KEYCLOAK-4995 Support for distributed SAML logout in cross DC
This commit is contained in:
parent
3f8083e34c
commit
794c508b10
28 changed files with 1324 additions and 189 deletions
|
@ -78,6 +78,18 @@
|
|||
<version>7.1.2.Final</version>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.infinispan</groupId>
|
||||
<artifactId>infinispan-core</artifactId>
|
||||
<scope>provided</scope>
|
||||
<version>5.2.20.Final</version> <!-- override version to match EAP's -->
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.infinispan</groupId>
|
||||
<artifactId>infinispan-cachestore-remote</artifactId>
|
||||
<scope>provided</scope>
|
||||
<version>5.2.20.Final</version> <!-- override version to match EAP's -->
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-saml-tomcat-adapter-core</artifactId>
|
||||
|
|
|
@ -16,9 +16,11 @@
|
|||
*/
|
||||
package org.keycloak.adapters.saml.jbossweb.infinispan;
|
||||
|
||||
import org.keycloak.adapters.saml.AdapterConstants;
|
||||
import org.keycloak.adapters.spi.SessionIdMapper;
|
||||
import org.keycloak.adapters.spi.SessionIdMapperUpdater;
|
||||
|
||||
import java.util.List;
|
||||
import javax.naming.InitialContext;
|
||||
import javax.naming.NamingException;
|
||||
import javax.servlet.ServletContext;
|
||||
|
@ -26,6 +28,8 @@ import org.apache.catalina.Context;
|
|||
import org.infinispan.Cache;
|
||||
import org.infinispan.configuration.cache.CacheMode;
|
||||
import org.infinispan.configuration.cache.Configuration;
|
||||
import org.infinispan.loaders.CacheLoaderManager;
|
||||
import org.infinispan.loaders.remote.RemoteCacheStore;
|
||||
import org.infinispan.manager.EmbeddedCacheManager;
|
||||
import org.jboss.logging.Logger;
|
||||
|
||||
|
@ -37,24 +41,12 @@ public class InfinispanSessionCacheIdMapperUpdater {
|
|||
|
||||
private static final Logger LOG = Logger.getLogger(InfinispanSessionCacheIdMapperUpdater.class);
|
||||
|
||||
public static final String DEFAULT_CACHE_CONTAINER_JNDI_NAME = "java:jboss/infinispan/container/web";
|
||||
|
||||
private static final String DEPLOYMENT_CACHE_CONTAINER_JNDI_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.cacheContainerJndi";
|
||||
private static final String DEPLOYMENT_CACHE_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.deploymentCacheName";
|
||||
private static final String SSO_CACHE_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.cacheName";
|
||||
public static final String DEFAULT_CACHE_CONTAINER_JNDI_NAME = "java:jboss/infinispan/container";
|
||||
|
||||
public static SessionIdMapperUpdater addTokenStoreUpdaters(Context context, SessionIdMapper mapper, SessionIdMapperUpdater previousIdMapperUpdater) {
|
||||
boolean distributable = context.getDistributable();
|
||||
|
||||
if (! distributable) {
|
||||
LOG.warnv("Deployment {0} does not use supported distributed session cache mechanism", context.getName());
|
||||
return previousIdMapperUpdater;
|
||||
}
|
||||
|
||||
ServletContext servletContext = context.getServletContext();
|
||||
String cacheContainerLookup = (servletContext != null && servletContext.getInitParameter(DEPLOYMENT_CACHE_CONTAINER_JNDI_NAME_PARAM_NAME) != null)
|
||||
? servletContext.getInitParameter(DEPLOYMENT_CACHE_CONTAINER_JNDI_NAME_PARAM_NAME)
|
||||
: DEFAULT_CACHE_CONTAINER_JNDI_NAME;
|
||||
String containerName = servletContext == null ? null : servletContext.getInitParameter(AdapterConstants.REPLICATION_CONFIG_CONTAINER_PARAM_NAME);
|
||||
String cacheName = servletContext == null ? null : servletContext.getInitParameter(AdapterConstants.REPLICATION_CONFIG_SSO_CACHE_PARAM_NAME);
|
||||
|
||||
// the following is based on https://github.com/jbossas/jboss-as/blob/7.2.0.Final/clustering/web-infinispan/src/main/java/org/jboss/as/clustering/web/infinispan/DistributedCacheManagerFactory.java#L116-L122
|
||||
String host = context.getParent() == null ? "" : context.getParent().getName();
|
||||
|
@ -62,43 +54,48 @@ public class InfinispanSessionCacheIdMapperUpdater {
|
|||
if ("/".equals(contextPath)) {
|
||||
contextPath = "/ROOT";
|
||||
}
|
||||
String deploymentSessionCacheName = host + contextPath;
|
||||
|
||||
boolean deploymentSessionCacheNamePreset = servletContext != null && servletContext.getInitParameter(DEPLOYMENT_CACHE_NAME_PARAM_NAME) != null;
|
||||
String deploymentSessionCacheName = deploymentSessionCacheNamePreset
|
||||
? servletContext.getInitParameter(DEPLOYMENT_CACHE_NAME_PARAM_NAME)
|
||||
: host + contextPath;
|
||||
boolean ssoCacheNamePreset = servletContext != null && servletContext.getInitParameter(SSO_CACHE_NAME_PARAM_NAME) != null;
|
||||
String ssoCacheName = ssoCacheNamePreset
|
||||
? servletContext.getInitParameter(SSO_CACHE_NAME_PARAM_NAME)
|
||||
: deploymentSessionCacheName + ".ssoCache";
|
||||
if (containerName == null || cacheName == null || deploymentSessionCacheName == null) {
|
||||
LOG.warnv("Cannot determine parameters of SSO cache for deployment {0}.", host + contextPath);
|
||||
|
||||
return previousIdMapperUpdater;
|
||||
}
|
||||
|
||||
String cacheContainerLookup = DEFAULT_CACHE_CONTAINER_JNDI_NAME + "/" + containerName;
|
||||
|
||||
try {
|
||||
EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) new InitialContext().lookup(cacheContainerLookup);
|
||||
|
||||
Configuration ssoCacheConfiguration = cacheManager.getCacheConfiguration(ssoCacheName);
|
||||
Configuration ssoCacheConfiguration = cacheManager.getCacheConfiguration(cacheName);
|
||||
if (ssoCacheConfiguration == null) {
|
||||
Configuration cacheConfiguration = cacheManager.getCacheConfiguration(deploymentSessionCacheName);
|
||||
if (cacheConfiguration == null) {
|
||||
LOG.debugv("Using default cache container configuration for SSO cache. lookup={0}, looked up configuration of cache={1}", cacheContainerLookup, deploymentSessionCacheName);
|
||||
LOG.debugv("Using default configuration for SSO cache {0}.{1}.", containerName, cacheName);
|
||||
ssoCacheConfiguration = cacheManager.getDefaultCacheConfiguration();
|
||||
} else {
|
||||
LOG.debugv("Using distributed HTTP session cache configuration for SSO cache. lookup={0}, configuration taken from cache={1}", cacheContainerLookup, deploymentSessionCacheName);
|
||||
LOG.debugv("Using distributed HTTP session cache configuration for SSO cache {0}.{1}, configuration taken from cache {2}",
|
||||
containerName, cacheName, deploymentSessionCacheName);
|
||||
ssoCacheConfiguration = cacheConfiguration;
|
||||
cacheManager.defineConfiguration(ssoCacheName, ssoCacheConfiguration);
|
||||
cacheManager.defineConfiguration(cacheName, ssoCacheConfiguration);
|
||||
}
|
||||
} else {
|
||||
LOG.debugv("Using custom configuration for SSO cache. lookup={0}, cache name={1}", cacheContainerLookup, ssoCacheName);
|
||||
LOG.debugv("Using custom configuration of SSO cache {0}.{1}.", containerName, cacheName);
|
||||
}
|
||||
|
||||
CacheMode ssoCacheMode = ssoCacheConfiguration.clustering().cacheMode();
|
||||
if (ssoCacheMode != CacheMode.REPL_ASYNC && ssoCacheMode != CacheMode.REPL_SYNC) {
|
||||
LOG.warnv("SSO cache mode is {0}, it is recommended to use replicated mode instead", ssoCacheConfiguration.clustering().cacheModeString());
|
||||
LOG.warnv("SSO cache mode is {0}, it is recommended to use replicated mode instead.", ssoCacheConfiguration.clustering().cacheModeString());
|
||||
}
|
||||
|
||||
Cache<String, String[]> ssoCache = cacheManager.getCache(ssoCacheName, true);
|
||||
ssoCache.addListener(new SsoSessionCacheListener(mapper));
|
||||
Cache<String, String[]> ssoCache = cacheManager.getCache(cacheName, true);
|
||||
final SsoSessionCacheListener listener = new SsoSessionCacheListener(ssoCache, mapper);
|
||||
ssoCache.addListener(listener);
|
||||
|
||||
LOG.debugv("Added distributed SSO session cache, lookup={0}, cache name={1}", cacheContainerLookup, deploymentSessionCacheName);
|
||||
// Not possible to add listener for cross-DC support because of too old Infinispan in AS 7
|
||||
warnIfRemoteStoreIsUsed(ssoCache);
|
||||
|
||||
LOG.debugv("Added distributed SSO session cache, lookup={0}, cache name={1}", cacheContainerLookup, cacheName);
|
||||
|
||||
SsoCacheSessionIdMapperUpdater updater = new SsoCacheSessionIdMapperUpdater(ssoCache, previousIdMapperUpdater);
|
||||
|
||||
|
@ -108,4 +105,17 @@ public class InfinispanSessionCacheIdMapperUpdater {
|
|||
return previousIdMapperUpdater;
|
||||
}
|
||||
}
|
||||
|
||||
private static void warnIfRemoteStoreIsUsed(Cache<String, String[]> ssoCache) {
|
||||
final List<RemoteCacheStore> stores = getRemoteStores(ssoCache);
|
||||
if (stores == null || stores.isEmpty()) {
|
||||
return;
|
||||
}
|
||||
|
||||
LOG.warnv("Unable to listen for events on remote stores configured for cache {0} (unsupported in this Infinispan limitations), logouts will not be propagated.", ssoCache.getName());
|
||||
}
|
||||
|
||||
public static List<RemoteCacheStore> getRemoteStores(Cache ssoCache) {
|
||||
return ssoCache.getAdvancedCache().getComponentRegistry().getComponent(CacheLoaderManager.class).getCacheLoaders(RemoteCacheStore.class);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.keycloak.adapters.spi.SessionIdMapper;
|
|||
|
||||
import java.util.*;
|
||||
import java.util.concurrent.*;
|
||||
import org.infinispan.Cache;
|
||||
import org.infinispan.notifications.Listener;
|
||||
import org.infinispan.notifications.cachelistener.annotation.*;
|
||||
import org.infinispan.notifications.cachelistener.event.*;
|
||||
|
@ -43,9 +44,12 @@ public class SsoSessionCacheListener {
|
|||
|
||||
private final SessionIdMapper idMapper;
|
||||
|
||||
private final Cache<String, String[]> ssoCache;
|
||||
|
||||
private ExecutorService executor = Executors.newSingleThreadExecutor();
|
||||
|
||||
public SsoSessionCacheListener(SessionIdMapper idMapper) {
|
||||
public SsoSessionCacheListener(Cache<String, String[]> ssoCache, SessionIdMapper idMapper) {
|
||||
this.ssoCache = ssoCache;
|
||||
this.idMapper = idMapper;
|
||||
}
|
||||
|
||||
|
@ -68,8 +72,10 @@ public class SsoSessionCacheListener {
|
|||
@CacheEntryRemoved
|
||||
@CacheEntryModified
|
||||
public void addEvent(TransactionalEvent event) {
|
||||
if (event.isPre() == false) {
|
||||
if (event.getGlobalTransaction() != null) {
|
||||
map.get(event.getGlobalTransaction()).add(event);
|
||||
} else {
|
||||
processEvent(event);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -87,6 +93,11 @@ public class SsoSessionCacheListener {
|
|||
}
|
||||
|
||||
for (final Event e : events) {
|
||||
processEvent(e);
|
||||
}
|
||||
}
|
||||
|
||||
private void processEvent(final Event e) {
|
||||
switch (e.getType()) {
|
||||
case CACHE_ENTRY_CREATED:
|
||||
this.executor.submit(new Runnable() {
|
||||
|
@ -113,14 +124,22 @@ public class SsoSessionCacheListener {
|
|||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void cacheEntryCreated(CacheEntryCreatedEvent event) {
|
||||
if (! (event.getKey() instanceof String) || ! (event.getValue() instanceof String[])) {
|
||||
if (! (event.getKey() instanceof String)) {
|
||||
return;
|
||||
}
|
||||
|
||||
String httpSessionId = (String) event.getKey();
|
||||
String[] value = (String[]) event.getValue();
|
||||
|
||||
if (idMapper.hasSession(httpSessionId)) {
|
||||
// Ignore local events generated by remote store
|
||||
LOG.tracev("IGNORING cacheEntryCreated {0}", httpSessionId);
|
||||
return;
|
||||
}
|
||||
|
||||
String[] value = ssoCache.get((String) httpSessionId);
|
||||
|
||||
String ssoId = value[0];
|
||||
String principal = value[1];
|
||||
|
||||
|
|
|
@ -0,0 +1,157 @@
|
|||
/*
|
||||
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.subsystem.saml.as7;
|
||||
|
||||
import org.keycloak.adapters.saml.AdapterConstants;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import org.jboss.as.server.deployment.DeploymentPhaseContext;
|
||||
import org.jboss.as.server.deployment.DeploymentUnit;
|
||||
import org.jboss.as.server.deployment.DeploymentUnitProcessingException;
|
||||
import org.jboss.as.server.deployment.DeploymentUnitProcessor;
|
||||
import org.jboss.as.web.deployment.WarMetaData;
|
||||
import org.jboss.logging.Logger;
|
||||
import org.jboss.metadata.javaee.spec.ParamValueMetaData;
|
||||
import org.jboss.metadata.web.jboss.JBossWebMetaData;
|
||||
import org.jboss.metadata.web.spec.LoginConfigMetaData;
|
||||
import org.jboss.msc.service.ServiceName;
|
||||
import org.jboss.msc.service.ServiceTarget;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author hmlnarik
|
||||
*/
|
||||
public class KeycloakClusteredSsoDeploymentProcessor implements DeploymentUnitProcessor {
|
||||
|
||||
private static final Logger LOG = Logger.getLogger(KeycloakClusteredSsoDeploymentProcessor.class);
|
||||
|
||||
private static final String DEFAULT_CACHE_CONTAINER = "web";
|
||||
private static final String SSO_CACHE_CONTAINER_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.containerName";
|
||||
private static final String SSO_CACHE_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.cacheName";
|
||||
|
||||
@Override
|
||||
public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException {
|
||||
final DeploymentUnit deploymentUnit = phaseContext.getDeploymentUnit();
|
||||
|
||||
if (isKeycloakSamlAuthMethod(deploymentUnit) && isDistributable(deploymentUnit)) {
|
||||
addSamlReplicationConfiguration(deploymentUnit, phaseContext);
|
||||
}
|
||||
}
|
||||
|
||||
public static boolean isDistributable(final DeploymentUnit deploymentUnit) {
|
||||
WarMetaData warMetaData = deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
|
||||
if (warMetaData == null) {
|
||||
return false;
|
||||
}
|
||||
JBossWebMetaData webMetaData = warMetaData.getMergedJBossWebMetaData();
|
||||
if (webMetaData == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return webMetaData.getDistributable() != null || webMetaData.getReplicationConfig() != null;
|
||||
}
|
||||
|
||||
public static boolean isKeycloakSamlAuthMethod(final DeploymentUnit deploymentUnit) {
|
||||
WarMetaData warMetaData = deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
|
||||
if (warMetaData == null) {
|
||||
return false;
|
||||
}
|
||||
JBossWebMetaData webMetaData = warMetaData.getMergedJBossWebMetaData();
|
||||
if (webMetaData == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (Configuration.INSTANCE.isSecureDeployment(deploymentUnit)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
LoginConfigMetaData loginConfig = webMetaData.getLoginConfig();
|
||||
|
||||
return loginConfig != null && Objects.equals(loginConfig.getAuthMethod(), "KEYCLOAK-SAML");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void undeploy(DeploymentUnit du) {
|
||||
|
||||
}
|
||||
|
||||
private void addSamlReplicationConfiguration(DeploymentUnit deploymentUnit, DeploymentPhaseContext context) {
|
||||
WarMetaData warMetaData = deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
|
||||
if (warMetaData == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
JBossWebMetaData webMetaData = warMetaData.getMergedJBossWebMetaData();
|
||||
if (webMetaData == null) {
|
||||
webMetaData = new JBossWebMetaData();
|
||||
warMetaData.setMergedJBossWebMetaData(webMetaData);
|
||||
}
|
||||
|
||||
// Find out default names of cache container and cache
|
||||
String cacheContainer = DEFAULT_CACHE_CONTAINER;
|
||||
String deploymentSessionCacheName =
|
||||
(deploymentUnit.getParent() == null
|
||||
? ""
|
||||
: deploymentUnit.getParent().getName() + ".")
|
||||
+ deploymentUnit.getName();
|
||||
|
||||
// Update names from jboss-web.xml's <replicationConfig>
|
||||
if (webMetaData.getReplicationConfig() != null && webMetaData.getReplicationConfig().getCacheName() != null) {
|
||||
ServiceName sn = ServiceName.parse(webMetaData.getReplicationConfig().getCacheName());
|
||||
cacheContainer = sn.getParent().getSimpleName();
|
||||
deploymentSessionCacheName = sn.getSimpleName();
|
||||
}
|
||||
String ssoCacheName = deploymentSessionCacheName + ".ssoCache";
|
||||
|
||||
// Override if they were set in the context parameters
|
||||
List<ParamValueMetaData> contextParams = webMetaData.getContextParams();
|
||||
if (contextParams == null) {
|
||||
contextParams = new ArrayList<>();
|
||||
}
|
||||
for (ParamValueMetaData contextParam : contextParams) {
|
||||
if (Objects.equals(contextParam.getParamName(), SSO_CACHE_CONTAINER_NAME_PARAM_NAME)) {
|
||||
cacheContainer = contextParam.getParamValue();
|
||||
} else if (Objects.equals(contextParam.getParamName(), SSO_CACHE_NAME_PARAM_NAME)) {
|
||||
ssoCacheName = contextParam.getParamValue();
|
||||
}
|
||||
}
|
||||
|
||||
LOG.debugv("Determined SSO cache container configuration: container: {0}, cache: {1}", cacheContainer, ssoCacheName);
|
||||
// addCacheDependency(context, deploymentUnit, cacheContainer, cacheName);
|
||||
|
||||
// Set context parameters for SSO cache container/name
|
||||
ParamValueMetaData paramContainer = new ParamValueMetaData();
|
||||
paramContainer.setParamName(AdapterConstants.REPLICATION_CONFIG_CONTAINER_PARAM_NAME);
|
||||
paramContainer.setParamValue(cacheContainer);
|
||||
contextParams.add(paramContainer);
|
||||
|
||||
ParamValueMetaData paramSsoCache = new ParamValueMetaData();
|
||||
paramSsoCache.setParamName(AdapterConstants.REPLICATION_CONFIG_SSO_CACHE_PARAM_NAME);
|
||||
paramSsoCache.setParamValue(ssoCacheName);
|
||||
contextParams.add(paramSsoCache);
|
||||
|
||||
webMetaData.setContextParams(contextParams);
|
||||
}
|
||||
|
||||
private void addCacheDependency(DeploymentPhaseContext context, DeploymentUnit deploymentUnit, String cacheContainer, String cacheName) {
|
||||
ServiceName jbossAsCacheContainerService = ServiceName.of("jboss", "infinispan", cacheContainer);
|
||||
ServiceTarget st = context.getServiceTarget();
|
||||
st.addDependency(jbossAsCacheContainerService.append(cacheName));
|
||||
}
|
||||
|
||||
}
|
|
@ -48,6 +48,10 @@ class KeycloakSubsystemAdd extends AbstractBoottimeAddStepHandler {
|
|||
Phase.POST_MODULE, // PHASE
|
||||
Phase.POST_MODULE_VALIDATOR_FACTORY - 1, // PRIORITY
|
||||
chooseConfigDeploymentProcessor());
|
||||
processorTarget.addDeploymentProcessor(KeycloakSamlExtension.SUBSYSTEM_NAME,
|
||||
Phase.POST_MODULE, // PHASE
|
||||
Phase.POST_MODULE_VALIDATOR_FACTORY - 1, // PRIORITY
|
||||
chooseClusteredSsoDeploymentProcessor());
|
||||
}
|
||||
}, OperationContext.Stage.RUNTIME);
|
||||
}
|
||||
|
@ -60,6 +64,10 @@ class KeycloakSubsystemAdd extends AbstractBoottimeAddStepHandler {
|
|||
return new KeycloakAdapterConfigDeploymentProcessor();
|
||||
}
|
||||
|
||||
private DeploymentUnitProcessor chooseClusteredSsoDeploymentProcessor() {
|
||||
return new KeycloakClusteredSsoDeploymentProcessor();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void populateModel(ModelNode operation, ModelNode model) throws OperationFailedException {
|
||||
}
|
||||
|
|
|
@ -23,4 +23,6 @@ package org.keycloak.adapters.saml;
|
|||
*/
|
||||
public class AdapterConstants {
|
||||
public static final String AUTH_DATA_PARAM_NAME="org.keycloak.saml.xml.adapterConfig";
|
||||
public static final String REPLICATION_CONFIG_CONTAINER_PARAM_NAME = "org.keycloak.saml.replication.container";
|
||||
public static final String REPLICATION_CONFIG_SSO_CACHE_PARAM_NAME = "org.keycloak.saml.replication.cache.sso";
|
||||
}
|
||||
|
|
|
@ -152,12 +152,19 @@ public class ServletSamlSessionStore implements SamlSessionStore {
|
|||
public boolean isLoggedIn() {
|
||||
HttpSession session = getSession(false);
|
||||
if (session == null) {
|
||||
log.debug("session was null, returning null");
|
||||
log.debug("Session was not found");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! idMapper.hasSession(session.getId())) {
|
||||
log.debugf("Session %s has expired on some other node", session.getId());
|
||||
session.removeAttribute(SamlSession.class.getName());
|
||||
return false;
|
||||
}
|
||||
|
||||
final SamlSession samlSession = (SamlSession)session.getAttribute(SamlSession.class.getName());
|
||||
if (samlSession == null) {
|
||||
log.debug("SamlSession was not in session, returning null");
|
||||
log.debug("SamlSession was not found in the session");
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
@ -70,6 +70,10 @@
|
|||
<groupId>org.infinispan</groupId>
|
||||
<artifactId>infinispan-core</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.infinispan</groupId>
|
||||
<artifactId>infinispan-cachestore-remote</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.picketbox</groupId>
|
||||
<artifactId>picketbox</artifactId>
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
*/
|
||||
package org.keycloak.adapters.saml.wildfly.infinispan;
|
||||
|
||||
import org.keycloak.adapters.saml.AdapterConstants;
|
||||
import org.keycloak.adapters.spi.SessionIdMapper;
|
||||
import org.keycloak.adapters.spi.SessionIdMapperUpdater;
|
||||
|
||||
|
@ -27,6 +28,8 @@ import org.infinispan.Cache;
|
|||
import org.infinispan.configuration.cache.CacheMode;
|
||||
import org.infinispan.configuration.cache.Configuration;
|
||||
import org.infinispan.manager.EmbeddedCacheManager;
|
||||
import org.infinispan.persistence.manager.PersistenceManager;
|
||||
import org.infinispan.persistence.remote.RemoteStore;
|
||||
import org.jboss.logging.Logger;
|
||||
|
||||
/**
|
||||
|
@ -37,64 +40,55 @@ public class InfinispanSessionCacheIdMapperUpdater {
|
|||
|
||||
private static final Logger LOG = Logger.getLogger(InfinispanSessionCacheIdMapperUpdater.class);
|
||||
|
||||
public static final String DEFAULT_CACHE_CONTAINER_JNDI_NAME = "java:jboss/infinispan/container/web";
|
||||
|
||||
private static final String DEPLOYMENT_CACHE_CONTAINER_JNDI_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.cacheContainerJndi";
|
||||
private static final String DEPLOYMENT_CACHE_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.deploymentCacheName";
|
||||
private static final String SSO_CACHE_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.cacheName";
|
||||
public static final String DEFAULT_CACHE_CONTAINER_JNDI_NAME = "java:jboss/infinispan/container";
|
||||
|
||||
public static SessionIdMapperUpdater addTokenStoreUpdaters(DeploymentInfo deploymentInfo, SessionIdMapper mapper, SessionIdMapperUpdater previousIdMapperUpdater) {
|
||||
boolean distributable = Objects.equals(
|
||||
deploymentInfo.getSessionManagerFactory().getClass().getName(),
|
||||
"org.wildfly.clustering.web.undertow.session.DistributableSessionManagerFactory"
|
||||
);
|
||||
Map<String, String> initParameters = deploymentInfo.getInitParameters();
|
||||
String containerName = initParameters == null ? null : initParameters.get(AdapterConstants.REPLICATION_CONFIG_CONTAINER_PARAM_NAME);
|
||||
String cacheName = initParameters == null ? null : initParameters.get(AdapterConstants.REPLICATION_CONFIG_SSO_CACHE_PARAM_NAME);
|
||||
|
||||
if (containerName == null || cacheName == null) {
|
||||
LOG.warnv("Cannot determine parameters of SSO cache for deployment {0}.", deploymentInfo.getDeploymentName());
|
||||
|
||||
if (! distributable) {
|
||||
LOG.warnv("Deployment {0} does not use supported distributed session cache mechanism", deploymentInfo.getDeploymentName());
|
||||
return previousIdMapperUpdater;
|
||||
}
|
||||
|
||||
Map<String, String> initParameters = deploymentInfo.getInitParameters();
|
||||
String cacheContainerLookup = (initParameters != null && initParameters.get(DEPLOYMENT_CACHE_CONTAINER_JNDI_NAME_PARAM_NAME) != null)
|
||||
? initParameters.get(DEPLOYMENT_CACHE_CONTAINER_JNDI_NAME_PARAM_NAME)
|
||||
: DEFAULT_CACHE_CONTAINER_JNDI_NAME;
|
||||
boolean deploymentSessionCacheNamePreset = initParameters != null && initParameters.get(DEPLOYMENT_CACHE_NAME_PARAM_NAME) != null;
|
||||
String deploymentSessionCacheName = deploymentSessionCacheNamePreset
|
||||
? initParameters.get(DEPLOYMENT_CACHE_NAME_PARAM_NAME)
|
||||
: deploymentInfo.getDeploymentName();
|
||||
boolean ssoCacheNamePreset = initParameters != null && initParameters.get(SSO_CACHE_NAME_PARAM_NAME) != null;
|
||||
String ssoCacheName = ssoCacheNamePreset
|
||||
? initParameters.get(SSO_CACHE_NAME_PARAM_NAME)
|
||||
: deploymentSessionCacheName + ".ssoCache";
|
||||
String cacheContainerLookup = DEFAULT_CACHE_CONTAINER_JNDI_NAME + "/" + containerName;
|
||||
String deploymentSessionCacheName = deploymentInfo.getDeploymentName();
|
||||
|
||||
try {
|
||||
EmbeddedCacheManager cacheManager = (EmbeddedCacheManager) new InitialContext().lookup(cacheContainerLookup);
|
||||
|
||||
Configuration ssoCacheConfiguration = cacheManager.getCacheConfiguration(ssoCacheName);
|
||||
Configuration ssoCacheConfiguration = cacheManager.getCacheConfiguration(cacheName);
|
||||
if (ssoCacheConfiguration == null) {
|
||||
Configuration cacheConfiguration = cacheManager.getCacheConfiguration(deploymentSessionCacheName);
|
||||
if (cacheConfiguration == null) {
|
||||
LOG.debugv("Using default cache container configuration for SSO cache. lookup={0}, looked up configuration of cache={1}", cacheContainerLookup, deploymentSessionCacheName);
|
||||
LOG.debugv("Using default configuration for SSO cache {0}.{1}.", containerName, cacheName);
|
||||
ssoCacheConfiguration = cacheManager.getDefaultCacheConfiguration();
|
||||
} else {
|
||||
LOG.debugv("Using distributed HTTP session cache configuration for SSO cache. lookup={0}, configuration taken from cache={1}", cacheContainerLookup, deploymentSessionCacheName);
|
||||
LOG.debugv("Using distributed HTTP session cache configuration for SSO cache {0}.{1}, configuration taken from cache {2}",
|
||||
containerName, cacheName, deploymentSessionCacheName);
|
||||
ssoCacheConfiguration = cacheConfiguration;
|
||||
cacheManager.defineConfiguration(ssoCacheName, ssoCacheConfiguration);
|
||||
cacheManager.defineConfiguration(cacheName, ssoCacheConfiguration);
|
||||
}
|
||||
} else {
|
||||
LOG.debugv("Using custom configuration of SSO cache. lookup={0}, cache name={1}", cacheContainerLookup, ssoCacheName);
|
||||
LOG.debugv("Using custom configuration of SSO cache {0}.{1}.", containerName, cacheName);
|
||||
}
|
||||
|
||||
CacheMode ssoCacheMode = ssoCacheConfiguration.clustering().cacheMode();
|
||||
if (ssoCacheMode != CacheMode.REPL_ASYNC && ssoCacheMode != CacheMode.REPL_SYNC) {
|
||||
LOG.warnv("SSO cache mode is {0}, it is recommended to use replicated mode instead", ssoCacheConfiguration.clustering().cacheModeString());
|
||||
LOG.warnv("SSO cache mode is {0}, it is recommended to use replicated mode instead.", ssoCacheConfiguration.clustering().cacheModeString());
|
||||
}
|
||||
|
||||
Cache<String, String[]> ssoCache = cacheManager.getCache(ssoCacheName, true);
|
||||
ssoCache.addListener(new SsoSessionCacheListener(mapper));
|
||||
Cache<String, String[]> ssoCache = cacheManager.getCache(cacheName, true);
|
||||
final SsoSessionCacheListener listener = new SsoSessionCacheListener(ssoCache, mapper);
|
||||
ssoCache.addListener(listener);
|
||||
|
||||
LOG.debugv("Added distributed SSO session cache, lookup={0}, cache name={1}", cacheContainerLookup, deploymentSessionCacheName);
|
||||
addSsoCacheCrossDcListener(ssoCache, listener);
|
||||
|
||||
LOG.debugv("Added distributed SSO session cache, lookup={0}, cache name={1}", cacheContainerLookup, cacheName);
|
||||
|
||||
LOG.debugv("Adding session listener for SSO session cache, lookup={0}, cache name={1}", cacheContainerLookup, cacheName);
|
||||
SsoCacheSessionIdMapperUpdater updater = new SsoCacheSessionIdMapperUpdater(ssoCache, previousIdMapperUpdater);
|
||||
deploymentInfo.addSessionListener(updater);
|
||||
|
||||
|
@ -104,4 +98,25 @@ public class InfinispanSessionCacheIdMapperUpdater {
|
|||
return previousIdMapperUpdater;
|
||||
}
|
||||
}
|
||||
|
||||
private static void addSsoCacheCrossDcListener(Cache<String, String[]> ssoCache, SsoSessionCacheListener listener) {
|
||||
if (ssoCache.getCacheConfiguration().persistence() == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
final Set<RemoteStore> stores = getRemoteStores(ssoCache);
|
||||
if (stores == null || stores.isEmpty()) {
|
||||
return;
|
||||
}
|
||||
|
||||
LOG.infov("Listening for events on remote stores configured for cache {0}", ssoCache.getName());
|
||||
|
||||
for (RemoteStore store : stores) {
|
||||
store.getRemoteCache().addClientListener(listener);
|
||||
}
|
||||
}
|
||||
|
||||
public static Set<RemoteStore> getRemoteStores(Cache ispnCache) {
|
||||
return ispnCache.getAdvancedCache().getComponentRegistry().getComponent(PersistenceManager.class).getStores(RemoteStore.class);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -20,6 +20,12 @@ import org.keycloak.adapters.spi.SessionIdMapper;
|
|||
|
||||
import java.util.*;
|
||||
import java.util.concurrent.*;
|
||||
import org.infinispan.Cache;
|
||||
import org.infinispan.client.hotrod.annotation.ClientCacheEntryCreated;
|
||||
import org.infinispan.client.hotrod.annotation.ClientCacheEntryRemoved;
|
||||
import org.infinispan.client.hotrod.annotation.ClientListener;
|
||||
import org.infinispan.client.hotrod.event.ClientCacheEntryCreatedEvent;
|
||||
import org.infinispan.client.hotrod.event.ClientCacheEntryRemovedEvent;
|
||||
import org.infinispan.notifications.Listener;
|
||||
import org.infinispan.notifications.cachelistener.annotation.*;
|
||||
import org.infinispan.notifications.cachelistener.event.*;
|
||||
|
@ -34,6 +40,7 @@ import org.jboss.logging.Logger;
|
|||
* @author hmlnarik
|
||||
*/
|
||||
@Listener
|
||||
@ClientListener
|
||||
public class SsoSessionCacheListener {
|
||||
|
||||
private static final Logger LOG = Logger.getLogger(SsoSessionCacheListener.class);
|
||||
|
@ -42,14 +49,21 @@ public class SsoSessionCacheListener {
|
|||
|
||||
private final SessionIdMapper idMapper;
|
||||
|
||||
private final Cache<String, String[]> ssoCache;
|
||||
|
||||
private ExecutorService executor = Executors.newSingleThreadExecutor();
|
||||
|
||||
public SsoSessionCacheListener(SessionIdMapper idMapper) {
|
||||
public SsoSessionCacheListener(Cache<String, String[]> ssoCache, SessionIdMapper idMapper) {
|
||||
this.ssoCache = ssoCache;
|
||||
this.idMapper = idMapper;
|
||||
}
|
||||
|
||||
@TransactionRegistered
|
||||
public void startTransaction(TransactionRegisteredEvent event) {
|
||||
if (event.getGlobalTransaction() == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
map.put(event.getGlobalTransaction().globalId(), new ConcurrentLinkedQueue<Event>());
|
||||
}
|
||||
|
||||
|
@ -66,25 +80,40 @@ public class SsoSessionCacheListener {
|
|||
@CacheEntryCreated
|
||||
@CacheEntryRemoved
|
||||
public void addEvent(TransactionalEvent event) {
|
||||
if (event.isPre() == false) {
|
||||
if (event.isOriginLocal()) {
|
||||
// Local events are processed by local HTTP session listener
|
||||
return;
|
||||
}
|
||||
|
||||
if (event.isPre()) { // only handle post events
|
||||
return;
|
||||
}
|
||||
|
||||
if (event.getGlobalTransaction() != null) {
|
||||
map.get(event.getGlobalTransaction().globalId()).add(event);
|
||||
} else {
|
||||
processEvent(event);
|
||||
}
|
||||
}
|
||||
|
||||
@TransactionCompleted
|
||||
public void endTransaction(TransactionCompletedEvent event) {
|
||||
if (event.getGlobalTransaction() == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
Queue<Event> events = map.remove(event.getGlobalTransaction().globalId());
|
||||
|
||||
if (events == null || ! event.isTransactionSuccessful()) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (event.isOriginLocal()) {
|
||||
// Local events are processed by local HTTP session listener
|
||||
return;
|
||||
for (final Event e : events) {
|
||||
processEvent(e);
|
||||
}
|
||||
}
|
||||
|
||||
for (final Event e : events) {
|
||||
private void processEvent(final Event e) {
|
||||
switch (e.getType()) {
|
||||
case CACHE_ENTRY_CREATED:
|
||||
this.executor.submit(new Runnable() {
|
||||
|
@ -103,7 +132,6 @@ public class SsoSessionCacheListener {
|
|||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void cacheEntryCreated(CacheEntryCreatedEvent event) {
|
||||
if (! (event.getKey() instanceof String) || ! (event.getValue() instanceof String[])) {
|
||||
|
@ -128,4 +156,40 @@ public class SsoSessionCacheListener {
|
|||
|
||||
this.idMapper.removeSession((String) event.getKey());
|
||||
}
|
||||
|
||||
@ClientCacheEntryCreated
|
||||
public void remoteCacheEntryCreated(ClientCacheEntryCreatedEvent event) {
|
||||
if (! (event.getKey() instanceof String)) {
|
||||
return;
|
||||
}
|
||||
|
||||
String httpSessionId = (String) event.getKey();
|
||||
|
||||
if (idMapper.hasSession(httpSessionId)) {
|
||||
// Ignore local events generated by remote store
|
||||
LOG.tracev("IGNORING remoteCacheEntryCreated {0}", httpSessionId);
|
||||
return;
|
||||
}
|
||||
|
||||
String[] value = ssoCache.get((String) httpSessionId);
|
||||
|
||||
if (value != null) {
|
||||
String ssoId = value[0];
|
||||
String principal = value[1];
|
||||
|
||||
LOG.tracev("remoteCacheEntryCreated {0}:{1}", httpSessionId, ssoId);
|
||||
|
||||
this.idMapper.map(ssoId, principal, httpSessionId);
|
||||
} else {
|
||||
LOG.tracev("remoteCacheEntryCreated {0}", event.getKey());
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@ClientCacheEntryRemoved
|
||||
public void remoteCacheEntryRemoved(ClientCacheEntryRemovedEvent event) {
|
||||
LOG.tracev("remoteCacheEntryRemoved {0}", event.getKey());
|
||||
|
||||
this.idMapper.removeSession((String) event.getKey());
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,178 @@
|
|||
/*
|
||||
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.subsystem.adapter.saml.extension;
|
||||
|
||||
import org.keycloak.adapters.saml.AdapterConstants;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import org.jboss.as.controller.capability.CapabilityServiceSupport;
|
||||
import org.jboss.as.server.deployment.Attachments;
|
||||
import org.jboss.as.server.deployment.DeploymentPhaseContext;
|
||||
import org.jboss.as.server.deployment.DeploymentUnit;
|
||||
import org.jboss.as.server.deployment.DeploymentUnitProcessingException;
|
||||
import org.jboss.as.server.deployment.DeploymentUnitProcessor;
|
||||
import org.jboss.as.web.common.WarMetaData;
|
||||
import org.jboss.logging.Logger;
|
||||
import org.jboss.metadata.javaee.spec.ParamValueMetaData;
|
||||
import org.jboss.metadata.web.jboss.JBossWebMetaData;
|
||||
import org.jboss.metadata.web.spec.LoginConfigMetaData;
|
||||
import org.jboss.msc.service.ServiceController;
|
||||
import org.jboss.msc.service.ServiceName;
|
||||
import org.jboss.msc.service.ServiceTarget;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author hmlnarik
|
||||
*/
|
||||
public class KeycloakClusteredSsoDeploymentProcessor implements DeploymentUnitProcessor {
|
||||
|
||||
private static final Logger LOG = Logger.getLogger(KeycloakClusteredSsoDeploymentProcessor.class);
|
||||
|
||||
private static final String DEFAULT_CACHE_CONTAINER = "web";
|
||||
private static final String SSO_CACHE_CONTAINER_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.containerName";
|
||||
private static final String SSO_CACHE_NAME_PARAM_NAME = "keycloak.sessionIdMapperUpdater.infinispan.cacheName";
|
||||
|
||||
@Override
|
||||
public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException {
|
||||
final DeploymentUnit deploymentUnit = phaseContext.getDeploymentUnit();
|
||||
|
||||
if (isKeycloakSamlAuthMethod(deploymentUnit) && isDistributable(deploymentUnit)) {
|
||||
addSamlReplicationConfiguration(deploymentUnit, phaseContext);
|
||||
}
|
||||
}
|
||||
|
||||
public static boolean isDistributable(final DeploymentUnit deploymentUnit) {
|
||||
WarMetaData warMetaData = deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
|
||||
if (warMetaData == null) {
|
||||
return false;
|
||||
}
|
||||
JBossWebMetaData webMetaData = warMetaData.getMergedJBossWebMetaData();
|
||||
if (webMetaData == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return webMetaData.getDistributable() != null || webMetaData.getReplicationConfig() != null;
|
||||
}
|
||||
|
||||
public static boolean isKeycloakSamlAuthMethod(final DeploymentUnit deploymentUnit) {
|
||||
if (Configuration.INSTANCE.getSecureDeployment(deploymentUnit) != null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
WarMetaData warMetaData = deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
|
||||
if (warMetaData == null) {
|
||||
return false;
|
||||
}
|
||||
JBossWebMetaData webMetaData = warMetaData.getMergedJBossWebMetaData();
|
||||
if (webMetaData == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
LoginConfigMetaData loginConfig = webMetaData.getLoginConfig();
|
||||
|
||||
return loginConfig != null && Objects.equals(loginConfig.getAuthMethod(), "KEYCLOAK-SAML");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void undeploy(DeploymentUnit du) {
|
||||
|
||||
}
|
||||
|
||||
private void addSamlReplicationConfiguration(DeploymentUnit deploymentUnit, DeploymentPhaseContext context) {
|
||||
WarMetaData warMetaData = deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
|
||||
if (warMetaData == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
JBossWebMetaData webMetaData = warMetaData.getMergedJBossWebMetaData();
|
||||
if (webMetaData == null) {
|
||||
webMetaData = new JBossWebMetaData();
|
||||
warMetaData.setMergedJBossWebMetaData(webMetaData);
|
||||
}
|
||||
|
||||
// Find out default names of cache container and cache
|
||||
String cacheContainer = DEFAULT_CACHE_CONTAINER;
|
||||
String deploymentSessionCacheName =
|
||||
(deploymentUnit.getParent() == null
|
||||
? ""
|
||||
: deploymentUnit.getParent().getName() + ".")
|
||||
+ deploymentUnit.getName();
|
||||
|
||||
// Update names from jboss-web.xml's <replicationConfig>
|
||||
if (webMetaData.getReplicationConfig() != null && webMetaData.getReplicationConfig().getCacheName() != null) {
|
||||
ServiceName sn = ServiceName.parse(webMetaData.getReplicationConfig().getCacheName());
|
||||
cacheContainer = sn.getParent().getSimpleName();
|
||||
deploymentSessionCacheName = sn.getSimpleName();
|
||||
}
|
||||
String ssoCacheName = deploymentSessionCacheName + ".ssoCache";
|
||||
|
||||
// Override if they were set in the context parameters
|
||||
List<ParamValueMetaData> contextParams = webMetaData.getContextParams();
|
||||
if (contextParams == null) {
|
||||
contextParams = new ArrayList<>();
|
||||
}
|
||||
for (ParamValueMetaData contextParam : contextParams) {
|
||||
if (Objects.equals(contextParam.getParamName(), SSO_CACHE_CONTAINER_NAME_PARAM_NAME)) {
|
||||
cacheContainer = contextParam.getParamValue();
|
||||
} else if (Objects.equals(contextParam.getParamName(), SSO_CACHE_NAME_PARAM_NAME)) {
|
||||
ssoCacheName = contextParam.getParamValue();
|
||||
}
|
||||
}
|
||||
|
||||
LOG.debugv("Determined SSO cache container configuration: container: {0}, cache: {1}", cacheContainer, ssoCacheName);
|
||||
addCacheDependency(context, deploymentUnit, cacheContainer, ssoCacheName);
|
||||
|
||||
// Set context parameters for SSO cache container/name
|
||||
ParamValueMetaData paramContainer = new ParamValueMetaData();
|
||||
paramContainer.setParamName(AdapterConstants.REPLICATION_CONFIG_CONTAINER_PARAM_NAME);
|
||||
paramContainer.setParamValue(cacheContainer);
|
||||
contextParams.add(paramContainer);
|
||||
|
||||
ParamValueMetaData paramSsoCache = new ParamValueMetaData();
|
||||
paramSsoCache.setParamName(AdapterConstants.REPLICATION_CONFIG_SSO_CACHE_PARAM_NAME);
|
||||
paramSsoCache.setParamValue(ssoCacheName);
|
||||
contextParams.add(paramSsoCache);
|
||||
|
||||
webMetaData.setContextParams(contextParams);
|
||||
}
|
||||
|
||||
private void addCacheDependency(DeploymentPhaseContext context, DeploymentUnit deploymentUnit, String cacheContainer, String cacheName) {
|
||||
ServiceName wf10CacheContainerServiceName = ServiceName.of("jboss", "infinispan", cacheContainer);
|
||||
final ServiceController<?> wf10CacheContainerService = context.getServiceRegistry().getService(wf10CacheContainerServiceName);
|
||||
|
||||
boolean legacy = wf10CacheContainerService != null;
|
||||
ServiceTarget st = context.getServiceTarget();
|
||||
|
||||
if (legacy) {
|
||||
ServiceName cacheServiceName = wf10CacheContainerServiceName.append(cacheName);
|
||||
ServiceController<?> cacheService = context.getServiceRegistry().getService(cacheServiceName);
|
||||
if (cacheService != null) {
|
||||
st.addDependency(cacheServiceName);
|
||||
}
|
||||
} else {
|
||||
CapabilityServiceSupport support = deploymentUnit.getAttachment(Attachments.CAPABILITY_SERVICE_SUPPORT);
|
||||
|
||||
ServiceName cacheServiceName = support.getCapabilityServiceName("org.wildfly.clustering.infinispan.cache." + cacheContainer + "." + cacheName);
|
||||
ServiceController<?> cacheService = context.getServiceRegistry().getService(cacheServiceName);
|
||||
if (cacheService != null) {
|
||||
st.addDependency(cacheServiceName);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
|
@ -43,6 +43,10 @@ class KeycloakSubsystemAdd extends AbstractBoottimeAddStepHandler {
|
|||
Phase.POST_MODULE, // PHASE
|
||||
Phase.POST_MODULE_VALIDATOR_FACTORY - 1, // PRIORITY
|
||||
chooseConfigDeploymentProcessor());
|
||||
processorTarget.addDeploymentProcessor(KeycloakSamlExtension.SUBSYSTEM_NAME,
|
||||
Phase.POST_MODULE, // PHASE
|
||||
Phase.POST_MODULE_VALIDATOR_FACTORY - 1, // PRIORITY
|
||||
chooseClusteredSsoDeploymentProcessor());
|
||||
}
|
||||
}, OperationContext.Stage.RUNTIME);
|
||||
}
|
||||
|
@ -54,4 +58,8 @@ class KeycloakSubsystemAdd extends AbstractBoottimeAddStepHandler {
|
|||
private DeploymentUnitProcessor chooseConfigDeploymentProcessor() {
|
||||
return new KeycloakAdapterConfigDeploymentProcessor();
|
||||
}
|
||||
|
||||
private DeploymentUnitProcessor chooseClusteredSsoDeploymentProcessor() {
|
||||
return new KeycloakClusteredSsoDeploymentProcessor();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -67,6 +67,11 @@ public class InMemorySessionIdMapper implements SessionIdMapper {
|
|||
ssoToSession.put(sso, session);
|
||||
sessionToSso.put(session, sso);
|
||||
}
|
||||
|
||||
if (principal == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
Set<String> userSessions = principalToSession.get(principal);
|
||||
if (userSessions == null) {
|
||||
final Set<String> tmp = Collections.synchronizedSet(new HashSet<String>());
|
||||
|
|
|
@ -34,7 +34,6 @@
|
|||
<module name="org.jboss.as.security"/>
|
||||
<module name="org.jboss.as.web"/>
|
||||
<module name="org.picketbox"/>
|
||||
<module name="org.keycloak.keycloak-saml-as7-adapter"/>
|
||||
<module name="org.keycloak.keycloak-adapter-spi"/>
|
||||
<module name="org.keycloak.keycloak-saml-core-public"/>
|
||||
<module name="org.keycloak.keycloak-saml-core"/>
|
||||
|
|
|
@ -40,5 +40,6 @@
|
|||
<module name="org.jboss.as.web-common"/>
|
||||
<module name="org.jboss.metadata"/>
|
||||
<module name="org.apache.httpcomponents"/>
|
||||
<module name="org.infinispan.cachestore.remote"/>
|
||||
</dependencies>
|
||||
</module>
|
||||
|
|
|
@ -39,6 +39,8 @@
|
|||
<local-cache name="loginFailures" configuration="sessions-cfg" />
|
||||
<local-cache name="actionTokens" configuration="sessions-cfg" />
|
||||
<local-cache name="work" configuration="sessions-cfg" />
|
||||
<local-cache name="employee-distributable-cache.ssoCache" configuration="sessions-cfg"/>
|
||||
<local-cache name="employee-distributable-cache" configuration="sessions-cfg"/>
|
||||
</xsl:copy>
|
||||
</xsl:template>
|
||||
|
||||
|
@ -57,6 +59,8 @@
|
|||
<replicated-cache name="loginFailures" configuration="sessions-cfg" />
|
||||
<replicated-cache name="actionTokens" configuration="sessions-cfg" />
|
||||
<replicated-cache name="work" configuration="sessions-cfg" />
|
||||
<replicated-cache name="employee-distributable-cache.ssoCache" configuration="sessions-cfg"/>
|
||||
<replicated-cache name="employee-distributable-cache" configuration="sessions-cfg"/>
|
||||
</xsl:copy>
|
||||
</xsl:template>
|
||||
|
||||
|
|
|
@ -51,6 +51,7 @@ import java.io.UnsupportedEncodingException;
|
|||
import java.net.URI;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.PublicKey;
|
||||
import java.util.Arrays;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.UUID;
|
||||
|
@ -289,6 +290,18 @@ public class SamlClient {
|
|||
}
|
||||
}
|
||||
|
||||
public void execute(Step... steps) {
|
||||
executeAndTransform(resp -> null, Arrays.asList(steps));
|
||||
}
|
||||
|
||||
public void execute(List<Step> steps) {
|
||||
executeAndTransform(resp -> null, steps);
|
||||
}
|
||||
|
||||
public <T> T executeAndTransform(ResultExtractor<T> resultTransformer, Step... steps) {
|
||||
return executeAndTransform(resultTransformer, Arrays.asList(steps));
|
||||
}
|
||||
|
||||
public <T> T executeAndTransform(ResultExtractor<T> resultTransformer, List<Step> steps) {
|
||||
CloseableHttpResponse currentResponse = null;
|
||||
URI currentUri = URI.create("about:blank");
|
||||
|
|
|
@ -33,6 +33,10 @@ import org.keycloak.testsuite.util.saml.IdPInitiatedLoginBuilder;
|
|||
import org.keycloak.testsuite.util.saml.LoginBuilder;
|
||||
import org.keycloak.testsuite.util.saml.ModifySamlResponseStepBuilder;
|
||||
import org.keycloak.testsuite.util.saml.RequiredConsentBuilder;
|
||||
import org.apache.http.HttpResponse;
|
||||
import org.apache.http.client.methods.HttpUriRequest;
|
||||
import org.hamcrest.Matcher;
|
||||
import org.junit.Assert;
|
||||
import org.w3c.dom.Document;
|
||||
|
||||
/**
|
||||
|
@ -43,6 +47,19 @@ public class SamlClientBuilder {
|
|||
|
||||
private final List<Step> steps = new LinkedList<>();
|
||||
|
||||
/**
|
||||
* Execute the current steps without any work on the final response.
|
||||
* @return Client that executed the steps
|
||||
*/
|
||||
public SamlClient execute() {
|
||||
return execute(resp -> {});
|
||||
}
|
||||
|
||||
/**
|
||||
* Execute the current steps and pass the final response to the {@code resultConsumer} for processing.
|
||||
* @param resultConsumer This function is given the final response
|
||||
* @return Client that executed the steps
|
||||
*/
|
||||
public SamlClient execute(Consumer<CloseableHttpResponse> resultConsumer) {
|
||||
final SamlClient samlClient = new SamlClient();
|
||||
samlClient.executeAndTransform(r -> {
|
||||
|
@ -52,6 +69,11 @@ public class SamlClientBuilder {
|
|||
return samlClient;
|
||||
}
|
||||
|
||||
/**
|
||||
* Execute the current steps and pass the final response to the {@code resultTransformer} for processing.
|
||||
* @param resultTransformer This function is given the final response and processes it into some value
|
||||
* @return Value returned by {@code resultTransformer}
|
||||
*/
|
||||
public <T> T executeAndTransform(ResultExtractor<T> resultTransformer) {
|
||||
return new SamlClient().executeAndTransform(resultTransformer, steps);
|
||||
}
|
||||
|
@ -60,11 +82,48 @@ public class SamlClientBuilder {
|
|||
return steps;
|
||||
}
|
||||
|
||||
public <T extends Step> T addStep(T step) {
|
||||
public <T extends Step> T addStepBuilder(T step) {
|
||||
steps.add(step);
|
||||
return step;
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a single generic step
|
||||
* @param step
|
||||
* @return This builder
|
||||
*/
|
||||
public SamlClientBuilder addStep(Step step) {
|
||||
steps.add(step);
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a single generic step
|
||||
* @param step
|
||||
* @return This builder
|
||||
*/
|
||||
public SamlClientBuilder addStep(Runnable stepWithNoParameters) {
|
||||
addStep((client, currentURI, currentResponse, context) -> {
|
||||
stepWithNoParameters.run();
|
||||
return null;
|
||||
});
|
||||
return this;
|
||||
}
|
||||
|
||||
public SamlClientBuilder assertResponse(Matcher<HttpResponse> matcher) {
|
||||
steps.add((client, currentURI, currentResponse, context) -> {
|
||||
Assert.assertThat(currentResponse, matcher);
|
||||
return null;
|
||||
});
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* When executing the {@link HttpUriRequest} obtained from the previous step,
|
||||
* do not to follow HTTP redirects but pass the first response immediately
|
||||
* to the following step.
|
||||
* @return This builder
|
||||
*/
|
||||
public SamlClientBuilder doNotFollowRedirects() {
|
||||
this.steps.add(new DoNotFollowRedirectStep());
|
||||
return this;
|
||||
|
@ -80,32 +139,32 @@ public class SamlClientBuilder {
|
|||
|
||||
/** Creates fresh and issues an AuthnRequest to the SAML endpoint */
|
||||
public CreateAuthnRequestStepBuilder authnRequest(URI authServerSamlUrl, String issuer, String assertionConsumerURL, Binding requestBinding) {
|
||||
return addStep(new CreateAuthnRequestStepBuilder(authServerSamlUrl, issuer, assertionConsumerURL, requestBinding, this));
|
||||
return addStepBuilder(new CreateAuthnRequestStepBuilder(authServerSamlUrl, issuer, assertionConsumerURL, requestBinding, this));
|
||||
}
|
||||
|
||||
/** Issues the given AuthnRequest to the SAML endpoint */
|
||||
public CreateAuthnRequestStepBuilder authnRequest(URI authServerSamlUrl, Document authnRequestDocument, Binding requestBinding) {
|
||||
return addStep(new CreateAuthnRequestStepBuilder(authServerSamlUrl, authnRequestDocument, requestBinding, this));
|
||||
return addStepBuilder(new CreateAuthnRequestStepBuilder(authServerSamlUrl, authnRequestDocument, requestBinding, this));
|
||||
}
|
||||
|
||||
/** Issues the given AuthnRequest to the SAML endpoint */
|
||||
public CreateLogoutRequestStepBuilder logoutRequest(URI authServerSamlUrl, String issuer, Binding requestBinding) {
|
||||
return addStep(new CreateLogoutRequestStepBuilder(authServerSamlUrl, issuer, requestBinding, this));
|
||||
return addStepBuilder(new CreateLogoutRequestStepBuilder(authServerSamlUrl, issuer, requestBinding, this));
|
||||
}
|
||||
|
||||
/** Handles login page */
|
||||
public LoginBuilder login() {
|
||||
return addStep(new LoginBuilder(this));
|
||||
return addStepBuilder(new LoginBuilder(this));
|
||||
}
|
||||
|
||||
/** Starts IdP-initiated flow for the given client */
|
||||
public IdPInitiatedLoginBuilder idpInitiatedLogin(URI authServerSamlUrl, String clientId) {
|
||||
return addStep(new IdPInitiatedLoginBuilder(authServerSamlUrl, clientId, this));
|
||||
return addStepBuilder(new IdPInitiatedLoginBuilder(authServerSamlUrl, clientId, this));
|
||||
}
|
||||
|
||||
/** Handles "Requires consent" page */
|
||||
public RequiredConsentBuilder consentRequired() {
|
||||
return addStep(new RequiredConsentBuilder(this));
|
||||
return addStepBuilder(new RequiredConsentBuilder(this));
|
||||
}
|
||||
|
||||
/** Returns SAML request or response as replied from server. Note that the redirects are disabled for this to work. */
|
||||
|
@ -119,20 +178,16 @@ public class SamlClientBuilder {
|
|||
public ModifySamlResponseStepBuilder processSamlResponse(Binding responseBinding) {
|
||||
return
|
||||
doNotFollowRedirects()
|
||||
.addStep(new ModifySamlResponseStepBuilder(responseBinding, this));
|
||||
.addStepBuilder(new ModifySamlResponseStepBuilder(responseBinding, this));
|
||||
}
|
||||
|
||||
public SamlClientBuilder navigateTo(String httpGetUri) {
|
||||
steps.add((client, currentURI, currentResponse, context) -> {
|
||||
return new HttpGet(httpGetUri);
|
||||
});
|
||||
steps.add((client, currentURI, currentResponse, context) -> new HttpGet(httpGetUri));
|
||||
return this;
|
||||
}
|
||||
|
||||
public SamlClientBuilder navigateTo(URI httpGetUri) {
|
||||
steps.add((client, currentURI, currentResponse, context) -> {
|
||||
return new HttpGet(httpGetUri);
|
||||
});
|
||||
steps.add((client, currentURI, currentResponse, context) -> new HttpGet(httpGetUri));
|
||||
return this;
|
||||
}
|
||||
|
||||
|
|
|
@ -37,7 +37,6 @@ import java.net.URL;
|
|||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.util.List;
|
||||
import java.util.function.Consumer;
|
||||
import org.apache.commons.io.FileUtils;
|
||||
import org.apache.commons.lang3.math.NumberUtils;
|
||||
import org.jboss.arquillian.container.test.api.*;
|
||||
|
@ -49,13 +48,21 @@ import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest;
|
|||
import org.keycloak.testsuite.admin.ApiUtil;
|
||||
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
|
||||
|
||||
import org.keycloak.testsuite.util.Matchers;
|
||||
import org.keycloak.testsuite.util.SamlClient;
|
||||
import org.keycloak.testsuite.util.SamlClient.Binding;
|
||||
import org.keycloak.testsuite.util.SamlClientBuilder;
|
||||
import java.net.MalformedURLException;
|
||||
import java.util.function.BiConsumer;
|
||||
import org.apache.http.client.methods.HttpGet;
|
||||
import org.openqa.selenium.TimeoutException;
|
||||
import org.openqa.selenium.WebDriver;
|
||||
import org.openqa.selenium.support.PageFactory;
|
||||
import org.openqa.selenium.support.ui.WebDriverWait;
|
||||
|
||||
import static org.hamcrest.Matchers.*;
|
||||
import static org.keycloak.testsuite.AbstractAuthTest.createUserRepresentation;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.Matchers.not;
|
||||
import static org.junit.Assert.assertThat;
|
||||
import static org.keycloak.testsuite.admin.Users.setPasswordFor;
|
||||
import static org.keycloak.testsuite.arquillian.AppServerTestEnricher.getNearestSuperclassWithAnnotation;
|
||||
import static org.keycloak.testsuite.auth.page.AuthRealm.DEMO;
|
||||
|
@ -130,15 +137,21 @@ public abstract class AbstractSAMLAdapterClusterTest extends AbstractServletsAda
|
|||
public void startServer() throws Exception {
|
||||
prepareServerDirectory("standalone-" + NODE_1_NAME);
|
||||
controller.start(NODE_1_SERVER_NAME);
|
||||
prepareWorkerNode(Integer.valueOf(System.getProperty("app.server.1.management.port")));
|
||||
prepareWorkerNode(0, Integer.valueOf(System.getProperty("app.server.1.management.port")));
|
||||
prepareServerDirectory("standalone-" + NODE_2_NAME);
|
||||
controller.start(NODE_2_SERVER_NAME);
|
||||
prepareWorkerNode(Integer.valueOf(System.getProperty("app.server.2.management.port")));
|
||||
prepareWorkerNode(1, Integer.valueOf(System.getProperty("app.server.2.management.port")));
|
||||
deployer.deploy(EmployeeServletDistributable.DEPLOYMENT_NAME);
|
||||
deployer.deploy(EmployeeServletDistributable.DEPLOYMENT_NAME + "_2");
|
||||
}
|
||||
|
||||
protected abstract void prepareWorkerNode(Integer managementPort) throws Exception;
|
||||
/**
|
||||
* Prepares a worker node
|
||||
* @param nodeIndex Node index, counting from 0
|
||||
* @param managementPort Port for management operations on this node
|
||||
* @throws Exception
|
||||
*/
|
||||
protected abstract void prepareWorkerNode(int nodeIndex, Integer managementPort) throws Exception;
|
||||
|
||||
@After
|
||||
public void stopServer() {
|
||||
|
@ -155,41 +168,103 @@ public abstract class AbstractSAMLAdapterClusterTest extends AbstractServletsAda
|
|||
loginActionsPage.setAuthRealm(DEMO);
|
||||
}
|
||||
|
||||
protected void testLogoutViaSessionIndex(URL employeeUrl, Consumer<EmployeeServletDistributable> logoutFunction) {
|
||||
EmployeeServletDistributable page = PageFactory.initElements(driver, EmployeeServletDistributable.class);
|
||||
page.setUrl(employeeUrl);
|
||||
page.getUriBuilder().port(HTTP_PORT_NODE_REVPROXY);
|
||||
|
||||
UserRepresentation bburkeUser = createUserRepresentation("bburke", "bburke@redhat.com", "Bill", "Burke", true);
|
||||
protected void testLogoutViaSessionIndex(URL employeeUrl, boolean forceRefreshAtOtherNode, BiConsumer<SamlClientBuilder, String> logoutFunction) {
|
||||
setPasswordFor(bburkeUser, CredentialRepresentation.PASSWORD);
|
||||
|
||||
assertSuccessfulLogin(page, bburkeUser, testRealmSAMLPostLoginPage, "principal=bburke");
|
||||
|
||||
updateProxy(NODE_2_NAME, NODE_2_URI, NODE_1_URI);
|
||||
logoutFunction.accept(page);
|
||||
delayedCheckLoggedOut(page, loginActionsPage);
|
||||
|
||||
updateProxy(NODE_1_NAME, NODE_1_URI, NODE_2_URI);
|
||||
delayedCheckLoggedOut(page, loginActionsPage);
|
||||
final String employeeUrlString;
|
||||
try {
|
||||
URL employeeUrlAtRevProxy = new URL(employeeUrl.getProtocol(), employeeUrl.getHost(), HTTP_PORT_NODE_REVPROXY, employeeUrl.getFile());
|
||||
employeeUrlString = employeeUrlAtRevProxy.toString();
|
||||
} catch (MalformedURLException ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testBackchannelLogout(@ArquillianResource
|
||||
@OperateOnDeployment(value = EmployeeServletDistributable.DEPLOYMENT_NAME) URL employeeUrl) throws Exception {
|
||||
testLogoutViaSessionIndex(employeeUrl, (EmployeeServletDistributable page) -> {
|
||||
SamlClientBuilder builder = new SamlClientBuilder()
|
||||
// Go to employee URL at reverse proxy which is set to forward to first node
|
||||
.navigateTo(employeeUrlString)
|
||||
|
||||
// process redirection to login page
|
||||
.processSamlResponse(Binding.POST).build()
|
||||
.login().user(bburkeUser).build()
|
||||
.processSamlResponse(Binding.POST).build()
|
||||
|
||||
// Returned to the page
|
||||
.assertResponse(Matchers.bodyHC(containsString("principal=bburke")))
|
||||
|
||||
// Update the proxy to forward to the second node.
|
||||
.addStep(() -> updateProxy(NODE_2_NAME, NODE_2_URI, NODE_1_URI));
|
||||
|
||||
if (forceRefreshAtOtherNode) {
|
||||
// Go to employee URL at reverse proxy which is set to forward to _second_ node now
|
||||
builder
|
||||
.navigateTo(employeeUrlString)
|
||||
.doNotFollowRedirects()
|
||||
.assertResponse(Matchers.bodyHC(containsString("principal=bburke")));
|
||||
}
|
||||
|
||||
// Logout at the _second_ node
|
||||
logoutFunction.accept(builder, employeeUrlString);
|
||||
|
||||
SamlClient samlClient = builder.execute();
|
||||
delayedCheckLoggedOut(samlClient, employeeUrlString);
|
||||
|
||||
// Update the proxy to forward to the first node.
|
||||
updateProxy(NODE_1_NAME, NODE_1_URI, NODE_2_URI);
|
||||
delayedCheckLoggedOut(samlClient, employeeUrlString);
|
||||
}
|
||||
|
||||
private void delayedCheckLoggedOut(SamlClient samlClient, String url) {
|
||||
Retry.execute(() -> {
|
||||
samlClient.execute(
|
||||
(client, currentURI, currentResponse, context) -> new HttpGet(url),
|
||||
(client, currentURI, currentResponse, context) -> {
|
||||
assertThat(currentResponse, Matchers.bodyHC(not(containsString("principal=bburke"))));
|
||||
return null;
|
||||
}
|
||||
);
|
||||
}, 10, 300);
|
||||
}
|
||||
|
||||
private void logoutViaAdminConsole() {
|
||||
RealmResource demoRealm = adminClient.realm(DEMO);
|
||||
String bburkeId = ApiUtil.findUserByUsername(demoRealm, "bburke").getId();
|
||||
demoRealm.users().get(bburkeId).logout();
|
||||
log.infov("Logged out via admin console");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAdminInitiatedBackchannelLogout(@ArquillianResource
|
||||
@OperateOnDeployment(value = EmployeeServletDistributable.DEPLOYMENT_NAME) URL employeeUrl) throws Exception {
|
||||
testLogoutViaSessionIndex(employeeUrl, false, (builder, url) -> builder.addStep(this::logoutViaAdminConsole));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAdminInitiatedBackchannelLogoutWithAssertionOfLoggedIn(@ArquillianResource
|
||||
@OperateOnDeployment(value = EmployeeServletDistributable.DEPLOYMENT_NAME) URL employeeUrl) throws Exception {
|
||||
testLogoutViaSessionIndex(employeeUrl, true, (builder, url) -> builder.addStep(this::logoutViaAdminConsole));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUserInitiatedFrontchannelLogout(@ArquillianResource
|
||||
@OperateOnDeployment(value = EmployeeServletDistributable.DEPLOYMENT_NAME) URL employeeUrl) throws Exception {
|
||||
testLogoutViaSessionIndex(employeeUrl, false, (builder, url) -> {
|
||||
builder
|
||||
.navigateTo(url + "?GLO=true")
|
||||
.processSamlResponse(Binding.POST).build() // logout request
|
||||
.processSamlResponse(Binding.POST).build() // logout response
|
||||
;
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFrontchannelLogout(@ArquillianResource
|
||||
public void testUserInitiatedFrontchannelLogoutWithAssertionOfLoggedIn(@ArquillianResource
|
||||
@OperateOnDeployment(value = EmployeeServletDistributable.DEPLOYMENT_NAME) URL employeeUrl) throws Exception {
|
||||
testLogoutViaSessionIndex(employeeUrl, (EmployeeServletDistributable page) -> {
|
||||
page.logout();
|
||||
log.infov("Logged out via application");
|
||||
testLogoutViaSessionIndex(employeeUrl, true, (builder, url) -> {
|
||||
builder
|
||||
.navigateTo(url + "?GLO=true")
|
||||
.processSamlResponse(Binding.POST).build() // logout request
|
||||
.processSamlResponse(Binding.POST).build() // logout response
|
||||
;
|
||||
});
|
||||
}
|
||||
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
|
||||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<PrincipalNameMapping policy="FROM_ATTRIBUTE" attribute="email"/>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="memberOf"/>
|
||||
<Attribute name="Role"/>
|
||||
|
|
|
@ -13,6 +13,8 @@
|
|||
<xsl:copy>
|
||||
<xsl:apply-templates select="@* | node()" />
|
||||
|
||||
<xsl:if test="not(*[local-name() = 'secure-deployment'])">
|
||||
|
||||
<secure-deployment name="customer-portal-subsystem.war">
|
||||
<realm>demo</realm>
|
||||
<realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
|
||||
|
@ -31,7 +33,9 @@
|
|||
<credential name="secret">password</credential>
|
||||
</secure-deployment>
|
||||
|
||||
</xsl:if>
|
||||
</xsl:copy>
|
||||
|
||||
</xsl:template>
|
||||
|
||||
<xsl:template match="@*|node()">
|
||||
|
|
|
@ -54,8 +54,8 @@ public class EAP6SAMLAdapterClusterTest extends AbstractSAMLAdapterClusterTest {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected void prepareWorkerNode(Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0})", managementPort);
|
||||
protected void prepareWorkerNode(int nodeIndex, Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0} @ {1})", nodeIndex, managementPort);
|
||||
|
||||
OnlineManagementClient clientWorkerNodeClient = ManagementClient.online(OnlineOptions
|
||||
.standalone()
|
||||
|
|
|
@ -0,0 +1,169 @@
|
|||
/*
|
||||
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.testsuite.adapter.crossdc;
|
||||
|
||||
import org.keycloak.testsuite.adapter.page.EmployeeServletDistributable;
|
||||
import org.keycloak.testsuite.arquillian.annotation.*;
|
||||
|
||||
import java.io.*;
|
||||
|
||||
import org.keycloak.testsuite.adapter.servlet.cluster.AbstractSAMLAdapterClusterTest;
|
||||
import org.keycloak.testsuite.adapter.servlet.SendUsernameServlet;
|
||||
|
||||
import org.apache.commons.lang3.math.NumberUtils;
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.arquillian.container.test.api.TargetsContainer;
|
||||
import org.jboss.dmr.ModelNode;
|
||||
import org.jboss.shrinkwrap.api.asset.StringAsset;
|
||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Assume;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Ignore;
|
||||
import org.wildfly.extras.creaper.core.*;
|
||||
import org.wildfly.extras.creaper.core.online.*;
|
||||
import org.wildfly.extras.creaper.core.online.operations.*;
|
||||
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.Matchers.not;
|
||||
import static org.keycloak.testsuite.adapter.AbstractServletsAdapterTest.samlServletDeployment;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author hmlnarik
|
||||
*/
|
||||
@Ignore("Infinispan version 5 does not support remote cache events, hence this test is left here for development purposes only")
|
||||
@AppServerContainer("app-server-eap6")
|
||||
public class EAP6SAMLAdapterCrossDCTest extends AbstractSAMLAdapterClusterTest {
|
||||
|
||||
@BeforeClass
|
||||
public static void checkCrossDcTest() {
|
||||
Assume.assumeThat("Seems not to be running cross-DC tests", System.getProperty("cache.server"), not(is("undefined")));
|
||||
}
|
||||
|
||||
protected static final int PORT_OFFSET_CACHE_1 = NumberUtils.toInt(System.getProperty("cache.server.port.offset"), 0);
|
||||
protected static final int CACHE_HOTROD_PORT_CACHE_1 = 11222 + PORT_OFFSET_CACHE_1;
|
||||
protected static final int PORT_OFFSET_CACHE_2 = NumberUtils.toInt(System.getProperty("cache.server.2.port.offset"), 0);
|
||||
protected static final int CACHE_HOTROD_PORT_CACHE_2 = 11222 + PORT_OFFSET_CACHE_2;
|
||||
|
||||
private final int[] CACHE_HOTROD_PORTS = new int[] { CACHE_HOTROD_PORT_CACHE_1, CACHE_HOTROD_PORT_CACHE_2 };
|
||||
private final int[] TCPPING_PORTS = new int[] { 7600 + PORT_OFFSET_NODE_1, 7600 + PORT_OFFSET_NODE_2 };
|
||||
|
||||
private static final String SESSION_CACHE_NAME = EmployeeServletDistributable.DEPLOYMENT_NAME + "-cache";
|
||||
private static final String SSO_CACHE_NAME = SESSION_CACHE_NAME + ".ssoCache";
|
||||
|
||||
private static final Address SESSION_CACHE_ADDR = Address.subsystem("infinispan")
|
||||
.and("cache-container", "web")
|
||||
.and("replicated-cache", SESSION_CACHE_NAME);
|
||||
private static final Address SSO_CACHE_ADDR = Address.subsystem("infinispan")
|
||||
.and("cache-container", "web")
|
||||
.and("replicated-cache", SSO_CACHE_NAME);
|
||||
|
||||
private static final String JBOSS_WEB_XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
|
||||
+ "<jboss-web>\n"
|
||||
+ " <replication-config>\n"
|
||||
+ " <replication-granularity>SESSION</replication-granularity>\n"
|
||||
+ " <cache-name>" + "web." + SESSION_CACHE_NAME + "</cache-name>\n"
|
||||
+ " </replication-config>\n"
|
||||
+ "</jboss-web>";
|
||||
|
||||
@TargetsContainer(value = "app-server-eap6-" + NODE_1_NAME)
|
||||
@Deployment(name = EmployeeServletDistributable.DEPLOYMENT_NAME, managed = false)
|
||||
protected static WebArchive employee() {
|
||||
return samlServletDeployment(EmployeeServletDistributable.DEPLOYMENT_NAME,
|
||||
EmployeeServletDistributable.DEPLOYMENT_NAME + "/WEB-INF/web.xml",
|
||||
SendUsernameServlet.class)
|
||||
.addAsWebInfResource(new StringAsset(JBOSS_WEB_XML), "jboss-web.xml");
|
||||
}
|
||||
|
||||
@TargetsContainer(value = "app-server-eap6-" + NODE_2_NAME)
|
||||
@Deployment(name = EmployeeServletDistributable.DEPLOYMENT_NAME + "_2", managed = false)
|
||||
protected static WebArchive employee2() {
|
||||
return employee();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void prepareWorkerNode(int nodeIndex, Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0} @ {1})", nodeIndex, managementPort);
|
||||
|
||||
OnlineManagementClient clientWorkerNodeClient = ManagementClient.online(OnlineOptions
|
||||
.standalone()
|
||||
.hostAndPort("localhost", managementPort)
|
||||
.protocol(ManagementProtocol.REMOTE)
|
||||
.build());
|
||||
Operations op = new Operations(clientWorkerNodeClient);
|
||||
|
||||
Batch b = new Batch();
|
||||
Address tcppingStack = Address
|
||||
.subsystem("jgroups")
|
||||
.and("stack", "tcpping");
|
||||
b.add(tcppingStack);
|
||||
b.add(tcppingStack.and("transport", "TRANSPORT"), Values.of("socket-binding", "jgroups-tcp").and("type", "TCP"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "TCPPING"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "initial_hosts"), Values.of("value", "localhost[" + TCPPING_PORTS[nodeIndex] + "]"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "port_range"), Values.of("value", "0"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "num_initial_members"), Values.of("value", "1"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "timeout"), Values.of("value", "3000"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "MERGE2"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "FD_SOCK").and("socket-binding", "jgroups-tcp-fd"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "FD"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "VERIFY_SUSPECT"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "pbcast.NAKACK"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "UNICAST2"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "pbcast.STABLE"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "pbcast.GMS"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "UFC"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "MFC"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "FRAG2"));
|
||||
b.invoke("add-protocol", tcppingStack, Values.of("type", "RSVP"));
|
||||
Assert.assertTrue("Could not add TCPPING JGroups stack", op.batch(b).isSuccess());
|
||||
|
||||
op.add(Address.of("socket-binding-group", "standard-sockets").and("remote-destination-outbound-socket-binding", "cache-server"),
|
||||
Values.of("host", "localhost")
|
||||
.and("port", CACHE_HOTROD_PORTS[nodeIndex]));
|
||||
|
||||
op.add(SESSION_CACHE_ADDR, Values.of("statistics-enabled", "true").and("mode", "SYNC"));
|
||||
op.add(SESSION_CACHE_ADDR.and("remote-store", "REMOTE_STORE"),
|
||||
Values.of("remote-servers", ModelNode.fromString("[{\"outbound-socket-binding\"=>\"cache-server\"}]"))
|
||||
.and("cache", SESSION_CACHE_NAME)
|
||||
.and("passivation", false)
|
||||
.and("purge", false)
|
||||
.and("preload", false)
|
||||
.and("shared", true)
|
||||
);
|
||||
|
||||
op.add(SSO_CACHE_ADDR, Values.of("statistics-enabled", "true").and("mode", "SYNC"));
|
||||
op.add(SSO_CACHE_ADDR.and("remote-store", "REMOTE_STORE"),
|
||||
Values.of("remote-servers", ModelNode.fromString("[{\"outbound-socket-binding\"=>\"cache-server\"}]"))
|
||||
.and("cache", SSO_CACHE_NAME)
|
||||
.and("passivation", false)
|
||||
.and("purge", false)
|
||||
.and("preload", false)
|
||||
.and("shared", true)
|
||||
);
|
||||
|
||||
Assert.assertTrue(op.writeAttribute(Address.subsystem("jgroups"), "default-stack", "tcpping").isSuccess());
|
||||
Assert.assertTrue(op.writeAttribute(Address.subsystem("web"), "instance-id", "${jboss.node.name}").isSuccess());
|
||||
op.add(Address.extension("org.keycloak.keycloak-saml-adapter-subsystem"), Values.of("module", "org.keycloak.keycloak-saml-adapter-subsystem"));
|
||||
op.add(Address.subsystem("keycloak-saml"));
|
||||
|
||||
clientWorkerNodeClient.execute("reload");
|
||||
|
||||
log.infov("Worker node ({0}) Prepared", managementPort);
|
||||
}
|
||||
|
||||
}
|
|
@ -36,13 +36,19 @@
|
|||
<groupId>org.wildfly.extras.creaper</groupId>
|
||||
<artifactId>creaper-core</artifactId>
|
||||
<scope>test</scope>
|
||||
<version>1.5.0</version>
|
||||
<version>1.6.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wildfly.core</groupId>
|
||||
<artifactId>wildfly-cli</artifactId>
|
||||
<scope>test</scope>
|
||||
<version>3.0.0.Beta30</version>
|
||||
<version>${wildfly.core.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wildfly.core</groupId>
|
||||
<artifactId>wildfly-controller-client</artifactId>
|
||||
<scope>test</scope>
|
||||
<version>${wildfly.core.version}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
|
|
|
@ -53,8 +53,8 @@ public class WildflySAMLAdapterClusterTest extends AbstractSAMLAdapterClusterTes
|
|||
}
|
||||
|
||||
@Override
|
||||
protected void prepareWorkerNode(Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0})", managementPort);
|
||||
protected void prepareWorkerNode(int nodeIndex, Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0} @ {1})", nodeIndex, managementPort);
|
||||
|
||||
OnlineManagementClient clientWorkerNodeClient = ManagementClient.online(OnlineOptions
|
||||
.standalone()
|
||||
|
@ -71,8 +71,6 @@ public class WildflySAMLAdapterClusterTest extends AbstractSAMLAdapterClusterTes
|
|||
b.add(tcppingStack.and("protocol", "TCPPING"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "initial_hosts"), Values.of("value", "localhost[" + (7600 + PORT_OFFSET_NODE_1) + "],localhost[" + (7600 + PORT_OFFSET_NODE_2) + "]"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "port_range"), Values.of("value", "0"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "num_initial_members"), Values.of("value", "2"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "timeout"), Values.of("value", "3000"));
|
||||
b.add(tcppingStack.and("protocol", "MERGE3"));
|
||||
b.add(tcppingStack.and("protocol", "FD_SOCK"), Values.of("socket-binding", "jgroups-tcp-fd"));
|
||||
b.add(tcppingStack.and("protocol", "FD"));
|
||||
|
|
|
@ -0,0 +1,162 @@
|
|||
/*
|
||||
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.testsuite.adapter.crossdc;
|
||||
|
||||
import org.keycloak.testsuite.adapter.page.EmployeeServletDistributable;
|
||||
import org.keycloak.testsuite.arquillian.annotation.*;
|
||||
|
||||
import java.io.*;
|
||||
|
||||
import org.keycloak.testsuite.adapter.servlet.cluster.AbstractSAMLAdapterClusterTest;
|
||||
import org.keycloak.testsuite.adapter.servlet.SendUsernameServlet;
|
||||
|
||||
import org.apache.commons.lang3.math.NumberUtils;
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.arquillian.container.test.api.TargetsContainer;
|
||||
import org.jboss.shrinkwrap.api.asset.StringAsset;
|
||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
import org.junit.Assume;
|
||||
import org.junit.BeforeClass;
|
||||
import org.wildfly.extras.creaper.core.*;
|
||||
import org.wildfly.extras.creaper.core.online.*;
|
||||
import org.wildfly.extras.creaper.core.online.operations.*;
|
||||
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.Matchers.not;
|
||||
import static org.keycloak.testsuite.adapter.AbstractServletsAdapterTest.samlServletDeployment;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author hmlnarik
|
||||
*/
|
||||
@AppServerContainer("app-server-wildfly")
|
||||
public class WildflySAMLAdapterCrossDCTest extends AbstractSAMLAdapterClusterTest {
|
||||
|
||||
@BeforeClass
|
||||
public static void checkCrossDcTest() {
|
||||
Assume.assumeThat("Seems not to be running cross-DC tests", System.getProperty("cache.server"), not(is("undefined")));
|
||||
}
|
||||
|
||||
protected static final int PORT_OFFSET_CACHE_1 = NumberUtils.toInt(System.getProperty("cache.server.port.offset"), 0);
|
||||
protected static final int CACHE_HOTROD_PORT_CACHE_1 = 11222 + PORT_OFFSET_CACHE_1;
|
||||
protected static final int PORT_OFFSET_CACHE_2 = NumberUtils.toInt(System.getProperty("cache.server.2.port.offset"), 0);
|
||||
protected static final int CACHE_HOTROD_PORT_CACHE_2 = 11222 + PORT_OFFSET_CACHE_2;
|
||||
|
||||
private final int[] CACHE_HOTROD_PORTS = new int[] { CACHE_HOTROD_PORT_CACHE_1, CACHE_HOTROD_PORT_CACHE_2 };
|
||||
private final int[] TCPPING_PORTS = new int[] { 7600 + PORT_OFFSET_NODE_1, 7600 + PORT_OFFSET_NODE_2 };
|
||||
|
||||
private static final String SESSION_CACHE_NAME = EmployeeServletDistributable.DEPLOYMENT_NAME + "-cache";
|
||||
private static final String SSO_CACHE_NAME = SESSION_CACHE_NAME + ".ssoCache";
|
||||
|
||||
private static final Address SESSION_CACHE_ADDR = Address.subsystem("infinispan")
|
||||
.and("cache-container", "web")
|
||||
.and("replicated-cache", SESSION_CACHE_NAME);
|
||||
private static final Address SSO_CACHE_ADDR = Address.subsystem("infinispan")
|
||||
.and("cache-container", "web")
|
||||
.and("replicated-cache", SSO_CACHE_NAME);
|
||||
|
||||
private static final String JBOSS_WEB_XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
|
||||
+ "<jboss-web>\n"
|
||||
+ " <replication-config>\n"
|
||||
+ " <replication-granularity>SESSION</replication-granularity>\n"
|
||||
+ " <cache-name>" + "web." + SESSION_CACHE_NAME + "</cache-name>\n"
|
||||
+ " </replication-config>\n"
|
||||
+ "</jboss-web>";
|
||||
|
||||
@TargetsContainer(value = "app-server-wildfly-" + NODE_1_NAME)
|
||||
@Deployment(name = EmployeeServletDistributable.DEPLOYMENT_NAME, managed = false)
|
||||
protected static WebArchive employee() {
|
||||
return samlServletDeployment(EmployeeServletDistributable.DEPLOYMENT_NAME,
|
||||
EmployeeServletDistributable.DEPLOYMENT_NAME + "/WEB-INF/web.xml",
|
||||
SendUsernameServlet.class)
|
||||
.addAsWebInfResource(new StringAsset(JBOSS_WEB_XML), "jboss-web.xml");
|
||||
}
|
||||
|
||||
@TargetsContainer(value = "app-server-wildfly-" + NODE_2_NAME)
|
||||
@Deployment(name = EmployeeServletDistributable.DEPLOYMENT_NAME + "_2", managed = false)
|
||||
protected static WebArchive employee2() {
|
||||
return employee();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void prepareWorkerNode(int nodeIndex, Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0} @ {1})", nodeIndex, managementPort);
|
||||
|
||||
OnlineManagementClient clientWorkerNodeClient = ManagementClient.online(OnlineOptions
|
||||
.standalone()
|
||||
.hostAndPort("localhost", managementPort)
|
||||
.build());
|
||||
Operations op = new Operations(clientWorkerNodeClient);
|
||||
|
||||
Batch b = new Batch();
|
||||
Address tcppingStack = Address
|
||||
.subsystem("jgroups")
|
||||
.and("stack", "tcpping");
|
||||
b.add(tcppingStack);
|
||||
b.add(tcppingStack.and("transport", "TCP"), Values.of("socket-binding", "jgroups-tcp"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "initial_hosts"), Values.of("value", "localhost[" + TCPPING_PORTS[nodeIndex] + "]"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "port_range"), Values.of("value", "0"));
|
||||
b.add(tcppingStack.and("protocol", "MERGE3"));
|
||||
b.add(tcppingStack.and("protocol", "FD_SOCK"), Values.of("socket-binding", "jgroups-tcp-fd"));
|
||||
b.add(tcppingStack.and("protocol", "FD"));
|
||||
b.add(tcppingStack.and("protocol", "VERIFY_SUSPECT"));
|
||||
b.add(tcppingStack.and("protocol", "pbcast.NAKACK2"));
|
||||
b.add(tcppingStack.and("protocol", "UNICAST3"));
|
||||
b.add(tcppingStack.and("protocol", "pbcast.STABLE"));
|
||||
b.add(tcppingStack.and("protocol", "pbcast.GMS"));
|
||||
b.add(tcppingStack.and("protocol", "MFC"));
|
||||
b.add(tcppingStack.and("protocol", "FRAG2"));
|
||||
b.writeAttribute(Address.subsystem("jgroups").and("channel", "ee"), "stack", "tcpping");
|
||||
op.batch(b);
|
||||
|
||||
|
||||
op.add(Address.of("socket-binding-group", "standard-sockets").and("remote-destination-outbound-socket-binding", "cache-server"),
|
||||
Values.of("host", "localhost")
|
||||
.and("port", CACHE_HOTROD_PORTS[nodeIndex]));
|
||||
|
||||
op.add(SESSION_CACHE_ADDR, Values.of("statistics-enabled", "true").and("mode", "SYNC"));
|
||||
op.writeAttribute(SESSION_CACHE_ADDR.and("component", "locking"), "isolation", "REPEATABLE_READ");
|
||||
op.writeAttribute(SESSION_CACHE_ADDR.and("component", "transaction"), "mode", "BATCH");
|
||||
op.add(SESSION_CACHE_ADDR.and("store", "remote"),
|
||||
Values.ofList("remote-servers", "cache-server")
|
||||
.and("cache", SESSION_CACHE_NAME)
|
||||
.and("passivation", false)
|
||||
.and("purge", false)
|
||||
.and("preload", false)
|
||||
.and("shared", true)
|
||||
);
|
||||
|
||||
op.add(SSO_CACHE_ADDR, Values.of("statistics-enabled", "true").and("mode", "SYNC"));
|
||||
op.add(SSO_CACHE_ADDR.and("store", "remote"),
|
||||
Values.ofList("remote-servers", "cache-server")
|
||||
.and("cache", SSO_CACHE_NAME)
|
||||
.and("passivation", false)
|
||||
.and("purge", false)
|
||||
.and("preload", false)
|
||||
.and("shared", true)
|
||||
);
|
||||
|
||||
op.add(Address.extension("org.keycloak.keycloak-saml-adapter-subsystem"), Values.of("module", "org.keycloak.keycloak-saml-adapter-subsystem"));
|
||||
op.add(Address.subsystem("keycloak-saml"));
|
||||
|
||||
clientWorkerNodeClient.execute("reload");
|
||||
|
||||
log.infov("Worker node ({0}) Prepared", managementPort);
|
||||
}
|
||||
|
||||
}
|
|
@ -53,8 +53,8 @@ public class Wildfly10SAMLAdapterClusterTest extends AbstractSAMLAdapterClusterT
|
|||
}
|
||||
|
||||
@Override
|
||||
protected void prepareWorkerNode(Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0})", managementPort);
|
||||
protected void prepareWorkerNode(int nodeIndex, Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0} @ {1})", nodeIndex, managementPort);
|
||||
|
||||
OnlineManagementClient clientWorkerNodeClient = ManagementClient.online(OnlineOptions
|
||||
.standalone()
|
||||
|
@ -71,8 +71,6 @@ public class Wildfly10SAMLAdapterClusterTest extends AbstractSAMLAdapterClusterT
|
|||
b.add(tcppingStack.and("protocol", "TCPPING"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "initial_hosts"), Values.of("value", "localhost[" + (7600 + PORT_OFFSET_NODE_1) + "],localhost[" + (7600 + PORT_OFFSET_NODE_2) + "]"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "port_range"), Values.of("value", "0"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "num_initial_members"), Values.of("value", "2"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "timeout"), Values.of("value", "3000"));
|
||||
b.add(tcppingStack.and("protocol", "MERGE3"));
|
||||
b.add(tcppingStack.and("protocol", "FD_SOCK"), Values.of("socket-binding", "jgroups-tcp-fd"));
|
||||
b.add(tcppingStack.and("protocol", "FD"));
|
||||
|
|
|
@ -0,0 +1,162 @@
|
|||
/*
|
||||
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.testsuite.adapter.crossdc;
|
||||
|
||||
import org.keycloak.testsuite.adapter.page.EmployeeServletDistributable;
|
||||
import org.keycloak.testsuite.arquillian.annotation.*;
|
||||
|
||||
import java.io.*;
|
||||
|
||||
import org.keycloak.testsuite.adapter.servlet.cluster.AbstractSAMLAdapterClusterTest;
|
||||
import org.keycloak.testsuite.adapter.servlet.SendUsernameServlet;
|
||||
|
||||
import org.apache.commons.lang3.math.NumberUtils;
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.arquillian.container.test.api.TargetsContainer;
|
||||
import org.jboss.shrinkwrap.api.asset.StringAsset;
|
||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
import org.junit.Assume;
|
||||
import org.junit.BeforeClass;
|
||||
import org.wildfly.extras.creaper.core.*;
|
||||
import org.wildfly.extras.creaper.core.online.*;
|
||||
import org.wildfly.extras.creaper.core.online.operations.*;
|
||||
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.Matchers.not;
|
||||
import static org.keycloak.testsuite.adapter.AbstractServletsAdapterTest.samlServletDeployment;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author hmlnarik
|
||||
*/
|
||||
@AppServerContainer("app-server-wildfly10")
|
||||
public class Wildfly10SAMLAdapterCrossDCTest extends AbstractSAMLAdapterClusterTest {
|
||||
|
||||
@BeforeClass
|
||||
public static void checkCrossDcTest() {
|
||||
Assume.assumeThat("Seems not to be running cross-DC tests", System.getProperty("cache.server"), not(is("undefined")));
|
||||
}
|
||||
|
||||
protected static final int PORT_OFFSET_CACHE_1 = NumberUtils.toInt(System.getProperty("cache.server.port.offset"), 0);
|
||||
protected static final int CACHE_HOTROD_PORT_CACHE_1 = 11222 + PORT_OFFSET_CACHE_1;
|
||||
protected static final int PORT_OFFSET_CACHE_2 = NumberUtils.toInt(System.getProperty("cache.server.2.port.offset"), 0);
|
||||
protected static final int CACHE_HOTROD_PORT_CACHE_2 = 11222 + PORT_OFFSET_CACHE_2;
|
||||
|
||||
private final int[] CACHE_HOTROD_PORTS = new int[] { CACHE_HOTROD_PORT_CACHE_1, CACHE_HOTROD_PORT_CACHE_2 };
|
||||
private final int[] TCPPING_PORTS = new int[] { 7600 + PORT_OFFSET_NODE_1, 7600 + PORT_OFFSET_NODE_2 };
|
||||
|
||||
private static final String SESSION_CACHE_NAME = EmployeeServletDistributable.DEPLOYMENT_NAME + "-cache";
|
||||
private static final String SSO_CACHE_NAME = SESSION_CACHE_NAME + ".ssoCache";
|
||||
|
||||
private static final Address SESSION_CACHE_ADDR = Address.subsystem("infinispan")
|
||||
.and("cache-container", "web")
|
||||
.and("replicated-cache", SESSION_CACHE_NAME);
|
||||
private static final Address SSO_CACHE_ADDR = Address.subsystem("infinispan")
|
||||
.and("cache-container", "web")
|
||||
.and("replicated-cache", SSO_CACHE_NAME);
|
||||
|
||||
private static final String JBOSS_WEB_XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
|
||||
+ "<jboss-web>\n"
|
||||
+ " <replication-config>\n"
|
||||
+ " <replication-granularity>SESSION</replication-granularity>\n"
|
||||
+ " <cache-name>" + "web." + SESSION_CACHE_NAME + "</cache-name>\n"
|
||||
+ " </replication-config>\n"
|
||||
+ "</jboss-web>";
|
||||
|
||||
@TargetsContainer(value = "app-server-wildfly10-" + NODE_1_NAME)
|
||||
@Deployment(name = EmployeeServletDistributable.DEPLOYMENT_NAME, managed = false)
|
||||
protected static WebArchive employee() {
|
||||
return samlServletDeployment(EmployeeServletDistributable.DEPLOYMENT_NAME,
|
||||
EmployeeServletDistributable.DEPLOYMENT_NAME + "/WEB-INF/web.xml",
|
||||
SendUsernameServlet.class)
|
||||
.addAsWebInfResource(new StringAsset(JBOSS_WEB_XML), "jboss-web.xml");
|
||||
}
|
||||
|
||||
@TargetsContainer(value = "app-server-wildfly10-" + NODE_2_NAME)
|
||||
@Deployment(name = EmployeeServletDistributable.DEPLOYMENT_NAME + "_2", managed = false)
|
||||
protected static WebArchive employee2() {
|
||||
return employee();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void prepareWorkerNode(int nodeIndex, Integer managementPort) throws IOException, CliException, NumberFormatException {
|
||||
log.infov("Preparing worker node ({0} @ {1})", nodeIndex, managementPort);
|
||||
|
||||
OnlineManagementClient clientWorkerNodeClient = ManagementClient.online(OnlineOptions
|
||||
.standalone()
|
||||
.hostAndPort("localhost", managementPort)
|
||||
.build());
|
||||
Operations op = new Operations(clientWorkerNodeClient);
|
||||
|
||||
Batch b = new Batch();
|
||||
Address tcppingStack = Address
|
||||
.subsystem("jgroups")
|
||||
.and("stack", "tcpping");
|
||||
b.add(tcppingStack);
|
||||
b.add(tcppingStack.and("transport", "TCP"), Values.of("socket-binding", "jgroups-tcp"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "initial_hosts"), Values.of("value", "localhost[" + TCPPING_PORTS[nodeIndex] + "]"));
|
||||
b.add(tcppingStack.and("protocol", "TCPPING").and("property", "port_range"), Values.of("value", "0"));
|
||||
b.add(tcppingStack.and("protocol", "MERGE3"));
|
||||
b.add(tcppingStack.and("protocol", "FD_SOCK"), Values.of("socket-binding", "jgroups-tcp-fd"));
|
||||
b.add(tcppingStack.and("protocol", "FD"));
|
||||
b.add(tcppingStack.and("protocol", "VERIFY_SUSPECT"));
|
||||
b.add(tcppingStack.and("protocol", "pbcast.NAKACK2"));
|
||||
b.add(tcppingStack.and("protocol", "UNICAST3"));
|
||||
b.add(tcppingStack.and("protocol", "pbcast.STABLE"));
|
||||
b.add(tcppingStack.and("protocol", "pbcast.GMS"));
|
||||
b.add(tcppingStack.and("protocol", "MFC"));
|
||||
b.add(tcppingStack.and("protocol", "FRAG2"));
|
||||
b.writeAttribute(Address.subsystem("jgroups").and("channel", "ee"), "stack", "tcpping");
|
||||
op.batch(b);
|
||||
|
||||
|
||||
op.add(Address.of("socket-binding-group", "standard-sockets").and("remote-destination-outbound-socket-binding", "cache-server"),
|
||||
Values.of("host", "localhost")
|
||||
.and("port", CACHE_HOTROD_PORTS[nodeIndex]));
|
||||
|
||||
op.add(SESSION_CACHE_ADDR, Values.of("statistics-enabled", "true").and("mode", "SYNC"));
|
||||
op.writeAttribute(SESSION_CACHE_ADDR.and("component", "locking"), "isolation", "REPEATABLE_READ");
|
||||
op.writeAttribute(SESSION_CACHE_ADDR.and("component", "transaction"), "mode", "BATCH");
|
||||
op.add(SESSION_CACHE_ADDR.and("store", "remote"),
|
||||
Values.ofList("remote-servers", "cache-server")
|
||||
.and("cache", SESSION_CACHE_NAME)
|
||||
.and("passivation", false)
|
||||
.and("purge", false)
|
||||
.and("preload", false)
|
||||
.and("shared", true)
|
||||
);
|
||||
|
||||
op.add(SSO_CACHE_ADDR, Values.of("statistics-enabled", "true").and("mode", "SYNC"));
|
||||
op.add(SSO_CACHE_ADDR.and("store", "remote"),
|
||||
Values.ofList("remote-servers", "cache-server")
|
||||
.and("cache", SSO_CACHE_NAME)
|
||||
.and("passivation", false)
|
||||
.and("purge", false)
|
||||
.and("preload", false)
|
||||
.and("shared", true)
|
||||
);
|
||||
|
||||
op.add(Address.extension("org.keycloak.keycloak-saml-adapter-subsystem"), Values.of("module", "org.keycloak.keycloak-saml-adapter-subsystem"));
|
||||
op.add(Address.subsystem("keycloak-saml"));
|
||||
|
||||
clientWorkerNodeClient.execute("reload");
|
||||
|
||||
log.infov("Worker node ({0}) Prepared", managementPort);
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in a new issue