);
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
@@ -57,13 +57,17 @@ public class ServletOAuthClientBuilder {
 
         String authUrl = serverBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGIN_PATH).build(adapterConfig.getRealm()).toString();
 
-        KeycloakUriBuilder tokenUrlBuilder = serverBuilder.clone();
-        KeycloakUriBuilder refreshUrlBuilder = serverBuilder.clone();
+        KeycloakUriBuilder tokenUrlBuilder;
+        KeycloakUriBuilder refreshUrlBuilder;
 
         if (useRelative == RelativeUrlsUsed.BROWSER_ONLY) {
             // Use absolute URI for refreshToken and codeToToken requests
-            tokenUrlBuilder.scheme(adapterConfig.getLocalRequestsScheme()).host(UriUtils.getHostName()).port(adapterConfig.getLocalRequestsPort());
-            refreshUrlBuilder.scheme(adapterConfig.getLocalRequestsScheme()).host(UriUtils.getHostName()).port(adapterConfig.getLocalRequestsPort());
+            KeycloakUriBuilder nonBrowsersServerBuilder = KeycloakUriBuilder.fromUri(adapterConfig.getAuthServerUrlForBackendRequests());
+            tokenUrlBuilder = nonBrowsersServerBuilder.clone();
+            refreshUrlBuilder = nonBrowsersServerBuilder.clone();
+        } else {
+            tokenUrlBuilder = serverBuilder.clone();
+            refreshUrlBuilder = serverBuilder.clone();
         }
         String tokenUrl = tokenUrlBuilder.path(ServiceUrlConstants.TOKEN_SERVICE_ACCESS_CODE_PATH).build(adapterConfig.getRealm()).toString();
         String refreshUrl = refreshUrlBuilder.path(ServiceUrlConstants.TOKEN_SERVICE_REFRESH_PATH).build(adapterConfig.getRealm()).toString();
@@ -74,7 +78,7 @@ public class ServletOAuthClientBuilder {
 
     private static RelativeUrlsUsed relativeUrls(KeycloakUriBuilder serverBuilder, AdapterConfig adapterConfig) {
         if (serverBuilder.clone().getHost() == null) {
-            return (adapterConfig.isUseHostnameForLocalRequests()) ? RelativeUrlsUsed.BROWSER_ONLY : RelativeUrlsUsed.ALL_REQUESTS;
+            return (adapterConfig.getAuthServerUrlForBackendRequests() != null) ? RelativeUrlsUsed.BROWSER_ONLY : RelativeUrlsUsed.ALL_REQUESTS;
         } else {
             return RelativeUrlsUsed.NEVER;
         }

integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowUserSessionManagement.java

@@ -151,6 +151,7 @@ public class UndertowUserSessionManagement implements SessionListener {
     public void sessionDestroyed(Session session, HttpServerExchange exchange, SessionDestroyedReason reason) {
         // Look up the single session id associated with this session (if any)
         String username = getUsernameFromSession(session);
+        log.debugf("Session destroyed for user: %s, sessionId: %s", username, session.getId());
         if (username == null) return;
         String sessionId = session.getId();
         UserSessions userSessions = userSessionMap.get(username);

services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java

@@ -23,6 +23,7 @@ import org.keycloak.representations.adapters.action.UserStats;
 import org.keycloak.representations.adapters.action.UserStatsAction;
 import org.keycloak.services.util.HttpClientBuilder;
 import org.keycloak.services.util.ResolveRelative;
+import org.keycloak.util.StringPropertyReplacer;
 import org.keycloak.util.Time;
 
 import javax.ws.rs.core.MediaType;
@@ -108,8 +109,10 @@ public class ResourceAdminManager {
         }
 
         // this is to support relative admin urls when keycloak and applications are deployed on the same machine
-        return ResolveRelative.resolveRelativeUri(requestUri, mgmtUrl);
+        String absoluteURI = ResolveRelative.resolveRelativeUri(requestUri, mgmtUrl);
 
+        // this is for resolving URI like "http://${jboss.home.name}:8080/..." in order to send request to same machine and avoid LB in cluster env
+        return StringPropertyReplacer.replaceProperties(absoluteURI);
     }
 
     public UserStats getUserStats(URI requestUri, RealmModel realm, ApplicationModel application, UserModel user) {

testsuite/docker-cluster/wildfly/deploy-examples.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Deploy and configure all examples
+## Deploy and configure all examples
 
 # Deploy examples
 cd /keycloak-docker-cluster/examples
@@ -25,10 +25,13 @@ sed -i -e 's/false/true/' admin-access.war/WEB-INF/web.xml
 
 # Configure other examples
 for I in *.war/WEB-INF/keycloak.json; do
-  sed -i -e 's/\"use-hostname-for-local-requests\": false/\"use-hostname-for-local-requests\": true/' $I;
+  sed -i -e 's/\"\/auth\",/&\n    \"auth-server-url-for-backend-requests\": \"http:\/\/\$\{jboss.host.name\}:8080\/auth\",/' $I;
 done;
 
 # Enable distributable for customer-portal
 sed -i -e 's/<\/module-name>/&\n    <distributable \/>/' customer-portal.war/WEB-INF/web.xml
 
+# Configure testrealm.json - Enable adminUrl to access adapters on local machine
+sed -i -e 's/\"adminUrl\": \"/&http:\/\/\$\{jboss.host.name\}:8080/' /keycloak-docker-cluster/examples/testrealm.json
+