Merge pull request #3666 from hmlnarik/KEYCLOAK-4072-User-ID-from-User-Storage-Provider-too-long-for-Offline-User-Session

KEYCLOAK-4072 Add explicit check for key format
This commit is contained in:
Bill Burke 2017-01-13 09:39:45 -05:00 committed by GitHub
commit aa78c9eaf5
8 changed files with 127 additions and 0 deletions

View file

@ -17,6 +17,8 @@
package org.keycloak.models.jpa.session; package org.keycloak.models.jpa.session;
import org.keycloak.storage.jpa.KeyUtils;
import javax.persistence.Column; import javax.persistence.Column;
import javax.persistence.Entity; import javax.persistence.Entity;
import javax.persistence.Id; import javax.persistence.Id;
@ -84,6 +86,7 @@ public class PersistentUserSessionEntity {
} }
public void setUserId(String userId) { public void setUserId(String userId) {
KeyUtils.assertValidKey(userId);
this.userId = userId; this.userId = userId;
} }

View file

@ -0,0 +1,56 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.storage.jpa;
import java.util.regex.Pattern;
import org.jboss.logging.Logger;
/**
*
* @author hmlnarik
*/
public class KeyUtils {
private static final Logger LOG = Logger.getLogger(KeyUtils.class);
public static final Pattern UUID_PATTERN = Pattern.compile("[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}");
public static final Pattern EXPECTED_KEY_PATTERN = Pattern.compile(
UUID_PATTERN.pattern()
+ "|"
+ "f:" + UUID_PATTERN.pattern() + ":.*"
);
/**
* Returns {@code} true when the key is {@code null} or either a plain UUID or a key formatted as "f:[UUID]:any_string"
* @param key String representation of the key
* @return
*/
public static boolean isValidKey(String key) {
return key == null || EXPECTED_KEY_PATTERN.matcher(key).matches();
}
/**
* Logs an warning when the key is not a valid key
* @param key String representation of the key
*/
public static void assertValidKey(String key) throws IllegalArgumentException {
if (! isValidKey(key)) {
LOG.warnf("The given key is not a valid key per specification, future migration might fail: %s", key);
}
}
}

View file

@ -17,6 +17,8 @@
package org.keycloak.storage.jpa.entity; package org.keycloak.storage.jpa.entity;
import org.keycloak.storage.jpa.KeyUtils;
import javax.persistence.Column; import javax.persistence.Column;
import javax.persistence.Entity; import javax.persistence.Entity;
import javax.persistence.Id; import javax.persistence.Id;
@ -71,6 +73,7 @@ public class BrokerLinkEntity {
} }
public void setUserId(String userId) { public void setUserId(String userId) {
KeyUtils.assertValidKey(userId);
this.userId = userId; this.userId = userId;
} }

View file

@ -16,6 +16,8 @@
*/ */
package org.keycloak.storage.jpa.entity; package org.keycloak.storage.jpa.entity;
import org.keycloak.storage.jpa.KeyUtils;
import javax.persistence.Access; import javax.persistence.Access;
import javax.persistence.AccessType; import javax.persistence.AccessType;
import javax.persistence.Column; import javax.persistence.Column;
@ -58,6 +60,7 @@ public class FederatedUser {
} }
public void setId(String id) { public void setId(String id) {
KeyUtils.assertValidKey(id);
this.id = id; this.id = id;
} }

View file

@ -17,6 +17,8 @@
package org.keycloak.storage.jpa.entity; package org.keycloak.storage.jpa.entity;
import org.keycloak.storage.jpa.KeyUtils;
import javax.persistence.Column; import javax.persistence.Column;
import javax.persistence.Entity; import javax.persistence.Entity;
import javax.persistence.Id; import javax.persistence.Id;
@ -74,6 +76,7 @@ public class FederatedUserGroupMembershipEntity {
} }
public void setUserId(String userId) { public void setUserId(String userId) {
KeyUtils.assertValidKey(userId);
this.userId = userId; this.userId = userId;
} }

View file

@ -17,6 +17,8 @@
package org.keycloak.storage.jpa.entity; package org.keycloak.storage.jpa.entity;
import org.keycloak.storage.jpa.KeyUtils;
import javax.persistence.Column; import javax.persistence.Column;
import javax.persistence.Entity; import javax.persistence.Entity;
import javax.persistence.Id; import javax.persistence.Id;
@ -69,6 +71,7 @@ public class FederatedUserRequiredActionEntity {
} }
public void setUserId(String userId) { public void setUserId(String userId) {
KeyUtils.assertValidKey(userId);
this.userId = userId; this.userId = userId;
} }

View file

@ -17,6 +17,8 @@
package org.keycloak.storage.jpa.entity; package org.keycloak.storage.jpa.entity;
import org.keycloak.storage.jpa.KeyUtils;
import javax.persistence.Column; import javax.persistence.Column;
import javax.persistence.Entity; import javax.persistence.Entity;
import javax.persistence.Id; import javax.persistence.Id;
@ -64,6 +66,7 @@ public class FederatedUserRoleMappingEntity {
} }
public void setUserId(String userId) { public void setUserId(String userId) {
KeyUtils.assertValidKey(userId);
this.userId = userId; this.userId = userId;
} }

View file

@ -0,0 +1,53 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.storage.jpa;
import java.util.UUID;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author hmlnarik
*/
public class KeyUtilsTest {
@Test
public void testValidKeys() {
assertTrue(KeyUtils.isValidKey(UUID.randomUUID().toString()));
assertTrue(KeyUtils.isValidKey("01234567-1234-1234-aAAa-123456789012"));
assertTrue(KeyUtils.isValidKey("01234567-1234-1234-aAAf-123456789012"));
assertTrue(KeyUtils.isValidKey("f:" + UUID.randomUUID() + ":dsadsada"));
assertTrue(KeyUtils.isValidKey("f:01234567-1234-1234-aAAa-123456789012:dsadsada"));
assertTrue(KeyUtils.isValidKey("f:a1234567-1234-1234-aAAa-123456789012:dsadsada"));
}
@Test
public void testInvalidKeys() {
assertFalse(KeyUtils.isValidKey("any string"));
assertFalse(KeyUtils.isValidKey("0"));
assertFalse(KeyUtils.isValidKey("01234567-1234-1234-aAAg-123456789012a"));
assertFalse(KeyUtils.isValidKey("z1234567-1234-1234-aAAa-123456789012"));
assertFalse(KeyUtils.isValidKey("f:g1234567-1234-1234-aAAa-123456789012:dsadsada"));
assertFalse(KeyUtils.isValidKey("g:a1234567-1234-1234-aAAa-123456789012:dsadsada"));
assertFalse(KeyUtils.isValidKey("f:a1234567-1234-1234-aAAa-123456789012"));
}
}