Merge pull request #634 from patriot1burke/master

buncho fixes

forms/common-themes/src/main/resources/theme/admin/base/resources/partials/realm-menu.html

@@ -9,7 +9,7 @@
     </li>
     <li data-ng-show="access.viewUsers" data-ng-class="(path[2] == 'users' || path[1] == 'user') && 'active'"><a href="#/realms/{{realm.realm}}/users">Users</a>
     </li>
-    <li data-ng-show="access.viewRealm" data-ng-class="(path[2] == 'roles' || (path[1] == 'role' & path[3] != 'applications') && 'active'"><a href="#/realms/{{realm.realm}}/roles">Roles</a>
+    <li data-ng-show="access.viewRealm" data-ng-class="(path[2] == 'roles' || (path[1] == 'role' && path[3] != 'applications')) && 'active'"><a href="#/realms/{{realm.realm}}/roles">Roles</a>
     </li>
     <li data-ng-show="access.viewApplications" data-ng-class="(path[2] == 'applications' || path[1] == 'application' || path[3] == 'applications') && 'active'"><a href="#/realms/{{realm.realm}}/applications">Applications</a></li>
     <li data-ng-show="access.viewClients" data-ng-class="(path[2] == 'oauth-clients' || path[1] == 'oauth-client') && 'active'"><a href="#/realms/{{realm.realm}}/oauth-clients">OAuth Clients</a></li>

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -173,7 +173,7 @@ public class AuthenticationManager {
     public AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers, boolean checkActive) {
         logger.info("authenticateIdentityCookie");
         Cookie cookie = headers.getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
-        if (cookie == null) {
+        if (cookie == null || "".equals(cookie.getValue())) {
             logger.infov("authenticateCookie could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
             return null;
         }

services/src/main/java/org/keycloak/services/resources/admin/UserFederationResource.java

@@ -156,7 +156,7 @@ public class UserFederationResource {
     @GET
     @NoCache
     @Path("instances/{id}")
-    @Consumes("application/json")
+    @Produces("application/json")
     public UserFederationProviderRepresentation getProviderInstance(@PathParam("id") String id) {
         logger.info("getProvider");
         auth.requireView();

services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java

@@ -96,7 +96,10 @@ public class OAuthFlows {
 
         Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
         if (sessionCookie != null) {
-            String oldSessionId = sessionCookie.getValue().split("/")[2];
+
+            String[] split = sessionCookie.getValue().split("/");
+            if (split.length >= 3) {
+                String oldSessionId = split[2];
                 if (!oldSessionId.equals(userSession.getId())) {
                     UserSessionModel oldSession = session.sessions().getUserSession(realm, oldSessionId);
                     if (oldSession != null) {
@@ -105,6 +108,7 @@ public class OAuthFlows {
                     }
                 }
             }
+        }
 
         // refresh the cookies!
         authManager.createLoginCookie(realm, accessCode.getUser(), userSession, uriInfo, clientConnection);

services/src/main/java/org/keycloak/services/util/CookieHelper.java

@@ -1,9 +1,9 @@
 package org.keycloak.services.util;
 
+import org.jboss.resteasy.spi.HttpResponse;
 import org.jboss.resteasy.spi.ResteasyProviderFactory;
 
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.HttpHeaders;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -24,16 +24,12 @@ public class CookieHelper {
      * @param httpOnly
      */
     public static void addCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly) {
-        HttpServletResponse response = ResteasyProviderFactory.getContextData(HttpServletResponse.class);
-        Cookie cookie = new Cookie(name, value);
-        if (path != null) cookie.setPath(path);
-        if (domain != null) cookie.setDomain(domain);
-        if (comment != null) cookie.setComment(comment);
-        cookie.setMaxAge(maxAge);
-        cookie.setSecure(secure);
-        cookie.setHttpOnly(httpOnly);
+        HttpResponse response = ResteasyProviderFactory.getContextData(HttpResponse.class);
+        StringBuffer cookieBuf = new StringBuffer();
+        ServerCookie.appendCookieValue(cookieBuf, 1, name, value, path, domain, comment, maxAge, secure, httpOnly);
+        String cookie = cookieBuf.toString();
+        response.getOutputHeaders().add(HttpHeaders.SET_COOKIE, cookie);
+    }
 
-        response.addCookie(cookie);
 
 }
-}

services/src/main/java/org/keycloak/services/util/ServerCookie.java

@@ -0,0 +1,305 @@
+package org.keycloak.services.util;
+
+import java.io.Serializable;
+import java.text.DateFormat;
+import java.text.FieldPosition;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+import java.util.TimeZone;
+
+/**
+ * Server-side cookie representation.  borrowed from Tomcat.
+ */
+public class ServerCookie implements Serializable {
+    private static final String tspecials = ",; ";
+    private static final String tspecials2 = "()<>@,;:\\\"/[]?={} \t";
+
+    /*
+    * Tests a string and returns true if the string counts as a
+    * reserved token in the Java language.
+    *
+    * @param value the <code>String</code> to be tested
+    *
+    * @return      <code>true</code> if the <code>String</code> is a reserved
+    *              token; <code>false</code> if it is not
+    */
+    public static boolean isToken(String value) {
+        if (value == null) return true;
+        int len = value.length();
+
+        for (int i = 0; i < len; i++) {
+            char c = value.charAt(i);
+
+            if (tspecials.indexOf(c) != -1)
+                return false;
+        }
+        return true;
+    }
+
+    public static boolean containsCTL(String value, int version) {
+        if (value == null) return false;
+        int len = value.length();
+        for (int i = 0; i < len; i++) {
+            char c = value.charAt(i);
+            if (c < 0x20 || c >= 0x7f) {
+                if (c == 0x09)
+                    continue; //allow horizontal tabs
+                return true;
+            }
+        }
+        return false;
+    }
+
+
+    public static boolean isToken2(String value) {
+        if (value == null) return true;
+        int len = value.length();
+
+        for (int i = 0; i < len; i++) {
+            char c = value.charAt(i);
+            if (tspecials2.indexOf(c) != -1)
+                return false;
+        }
+        return true;
+    }
+
+    /**
+     * @deprecated - Not used
+     */
+    public static boolean checkName(String name) {
+        if (!isToken(name)
+                || name.equalsIgnoreCase("Comment")     // rfc2019
+                || name.equalsIgnoreCase("Discard")     // rfc2965
+                || name.equalsIgnoreCase("Domain")      // rfc2019
+                || name.equalsIgnoreCase("Expires")     // Netscape
+                || name.equalsIgnoreCase("Max-Age")     // rfc2019
+                || name.equalsIgnoreCase("Path")        // rfc2019
+                || name.equalsIgnoreCase("Secure")      // rfc2019
+                || name.equalsIgnoreCase("Version")     // rfc2019
+            // TODO remaining RFC2965 attributes
+                ) {
+            return false;
+        }
+        return true;
+    }
+
+    // -------------------- Cookie parsing tools
+
+
+    /**
+     * Return the header name to set the cookie, based on cookie version.
+     */
+    public static String getCookieHeaderName(int version) {
+        // TODO Re-enable logging when RFC2965 is implemented
+        // log( (version==1) ? "Set-Cookie2" : "Set-Cookie");
+        if (version == 1) {
+            // XXX RFC2965 not referenced in Servlet Spec
+            // Set-Cookie2 is not supported by Netscape 4, 6, IE 3, 5
+            // Set-Cookie2 is supported by Lynx and Opera
+            // Need to check on later IE and FF releases but for now...
+            // RFC2109
+            return "Set-Cookie";
+            // return "Set-Cookie2";
+        } else {
+            // Old Netscape
+            return "Set-Cookie";
+        }
+    }
+
+    /**
+     * US locale - all HTTP dates are in english
+     */
+    private final static Locale LOCALE_US = Locale.US;
+
+    /**
+     * GMT timezone - all HTTP dates are on GMT
+     */
+    public final static TimeZone GMT_ZONE = TimeZone.getTimeZone("GMT");
+    /**
+     * Pattern used for old cookies
+     */
+    private final static String OLD_COOKIE_PATTERN = "EEE, dd-MMM-yyyy HH:mm:ss z";
+
+
+    private final static DateFormat oldCookieFormat = new SimpleDateFormat(OLD_COOKIE_PATTERN, LOCALE_US);
+
+    public static String formatOldCookie(Date d) {
+        String ocf = null;
+        synchronized (oldCookieFormat) {
+            ocf = oldCookieFormat.format(d);
+        }
+        return ocf;
+    }
+
+    public static void formatOldCookie(Date d, StringBuffer sb,
+                                       FieldPosition fp) {
+        synchronized (oldCookieFormat) {
+            oldCookieFormat.format(d, sb, fp);
+        }
+    }
+
+
+    private static final String ancientDate = formatOldCookie(new Date(10000));
+
+
+    // TODO RFC2965 fields also need to be passed
+    public static void appendCookieValue(StringBuffer headerBuf,
+                                         int version,
+                                         String name,
+                                         String value,
+                                         String path,
+                                         String domain,
+                                         String comment,
+                                         int maxAge,
+                                         boolean isSecure,
+                                         boolean httpOnly) {
+        StringBuffer buf = new StringBuffer();
+        // Servlet implementation checks name
+        buf.append(name);
+        buf.append("=");
+        // Servlet implementation does not check anything else
+
+        // NOTE!!! BROWSERS REALLY DON'T LIKE QUOTING
+        //maybeQuote2(version, buf, value);
+        buf.append(value);
+
+        // Add version 1 specific information
+        if (version == 1) {
+            // Version=1 ... required
+            buf.append("; Version=1");
+
+            // Comment=comment
+            if (comment != null) {
+                buf.append("; Comment=");
+                //maybeQuote2(version, buf, comment);
+                buf.append(comment);
+            }
+        }
+
+        // Add domain information, if present
+        if (domain != null) {
+            buf.append("; Domain=");
+            //maybeQuote2(version, buf, domain);
+            buf.append(domain);
+        }
+
+        // Max-Age=secs ... or use old "Expires" format
+        // TODO RFC2965 Discard
+        if (maxAge >= 0) {
+            // Wdy, DD-Mon-YY HH:MM:SS GMT ( Expires Netscape format )
+            buf.append("; Expires=");
+            // To expire immediately we need to set the time in past
+            if (maxAge == 0)
+                buf.append(ancientDate);
+            else
+                formatOldCookie
+                        (new Date(System.currentTimeMillis() +
+                                        maxAge * 1000L), buf,
+                                new FieldPosition(0));
+
+            buf.append("; Max-Age=");
+            buf.append(maxAge);
+        }
+
+        // Path=path
+        if (path != null) {
+            buf.append("; Path=");
+            buf.append(path);
+        }
+
+        // Secure
+        if (isSecure) {
+            buf.append("; Secure");
+        }
+
+        // HttpOnly
+        if (httpOnly) {
+            buf.append("; HttpOnly");
+        }
+
+        headerBuf.append(buf);
+    }
+
+    /**
+     * @deprecated - Not used
+     */
+    @Deprecated
+    public static void maybeQuote(int version, StringBuffer buf, String value) {
+        // special case - a \n or \r  shouldn't happen in any case
+        if (isToken(value)) {
+            buf.append(value);
+        } else {
+            buf.append('"');
+            buf.append(escapeDoubleQuotes(value, 0, value.length()));
+            buf.append('"');
+        }
+    }
+
+    public static boolean alreadyQuoted(String value) {
+        if (value == null || value.length() == 0) return false;
+        return (value.charAt(0) == '\"' && value.charAt(value.length() - 1) == '\"');
+    }
+
+    /**
+     * Quotes values using rules that vary depending on Cookie version.
+     *
+     * @param version
+     * @param buf
+     * @param value
+     */
+    public static void maybeQuote2(int version, StringBuffer buf, String value) {
+        if (value == null || value.length() == 0) {
+            buf.append("\"\"");
+        } else if (containsCTL(value, version))
+            throw new IllegalArgumentException("Control character in cookie value, consider BASE64 encoding your value");
+        else if (alreadyQuoted(value)) {
+            buf.append('"');
+            buf.append(escapeDoubleQuotes(value, 1, value.length() - 1));
+            buf.append('"');
+        } else if (version == 0 && !isToken(value)) {
+            buf.append('"');
+            buf.append(escapeDoubleQuotes(value, 0, value.length()));
+            buf.append('"');
+        } else if (version == 1 && !isToken2(value)) {
+            buf.append('"');
+            buf.append(escapeDoubleQuotes(value, 0, value.length()));
+            buf.append('"');
+        } else {
+            buf.append(value);
+        }
+    }
+
+
+    /**
+     * Escapes any double quotes in the given string.
+     *
+     * @param s          the input string
+     * @param beginIndex start index inclusive
+     * @param endIndex   exclusive
+     * @return The (possibly) escaped string
+     */
+    private static String escapeDoubleQuotes(String s, int beginIndex, int endIndex) {
+
+        if (s == null || s.length() == 0 || s.indexOf('"') == -1) {
+            return s;
+        }
+
+        StringBuffer b = new StringBuffer();
+        for (int i = beginIndex; i < endIndex; i++) {
+            char c = s.charAt(i);
+            if (c == '\\') {
+                b.append(c);
+                //ignore the character after an escape, just append it
+                if (++i >= endIndex) throw new IllegalArgumentException("Invalid escape character in cookie value.");
+                b.append(s.charAt(i));
+            } else if (c == '"')
+                b.append('\\').append('"');
+            else
+                b.append(c);
+        }
+
+        return b.toString();
+    }
+
+}

testsuite/integration/src/test/java/org/keycloak/testsuite/forms/FederationProvidersIntegrationTest.java

@@ -3,6 +3,7 @@ package org.keycloak.testsuite.forms;
 import org.junit.Assert;
 import org.junit.ClassRule;
 import org.junit.FixMethodOrder;
+import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.RuleChain;
@@ -102,6 +103,13 @@ public class FederationProvidersIntegrationTest {
     @WebResource
     protected AccountPasswordPage changePasswordPage;
 
+    @Test
+    @Ignore
+    public void runit() throws Exception {
+        Thread.sleep(10000000);
+
+    }
+
     static UserModel addUser(KeycloakSession session, RealmModel realm, String username, String email, String password) {
         UserModel user = session.users().addUser(realm, username);
         user.setEmail(email);

testsuite/integration/src/test/java/org/keycloak/testsuite/perf/AccessTokenPerfTest.java

@@ -180,6 +180,11 @@ public class AccessTokenPerfTest {
             }
             Assert.assertEquals(302, response.getStatus());
             uri = response.getLocation();
+            for (String header : response.getHeaders().keySet()) {
+                for (Object value : response.getHeaders().get(header)) {
+                    System.out.println(header + ": " + value);
+                }
+            }
             response.close();
 
             Assert.assertNotNull(uri);