KEYCLOAK-14193 Client Policy - Condition : Client - Client Access Type

This commit is contained in:
Takashi Norimatsu 2020-11-15 00:01:12 +09:00 committed by Marek Posolda
parent 29e3d89f3a
commit 9ce2e9b1f7
4 changed files with 228 additions and 1 deletions

View file

@ -0,0 +1,92 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.clientpolicy.condition;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyLogger;
import org.keycloak.services.clientpolicy.ClientPolicyVote;
public class ClientAccessTypeCondition implements ClientPolicyConditionProvider {
private static final Logger logger = Logger.getLogger(ClientAccessTypeCondition.class);
private final KeycloakSession session;
private final ComponentModel componentModel;
public ClientAccessTypeCondition(KeycloakSession session, ComponentModel componentModel) {
this.session = session;
this.componentModel = componentModel;
}
@Override
public String getName() {
return componentModel.getName();
}
@Override
public String getProviderId() {
return componentModel.getProviderId();
}
@Override
public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
switch (context.getEvent()) {
case AUTHORIZATION_REQUEST:
case TOKEN_REQUEST:
case TOKEN_REFRESH:
case TOKEN_REVOKE:
case TOKEN_INTROSPECT:
case USERINFO_REQUEST:
case LOGOUT_REQUEST:
if (isClientAccessTypeMatched()) return ClientPolicyVote.YES;
return ClientPolicyVote.NO;
default:
return ClientPolicyVote.ABSTAIN;
}
}
private String getClientAccessType() {
ClientModel client = session.getContext().getClient();
if (client == null) return null;
if (client.isPublicClient()) return ClientAccessTypeConditionFactory.TYPE_PUBLIC;
if (client.isBearerOnly()) return ClientAccessTypeConditionFactory.TYPE_BEARERONLY;
else return ClientAccessTypeConditionFactory.TYPE_CONFIDENTIAL;
}
private boolean isClientAccessTypeMatched() {
final String accessType = getClientAccessType();
if (logger.isTraceEnabled() ) {
ClientPolicyLogger.log(logger, "client access type = " + accessType);
componentModel.getConfig().get(ClientAccessTypeConditionFactory.TYPE).stream().forEach(i -> ClientPolicyLogger.log(logger, "client access type expected = " + i));
}
boolean isMatched = componentModel.getConfig().get(ClientAccessTypeConditionFactory.TYPE).stream().anyMatch(i -> i.equals(accessType));
if (isMatched) {
ClientPolicyLogger.log(logger, "client access type matched.");
} else {
ClientPolicyLogger.log(logger, "client access type unmatched.");
}
return isMatched;
}
}

View file

@ -0,0 +1,80 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.clientpolicy.condition;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.keycloak.Config.Scope;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;
public class ClientAccessTypeConditionFactory implements ClientPolicyConditionProviderFactory {
public static final String PROVIDER_ID = "client-accesstype-condition";
public static final String TYPE = "type";
public static final String TYPE_CONFIDENTIAL = "confidential";
public static final String TYPE_PUBLIC = "public";
public static final String TYPE_BEARERONLY = "bearer-only";
private static final List<ProviderConfigProperty> configProperties = new ArrayList<ProviderConfigProperty>();
static {
ProviderConfigProperty property;
property = new ProviderConfigProperty(TYPE, "client-accesstype.label", "client-accesstype.tooltip", ProviderConfigProperty.MULTIVALUED_LIST_TYPE, TYPE_CONFIDENTIAL);
List<String> updateProfileValues = Arrays.asList(TYPE_CONFIDENTIAL, TYPE_PUBLIC, TYPE_BEARERONLY);
property.setOptions(updateProfileValues);
configProperties.add(property);
}
@Override
public ClientPolicyConditionProvider create(KeycloakSession session, ComponentModel model) {
return new ClientAccessTypeCondition(session, model);
}
@Override
public void init(Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public void close() {
}
@Override
public String getId() {
return PROVIDER_ID;
}
@Override
public String getHelpText() {
return "It uses the client's access type (confidential, public, bearer-only) to determine whether the policy is applied.";
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return configProperties;
}
}

View file

@ -1,4 +1,5 @@
org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory
org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory
org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory
org.keycloak.services.clientpolicy.condition.ClientScopesConditionFactory org.keycloak.services.clientpolicy.condition.ClientScopesConditionFactory
org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory

View file

@ -80,6 +80,7 @@ import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyException; import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyProvider; import org.keycloak.services.clientpolicy.ClientPolicyProvider;
import org.keycloak.services.clientpolicy.DefaultClientPolicyProviderFactory; import org.keycloak.services.clientpolicy.DefaultClientPolicyProviderFactory;
import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory; import org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProvider; import org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProvider;
import org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory; import org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory;
@ -978,6 +979,48 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
} }
} }
@Test
public void testClientAccessTypeCondition() throws ClientRegistrationException, ClientPolicyException {
String policyName = "MyPolicy";
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
logger.info("... Created Policy : " + policyName);
createCondition("ClientAccessTypeCondition", ClientAccessTypeConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
setConditionClientAccessType(provider, new ArrayList<>(Arrays.asList(ClientAccessTypeConditionFactory.TYPE_CONFIDENTIAL)));
});
registerCondition("ClientAccessTypeCondition", policyName);
logger.info("... Registered Condition : ClientAccessTypeCondition");
createExecutor("SecureSessionEnforceExecutor", SecureSessionEnforceExecutorFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
});
registerExecutor("SecureSessionEnforceExecutor", policyName);
logger.info("... Registered Executor : SecureSessionEnforceExecutor");
// confidential client
String clientAlphaId = "Alpha-App";
String clientAlphaSecret = "secretAlpha";
String cAlphaId = createClientByAdmin(clientAlphaId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientAlphaSecret);
clientRep.setBearerOnly(Boolean.FALSE);
clientRep.setPublicClient(Boolean.FALSE);
});
// public client
String clientBetaId = "Beta-App";
String cBetaId = createClientByAdmin(clientBetaId, (ClientRepresentation clientRep) -> {
clientRep.setBearerOnly(Boolean.FALSE);
clientRep.setPublicClient(Boolean.TRUE);
});
try {
successfulLoginAndLogout(clientBetaId, null);
failLoginWithoutNonce(clientAlphaId);
} finally {
deleteClientByAdmin(cAlphaId);
deleteClientByAdmin(cBetaId);
}
}
private AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor(String clientId) throws URISyntaxException { private AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor(String clientId) throws URISyntaxException {
AuthorizationEndpointRequestObject requestObject = new AuthorizationEndpointRequestObject(); AuthorizationEndpointRequestObject requestObject = new AuthorizationEndpointRequestObject();
requestObject.id(KeycloakModelUtils.generateId()); requestObject.id(KeycloakModelUtils.generateId());
@ -1185,6 +1228,13 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
assertEquals(errorDescription, oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION)); assertEquals(errorDescription, oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
} }
private void failLoginWithoutNonce(String clientId) {
oauth.clientId(clientId);
oauth.openLoginForm();
assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
assertEquals("Missing parameter: nonce", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
}
private String generateS256CodeChallenge(String codeVerifier) throws Exception { private String generateS256CodeChallenge(String codeVerifier) throws Exception {
MessageDigest md = MessageDigest.getInstance("SHA-256"); MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(codeVerifier.getBytes("ISO_8859_1")); md.update(codeVerifier.getBytes("ISO_8859_1"));
@ -1430,6 +1480,10 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
provider.getConfig().put(ClientScopesConditionFactory.SCOPES, clientScopes); provider.getConfig().put(ClientScopesConditionFactory.SCOPES, clientScopes);
} }
private void setConditionClientAccessType(ComponentRepresentation provider, List<String> clientAccessTypes) {
provider.getConfig().put(ClientAccessTypeConditionFactory.TYPE, clientAccessTypes);
}
private void setExecutorAugmentActivate(ComponentRepresentation provider) { private void setExecutorAugmentActivate(ComponentRepresentation provider) {
provider.getConfig().putSingle("is-augment", Boolean.TRUE.toString()); provider.getConfig().putSingle("is-augment", Boolean.TRUE.toString());
} }