From c19d6f36ed2c11131516d936445a802a2363c1d9 Mon Sep 17 00:00:00 2001 From: Mark True Date: Wed, 10 May 2017 11:18:42 -0400 Subject: [PATCH 01/30] KEYCLOAK-4350 fixes test for embedded LDAP for ApacheDS --- .../federation/ldap/LDAPTestConfiguration.java | 12 +++++++----- .../storage/ldap/LDAPLegacyImportTest.java | 3 +-- .../java/org/keycloak/testsuite/rule/LDAPRule.java | 2 +- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPTestConfiguration.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPTestConfiguration.java index f4cbc2283b..ba47fca448 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPTestConfiguration.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPTestConfiguration.java @@ -38,10 +38,11 @@ public class LDAPTestConfiguration { private String connectionPropertiesLocation; private int sleepTime; - private boolean startEmbeddedLdapLerver = true; + private boolean startEmbeddedLdapServer = true; private Map config; protected static final Map PROP_MAPPINGS = new HashMap(); + protected static final Map DEFAULT_VALUES = new HashMap(); static { @@ -124,9 +125,10 @@ public class LDAPTestConfiguration { config.put(propertyName, value); } - startEmbeddedLdapLerver = Boolean.parseBoolean(p.getProperty("idm.test.ldap.start.embedded.ldap.server", "true")); + startEmbeddedLdapServer = Boolean.parseBoolean(p.getProperty("idm.test.ldap.start.embedded.ldap.server", "true")); sleepTime = Integer.parseInt(p.getProperty("idm.test.ldap.sleepTime", "1000")); - log.info("Start embedded server: " + startEmbeddedLdapLerver); + config.put("startEmbeddedLdapServer", Boolean.toString(startEmbeddedLdapServer)); + log.info("Start embedded server: " + startEmbeddedLdapServer); log.info("Read config: " + config); } @@ -138,8 +140,8 @@ public class LDAPTestConfiguration { this.connectionPropertiesLocation = connectionPropertiesLocation; } - public boolean isStartEmbeddedLdapLerver() { - return startEmbeddedLdapLerver; + public boolean isStartEmbeddedLdapServer() { + return startEmbeddedLdapServer; } public int getSleepTime() { diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPLegacyImportTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPLegacyImportTest.java index 39b93fb590..086bf257ed 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPLegacyImportTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPLegacyImportTest.java @@ -61,8 +61,7 @@ public class LDAPLegacyImportTest { // This test is executed just for the embedded LDAP server private static LDAPRule ldapRule = new LDAPRule((Map ldapConfig) -> { - String connectionURL = ldapConfig.get(LDAPConstants.CONNECTION_URL); - return !"ldap://localhost:10389".equals(connectionURL); + return Boolean.parseBoolean(ldapConfig.get("startEmbeddedLdapServer")); }); private static ComponentModel ldapModel = null; diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java index 6dbc938ec2..7b217b66f9 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java @@ -88,7 +88,7 @@ public class LDAPRule implements TestRule { return true; } - if (ldapTestConfiguration.isStartEmbeddedLdapLerver()) { + if (ldapTestConfiguration.isStartEmbeddedLdapServer()) { ldapEmbeddedServer = createServer(); ldapEmbeddedServer.init(); ldapEmbeddedServer.start(); From 83b29c50803ddd63f9633579dba768354b3b1f19 Mon Sep 17 00:00:00 2001 From: mposolda Date: Mon, 6 Mar 2017 11:39:47 +0100 Subject: [PATCH 02/30] KEYCLOAK-4626 AuthenticationSessions: start --- .../infinispan/ClientSessionAdapter.java | 4 +- .../InfinispanKeycloakTransaction.java | 166 ++ .../InfinispanUserSessionProvider.java | 178 +- .../infinispan/UserSessionAdapter.java | 7 + .../entities/ClientSessionEntity.java | 1 + .../InfinispanLoginSessionProvider.java | 69 + .../infinispan/LoginSessionAdapter.java | 270 +++ .../infinispan/LoginSessionEntity.java | 142 ++ .../JpaUserSessionPersisterProvider.java | 6 +- .../AuthenticationFlowContext.java | 3 +- .../keycloak/authentication/FormContext.java | 5 +- .../authentication/RequiredActionContext.java | 4 +- .../provider/BrokeredIdentityContext.java | 11 +- .../forms/login/LoginFormsProvider.java | 6 +- .../DisabledUserSessionPersisterProvider.java | 3 +- .../PersistentClientSessionAdapter.java | 120 +- .../session/PersistentUserSessionAdapter.java | 7 + .../session/UserSessionPersisterProvider.java | 4 +- .../models/utils/ModelToRepresentation.java | 3 +- .../org/keycloak/protocol/LoginProtocol.java | 14 +- .../services/managers/ClientSessionCode.java | 96 +- .../services/managers/CodeGenerateUtil.java | 99 + .../sessions/LoginSessionProviderFactory.java | 26 + .../keycloak/sessions/LoginSessionSpi.java | 49 + .../services/org.keycloak.provider.Spi | 1 + .../models/ClientLoginSessionModel.java | 30 + .../keycloak/models/ClientSessionModel.java | 60 +- .../org/keycloak/models/KeycloakSession.java | 4 + .../org/keycloak/models/UserSessionModel.java | 5 +- .../keycloak/models/UserSessionProvider.java | 8 +- .../sessions/CommonClientSessionModel.java | 86 + .../keycloak/sessions/LoginSessionModel.java | 76 + .../sessions/LoginSessionProvider.java | 43 + .../AuthenticationProcessor.java | 148 +- .../DefaultAuthenticationFlow.java | 50 +- .../FormAuthenticationFlow.java | 19 +- .../RequiredActionContextResult.java | 24 +- .../broker/AbstractIdpAuthenticator.java | 16 +- .../broker/IdpConfirmLinkAuthenticator.java | 10 +- .../IdpCreateUserIfUniqueAuthenticator.java | 8 +- .../IdpEmailVerificationAuthenticator.java | 11 +- .../broker/IdpReviewProfileAuthenticator.java | 7 +- .../broker/IdpUsernamePasswordForm.java | 6 +- .../SerializedBrokeredIdentityContext.java | 19 +- .../AbstractUsernameFormAuthenticator.java | 6 +- .../browser/CookieAuthenticator.java | 5 +- .../IdentityProviderAuthenticator.java | 2 +- .../browser/ScriptBasedAuthenticator.java | 2 +- .../browser/SpnegoAuthenticator.java | 2 +- .../browser/UsernamePasswordForm.java | 4 +- .../directgrant/ValidateUsername.java | 2 +- .../resetcred/ResetCredentialChooseUser.java | 6 +- .../resetcred/ResetCredentialEmail.java | 8 +- .../authenticators/resetcred/ResetOTP.java | 2 +- .../resetcred/ResetPassword.java | 6 +- .../forms/RegistrationUserCreation.java | 10 +- .../requiredactions/UpdatePassword.java | 4 +- .../requiredactions/VerifyEmail.java | 3 + .../admin/PolicyEvaluationService.java | 21 +- .../HardcodedUserSessionAttributeMapper.java | 4 +- .../FreeMarkerLoginFormsProvider.java | 24 +- .../freemarker/model/OAuthGrantBean.java | 3 +- .../protocol/AuthorizationEndpointBase.java | 30 +- .../keycloak/protocol/RestartLoginCookie.java | 13 +- .../protocol/oidc/OIDCLoginProtocol.java | 40 +- .../keycloak/protocol/oidc/TokenManager.java | 123 +- .../oidc/endpoints/AuthorizationEndpoint.java | 60 +- .../oidc/endpoints/TokenEndpoint.java | 81 +- .../oidc/endpoints/UserInfoEndpoint.java | 1 + .../mappers/AbstractOIDCProtocolMapper.java | 8 +- .../mappers/AbstractPairwiseSubMapper.java | 8 +- .../protocol/oidc/mappers/FullNameMapper.java | 3 - .../oidc/mappers/GroupMembershipMapper.java | 3 - .../protocol/oidc/mappers/HardcodedClaim.java | 3 - .../protocol/oidc/mappers/HardcodedRole.java | 4 +- .../oidc/mappers/OIDCAccessTokenMapper.java | 4 +- .../oidc/mappers/OIDCIDTokenMapper.java | 4 +- .../protocol/oidc/mappers/RoleNameMapper.java | 5 +- .../oidc/mappers/UserAttributeMapper.java | 3 - .../oidc/mappers/UserInfoTokenMapper.java | 4 +- .../oidc/mappers/UserPropertyMapper.java | 3 - .../oidc/mappers/UserSessionNoteMapper.java | 3 - .../keycloak/protocol/saml/SamlProtocol.java | 68 +- .../keycloak/protocol/saml/SamlService.java | 51 +- .../saml/mappers/GroupMembershipMapper.java | 4 +- .../mappers/HardcodedAttributeMapper.java | 4 +- .../protocol/saml/mappers/RoleListMapper.java | 6 +- .../mappers/SAMLAttributeStatementMapper.java | 4 +- .../saml/mappers/SAMLLoginResponseMapper.java | 4 +- .../saml/mappers/SAMLRoleListMapper.java | 4 +- .../mappers/UserAttributeStatementMapper.java | 4 +- .../UserPropertyAttributeStatementMapper.java | 4 +- .../UserSessionNoteStatementMapper.java | 4 +- .../profile/ecp/SamlEcpProfileService.java | 13 +- .../authenticator/HttpBasicAuthenticator.java | 2 +- .../services/DefaultKeycloakSession.java | 11 +- .../org/keycloak/services/managers/Auth.java | 7 +- .../managers/AuthenticationManager.java | 136 +- .../managers/ResourceAdminManager.java | 33 +- .../services/managers/UserSessionManager.java | 73 +- .../services/resources/AccountService.java | 12 +- .../resources/IdentityBrokerService.java | 1937 ++++++++--------- .../resources/LoginActionsService.java | 165 +- .../services/resources/RealmsResource.java | 4 + .../resources/admin/UsersResource.java | 26 +- .../twitter/TwitterIdentityProvider.java | 30 +- .../forms/PassThroughRegistration.java | 10 +- .../model/UserSessionInitializerTest.java | 247 +-- .../UserSessionPersisterProviderTest.java | 787 +++---- .../model/UserSessionProviderOfflineTest.java | 811 +++---- .../model/UserSessionProviderTest.java | 1144 +++++----- .../keycloak/testsuite/rule/KeycloakRule.java | 18 - .../util/cli/PersistSessionsCommand.java | 5 +- .../src/test/resources/log4j.properties | 5 +- 114 files changed, 4441 insertions(+), 3633 deletions(-) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java create mode 100644 model/infinispan/src/main/java/org/keycloak/sessions/infinispan/InfinispanLoginSessionProvider.java create mode 100644 model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionAdapter.java create mode 100644 model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionEntity.java create mode 100644 server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java create mode 100644 server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionProviderFactory.java create mode 100644 server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionSpi.java create mode 100644 server-spi/src/main/java/org/keycloak/models/ClientLoginSessionModel.java create mode 100644 server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java create mode 100644 server-spi/src/main/java/org/keycloak/sessions/LoginSessionModel.java create mode 100644 server-spi/src/main/java/org/keycloak/sessions/LoginSessionProvider.java diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java index c67a576250..8abf19b2bb 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java @@ -157,12 +157,12 @@ public class ClientSessionAdapter implements ClientSessionModel { } @Override - public String getAuthMethod() { + public String getProtocol() { return entity.getAuthMethod(); } @Override - public void setAuthMethod(String authMethod) { + public void setProtocol(String authMethod) { entity.setAuthMethod(authMethod); update(); } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java new file mode 100644 index 0000000000..c6b30f41cf --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java @@ -0,0 +1,166 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.sessions.infinispan; + +import org.keycloak.models.KeycloakTransaction; + +import java.util.HashMap; +import java.util.Map; +import org.infinispan.Cache; +import org.jboss.logging.Logger; + +/** + * @author Stian Thorgersen + */ +public class InfinispanKeycloakTransaction implements KeycloakTransaction { + + private final static Logger log = Logger.getLogger(InfinispanKeycloakTransaction.class); + + public enum CacheOperation { + ADD, REMOVE, REPLACE + } + + private boolean active; + private boolean rollback; + private final Map tasks = new HashMap<>(); + + @Override + public void begin() { + active = true; + } + + @Override + public void commit() { + if (rollback) { + throw new RuntimeException("Rollback only!"); + } + + tasks.values().forEach(CacheTask::execute); + } + + @Override + public void rollback() { + tasks.clear(); + } + + @Override + public void setRollbackOnly() { + rollback = true; + } + + @Override + public boolean getRollbackOnly() { + return rollback; + } + + @Override + public boolean isActive() { + return active; + } + + public void put(Cache cache, K key, V value) { + log.tracev("Adding cache operation: {0} on {1}", CacheOperation.ADD, key); + + Object taskKey = getTaskKey(cache, key); + if (tasks.containsKey(taskKey)) { + throw new IllegalStateException("Can't add session: task in progress for session"); + } else { + tasks.put(taskKey, new CacheTask(cache, CacheOperation.ADD, key, value)); + } + } + + public void replace(Cache cache, K key, V value) { + log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REPLACE, key); + + Object taskKey = getTaskKey(cache, key); + CacheTask current = tasks.get(taskKey); + if (current != null) { + switch (current.operation) { + case ADD: + case REPLACE: + current.value = value; + return; + case REMOVE: + return; + } + } else { + tasks.put(taskKey, new CacheTask(cache, CacheOperation.REPLACE, key, value)); + } + } + + public void remove(Cache cache, K key) { + log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REMOVE, key); + + Object taskKey = getTaskKey(cache, key); + tasks.put(taskKey, new CacheTask(cache, CacheOperation.REMOVE, key, null)); + } + + // This is for possibility to lookup for session by id, which was created in this transaction + public V get(Cache cache, K key) { + Object taskKey = getTaskKey(cache, key); + CacheTask current = tasks.get(taskKey); + if (current != null) { + switch (current.operation) { + case ADD: + case REPLACE: + return current.value; + } + } + + return null; + } + + private static Object getTaskKey(Cache cache, K key) { + if (key instanceof String) { + return new StringBuilder(cache.getName()) + .append("::") + .append(key).toString(); + } else { + return key; + } + } + + public static class CacheTask { + private final Cache cache; + private final CacheOperation operation; + private final K key; + private V value; + + public CacheTask(Cache cache, CacheOperation operation, K key, V value) { + this.cache = cache; + this.operation = operation; + this.key = key; + this.value = value; + } + + public void execute() { + log.tracev("Executing cache operation: {0} on {1}", operation, key); + + switch (operation) { + case ADD: + cache.put(key, value); + break; + case REMOVE: + cache.remove(key); + break; + case REPLACE: + cache.replace(key, value); + break; + } + } + } +} \ No newline at end of file diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java index a7c8c31ec4..7fa9f81337 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java @@ -23,6 +23,7 @@ import org.infinispan.context.Flag; import org.jboss.logging.Logger; import org.keycloak.common.util.Time; import org.keycloak.models.ClientInitialAccessModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -89,6 +90,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { return offline ? offlineSessionCache : sessionCache; } + /* @Override public ClientSessionModel createClientSession(RealmModel realm, ClientModel client) { String id = KeycloakModelUtils.generateId(); @@ -104,6 +106,12 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { ClientSessionAdapter wrap = wrap(realm, entity, false); return wrap; + }*/ + + // TODO:mposolda + @Override + public ClientLoginSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession) { + return null; } @Override @@ -608,6 +616,8 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { } } + // TODO:mposolda + /* @Override public ClientSessionModel createOfflineClientSession(ClientSessionModel clientSession) { ClientSessionAdapter offlineClientSession = importClientSession(clientSession, true); @@ -616,6 +626,11 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { offlineClientSession.setTimestamp(Time.currentTime()); return offlineClientSession; + }*/ + + @Override + public ClientLoginSessionModel createOfflineClientSession(ClientLoginSessionModel clientSession) { + return null; } @Override @@ -624,27 +639,17 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { } @Override - public List getOfflineClientSessions(RealmModel realm, UserModel user) { + public List getOfflineUserSessions(RealmModel realm, UserModel user) { Iterator> itr = offlineSessionCache.entrySet().stream().filter(UserSessionPredicate.create(realm.getId()).user(user.getId())).iterator(); - List clientSessions = new LinkedList<>(); + List userSessions = new LinkedList<>(); while(itr.hasNext()) { UserSessionEntity entity = (UserSessionEntity) itr.next().getValue(); - Set currClientSessions = entity.getClientSessions(); - - if (currClientSessions == null) { - continue; - } - - for (String clientSessionId : currClientSessions) { - ClientSessionEntity cls = (ClientSessionEntity) offlineSessionCache.get(clientSessionId); - if (cls != null) { - clientSessions.add(wrap(realm, cls, true)); - } - } + UserSessionModel userSession = wrap(realm, entity, true); + userSessions.add(userSession); } - return clientSessions; + return userSessions; } @Override @@ -695,7 +700,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { entity.setAction(clientSession.getAction()); entity.setAuthenticatorStatus(clientSession.getExecutionStatus()); - entity.setAuthMethod(clientSession.getAuthMethod()); + entity.setAuthMethod(clientSession.getProtocol()); if (clientSession.getAuthenticatedUser() != null) { entity.setAuthUserId(clientSession.getAuthenticatedUser().getId()); } @@ -757,145 +762,4 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { return list; } - - class InfinispanKeycloakTransaction implements KeycloakTransaction { - - private boolean active; - private boolean rollback; - private Map tasks = new HashMap<>(); - - @Override - public void begin() { - active = true; - } - - @Override - public void commit() { - if (rollback) { - throw new RuntimeException("Rollback only!"); - } - - for (CacheTask task : tasks.values()) { - task.execute(); - } - } - - @Override - public void rollback() { - tasks.clear(); - } - - @Override - public void setRollbackOnly() { - rollback = true; - } - - @Override - public boolean getRollbackOnly() { - return rollback; - } - - @Override - public boolean isActive() { - return active; - } - - public void put(Cache cache, Object key, Object value) { - log.tracev("Adding cache operation: {0} on {1}", CacheOperation.ADD, key); - - Object taskKey = getTaskKey(cache, key); - if (tasks.containsKey(taskKey)) { - throw new IllegalStateException("Can't add session: task in progress for session"); - } else { - tasks.put(taskKey, new CacheTask(cache, CacheOperation.ADD, key, value)); - } - } - - public void replace(Cache cache, Object key, Object value) { - log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REPLACE, key); - - Object taskKey = getTaskKey(cache, key); - CacheTask current = tasks.get(taskKey); - if (current != null) { - switch (current.operation) { - case ADD: - case REPLACE: - current.value = value; - return; - case REMOVE: - return; - } - } else { - tasks.put(taskKey, new CacheTask(cache, CacheOperation.REPLACE, key, value)); - } - } - - public void remove(Cache cache, Object key) { - log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REMOVE, key); - - Object taskKey = getTaskKey(cache, key); - tasks.put(taskKey, new CacheTask(cache, CacheOperation.REMOVE, key, null)); - } - - // This is for possibility to lookup for session by id, which was created in this transaction - public Object get(Cache cache, Object key) { - Object taskKey = getTaskKey(cache, key); - CacheTask current = tasks.get(taskKey); - if (current != null) { - switch (current.operation) { - case ADD: - case REPLACE: - return current.value; } - } - - return null; - } - - private Object getTaskKey(Cache cache, Object key) { - if (key instanceof String) { - return new StringBuilder(cache.getName()) - .append("::") - .append(key.toString()).toString(); - } else { - // loginFailure cache - return key; - } - } - - public class CacheTask { - private Cache cache; - private CacheOperation operation; - private Object key; - private Object value; - - public CacheTask(Cache cache, CacheOperation operation, Object key, Object value) { - this.cache = cache; - this.operation = operation; - this.key = key; - this.value = value; - } - - public void execute() { - log.tracev("Executing cache operation: {0} on {1}", operation, key); - - switch (operation) { - case ADD: - cache.put(key, value); - break; - case REMOVE: - cache.remove(key); - break; - case REPLACE: - cache.replace(key, value); - break; - } - } - } - - } - - public enum CacheOperation { - ADD, REMOVE, REPLACE - } - } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java index bf1e6fd391..6c81313c74 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java @@ -18,6 +18,7 @@ package org.keycloak.models.sessions.infinispan; import org.infinispan.Cache; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; @@ -60,6 +61,12 @@ public class UserSessionAdapter implements UserSessionModel { this.offline = offline; } + // TODO;mposolda + @Override + public Map getClientLoginSessions() { + return null; + } + public String getId() { return entity.getId(); } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java index 0cbdc79d9b..6bce9e9287 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java @@ -18,6 +18,7 @@ package org.keycloak.models.sessions.infinispan.entities; import org.keycloak.models.ClientSessionModel; +import org.keycloak.sessions.LoginSessionModel; import java.util.HashMap; import java.util.HashSet; diff --git a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/InfinispanLoginSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/InfinispanLoginSessionProvider.java new file mode 100644 index 0000000000..8389424c3c --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/InfinispanLoginSessionProvider.java @@ -0,0 +1,69 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions.infinispan; + +import org.keycloak.models.ClientModel; +import org.keycloak.models.RealmModel; +import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.LoginSessionProvider; + +/** + * @author Marek Posolda + */ +public class InfinispanLoginSessionProvider implements LoginSessionProvider { + + @Override + public LoginSessionModel createLoginSession(RealmModel realm, ClientModel client, boolean browser) { + return null; + } + + @Override + public LoginSessionModel getCurrentLoginSession(RealmModel realm) { + return null; + } + + @Override + public LoginSessionModel getLoginSession(RealmModel realm, String loginSessionId) { + return null; + } + + @Override + public void removeLoginSession(RealmModel realm, LoginSessionModel loginSession) { + + } + + @Override + public void removeExpired(RealmModel realm) { + + } + + @Override + public void onRealmRemoved(RealmModel realm) { + + } + + @Override + public void onClientRemoved(RealmModel realm, ClientModel client) { + + } + + @Override + public void close() { + + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionAdapter.java new file mode 100644 index 0000000000..e8dda52e63 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionAdapter.java @@ -0,0 +1,270 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions.infinispan; + +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +import org.infinispan.Cache; +import org.keycloak.models.ClientModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserModel; +import org.keycloak.models.sessions.infinispan.entities.SessionEntity; +import org.keycloak.sessions.LoginSessionModel; + +/** + * NOTE: Calling setter doesn't automatically enlist for update + * + * @author Marek Posolda + */ +public class LoginSessionAdapter implements LoginSessionModel { + + private KeycloakSession session; + private InfinispanLoginSessionProvider provider; + private Cache cache; + private RealmModel realm; + private LoginSessionEntity entity; + + public LoginSessionAdapter(KeycloakSession session, InfinispanLoginSessionProvider provider, Cache cache, RealmModel realm, + LoginSessionEntity entity) { + this.session = session; + this.provider = provider; + this.cache = cache; + this.realm = realm; + this.entity = entity; + } + + @Override + public String getId() { + return entity.getId(); + } + + @Override + public RealmModel getRealm() { + return realm; + } + + @Override + public ClientModel getClient() { + return realm.getClientById(entity.getClientUuid()); + } + +// @Override +// public UserSessionAdapter getUserSession() { +// return entity.getUserSession() != null ? provider.getUserSession(realm, entity.getUserSession(), offline) : null; +// } +// +// @Override +// public void setUserSession(UserSessionModel userSession) { +// if (userSession == null) { +// if (entity.getUserSession() != null) { +// provider.dettachSession(getUserSession(), this); +// } +// entity.setUserSession(null); +// } else { +// UserSessionAdapter userSessionAdapter = (UserSessionAdapter) userSession; +// if (entity.getUserSession() != null) { +// if (entity.getUserSession().equals(userSession.getId())) { +// return; +// } else { +// provider.dettachSession(userSessionAdapter, this); +// } +// } else { +// provider.attachSession(userSessionAdapter, this); +// } +// +// entity.setUserSession(userSession.getId()); +// } +// } + + @Override + public String getRedirectUri() { + return entity.getRedirectUri(); + } + + @Override + public void setRedirectUri(String uri) { + entity.setRedirectUri(uri); + } + + @Override + public int getTimestamp() { + return entity.getTimestamp(); + } + + @Override + public void setTimestamp(int timestamp) { + entity.setTimestamp(timestamp); + } + + @Override + public String getAction() { + return entity.getAction(); + } + + @Override + public void setAction(String action) { + entity.setAction(action); + } + + @Override + public Set getRoles() { + if (entity.getRoles() == null || entity.getRoles().isEmpty()) return Collections.emptySet(); + return new HashSet<>(entity.getRoles()); + } + + @Override + public void setRoles(Set roles) { + entity.setRoles(roles); + } + + @Override + public Set getProtocolMappers() { + if (entity.getProtocolMappers() == null || entity.getProtocolMappers().isEmpty()) return Collections.emptySet(); + return new HashSet<>(entity.getProtocolMappers()); + } + + @Override + public void setProtocolMappers(Set protocolMappers) { + entity.setProtocolMappers(protocolMappers); + } + + @Override + public String getProtocol() { + return entity.getProtocol(); + } + + @Override + public void setProtocol(String protocol) { + entity.setProtocol(protocol); + } + + @Override + public String getNote(String name) { + return entity.getNotes() != null ? entity.getNotes().get(name) : null; + } + + @Override + public void setNote(String name, String value) { + if (entity.getNotes() == null) { + entity.setNotes(new HashMap()); + } + entity.getNotes().put(name, value); + } + + @Override + public void removeNote(String name) { + if (entity.getNotes() != null) { + entity.getNotes().remove(name); + } + } + + @Override + public Map getNotes() { + if (entity.getNotes() == null || entity.getNotes().isEmpty()) return Collections.emptyMap(); + Map copy = new HashMap<>(); + copy.putAll(entity.getNotes()); + return copy; + } + + @Override + public void setUserSessionNote(String name, String value) { + if (entity.getUserSessionNotes() == null) { + entity.setUserSessionNotes(new HashMap()); + } + entity.getUserSessionNotes().put(name, value); + + } + + @Override + public Map getUserSessionNotes() { + if (entity.getUserSessionNotes() == null) { + return Collections.EMPTY_MAP; + } + HashMap copy = new HashMap<>(); + copy.putAll(entity.getUserSessionNotes()); + return copy; + } + + @Override + public void clearUserSessionNotes() { + entity.setUserSessionNotes(new HashMap()); + + } + + @Override + public Set getRequiredActions() { + Set copy = new HashSet<>(); + copy.addAll(entity.getRequiredActions()); + return copy; + } + + @Override + public void addRequiredAction(String action) { + entity.getRequiredActions().add(action); + + } + + @Override + public void removeRequiredAction(String action) { + entity.getRequiredActions().remove(action); + + } + + @Override + public void addRequiredAction(UserModel.RequiredAction action) { + addRequiredAction(action.name()); + + } + + @Override + public void removeRequiredAction(UserModel.RequiredAction action) { + removeRequiredAction(action.name()); + } + + @Override + public Map getExecutionStatus() { + return entity.getExecutionStatus(); + } + + @Override + public void setExecutionStatus(String authenticator, LoginSessionModel.ExecutionStatus status) { + entity.getExecutionStatus().put(authenticator, status); + + } + + @Override + public void clearExecutionStatus() { + entity.getExecutionStatus().clear(); + } + + @Override + public UserModel getAuthenticatedUser() { + return entity.getAuthUserId() == null ? null : session.users().getUserById(entity.getAuthUserId(), realm); } + + @Override + public void setAuthenticatedUser(UserModel user) { + if (user == null) entity.setAuthUserId(null); + else entity.setAuthUserId(user.getId()); + + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionEntity.java new file mode 100644 index 0000000000..97ccad4bfc --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionEntity.java @@ -0,0 +1,142 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions.infinispan; + +import java.util.Map; +import java.util.Set; + +import org.keycloak.models.sessions.infinispan.entities.SessionEntity; +import org.keycloak.sessions.LoginSessionModel; + +/** + * @author Marek Posolda + */ +public class LoginSessionEntity extends SessionEntity { + + private String clientUuid; + private String authUserId; + + private String redirectUri; + private int timestamp; + private String action; + private Set roles; + private Set protocolMappers; + + private Map executionStatus; + private String protocol; + + private Map notes; + private Set requiredActions; + private Map userSessionNotes; + + public String getClientUuid() { + return clientUuid; + } + + public void setClientUuid(String clientUuid) { + this.clientUuid = clientUuid; + } + + public String getAuthUserId() { + return authUserId; + } + + public void setAuthUserId(String authUserId) { + this.authUserId = authUserId; + } + + public String getRedirectUri() { + return redirectUri; + } + + public void setRedirectUri(String redirectUri) { + this.redirectUri = redirectUri; + } + + public int getTimestamp() { + return timestamp; + } + + public void setTimestamp(int timestamp) { + this.timestamp = timestamp; + } + + public String getAction() { + return action; + } + + public void setAction(String action) { + this.action = action; + } + + public Set getRoles() { + return roles; + } + + public void setRoles(Set roles) { + this.roles = roles; + } + + public Set getProtocolMappers() { + return protocolMappers; + } + + public void setProtocolMappers(Set protocolMappers) { + this.protocolMappers = protocolMappers; + } + + public Map getExecutionStatus() { + return executionStatus; + } + + public void setExecutionStatus(Map executionStatus) { + this.executionStatus = executionStatus; + } + + public String getProtocol() { + return protocol; + } + + public void setProtocol(String protocol) { + this.protocol = protocol; + } + + public Map getNotes() { + return notes; + } + + public void setNotes(Map notes) { + this.notes = notes; + } + + public Set getRequiredActions() { + return requiredActions; + } + + public void setRequiredActions(Set requiredActions) { + this.requiredActions = requiredActions; + } + + public Map getUserSessionNotes() { + return userSessionNotes; + } + + public void setUserSessionNotes(Map userSessionNotes) { + this.userSessionNotes = userSessionNotes; + } +} diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java index b3aea63f55..e842948493 100644 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java @@ -17,6 +17,7 @@ package org.keycloak.models.jpa.session; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -68,7 +69,7 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv } @Override - public void createClientSession(ClientSessionModel clientSession, boolean offline) { + public void createClientSession(UserSessionModel userSession, ClientLoginSessionModel clientSession, boolean offline) { PersistentClientSessionAdapter adapter = new PersistentClientSessionAdapter(clientSession); PersistentClientSessionModel model = adapter.getUpdatedModel(); @@ -217,6 +218,8 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv userSessionIds.add(entity.getUserSessionId()); } + // TODO:mposolda + /* if (!userSessionIds.isEmpty()) { TypedQuery query2 = em.createNamedQuery("findClientSessionsByUserSessions", PersistentClientSessionEntity.class); query2.setParameter("userSessionIds", userSessionIds); @@ -242,6 +245,7 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv } } } + */ return result; } diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java index 98632fbe3c..80c7575c0b 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java @@ -22,6 +22,7 @@ import org.keycloak.models.ClientSessionModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.FormMessage; +import org.keycloak.sessions.LoginSessionModel; import java.net.URI; @@ -62,7 +63,7 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon * * @return */ - ClientSessionModel getClientSession(); + LoginSessionModel getLoginSession(); /** * Create a Freemarker form builder that presets the user, action URI, and a generated access code diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java index 7c7d143f13..b131c2021b 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java @@ -26,6 +26,7 @@ import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.UriInfo; @@ -79,11 +80,11 @@ public interface FormContext { RealmModel getRealm(); /** - * ClientSessionModel attached to this flow + * LoginSessionModel attached to this flow * * @return */ - ClientSessionModel getClientSession(); + LoginSessionModel getLoginSession(); /** * Information about the IP address from the connecting HTTP client. diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java index 3ece79e5f4..df0bc66c03 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java @@ -26,6 +26,7 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; @@ -90,8 +91,7 @@ public interface RequiredActionContext { */ UserModel getUser(); RealmModel getRealm(); - ClientSessionModel getClientSession(); - UserSessionModel getUserSession(); + LoginSessionModel getLoginSession(); ClientConnection getConnection(); UriInfo getUriInfo(); KeycloakSession getSession(); diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java index f2c8a7aad7..bcce1b880f 100755 --- a/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java +++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java @@ -19,6 +19,7 @@ package org.keycloak.broker.provider; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; import org.keycloak.models.IdentityProviderModel; +import org.keycloak.sessions.LoginSessionModel; import java.util.ArrayList; import java.util.HashMap; @@ -46,7 +47,7 @@ public class BrokeredIdentityContext { private IdentityProviderModel idpConfig; private IdentityProvider idp; private Map contextData = new HashMap<>(); - private ClientSessionModel clientSession; + private LoginSessionModel loginSession; public BrokeredIdentityContext(String id) { if (id == null) { @@ -190,12 +191,12 @@ public class BrokeredIdentityContext { this.lastName = lastName; } - public ClientSessionModel getClientSession() { - return clientSession; + public LoginSessionModel getLoginSession() { + return loginSession; } - public void setClientSession(ClientSessionModel clientSession) { - this.clientSession = clientSession; + public void setLoginSession(LoginSessionModel loginSession) { + this.loginSession = loginSession; } public void setName(String name) { diff --git a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java index f16f0c2165..a379e9df13 100755 --- a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java @@ -17,12 +17,12 @@ package org.keycloak.forms.login; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.RoleModel; import org.keycloak.models.UserModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.provider.Provider; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; @@ -70,13 +70,13 @@ public interface LoginFormsProvider extends Provider { public Response createErrorPage(); - public Response createOAuthGrant(ClientSessionModel clientSessionModel); + public Response createOAuthGrant(); public Response createCode(); public LoginFormsProvider setClientSessionCode(String accessCode); - public LoginFormsProvider setClientSession(ClientSessionModel clientSession); + public LoginFormsProvider setLoginSession(LoginSessionModel loginSession); public LoginFormsProvider setAccessRequest(List realmRolesRequested, MultivaluedMap resourceRolesRequested, List protocolMappers); public LoginFormsProvider setAccessRequest(String message); diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java b/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java index f5e58d33bf..c860ea3090 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java @@ -18,6 +18,7 @@ package org.keycloak.models.session; import org.keycloak.Config; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -70,7 +71,7 @@ public class DisabledUserSessionPersisterProvider implements UserSessionPersiste } @Override - public void createClientSession(ClientSessionModel clientSession, boolean offline) { + public void createClientSession(UserSessionModel userSession, ClientLoginSessionModel clientSession, boolean offline) { } diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionAdapter.java index f842787a2c..7194382bb8 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionAdapter.java @@ -18,6 +18,7 @@ package org.keycloak.models.session; import com.fasterxml.jackson.annotation.JsonProperty; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ModelException; @@ -36,7 +37,7 @@ import java.util.Set; /** * @author Marek Posolda */ -public class PersistentClientSessionAdapter implements ClientSessionModel { +public class PersistentClientSessionAdapter implements ClientLoginSessionModel { private final PersistentClientSessionModel model; private final RealmModel realm; @@ -45,22 +46,20 @@ public class PersistentClientSessionAdapter implements ClientSessionModel { private PersistentClientSessionData data; - public PersistentClientSessionAdapter(ClientSessionModel clientSession) { + public PersistentClientSessionAdapter(ClientLoginSessionModel clientSession) { data = new PersistentClientSessionData(); data.setAction(clientSession.getAction()); - data.setAuthMethod(clientSession.getAuthMethod()); - data.setExecutionStatus(clientSession.getExecutionStatus()); + data.setAuthMethod(clientSession.getProtocol()); data.setNotes(clientSession.getNotes()); data.setProtocolMappers(clientSession.getProtocolMappers()); data.setRedirectUri(clientSession.getRedirectUri()); data.setRoles(clientSession.getRoles()); - data.setUserSessionNotes(clientSession.getUserSessionNotes()); model = new PersistentClientSessionModel(); model.setClientId(clientSession.getClient().getId()); model.setClientSessionId(clientSession.getId()); - if (clientSession.getAuthenticatedUser() != null) { - model.setUserId(clientSession.getAuthenticatedUser().getId()); + if (clientSession.getUserSession() != null) { + model.setUserId(clientSession.getUserSession().getUser().getId()); } model.setUserSessionId(clientSession.getUserSession().getId()); model.setTimestamp(clientSession.getTimestamp()); @@ -178,37 +177,12 @@ public class PersistentClientSessionAdapter implements ClientSessionModel { } @Override - public Map getExecutionStatus() { - return getData().getExecutionStatus(); - } - - @Override - public void setExecutionStatus(String authenticator, ExecutionStatus status) { - getData().getExecutionStatus().put(authenticator, status); - } - - @Override - public void clearExecutionStatus() { - getData().getExecutionStatus().clear(); - } - - @Override - public UserModel getAuthenticatedUser() { - return userSession.getUser(); - } - - @Override - public void setAuthenticatedUser(UserModel user) { - throw new IllegalStateException("Not supported setAuthenticatedUser"); - } - - @Override - public String getAuthMethod() { + public String getProtocol() { return getData().getAuthMethod(); } @Override - public void setAuthMethod(String method) { + public void setProtocol(String method) { getData().setAuthMethod(method); } @@ -242,52 +216,6 @@ public class PersistentClientSessionAdapter implements ClientSessionModel { return entity.getNotes(); } - @Override - public Set getRequiredActions() { - return getData().getRequiredActions(); - } - - @Override - public void addRequiredAction(String action) { - getData().getRequiredActions().add(action); - } - - @Override - public void removeRequiredAction(String action) { - getData().getRequiredActions().remove(action); - } - - @Override - public void addRequiredAction(UserModel.RequiredAction action) { - addRequiredAction(action.name()); - } - - @Override - public void removeRequiredAction(UserModel.RequiredAction action) { - removeRequiredAction(action.name()); - } - - @Override - public void setUserSessionNote(String name, String value) { - PersistentClientSessionData entity = getData(); - if (entity.getUserSessionNotes() == null) { - entity.setUserSessionNotes(new HashMap()); - } - entity.getUserSessionNotes().put(name, value); - } - - @Override - public Map getUserSessionNotes() { - PersistentClientSessionData entity = getData(); - if (entity.getUserSessionNotes() == null || entity.getUserSessionNotes().isEmpty()) return Collections.emptyMap(); - return entity.getUserSessionNotes(); - } - - @Override - public void clearUserSessionNotes() { - PersistentClientSessionData entity = getData(); - entity.setUserSessionNotes(new HashMap()); - } @Override public boolean equals(Object o) { @@ -320,18 +248,9 @@ public class PersistentClientSessionAdapter implements ClientSessionModel { @JsonProperty("notes") private Map notes; - @JsonProperty("userSessionNotes") - private Map userSessionNotes; - - @JsonProperty("executionStatus") - private Map executionStatus = new HashMap<>(); - @JsonProperty("action") private String action; - @JsonProperty("requiredActions") - private Set requiredActions = new HashSet<>(); - public String getAuthMethod() { return authMethod; } @@ -372,22 +291,6 @@ public class PersistentClientSessionAdapter implements ClientSessionModel { this.notes = notes; } - public Map getUserSessionNotes() { - return userSessionNotes; - } - - public void setUserSessionNotes(Map userSessionNotes) { - this.userSessionNotes = userSessionNotes; - } - - public Map getExecutionStatus() { - return executionStatus; - } - - public void setExecutionStatus(Map executionStatus) { - this.executionStatus = executionStatus; - } - public String getAction() { return action; } @@ -396,12 +299,5 @@ public class PersistentClientSessionAdapter implements ClientSessionModel { this.action = action; } - public Set getRequiredActions() { - return requiredActions; - } - - public void setRequiredActions(Set requiredActions) { - this.requiredActions = requiredActions; - } } } diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java index 6047be29ea..882dd539d0 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java @@ -18,6 +18,7 @@ package org.keycloak.models.session; import com.fasterxml.jackson.annotation.JsonProperty; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; @@ -159,6 +160,12 @@ public class PersistentUserSessionAdapter implements UserSessionModel { return clientSessions; } + // TODO:mposolda + @Override + public Map getClientLoginSessions() { + return null; + } + @Override public String getNote(String name) { return getData().getNotes()==null ? null : getData().getNotes().get(name); diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java b/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java index c0d033acb0..cbaf31eb30 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java @@ -17,8 +17,8 @@ package org.keycloak.models.session; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; @@ -35,7 +35,7 @@ public interface UserSessionPersisterProvider extends Provider { void createUserSession(UserSessionModel userSession, boolean offline); // Assuming that corresponding userSession is already persisted - void createClientSession(ClientSessionModel clientSession, boolean offline); + void createClientSession(UserSessionModel userSession, ClientLoginSessionModel clientSession, boolean offline); void updateUserSession(UserSessionModel userSession, boolean offline); diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java index e90192963f..3ebe6d3396 100755 --- a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java +++ b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java @@ -45,6 +45,7 @@ import org.keycloak.events.admin.AuthDetails; import org.keycloak.models.AuthenticationExecutionModel; import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.AuthenticatorConfigModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ClientTemplateModel; @@ -485,7 +486,7 @@ public class ModelToRepresentation { rep.setUsername(session.getUser().getUsername()); rep.setUserId(session.getUser().getId()); rep.setIpAddress(session.getIpAddress()); - for (ClientSessionModel clientSession : session.getClientSessions()) { + for (ClientLoginSessionModel clientSession : session.getClientLoginSessions().values()) { ClientModel client = clientSession.getClient(); rep.getClients().put(client.getId(), client.getClientId()); } diff --git a/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java b/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java index 086a8edc48..015ead0fa3 100755 --- a/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java +++ b/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java @@ -18,12 +18,14 @@ package org.keycloak.protocol; import org.keycloak.events.EventBuilder; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; import org.keycloak.provider.Provider; import org.keycloak.services.managers.ClientSessionCode; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; @@ -66,19 +68,19 @@ public interface LoginProtocol extends Provider { LoginProtocol setEventBuilder(EventBuilder event); - Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode); + Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode); - Response sendError(ClientSessionModel clientSession, Error error); + Response sendError(LoginSessionModel loginSession, Error error); - void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession); - Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession); + void backchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession); + Response frontchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession); Response finishLogout(UserSessionModel userSession); /** * @param userSession - * @param clientSession + * @param loginSession * @return true if SSO cookie authentication can't be used. User will need to "actively" reauthenticate */ - boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession); + boolean requireReauthentication(UserSessionModel userSession, LoginSessionModel loginSession); } diff --git a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java b/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java index 3d536ddf05..4096924bed 100755 --- a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java +++ b/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java @@ -21,7 +21,6 @@ import org.jboss.logging.Logger; import org.keycloak.common.util.Base64Url; import org.keycloak.common.util.Time; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ClientTemplateModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; @@ -29,6 +28,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.OAuth2Constants; +import org.keycloak.sessions.CommonClientSessionModel; import java.security.MessageDigest; import java.util.HashSet; @@ -38,7 +38,7 @@ import java.util.Set; * @author Bill Burke * @version $Revision: 1 $ */ -public class ClientSessionCode { +public class ClientSessionCode { private static final String ACTIVE_CODE = "active_code"; @@ -48,7 +48,7 @@ public class ClientSessionCode { private KeycloakSession session; private final RealmModel realm; - private final ClientSessionModel clientSession; + private final CLIENT_SESSION commonLoginSession; public enum ActionType { CLIENT, @@ -56,45 +56,45 @@ public class ClientSessionCode { USER } - public ClientSessionCode(KeycloakSession session, RealmModel realm, ClientSessionModel clientSession) { + public ClientSessionCode(KeycloakSession session, RealmModel realm, CLIENT_SESSION commonLoginSession) { this.session = session; this.realm = realm; - this.clientSession = clientSession; + this.commonLoginSession = commonLoginSession; } - public static class ParseResult { - ClientSessionCode code; - boolean clientSessionNotFound; + public static class ParseResult { + ClientSessionCode code; + boolean loginSessionNotFound; boolean illegalHash; - ClientSessionModel clientSession; + CLIENT_SESSION clientSession; - public ClientSessionCode getCode() { + public ClientSessionCode getCode() { return code; } - public boolean isClientSessionNotFound() { - return clientSessionNotFound; + public boolean isLoginSessionNotFound() { + return loginSessionNotFound; } public boolean isIllegalHash() { return illegalHash; } - public ClientSessionModel getClientSession() { + public CLIENT_SESSION getClientSession() { return clientSession; } } - public static ParseResult parseResult(String code, KeycloakSession session, RealmModel realm) { - ParseResult result = new ParseResult(); + public static ParseResult parseResult(String code, KeycloakSession session, RealmModel realm, Class sessionClass) { + ParseResult result = new ParseResult<>(); if (code == null) { result.illegalHash = true; return result; } try { - result.clientSession = getClientSession(code, session, realm); + result.clientSession = getClientSession(code, session, realm, sessionClass); if (result.clientSession == null) { - result.clientSessionNotFound = true; + result.loginSessionNotFound = true; return result; } @@ -103,7 +103,7 @@ public class ClientSessionCode { return result; } - result.code = new ClientSessionCode(session, realm, result.clientSession); + result.code = new ClientSessionCode(session, realm, result.clientSession); return result; } catch (RuntimeException e) { result.illegalHash = true; @@ -111,9 +111,9 @@ public class ClientSessionCode { } } - public static ClientSessionCode parse(String code, KeycloakSession session, RealmModel realm) { + public static ClientSessionCode parse(String code, KeycloakSession session, RealmModel realm, Class sessionClass) { try { - ClientSessionModel clientSession = getClientSession(code, session, realm); + CLIENT_SESSION clientSession = getClientSession(code, session, realm, sessionClass); if (clientSession == null) { return null; } @@ -122,24 +122,18 @@ public class ClientSessionCode { return null; } - return new ClientSessionCode(session, realm, clientSession); + return new ClientSessionCode<>(session, realm, clientSession); } catch (RuntimeException e) { return null; } } - public static ClientSessionModel getClientSession(String code, KeycloakSession session, RealmModel realm) { - try { - String[] parts = code.split("\\."); - String id = parts[1]; - return session.sessions().getClientSession(realm, id); - } catch (ArrayIndexOutOfBoundsException e) { - return null; - } + public static CLIENT_SESSION getClientSession(String code, KeycloakSession session, RealmModel realm, Class sessionClass) { + return CodeGenerateUtil.parseSession(code, session, realm, sessionClass); } - public ClientSessionModel getClientSession() { - return clientSession; + public CLIENT_SESSION getClientSession() { + return commonLoginSession; } public boolean isValid(String requestedAction, ActionType actionType) { @@ -148,7 +142,7 @@ public class ClientSessionCode { } public boolean isActionActive(ActionType actionType) { - int timestamp = clientSession.getTimestamp(); + int timestamp = commonLoginSession.getTimestamp(); int lifespan; switch (actionType) { @@ -169,7 +163,7 @@ public class ClientSessionCode { } public boolean isValidAction(String requestedAction) { - String action = clientSession.getAction(); + String action = commonLoginSession.getAction(); if (action == null) { return false; } @@ -182,7 +176,7 @@ public class ClientSessionCode { public Set getRequestedRoles() { Set requestedRoles = new HashSet<>(); - for (String roleId : clientSession.getRoles()) { + for (String roleId : commonLoginSession.getRoles()) { RoleModel role = realm.getRoleById(roleId); if (role != null) { requestedRoles.add(role); @@ -192,9 +186,11 @@ public class ClientSessionCode { } public Set getRequestedProtocolMappers() { + return getRequestedProtocolMappers(commonLoginSession.getProtocolMappers(), commonLoginSession.getClient()); + } + + public static Set getRequestedProtocolMappers(Set protocolMappers, ClientModel client) { Set requestedProtocolMappers = new HashSet<>(); - Set protocolMappers = clientSession.getProtocolMappers(); - ClientModel client = clientSession.getClient(); ClientTemplateModel template = client.getClientTemplate(); if (protocolMappers != null) { for (String protocolMapperId : protocolMappers) { @@ -211,33 +207,33 @@ public class ClientSessionCode { } public void setAction(String action) { - clientSession.setAction(action); - clientSession.setTimestamp(Time.currentTime()); + commonLoginSession.setAction(action); + commonLoginSession.setTimestamp(Time.currentTime()); } public String getCode() { - String nextCode = (String) session.getAttribute(NEXT_CODE + "." + clientSession.getId()); + String nextCode = (String) session.getAttribute(NEXT_CODE + "." + commonLoginSession.getId()); if (nextCode == null) { - nextCode = generateCode(clientSession); - session.setAttribute(NEXT_CODE + "." + clientSession.getId(), nextCode); + nextCode = generateCode(commonLoginSession); + session.setAttribute(NEXT_CODE + "." + commonLoginSession.getId(), nextCode); } else { logger.debug("Code already generated for session, using code from session attributes"); } return nextCode; } - private static String generateCode(ClientSessionModel clientSession) { + private static String generateCode(CommonClientSessionModel loginSession) { try { String actionId = Base64Url.encode(KeycloakModelUtils.generateSecret()); StringBuilder sb = new StringBuilder(); sb.append(actionId); sb.append('.'); - sb.append(clientSession.getId()); + sb.append(loginSession.getId()); // https://tools.ietf.org/html/rfc7636#section-4 - String codeChallenge = clientSession.getNote(OAuth2Constants.CODE_CHALLENGE); - String codeChallengeMethod = clientSession.getNote(OAuth2Constants.CODE_CHALLENGE_METHOD); + String codeChallenge = loginSession.getNote(OAuth2Constants.CODE_CHALLENGE); + String codeChallengeMethod = loginSession.getNote(OAuth2Constants.CODE_CHALLENGE_METHOD); if (codeChallenge != null) { logger.debugf("PKCE received codeChallenge = %s", codeChallenge); if (codeChallengeMethod == null) { @@ -248,9 +244,9 @@ public class ClientSessionCode { } } - String code = sb.toString(); + String code = CodeGenerateUtil.generateCode(loginSession, actionId); - clientSession.setNote(ACTIVE_CODE, code); + loginSession.setNote(ACTIVE_CODE, code); return code; } catch (Exception e) { @@ -258,15 +254,15 @@ public class ClientSessionCode { } } - private static boolean verifyCode(String code, ClientSessionModel clientSession) { + private static boolean verifyCode(String code, CommonClientSessionModel loginSession) { try { - String activeCode = clientSession.getNote(ACTIVE_CODE); + String activeCode = loginSession.getNote(ACTIVE_CODE); if (activeCode == null) { logger.debug("Active code not found in client session"); return false; } - clientSession.removeNote(ACTIVE_CODE); + loginSession.removeNote(ACTIVE_CODE); return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes()); } catch (Exception e) { diff --git a/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java b/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java new file mode 100644 index 0000000000..9c6a571be2 --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java @@ -0,0 +1,99 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.services.managers; + +import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.ClientModel; +import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserSessionModel; +import org.keycloak.sessions.CommonClientSessionModel; +import org.keycloak.sessions.LoginSessionModel; + +/** + * TODO: More object oriented and rather add parsing/generating logic into the session implementations itself + * + * @author Marek Posolda + */ +class CodeGenerateUtil { + + static CS parseSession(String code, KeycloakSession session, RealmModel realm, Class expectedClazz) { + CommonClientSessionModel result = null; + if (expectedClazz.equals(ClientSessionModel.class)) { + try { + String[] parts = code.split("\\."); + String id = parts[2]; + result = session.sessions().getClientSession(realm, id); + } catch (ArrayIndexOutOfBoundsException e) { + return null; + } + } else if (expectedClazz.equals(LoginSessionModel.class)) { + result = session.loginSessions().getCurrentLoginSession(realm); + } else if (expectedClazz.equals(ClientLoginSessionModel.class)) { + try { + String[] parts = code.split("\\."); + String userSessionId = parts[1]; + String clientUUID = parts[2]; + + UserSessionModel userSession = session.sessions().getUserSession(realm, userSessionId); + if (userSession == null) { + return null; + } + + result = userSession.getClientLoginSessions().get(clientUUID); + } catch (ArrayIndexOutOfBoundsException e) { + return null; + } + } else { + throw new IllegalArgumentException("Not known impl: " + expectedClazz.getName()); + } + + return expectedClazz.cast(result); + } + + static String generateCode(CommonClientSessionModel clientSession, String actionId) { + if (clientSession instanceof ClientSessionModel) { + StringBuilder sb = new StringBuilder(); + sb.append("cls."); + sb.append(actionId); + sb.append('.'); + sb.append(clientSession.getId()); + + return sb.toString(); + } else if (clientSession instanceof LoginSessionModel) { + // Should be sufficient. LoginSession itself is in the cookie + return actionId; + } else if (clientSession instanceof ClientLoginSessionModel) { + String userSessionId = ((ClientLoginSessionModel) clientSession).getUserSession().getId(); + String clientUUID = clientSession.getClient().getId(); + StringBuilder sb = new StringBuilder(); + sb.append("uss."); + sb.append(actionId); + sb.append('.'); + sb.append(userSessionId); + sb.append('.'); + sb.append(clientUUID); + return sb.toString(); + } else { + throw new IllegalArgumentException("Not known impl: " + clientSession.getClass().getName()); + } + } + + +} diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionProviderFactory.java new file mode 100644 index 0000000000..0dfbf8740f --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionProviderFactory.java @@ -0,0 +1,26 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions; + +import org.keycloak.provider.ProviderFactory; + +/** + * @author Marek Posolda + */ +public interface LoginSessionProviderFactory extends ProviderFactory { +} diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionSpi.java b/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionSpi.java new file mode 100644 index 0000000000..cffa4c5023 --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionSpi.java @@ -0,0 +1,49 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions; + +import org.keycloak.provider.Provider; +import org.keycloak.provider.ProviderFactory; +import org.keycloak.provider.Spi; + +/** + * @author Marek Posolda + */ +public class LoginSessionSpi implements Spi { + + @Override + public boolean isInternal() { + return true; + } + + @Override + public String getName() { + return "loginSessions"; + } + + @Override + public Class getProviderClass() { + return LoginSessionProvider.class; + } + + @Override + public Class getProviderFactoryClass() { + return LoginSessionProviderFactory.class; + } + +} diff --git a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi index 9397536ea6..f858ea1ef9 100755 --- a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi +++ b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi @@ -32,6 +32,7 @@ org.keycloak.timer.TimerSpi org.keycloak.scripting.ScriptingSpi org.keycloak.services.managers.BruteForceProtectorSpi org.keycloak.services.resource.RealmResourceSPI +org.keycloak.sessions.LoginSessionSpi org.keycloak.protocol.ClientInstallationSpi org.keycloak.protocol.LoginProtocolSpi org.keycloak.protocol.ProtocolMapperSpi diff --git a/server-spi/src/main/java/org/keycloak/models/ClientLoginSessionModel.java b/server-spi/src/main/java/org/keycloak/models/ClientLoginSessionModel.java new file mode 100644 index 0000000000..80d7c8dcfd --- /dev/null +++ b/server-spi/src/main/java/org/keycloak/models/ClientLoginSessionModel.java @@ -0,0 +1,30 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models; + + +import org.keycloak.sessions.CommonClientSessionModel; + +/** + * @author Marek Posolda + */ +public interface ClientLoginSessionModel extends CommonClientSessionModel { + + void setUserSession(UserSessionModel userSession); + UserSessionModel getUserSession(); +} diff --git a/server-spi/src/main/java/org/keycloak/models/ClientSessionModel.java b/server-spi/src/main/java/org/keycloak/models/ClientSessionModel.java index 84fa64e1c1..109709fa58 100755 --- a/server-spi/src/main/java/org/keycloak/models/ClientSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/ClientSessionModel.java @@ -20,14 +20,12 @@ package org.keycloak.models; import java.util.Map; import java.util.Set; +import org.keycloak.sessions.CommonClientSessionModel; + /** * @author Stian Thorgersen */ -public interface ClientSessionModel { - - public String getId(); - public RealmModel getRealm(); - public ClientModel getClient(); +public interface ClientSessionModel extends CommonClientSessionModel { public UserSessionModel getUserSession(); public void setUserSession(UserSessionModel userSession); @@ -35,41 +33,12 @@ public interface ClientSessionModel { public String getRedirectUri(); public void setRedirectUri(String uri); - public int getTimestamp(); - - public void setTimestamp(int timestamp); - - public String getAction(); - - public void setAction(String action); - - public Set getRoles(); - public void setRoles(Set roles); - - public Set getProtocolMappers(); - public void setProtocolMappers(Set protocolMappers); - public Map getExecutionStatus(); public void setExecutionStatus(String authenticator, ExecutionStatus status); public void clearExecutionStatus(); public UserModel getAuthenticatedUser(); public void setAuthenticatedUser(UserModel user); - - - /** - * Authentication request type, i.e. OAUTH, SAML 2.0, SAML 1.1, etc. - * - * @return - */ - public String getAuthMethod(); - public void setAuthMethod(String method); - - public String getNote(String name); - public void setNote(String name, String value); - public void removeNote(String name); - public Map getNotes(); - /** * Required actions that are attached to this client session. * @@ -103,28 +72,5 @@ public interface ClientSessionModel { public void clearUserSessionNotes(); - public static enum Action { - OAUTH_GRANT, - CODE_TO_TOKEN, - VERIFY_EMAIL, - UPDATE_PROFILE, - CONFIGURE_TOTP, - UPDATE_PASSWORD, - RECOVER_PASSWORD, // deprecated - AUTHENTICATE, - SOCIAL_CALLBACK, - LOGGED_OUT, - RESET_CREDENTIALS, - EXECUTE_ACTIONS, - REQUIRED_ACTIONS - } - public enum ExecutionStatus { - FAILED, - SUCCESS, - SETUP_REQUIRED, - ATTEMPTED, - SKIPPED, - CHALLENGED - } } diff --git a/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java b/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java index 766078d769..1494126624 100755 --- a/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java +++ b/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java @@ -20,6 +20,7 @@ package org.keycloak.models; import org.keycloak.component.ComponentModel; import org.keycloak.models.cache.UserCache; import org.keycloak.provider.Provider; +import org.keycloak.sessions.LoginSessionProvider; import org.keycloak.storage.federated.UserFederatedStorageProvider; import java.util.Set; @@ -102,6 +103,9 @@ public interface KeycloakSession { UserSessionProvider sessions(); + LoginSessionProvider loginSessions(); + + void close(); diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java b/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java index d58c40522c..99f69f7616 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java @@ -53,6 +53,9 @@ public interface UserSessionModel { void setLastSessionRefresh(int seconds); + Map getClientLoginSessions(); + + // TODO: Remove List getClientSessions(); public String getNote(String name); @@ -64,7 +67,7 @@ public interface UserSessionModel { void setState(State state); public static enum State { - LOGGING_IN, + LOGGING_IN, // TODO: Maybe state "LOGGING_IN" is useless now once userSession is attached after requiredActions LOGGED_IN, LOGGING_OUT, LOGGED_OUT diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java index 4102de1f32..fbd5761cfb 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java @@ -27,7 +27,7 @@ import java.util.List; */ public interface UserSessionProvider extends Provider { - ClientSessionModel createClientSession(RealmModel realm, ClientModel client); + ClientLoginSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession); ClientSessionModel getClientSession(RealmModel realm, String id); ClientSessionModel getClientSession(String id); @@ -40,6 +40,8 @@ public interface UserSessionProvider extends Provider { UserSessionModel getUserSessionByBrokerSessionId(RealmModel realm, String brokerSessionId); long getActiveUserSessions(RealmModel realm, ClientModel client); + + // This will remove attached ClientLoginSessionModels too void removeUserSession(RealmModel realm, UserSessionModel session); void removeUserSessions(RealmModel realm, UserModel user); @@ -62,9 +64,9 @@ public interface UserSessionProvider extends Provider { // Removes the attached clientSessions as well void removeOfflineUserSession(RealmModel realm, UserSessionModel userSession); - ClientSessionModel createOfflineClientSession(ClientSessionModel clientSession); + ClientLoginSessionModel createOfflineClientSession(ClientLoginSessionModel clientSession); ClientSessionModel getOfflineClientSession(RealmModel realm, String clientSessionId); - List getOfflineClientSessions(RealmModel realm, UserModel user); + List getOfflineUserSessions(RealmModel realm, UserModel user); // Don't remove userSession even if it's last userSession void removeOfflineClientSession(RealmModel realm, String clientSessionId); diff --git a/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java b/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java new file mode 100644 index 0000000000..c2e51935a3 --- /dev/null +++ b/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java @@ -0,0 +1,86 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions; + +import java.util.Map; +import java.util.Set; + +import org.keycloak.models.ClientModel; +import org.keycloak.models.RealmModel; + +/** + * Predecesor of LoginSessionModel, ClientLoginSessionModel and ClientSessionModel (then action tickets). Maybe we will remove it later... + * + * @author Marek Posolda + */ +public interface CommonClientSessionModel { + + public String getRedirectUri(); + public void setRedirectUri(String uri); + + public String getId(); + public RealmModel getRealm(); + public ClientModel getClient(); + + public int getTimestamp(); + public void setTimestamp(int timestamp); + + public String getAction(); + public void setAction(String action); + + public String getProtocol(); + public void setProtocol(String method); + + // TODO: Not needed here...? + public Set getRoles(); + public void setRoles(Set roles); + + // TODO: Not needed here...? + public Set getProtocolMappers(); + public void setProtocolMappers(Set protocolMappers); + + public String getNote(String name); + public void setNote(String name, String value); + public void removeNote(String name); + public Map getNotes(); + + public static enum Action { + OAUTH_GRANT, + CODE_TO_TOKEN, + VERIFY_EMAIL, + UPDATE_PROFILE, + CONFIGURE_TOTP, + UPDATE_PASSWORD, + RECOVER_PASSWORD, // deprecated + AUTHENTICATE, + SOCIAL_CALLBACK, + LOGGED_OUT, + RESET_CREDENTIALS, + EXECUTE_ACTIONS, + REQUIRED_ACTIONS + } + + public enum ExecutionStatus { + FAILED, + SUCCESS, + SETUP_REQUIRED, + ATTEMPTED, + SKIPPED, + CHALLENGED + } +} diff --git a/server-spi/src/main/java/org/keycloak/sessions/LoginSessionModel.java b/server-spi/src/main/java/org/keycloak/sessions/LoginSessionModel.java new file mode 100644 index 0000000000..e3fd0e726c --- /dev/null +++ b/server-spi/src/main/java/org/keycloak/sessions/LoginSessionModel.java @@ -0,0 +1,76 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions; + +import java.util.Map; +import java.util.Set; + +import org.keycloak.models.UserModel; + +/** + * Using class for now to avoid many updates among implementations + * + * @author Marek Posolda + */ +public interface LoginSessionModel extends CommonClientSessionModel { + +// +// public UserSessionModel getUserSession(); +// public void setUserSession(UserSessionModel userSession); + + + public Map getExecutionStatus(); + public void setExecutionStatus(String authenticator, ExecutionStatus status); + public void clearExecutionStatus(); + public UserModel getAuthenticatedUser(); + public void setAuthenticatedUser(UserModel user); + + /** + * Required actions that are attached to this client session. + * + * @return + */ + Set getRequiredActions(); + + void addRequiredAction(String action); + + void removeRequiredAction(String action); + + void addRequiredAction(UserModel.RequiredAction action); + + void removeRequiredAction(UserModel.RequiredAction action); + + + /** + * These are notes you want applied to the UserSessionModel when the client session is attached to it. + * + * @param name + * @param value + */ + public void setUserSessionNote(String name, String value); + + /** + * These are notes you want applied to the UserSessionModel when the client session is attached to it. + * + * @return + */ + public Map getUserSessionNotes(); + + public void clearUserSessionNotes(); + +} diff --git a/server-spi/src/main/java/org/keycloak/sessions/LoginSessionProvider.java b/server-spi/src/main/java/org/keycloak/sessions/LoginSessionProvider.java new file mode 100644 index 0000000000..2b5141a68b --- /dev/null +++ b/server-spi/src/main/java/org/keycloak/sessions/LoginSessionProvider.java @@ -0,0 +1,43 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions; + +import org.keycloak.models.ClientModel; +import org.keycloak.models.RealmModel; +import org.keycloak.provider.Provider; + +/** + * @author Marek Posolda + */ +public interface LoginSessionProvider extends Provider { + + LoginSessionModel createLoginSession(RealmModel realm, ClientModel client, boolean browser); + + LoginSessionModel getCurrentLoginSession(RealmModel realm); + + LoginSessionModel getLoginSession(RealmModel realm, String loginSessionId); + + void removeLoginSession(RealmModel realm, LoginSessionModel loginSession); + + + void removeExpired(RealmModel realm); + void onRealmRemoved(RealmModel realm); + void onClientRemoved(RealmModel realm, ClientModel client); + + +} diff --git a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java index a34e4ee914..4a5053fddf 100755 --- a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java +++ b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java @@ -31,6 +31,7 @@ import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AuthenticationExecutionModel; import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.AuthenticatorConfigModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -50,6 +51,7 @@ import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; @@ -67,7 +69,7 @@ public class AuthenticationProcessor { protected static final Logger logger = Logger.getLogger(AuthenticationProcessor.class); protected RealmModel realm; protected UserSessionModel userSession; - protected ClientSessionModel clientSession; + protected LoginSessionModel loginSession; protected ClientConnection connection; protected UriInfo uriInfo; protected KeycloakSession session; @@ -87,7 +89,6 @@ public class AuthenticationProcessor { * This could be an success message forwarded from another authenticator */ protected FormMessage forwardedSuccessMessage; - protected boolean userSessionCreated; // Used for client authentication protected ClientModel client; @@ -128,8 +129,8 @@ public class AuthenticationProcessor { return clientAuthAttributes; } - public ClientSessionModel getClientSession() { - return clientSession; + public LoginSessionModel getLoginSession() { + return loginSession; } public ClientConnection getConnection() { @@ -148,17 +149,13 @@ public class AuthenticationProcessor { return userSession; } - public boolean isUserSessionCreated() { - return userSessionCreated; - } - public AuthenticationProcessor setRealm(RealmModel realm) { this.realm = realm; return this; } - public AuthenticationProcessor setClientSession(ClientSessionModel clientSession) { - this.clientSession = clientSession; + public AuthenticationProcessor setLoginSession(LoginSessionModel loginSession) { + this.loginSession = loginSession; return this; } @@ -213,8 +210,8 @@ public class AuthenticationProcessor { } public String generateCode() { - ClientSessionCode accessCode = new ClientSessionCode(session, getRealm(), getClientSession()); - clientSession.setTimestamp(Time.currentTime()); + ClientSessionCode accessCode = new ClientSessionCode(session, getRealm(), getLoginSession()); + loginSession.setTimestamp(Time.currentTime()); return accessCode.getCode(); } @@ -232,15 +229,15 @@ public class AuthenticationProcessor { } public void setAutheticatedUser(UserModel user) { - UserModel previousUser = clientSession.getAuthenticatedUser(); + UserModel previousUser = getLoginSession().getAuthenticatedUser(); if (previousUser != null && !user.getId().equals(previousUser.getId())) throw new AuthenticationFlowException(AuthenticationFlowError.USER_CONFLICT); validateUser(user); - getClientSession().setAuthenticatedUser(user); + getLoginSession().setAuthenticatedUser(user); } public void clearAuthenticatedUser() { - getClientSession().setAuthenticatedUser(null); + getLoginSession().setAuthenticatedUser(null); } public class Result implements AuthenticationFlowContext, ClientAuthenticationFlowContext { @@ -363,7 +360,7 @@ public class AuthenticationProcessor { @Override public UserModel getUser() { - return getClientSession().getAuthenticatedUser(); + return getLoginSession().getAuthenticatedUser(); } @Override @@ -397,8 +394,8 @@ public class AuthenticationProcessor { } @Override - public ClientSessionModel getClientSession() { - return AuthenticationProcessor.this.getClientSession(); + public LoginSessionModel getLoginSession() { + return AuthenticationProcessor.this.getLoginSession(); } @Override @@ -490,12 +487,12 @@ public class AuthenticationProcessor { @Override public void cancelLogin() { getEvent().error(Errors.REJECTED_BY_USER); - LoginProtocol protocol = getSession().getProvider(LoginProtocol.class, getClientSession().getAuthMethod()); + LoginProtocol protocol = getSession().getProvider(LoginProtocol.class, getLoginSession().getProtocol()); protocol.setRealm(getRealm()) .setHttpHeaders(getHttpRequest().getHttpHeaders()) .setUriInfo(getUriInfo()) .setEventBuilder(event); - Response response = protocol.sendError(getClientSession(), Error.CANCELLED_BY_USER); + Response response = protocol.sendError(getLoginSession(), Error.CANCELLED_BY_USER); forceChallenge(response); } @@ -539,7 +536,7 @@ public class AuthenticationProcessor { public void logFailure() { if (realm.isBruteForceProtected()) { - String username = clientSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); + String username = loginSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); // todo need to handle non form failures if (username == null) { @@ -569,7 +566,7 @@ public class AuthenticationProcessor { } public boolean isSuccessful(AuthenticationExecutionModel model) { - ClientSessionModel.ExecutionStatus status = clientSession.getExecutionStatus().get(model.getId()); + ClientSessionModel.ExecutionStatus status = loginSession.getExecutionStatus().get(model.getId()); if (status == null) return false; return status == ClientSessionModel.ExecutionStatus.SUCCESS; } @@ -602,10 +599,10 @@ public class AuthenticationProcessor { } else if (e.getError() == AuthenticationFlowError.FORK_FLOW) { ForkFlowException reset = (ForkFlowException)e; - ClientSessionModel clone = clone(session, clientSession); + LoginSessionModel clone = clone(session, loginSession); clone.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); AuthenticationProcessor processor = new AuthenticationProcessor(); - processor.setClientSession(clone) + processor.setLoginSession(clone) .setFlowPath(LoginActionsService.AUTHENTICATE_PATH) .setFlowId(realm.getBrowserFlow().getId()) .setForwardedErrorMessage(reset.getErrorMessage()) @@ -707,12 +704,12 @@ public class AuthenticationProcessor { } - public static Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, ClientSessionModel clientSession, UriInfo uriInfo) { + public static Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, LoginSessionModel loginSession, UriInfo uriInfo) { // redirect to non-action url so browser refresh button works without reposting past data - ClientSessionCode accessCode = new ClientSessionCode(session, realm, clientSession); + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, loginSession); accessCode.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name()); - clientSession.setTimestamp(Time.currentTime()); + loginSession.setTimestamp(Time.currentTime()); URI redirect = LoginActionsService.loginActionsBaseUrl(uriInfo) .path(LoginActionsService.REQUIRED_ACTION) @@ -721,22 +718,23 @@ public class AuthenticationProcessor { } - public static void resetFlow(ClientSessionModel clientSession) { + public static void resetFlow(LoginSessionModel loginSession) { logger.debug("RESET FLOW"); - clientSession.setTimestamp(Time.currentTime()); - clientSession.setAuthenticatedUser(null); - clientSession.clearExecutionStatus(); - clientSession.clearUserSessionNotes(); - clientSession.removeNote(CURRENT_AUTHENTICATION_EXECUTION); + loginSession.setTimestamp(Time.currentTime()); + loginSession.setAuthenticatedUser(null); + loginSession.clearExecutionStatus(); + loginSession.clearUserSessionNotes(); + loginSession.removeNote(CURRENT_AUTHENTICATION_EXECUTION); } - public static ClientSessionModel clone(KeycloakSession session, ClientSessionModel clientSession) { - ClientSessionModel clone = session.sessions().createClientSession(clientSession.getRealm(), clientSession.getClient()); - for (Map.Entry entry : clientSession.getNotes().entrySet()) { + public static LoginSessionModel clone(KeycloakSession session, LoginSessionModel loginSession) { + // TODO: Doublecheck false... + LoginSessionModel clone = session.loginSessions().createLoginSession(loginSession.getRealm(), loginSession.getClient(), false); + for (Map.Entry entry : loginSession.getNotes().entrySet()) { clone.setNote(entry.getKey(), entry.getValue()); } - clone.setRedirectUri(clientSession.getRedirectUri()); - clone.setAuthMethod(clientSession.getAuthMethod()); + clone.setRedirectUri(loginSession.getRedirectUri()); + clone.setProtocol(loginSession.getProtocol()); clone.setTimestamp(Time.currentTime()); clone.removeNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); return clone; @@ -747,26 +745,26 @@ public class AuthenticationProcessor { public Response authenticationAction(String execution) { logger.debug("authenticationAction"); checkClientSession(); - String current = clientSession.getNote(CURRENT_AUTHENTICATION_EXECUTION); + String current = loginSession.getNote(CURRENT_AUTHENTICATION_EXECUTION); if (!execution.equals(current)) { logger.debug("Current execution does not equal executed execution. Might be a page refresh"); //logFailure(); //resetFlow(clientSession); return authenticate(); } - UserModel authUser = clientSession.getAuthenticatedUser(); + UserModel authUser = loginSession.getAuthenticatedUser(); validateUser(authUser); AuthenticationExecutionModel model = realm.getAuthenticationExecutionById(execution); if (model == null) { logger.debug("Cannot find execution, reseting flow"); logFailure(); - resetFlow(clientSession); + resetFlow(loginSession); return authenticate(); } - event.client(clientSession.getClient().getClientId()) - .detail(Details.REDIRECT_URI, clientSession.getRedirectUri()) - .detail(Details.AUTH_METHOD, clientSession.getAuthMethod()); - String authType = clientSession.getNote(Details.AUTH_TYPE); + event.client(loginSession.getClient().getClientId()) + .detail(Details.REDIRECT_URI, loginSession.getRedirectUri()) + .detail(Details.AUTH_METHOD, loginSession.getProtocol()); + String authType = loginSession.getNote(Details.AUTH_TYPE); if (authType != null) { event.detail(Details.AUTH_TYPE, authType); } @@ -774,14 +772,14 @@ public class AuthenticationProcessor { AuthenticationFlow authenticationFlow = createFlowExecution(this.flowId, model); Response challenge = authenticationFlow.processAction(execution); if (challenge != null) return challenge; - if (clientSession.getAuthenticatedUser() == null) { + if (loginSession.getAuthenticatedUser() == null) { throw new AuthenticationFlowException(AuthenticationFlowError.UNKNOWN_USER); } return authenticationComplete(); } public void checkClientSession() { - ClientSessionCode code = new ClientSessionCode(session, realm, clientSession); + ClientSessionCode code = new ClientSessionCode(session, realm, loginSession); String action = ClientSessionModel.Action.AUTHENTICATE.name(); if (!code.isValidAction(action)) { throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CLIENT_SESSION); @@ -789,25 +787,25 @@ public class AuthenticationProcessor { if (!code.isActionActive(ClientSessionCode.ActionType.LOGIN)) { throw new AuthenticationFlowException(AuthenticationFlowError.EXPIRED_CODE); } - clientSession.setTimestamp(Time.currentTime()); + loginSession.setTimestamp(Time.currentTime()); } public Response authenticateOnly() throws AuthenticationFlowException { logger.debug("AUTHENTICATE ONLY"); checkClientSession(); - event.client(clientSession.getClient().getClientId()) - .detail(Details.REDIRECT_URI, clientSession.getRedirectUri()) - .detail(Details.AUTH_METHOD, clientSession.getAuthMethod()); - String authType = clientSession.getNote(Details.AUTH_TYPE); + event.client(loginSession.getClient().getClientId()) + .detail(Details.REDIRECT_URI, loginSession.getRedirectUri()) + .detail(Details.AUTH_METHOD, loginSession.getProtocol()); + String authType = loginSession.getNote(Details.AUTH_TYPE); if (authType != null) { event.detail(Details.AUTH_TYPE, authType); } - UserModel authUser = clientSession.getAuthenticatedUser(); + UserModel authUser = loginSession.getAuthenticatedUser(); validateUser(authUser); AuthenticationFlow authenticationFlow = createFlowExecution(this.flowId, null); Response challenge = authenticationFlow.processFlow(); if (challenge != null) return challenge; - if (clientSession.getAuthenticatedUser() == null) { + if (loginSession.getAuthenticatedUser() == null) { throw new AuthenticationFlowException(AuthenticationFlowError.UNKNOWN_USER); } return challenge; @@ -835,34 +833,44 @@ public class AuthenticationProcessor { } } - public void attachSession() { - String username = clientSession.getAuthenticatedUser().getUsername(); - String attemptedUsername = clientSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); + // May create userSession too + public ClientLoginSessionModel attachSession() { + return attachSession(loginSession, userSession, session, realm, connection, event); + } + + // May create new userSession too (if userSession argument is null) + public static ClientLoginSessionModel attachSession(LoginSessionModel loginSession, UserSessionModel userSession, KeycloakSession session, RealmModel realm, ClientConnection connection, EventBuilder event) { + String username = loginSession.getAuthenticatedUser().getUsername(); + String attemptedUsername = loginSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); if (attemptedUsername != null) username = attemptedUsername; - String rememberMe = clientSession.getNote(Details.REMEMBER_ME); + String rememberMe = loginSession.getNote(Details.REMEMBER_ME); boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("true"); if (userSession == null) { // if no authenticator attached a usersession - userSession = session.sessions().createUserSession(realm, clientSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), clientSession.getAuthMethod(), remember, null, null); + userSession = session.sessions().createUserSession(realm, loginSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), loginSession.getProtocol(), remember, null, null); userSession.setState(UserSessionModel.State.LOGGING_IN); - userSessionCreated = true; } if (remember) { event.detail(Details.REMEMBER_ME, "true"); } - TokenManager.attachClientSession(userSession, clientSession); + + ClientLoginSessionModel clientSession = TokenManager.attachLoginSession(session, userSession, loginSession); + event.user(userSession.getUser()) .detail(Details.USERNAME, username) .session(userSession); + + return clientSession; } public void evaluateRequiredActionTriggers() { - AuthenticationManager.evaluateRequiredActionTriggers(session, userSession, clientSession, connection, request, uriInfo, event, realm, clientSession.getAuthenticatedUser()); + AuthenticationManager.evaluateRequiredActionTriggers(session, loginSession, connection, request, uriInfo, event, realm, loginSession.getAuthenticatedUser()); } public Response finishAuthentication(LoginProtocol protocol) { event.success(); - RealmModel realm = clientSession.getRealm(); - return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, userSession, clientSession, request, uriInfo, connection, event, protocol); + RealmModel realm = loginSession.getRealm(); + ClientLoginSessionModel clientSession = attachSession(); + return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, userSession,clientSession, request, uriInfo, connection, event, protocol); } @@ -877,19 +885,21 @@ public class AuthenticationProcessor { } protected Response authenticationComplete() { - attachSession(); + // attachSession(); // Session will be attached after requiredActions + consents are finished. if (isActionRequired()) { - return redirectToRequiredActions(session, realm, clientSession, uriInfo); + // TODO:mposolda Changed this to avoid additional redirect. Doublecheck consequences... + //return redirectToRequiredActions(session, realm, loginSession, uriInfo); + return AuthenticationManager.nextActionAfterAuthentication(session, loginSession, connection, request, uriInfo, event); } else { - event.detail(Details.CODE_ID, clientSession.getId()); // todo This should be set elsewhere. find out why tests fail. Don't know where this is supposed to be set + event.detail(Details.CODE_ID, loginSession.getId()); // todo This should be set elsewhere. find out why tests fail. Don't know where this is supposed to be set // the user has successfully logged in and we can clear his/her previous login failure attempts. logSuccess(); - return AuthenticationManager.finishedRequiredActions(session, userSession, clientSession, connection, request, uriInfo, event); + return AuthenticationManager.finishedRequiredActions(session, loginSession, connection, request, uriInfo, event); } } public boolean isActionRequired() { - return AuthenticationManager.isActionRequired(session, userSession, clientSession, connection, request, uriInfo, event); + return AuthenticationManager.isActionRequired(session, loginSession, connection, request, uriInfo, event); } public AuthenticationProcessor.Result createAuthenticatorContext(AuthenticationExecutionModel model, Authenticator authenticator, List executions) { diff --git a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java index 40433cfee7..d87301f81f 100755 --- a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java +++ b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java @@ -51,7 +51,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { protected boolean isProcessed(AuthenticationExecutionModel model) { if (model.isDisabled()) return true; - ClientSessionModel.ExecutionStatus status = processor.getClientSession().getExecutionStatus().get(model.getId()); + ClientSessionModel.ExecutionStatus status = processor.getLoginSession().getExecutionStatus().get(model.getId()); if (status == null) return false; return status == ClientSessionModel.ExecutionStatus.SUCCESS || status == ClientSessionModel.ExecutionStatus.SKIPPED || status == ClientSessionModel.ExecutionStatus.ATTEMPTED @@ -75,7 +75,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model); Response flowChallenge = authenticationFlow.processAction(actionExecution); if (flowChallenge == null) { - processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); if (model.isAlternative()) alternativeSuccessful = true; return processFlow(); } else { @@ -92,7 +92,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { authenticator.action(result); Response response = processResult(result); if (response == null) { - processor.getClientSession().removeNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + processor.getLoginSession().removeNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); if (result.status == FlowStatus.SUCCESS) { // we do this so that flow can redirect to a non-action URL processor.setActionSuccessful(); @@ -119,7 +119,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { } if (model.isAlternative() && alternativeSuccessful) { logger.debug("Skip alternative execution"); - processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); continue; } if (model.isAuthenticatorFlow()) { @@ -127,7 +127,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model); Response flowChallenge = authenticationFlow.processFlow(); if (flowChallenge == null) { - processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); if (model.isAlternative()) alternativeSuccessful = true; continue; } else { @@ -135,13 +135,13 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { alternativeChallenge = flowChallenge; challengedAlternativeExecution = model; } else if (model.isRequired()) { - processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return flowChallenge; } else if (model.isOptional()) { - processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); continue; } else { - processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); continue; } return flowChallenge; @@ -154,11 +154,11 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { } Authenticator authenticator = factory.create(processor.getSession()); logger.debugv("authenticator: {0}", factory.getId()); - UserModel authUser = processor.getClientSession().getAuthenticatedUser(); + UserModel authUser = processor.getLoginSession().getAuthenticatedUser(); if (authenticator.requiresUser() && authUser == null) { if (alternativeChallenge != null) { - processor.getClientSession().setExecutionStatus(challengedAlternativeExecution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getLoginSession().setExecutionStatus(challengedAlternativeExecution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return alternativeChallenge; } throw new AuthenticationFlowException("authenticator: " + factory.getId(), AuthenticationFlowError.UNKNOWN_USER); @@ -170,14 +170,14 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { if (model.isRequired()) { if (factory.isUserSetupAllowed()) { logger.debugv("authenticator SETUP_REQUIRED: {0}", factory.getId()); - processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SETUP_REQUIRED); - authenticator.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getClientSession().getAuthenticatedUser()); + processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SETUP_REQUIRED); + authenticator.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getLoginSession().getAuthenticatedUser()); continue; } else { throw new AuthenticationFlowException(AuthenticationFlowError.CREDENTIAL_SETUP_REQUIRED); } } else if (model.isOptional()) { - processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); continue; } } @@ -202,56 +202,56 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { switch (status) { case SUCCESS: logger.debugv("authenticator SUCCESS: {0}", execution.getAuthenticator()); - processor.getClientSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); if (execution.isAlternative()) alternativeSuccessful = true; return null; case FAILED: logger.debugv("authenticator FAILED: {0}", execution.getAuthenticator()); processor.logFailure(); - processor.getClientSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.FAILED); + processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.FAILED); if (result.getChallenge() != null) { return sendChallenge(result, execution); } throw new AuthenticationFlowException(result.getError()); case FORK: logger.debugv("reset browser login from authenticator: {0}", execution.getAuthenticator()); - processor.getClientSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); + processor.getLoginSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); throw new ForkFlowException(result.getSuccessMessage(), result.getErrorMessage()); case FORCE_CHALLENGE: - processor.getClientSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); case CHALLENGE: logger.debugv("authenticator CHALLENGE: {0}", execution.getAuthenticator()); if (execution.isRequired()) { - processor.getClientSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); } - UserModel authenticatedUser = processor.getClientSession().getAuthenticatedUser(); + UserModel authenticatedUser = processor.getLoginSession().getAuthenticatedUser(); if (execution.isOptional() && authenticatedUser != null && result.getAuthenticator().configuredFor(processor.getSession(), processor.getRealm(), authenticatedUser)) { - processor.getClientSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); } if (execution.isAlternative()) { alternativeChallenge = result.getChallenge(); challengedAlternativeExecution = execution; } else { - processor.getClientSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); } return null; case FAILURE_CHALLENGE: logger.debugv("authenticator FAILURE_CHALLENGE: {0}", execution.getAuthenticator()); processor.logFailure(); - processor.getClientSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); case ATTEMPTED: logger.debugv("authenticator ATTEMPTED: {0}", execution.getAuthenticator()); if (execution.getRequirement() == AuthenticationExecutionModel.Requirement.REQUIRED) { throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CREDENTIALS); } - processor.getClientSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.ATTEMPTED); + processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.ATTEMPTED); return null; case FLOW_RESET: - AuthenticationProcessor.resetFlow(processor.getClientSession()); + AuthenticationProcessor.resetFlow(processor.getLoginSession()); return processor.authenticate(); default: logger.debugv("authenticator INTERNAL_ERROR: {0}", execution.getAuthenticator()); @@ -261,7 +261,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { } public Response sendChallenge(AuthenticationProcessor.Result result, AuthenticationExecutionModel execution) { - processor.getClientSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); + processor.getLoginSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); return result.getChallenge(); } diff --git a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java index 59c85fb74a..b1d29f18a6 100755 --- a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java +++ b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java @@ -30,6 +30,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.services.resources.LoginActionsService; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; @@ -93,7 +94,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow { @Override public UserModel getUser() { - return getClientSession().getAuthenticatedUser(); + return getLoginSession().getAuthenticatedUser(); } @Override @@ -107,8 +108,8 @@ public class FormAuthenticationFlow implements AuthenticationFlow { } @Override - public ClientSessionModel getClientSession() { - return processor.getClientSession(); + public LoginSessionModel getLoginSession() { + return processor.getLoginSession(); } @Override @@ -178,7 +179,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow { FormActionFactory factory = (FormActionFactory)processor.getSession().getKeycloakSessionFactory().getProviderFactory(FormAction.class, formActionExecution.getAuthenticator()); FormAction action = factory.create(processor.getSession()); - UserModel authUser = processor.getClientSession().getAuthenticatedUser(); + UserModel authUser = processor.getLoginSession().getAuthenticatedUser(); if (action.requiresUser() && authUser == null) { throw new AuthenticationFlowException("form action: " + formExecution.getAuthenticator() + " requires user", AuthenticationFlowError.UNKNOWN_USER); } @@ -235,14 +236,14 @@ public class FormAuthenticationFlow implements AuthenticationFlow { } // set status and required actions only if form is fully successful for (Map.Entry entry : executionStatus.entrySet()) { - processor.getClientSession().setExecutionStatus(entry.getKey(), entry.getValue()); + processor.getLoginSession().setExecutionStatus(entry.getKey(), entry.getValue()); } for (FormAction action : requiredActions) { - action.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getClientSession().getAuthenticatedUser()); + action.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getLoginSession().getAuthenticatedUser()); } - processor.getClientSession().setExecutionStatus(actionExecution, ClientSessionModel.ExecutionStatus.SUCCESS); - processor.getClientSession().removeNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + processor.getLoginSession().setExecutionStatus(actionExecution, ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getLoginSession().removeNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); processor.setActionSuccessful(); return null; } @@ -262,7 +263,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow { public Response renderForm(MultivaluedMap formData, List errors) { String executionId = formExecution.getId(); - processor.getClientSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, executionId); + processor.getLoginSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, executionId); String code = processor.generateCode(); URI actionUrl = getActionUrl(executionId, code); LoginFormsProvider form = processor.getSession().getProvider(LoginFormsProvider.class) diff --git a/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java b/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java index 8f830d1e40..fd60a9d10e 100755 --- a/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java +++ b/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java @@ -23,13 +23,12 @@ import org.keycloak.common.ClientConnection; import org.keycloak.common.util.Time; import org.keycloak.events.EventBuilder; import org.keycloak.forms.login.LoginFormsProvider; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.resources.LoginActionsService; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; @@ -40,8 +39,7 @@ import java.net.URI; * @version $Revision: 1 $ */ public class RequiredActionContextResult implements RequiredActionContext { - protected UserSessionModel userSession; - protected ClientSessionModel clientSession; + protected LoginSessionModel loginSession; protected RealmModel realm; protected EventBuilder eventBuilder; protected KeycloakSession session; @@ -51,12 +49,11 @@ public class RequiredActionContextResult implements RequiredActionContext { protected UserModel user; protected RequiredActionFactory factory; - public RequiredActionContextResult(UserSessionModel userSession, ClientSessionModel clientSession, + public RequiredActionContextResult(LoginSessionModel loginSession, RealmModel realm, EventBuilder eventBuilder, KeycloakSession session, HttpRequest httpRequest, UserModel user, RequiredActionFactory factory) { - this.userSession = userSession; - this.clientSession = clientSession; + this.loginSession = loginSession; this.realm = realm; this.eventBuilder = eventBuilder; this.session = session; @@ -81,13 +78,8 @@ public class RequiredActionContextResult implements RequiredActionContext { } @Override - public ClientSessionModel getClientSession() { - return clientSession; - } - - @Override - public UserSessionModel getUserSession() { - return userSession; + public LoginSessionModel getLoginSession() { + return loginSession; } @Override @@ -148,8 +140,8 @@ public class RequiredActionContextResult implements RequiredActionContext { @Override public String generateCode() { - ClientSessionCode accessCode = new ClientSessionCode(session, getRealm(), getClientSession()); - clientSession.setTimestamp(Time.currentTime()); + ClientSessionCode accessCode = new ClientSessionCode<>(session, getRealm(), getLoginSession()); + loginSession.setTimestamp(Time.currentTime()); return accessCode.getCode(); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java index 87108da0a3..fd65f61eb9 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java @@ -25,11 +25,11 @@ import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo; import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.events.Errors; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.services.messages.Messages; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.Response; @@ -59,13 +59,13 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { @Override public void authenticate(AuthenticationFlowContext context) { - ClientSessionModel clientSession = context.getClientSession(); + LoginSessionModel loginSession = context.getLoginSession(); - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, BROKERED_CONTEXT_NOTE); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(loginSession, BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); } - BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), clientSession); + BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), loginSession); if (!brokerContext.getIdpConfig().isEnabled()) { sendFailureChallenge(context, Errors.IDENTITY_PROVIDER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); @@ -76,9 +76,9 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { @Override public void action(AuthenticationFlowContext context) { - ClientSessionModel clientSession = context.getClientSession(); + LoginSessionModel clientSession = context.getLoginSession(); - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, BROKERED_CONTEXT_NOTE); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(clientSession, BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); } @@ -112,8 +112,8 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { } - public static UserModel getExistingUser(KeycloakSession session, RealmModel realm, ClientSessionModel clientSession) { - String existingUserId = clientSession.getNote(EXISTING_USER_INFO); + public static UserModel getExistingUser(KeycloakSession session, RealmModel realm, LoginSessionModel loginSession) { + String existingUserId = loginSession.getNote(EXISTING_USER_INFO); if (existingUserId == null) { throw new AuthenticationFlowException("Unexpected state. There is no existing duplicated user identified in ClientSession", AuthenticationFlowError.INTERNAL_ERROR); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java index 82347004c6..0b848723df 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java @@ -24,12 +24,12 @@ import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo; import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.forms.login.LoginFormsProvider; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.services.ServicesLogger; import org.keycloak.services.messages.Messages; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; @@ -41,9 +41,9 @@ public class IdpConfirmLinkAuthenticator extends AbstractIdpAuthenticator { @Override protected void authenticateImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { - ClientSessionModel clientSession = context.getClientSession(); + LoginSessionModel loginSession = context.getLoginSession(); - String existingUserInfo = clientSession.getNote(EXISTING_USER_INFO); + String existingUserInfo = loginSession.getNote(EXISTING_USER_INFO); if (existingUserInfo == null) { ServicesLogger.LOGGER.noDuplicationDetected(); context.attempted(); @@ -65,8 +65,8 @@ public class IdpConfirmLinkAuthenticator extends AbstractIdpAuthenticator { String action = formData.getFirst("submitAction"); if (action != null && action.equals("updateProfile")) { - context.getClientSession().setNote(ENFORCE_UPDATE_PROFILE, "true"); - context.getClientSession().removeNote(EXISTING_USER_INFO); + context.getLoginSession().setNote(ENFORCE_UPDATE_PROFILE, "true"); + context.getLoginSession().removeNote(EXISTING_USER_INFO); context.resetFlow(); } else if (action != null && action.equals("linkAccount")) { context.success(); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java index 317cb64873..f905e0cc2a 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java @@ -53,7 +53,7 @@ public class IdpCreateUserIfUniqueAuthenticator extends AbstractIdpAuthenticator KeycloakSession session = context.getSession(); RealmModel realm = context.getRealm(); - if (context.getClientSession().getNote(EXISTING_USER_INFO) != null) { + if (context.getLoginSession().getNote(EXISTING_USER_INFO) != null) { context.attempted(); return; } @@ -61,7 +61,7 @@ public class IdpCreateUserIfUniqueAuthenticator extends AbstractIdpAuthenticator String username = getUsername(context, serializedCtx, brokerContext); if (username == null) { ServicesLogger.LOGGER.resetFlow(realm.isRegistrationEmailAsUsername() ? "Email" : "Username"); - context.getClientSession().setNote(ENFORCE_UPDATE_PROFILE, "true"); + context.getLoginSession().setNote(ENFORCE_UPDATE_PROFILE, "true"); context.resetFlow(); return; } @@ -91,14 +91,14 @@ public class IdpCreateUserIfUniqueAuthenticator extends AbstractIdpAuthenticator userRegisteredSuccess(context, federatedUser, serializedCtx, brokerContext); context.setUser(federatedUser); - context.getClientSession().setNote(BROKER_REGISTERED_NEW_USER, "true"); + context.getLoginSession().setNote(BROKER_REGISTERED_NEW_USER, "true"); context.success(); } else { logger.debugf("Duplication detected. There is already existing user with %s '%s' .", duplication.getDuplicateAttributeName(), duplication.getDuplicateAttributeValue()); // Set duplicated user, so next authenticators can deal with it - context.getClientSession().setNote(EXISTING_USER_INFO, duplication.serialize()); + context.getLoginSession().setNote(EXISTING_USER_INFO, duplication.serialize()); Response challengeResponse = context.form() .setError(Messages.FEDERATED_IDENTITY_EXISTS, duplication.getDuplicateAttributeName(), duplication.getDuplicateAttributeValue()) diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java index 420eb20924..27a30e8647 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java @@ -53,7 +53,7 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator @Override protected void authenticateImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { - KeycloakSession session = context.getSession(); + /*KeycloakSession session = context.getSession(); RealmModel realm = context.getRealm(); ClientSessionModel clientSession = context.getClientSession(); @@ -63,9 +63,6 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator return; } - // Create action cookie to detect if email verification happened in same browser - LoginActionsService.createActionCookie(context.getRealm(), context.getUriInfo(), context.getConnection(), context.getClientSession().getId()); - VerifyEmail.setupKey(clientSession); UserModel existingUser = getExistingUser(session, realm, clientSession); @@ -107,12 +104,12 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator .setStatus(Response.Status.OK) .setAttribute(LoginFormsProvider.IDENTITY_PROVIDER_BROKER_CONTEXT, brokerContext) .createIdpLinkEmailPage(); - context.forceChallenge(challenge); + context.forceChallenge(challenge);*/ } @Override protected void actionImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { - MultivaluedMap queryParams = context.getSession().getContext().getUri().getQueryParameters(); + /*MultivaluedMap queryParams = context.getSession().getContext().getUri().getQueryParameters(); String key = queryParams.getFirst(Constants.KEY); ClientSessionModel clientSession = context.getClientSession(); RealmModel realm = context.getRealm(); @@ -149,7 +146,7 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator .setError(Messages.MISSING_PARAMETER, Constants.KEY) .createErrorPage(); context.failureChallenge(AuthenticationFlowError.IDENTITY_PROVIDER_ERROR, challengeResponse); - } + }*/ } @Override diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java index c58e3e16c5..edd3c62200 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java @@ -33,7 +33,6 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.representations.idm.IdentityProviderRepresentation; -import org.keycloak.services.ServicesLogger; import org.keycloak.services.resources.AttributeFormDataProcessor; import org.keycloak.services.validation.Validation; @@ -74,7 +73,7 @@ public class IdpReviewProfileAuthenticator extends AbstractIdpAuthenticator { } protected boolean requiresUpdateProfilePage(AuthenticationFlowContext context, SerializedBrokeredIdentityContext userCtx, BrokeredIdentityContext brokerContext) { - String enforceUpdateProfile = context.getClientSession().getNote(ENFORCE_UPDATE_PROFILE); + String enforceUpdateProfile = context.getLoginSession().getNote(ENFORCE_UPDATE_PROFILE); if (Boolean.parseBoolean(enforceUpdateProfile)) { return true; } @@ -123,12 +122,12 @@ public class IdpReviewProfileAuthenticator extends AbstractIdpAuthenticator { } userCtx.setEmail(email); - context.getClientSession().setNote(UPDATE_PROFILE_EMAIL_CHANGED, "true"); + context.getLoginSession().setNote(UPDATE_PROFILE_EMAIL_CHANGED, "true"); } AttributeFormDataProcessor.process(formData, realm, userCtx); - userCtx.saveToClientSession(context.getClientSession(), BROKERED_CONTEXT_NOTE); + userCtx.saveToLoginSession(context.getLoginSession(), BROKERED_CONTEXT_NOTE); logger.debugf("Profile updated successfully after first authentication with identity provider '%s' for broker user '%s'.", brokerContext.getIdpConfig().getAlias(), userCtx.getUsername()); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java index cd09c37159..071a1ec410 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java @@ -39,7 +39,7 @@ public class IdpUsernamePasswordForm extends UsernamePasswordForm { @Override protected Response challenge(AuthenticationFlowContext context, MultivaluedMap formData) { - UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getClientSession()); + UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getLoginSession()); return setupForm(context, formData, existingUser) .setStatus(Response.Status.OK) @@ -48,7 +48,7 @@ public class IdpUsernamePasswordForm extends UsernamePasswordForm { @Override protected boolean validateForm(AuthenticationFlowContext context, MultivaluedMap formData) { - UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getClientSession()); + UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getLoginSession()); context.setUser(existingUser); // Restore formData for the case of error @@ -58,7 +58,7 @@ public class IdpUsernamePasswordForm extends UsernamePasswordForm { } protected LoginFormsProvider setupForm(AuthenticationFlowContext context, MultivaluedMap formData, UserModel existingUser) { - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(context.getClientSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(context.getLoginSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java index 1e404621c7..86bb9795a7 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java @@ -31,6 +31,7 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; import org.keycloak.services.resources.IdentityBrokerService; +import org.keycloak.sessions.LoginSessionModel; import org.keycloak.util.JsonSerialization; import java.io.IOException; @@ -246,7 +247,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { } } - public BrokeredIdentityContext deserialize(KeycloakSession session, ClientSessionModel clientSession) { + public BrokeredIdentityContext deserialize(KeycloakSession session, LoginSessionModel loginSession) { BrokeredIdentityContext ctx = new BrokeredIdentityContext(getId()); ctx.setUsername(getBrokerUsername()); @@ -258,7 +259,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { ctx.setBrokerUserId(getBrokerUserId()); ctx.setToken(getToken()); - RealmModel realm = clientSession.getRealm(); + RealmModel realm = loginSession.getRealm(); IdentityProviderModel idpConfig = realm.getIdentityProviderByAlias(getIdentityProviderId()); if (idpConfig == null) { throw new ModelException("Can't find identity provider with ID " + getIdentityProviderId() + " in realm " + realm.getName()); @@ -282,7 +283,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { } } - ctx.setClientSession(clientSession); + ctx.setLoginSession(loginSession); return ctx; } @@ -299,7 +300,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { ctx.setToken(context.getToken()); ctx.setIdentityProviderId(context.getIdpConfig().getAlias()); - ctx.emailAsUsername = context.getClientSession().getRealm().isRegistrationEmailAsUsername(); + ctx.emailAsUsername = context.getLoginSession().getRealm().isRegistrationEmailAsUsername(); IdentityProviderDataMarshaller serializer = context.getIdp().getMarshaller(); @@ -314,23 +315,23 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { } // Save this context as note to clientSession - public void saveToClientSession(ClientSessionModel clientSession, String noteKey) { + public void saveToLoginSession(LoginSessionModel loginSession, String noteKey) { try { String asString = JsonSerialization.writeValueAsString(this); - clientSession.setNote(noteKey, asString); + loginSession.setNote(noteKey, asString); } catch (IOException ioe) { throw new RuntimeException(ioe); } } - public static SerializedBrokeredIdentityContext readFromClientSession(ClientSessionModel clientSession, String noteKey) { - String asString = clientSession.getNote(noteKey); + public static SerializedBrokeredIdentityContext readFromLoginSession(LoginSessionModel loginSession, String noteKey) { + String asString = loginSession.getNote(noteKey); if (asString == null) { return null; } else { try { SerializedBrokeredIdentityContext serializedCtx = JsonSerialization.readValue(asString, SerializedBrokeredIdentityContext.class); - serializedCtx.emailAsUsername = clientSession.getRealm().isRegistrationEmailAsUsername(); + serializedCtx.emailAsUsername = loginSession.getRealm().isRegistrationEmailAsUsername(); return serializedCtx; } catch (IOException ioe) { throw new RuntimeException(ioe); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java index f837d3ca51..fc73e1875a 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java @@ -126,7 +126,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth username = username.trim(); context.getEvent().detail(Details.USERNAME, username); - context.getClientSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); + context.getLoginSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); UserModel user = null; try { @@ -159,10 +159,10 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth String rememberMe = inputData.getFirst("rememberMe"); boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("on"); if (remember) { - context.getClientSession().setNote(Details.REMEMBER_ME, "true"); + context.getLoginSession().setNote(Details.REMEMBER_ME, "true"); context.getEvent().detail(Details.REMEMBER_ME, "true"); } else { - context.getClientSession().removeNote(Details.REMEMBER_ME); + context.getLoginSession().removeNote(Details.REMEMBER_ME); } context.setUser(user); return true; diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java index b4552af50f..d1c22f543d 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java @@ -25,6 +25,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.protocol.LoginProtocol; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.sessions.LoginSessionModel; /** * @author Bill Burke @@ -44,8 +45,8 @@ public class CookieAuthenticator implements Authenticator { if (authResult == null) { context.attempted(); } else { - ClientSessionModel clientSession = context.getClientSession(); - LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, clientSession.getAuthMethod()); + LoginSessionModel clientSession = context.getLoginSession(); + LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, clientSession.getProtocol()); // Cookie re-authentication is skipped if re-authentication is required if (protocol.requireReauthentication(authResult.getSession(), clientSession)) { diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java index f8408a4ecc..8cfd714c65 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java @@ -63,7 +63,7 @@ public class IdentityProviderAuthenticator implements Authenticator { List identityProviders = context.getRealm().getIdentityProviders(); for (IdentityProviderModel identityProvider : identityProviders) { if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) { - String accessCode = new ClientSessionCode(context.getSession(), context.getRealm(), context.getClientSession()).getCode(); + String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getLoginSession()).getCode(); Response response = Response.seeOther( Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode)) .build(); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java index 0b400f07ac..1a90b59ff5 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java @@ -160,7 +160,7 @@ public class ScriptBasedAuthenticator implements Authenticator { bindings.put("user", context.getUser()); bindings.put("session", context.getSession()); bindings.put("httpRequest", context.getHttpRequest()); - bindings.put("clientSession", context.getClientSession()); + bindings.put("clientSession", context.getLoginSession()); bindings.put("LOG", LOGGER); }); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java index 8bfb995316..c909921641 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java @@ -98,7 +98,7 @@ public class SpnegoAuthenticator extends AbstractUsernameFormAuthenticator imple context.setUser(output.getAuthenticatedUser()); if (output.getState() != null && !output.getState().isEmpty()) { for (Map.Entry entry : output.getState().entrySet()) { - context.getClientSession().setUserSessionNote(entry.getKey(), entry.getValue()); + context.getLoginSession().setUserSessionNote(entry.getKey(), entry.getValue()); } } context.success(); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java index 4f8e2d1948..cde0cb3ad4 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java @@ -59,7 +59,7 @@ public class UsernamePasswordForm extends AbstractUsernameFormAuthenticator impl @Override public void authenticate(AuthenticationFlowContext context) { MultivaluedMap formData = new MultivaluedMapImpl<>(); - String loginHint = context.getClientSession().getNote(OIDCLoginProtocol.LOGIN_HINT_PARAM); + String loginHint = context.getLoginSession().getNote(OIDCLoginProtocol.LOGIN_HINT_PARAM); String rememberMeUsername = AuthenticationManager.getRememberMeUsername(context.getRealm(), context.getHttpRequest().getHttpHeaders()); @@ -72,7 +72,7 @@ public class UsernamePasswordForm extends AbstractUsernameFormAuthenticator impl } } Response challengeResponse = challenge(context, formData); - context.getClientSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, context.getExecution().getId()); + context.getLoginSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, context.getExecution().getId()); context.challenge(challengeResponse); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java b/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java index da7a67f1f7..409618f318 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java @@ -55,7 +55,7 @@ public class ValidateUsername extends AbstractDirectGrantAuthenticator { return; } context.getEvent().detail(Details.USERNAME, username); - context.getClientSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); + context.getLoginSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); UserModel user = null; try { diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java index 46097a022f..9604504891 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java @@ -53,9 +53,9 @@ public class ResetCredentialChooseUser implements Authenticator, AuthenticatorFa @Override public void authenticate(AuthenticationFlowContext context) { - String existingUserId = context.getClientSession().getNote(AbstractIdpAuthenticator.EXISTING_USER_INFO); + String existingUserId = context.getLoginSession().getNote(AbstractIdpAuthenticator.EXISTING_USER_INFO); if (existingUserId != null) { - UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getClientSession()); + UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getLoginSession()); logger.debugf("Forget-password triggered when reauthenticating user after first broker login. Skipping reset-credential-choose-user screen and using user '%s' ", existingUser.getUsername()); context.setUser(existingUser); @@ -89,7 +89,7 @@ public class ResetCredentialChooseUser implements Authenticator, AuthenticatorFa user = context.getSession().users().getUserByEmail(username, realm); } - context.getClientSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); + context.getLoginSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); // we don't want people guessing usernames, so if there is a problem, just continue, but don't set the user // a null user will notify further executions, that this was a failure. diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java index 0d41b062c6..e74fa20882 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java @@ -61,7 +61,7 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory @Override public void authenticate(AuthenticationFlowContext context) { - LoginActionsService.createActionCookie(context.getRealm(), context.getUriInfo(), context.getConnection(), context.getClientSession().getId()); + /*LoginActionsService.createActionCookie(context.getRealm(), context.getUriInfo(), context.getConnection(), context.getClientSession().getId()); UserModel user = context.getUser(); String username = context.getClientSession().getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); @@ -109,12 +109,12 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory .setError(Messages.EMAIL_SENT_ERROR) .createErrorPage(); context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); - } + }*/ } @Override public void action(AuthenticationFlowContext context) { - String secret = context.getClientSession().getNote(RESET_CREDENTIAL_SECRET); + /*String secret = context.getClientSession().getNote(RESET_CREDENTIAL_SECRET); String key = context.getUriInfo().getQueryParameters().getFirst(Constants.KEY); // Can only guess once! We remove the note so another guess can't happen @@ -129,7 +129,7 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory } // We now know email is valid, so set it to valid. context.getUser().setEmailVerified(true); - context.success(); + context.success();*/ } @Override diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java index 40c703b988..7dcf8293f0 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java @@ -33,7 +33,7 @@ public class ResetOTP extends AbstractSetRequiredActionAuthenticator { if (context.getExecution().isRequired() || (context.getExecution().isOptional() && configuredFor(context))) { - context.getClientSession().addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP); + context.getLoginSession().addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP); } context.success(); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java index 64098fa379..9c0fdab7cd 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java @@ -34,14 +34,14 @@ public class ResetPassword extends AbstractSetRequiredActionAuthenticator { @Override public void authenticate(AuthenticationFlowContext context) { String actionCookie = LoginActionsService.getActionCookie(context.getSession().getContext().getRequestHeaders(), context.getRealm(), context.getUriInfo(), context.getConnection()); - if (actionCookie == null || !actionCookie.equals(context.getClientSession().getId())) { - context.getClientSession().setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); + if (actionCookie == null || !actionCookie.equals(context.getLoginSession().getId())) { + context.getLoginSession().setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); } if (context.getExecution().isRequired() || (context.getExecution().isOptional() && configuredFor(context))) { - context.getClientSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD); + context.getLoginSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD); } context.success(); } diff --git a/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java b/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java index 90dee70808..ddb42be050 100755 --- a/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java +++ b/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java @@ -134,16 +134,16 @@ public class RegistrationUserCreation implements FormAction, FormActionFactory { user.setEnabled(true); user.setEmail(email); - context.getClientSession().setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); + context.getLoginSession().setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); AttributeFormDataProcessor.process(formData, context.getRealm(), user); context.setUser(user); context.getEvent().user(user); context.getEvent().success(); context.newEvent().event(EventType.LOGIN); - context.getEvent().client(context.getClientSession().getClient().getClientId()) - .detail(Details.REDIRECT_URI, context.getClientSession().getRedirectUri()) - .detail(Details.AUTH_METHOD, context.getClientSession().getAuthMethod()); - String authType = context.getClientSession().getNote(Details.AUTH_TYPE); + context.getEvent().client(context.getLoginSession().getClient().getClientId()) + .detail(Details.REDIRECT_URI, context.getLoginSession().getRedirectUri()) + .detail(Details.AUTH_METHOD, context.getLoginSession().getProtocol()); + String authType = context.getLoginSession().getNote(Details.AUTH_TYPE); if (authType != null) { context.getEvent().detail(Details.AUTH_TYPE, authType); } diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java index aa5bf25db5..9984e823ae 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java @@ -88,8 +88,8 @@ public class UpdatePassword implements RequiredActionProvider, RequiredActionFac String passwordConfirm = formData.getFirst("password-confirm"); EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR) - .client(context.getClientSession().getClient()) - .user(context.getClientSession().getUserSession().getUser()); + .client(context.getLoginSession().getClient()) + .user(context.getLoginSession().getAuthenticatedUser()); if (Validation.isBlank(passwordNew)) { Response challenge = context.form() diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java index 2d683d3afa..e45ddcb657 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java @@ -62,6 +62,8 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor return; } + // TODO:mposolda + /* context.getEvent().clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, context.getUser().getEmail()).success(); LoginActionsService.createActionCookie(context.getRealm(), context.getUriInfo(), context.getConnection(), context.getUserSession().getId()); @@ -73,6 +75,7 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor .setUser(context.getUser()); Response challenge = loginFormsProvider.createResponse(UserModel.RequiredAction.VERIFY_EMAIL); context.challenge(challenge); + */ } @Override diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java index 2e82794927..88d859420b 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java @@ -38,6 +38,7 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest; import org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder; @@ -55,7 +56,6 @@ import org.keycloak.authorization.store.ScopeStore; import org.keycloak.authorization.store.StoreFactory; import org.keycloak.authorization.util.Permissions; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; @@ -67,6 +67,7 @@ import org.keycloak.representations.idm.authorization.ResourceRepresentation; import org.keycloak.representations.idm.authorization.ScopeRepresentation; import org.keycloak.services.Urls; import org.keycloak.services.resources.admin.RealmAuth; +import org.keycloak.sessions.LoginSessionModel; /** * @author Pedro Igor @@ -192,19 +193,13 @@ public class PolicyEvaluationService { private static class CloseableKeycloakIdentity extends KeycloakIdentity { private UserSessionModel userSession; - private ClientSessionModel clientSession; - public CloseableKeycloakIdentity(AccessToken accessToken, KeycloakSession keycloakSession, UserSessionModel userSession, ClientSessionModel clientSession) { + public CloseableKeycloakIdentity(AccessToken accessToken, KeycloakSession keycloakSession, UserSessionModel userSession) { super(accessToken, keycloakSession); this.userSession = userSession; - this.clientSession = clientSession; } public void close() { - if (clientSession != null) { - keycloakSession.sessions().removeClientSession(realm, clientSession); - } - if (userSession != null) { keycloakSession.sessions().removeUserSession(realm, userSession); } @@ -220,7 +215,7 @@ public class PolicyEvaluationService { String subject = representation.getUserId(); - ClientSessionModel clientSession = null; + ClientLoginSessionModel clientSession = null; UserSessionModel userSession = null; if (subject != null) { UserModel userModel = keycloakSession.users().getUserById(subject, realm); @@ -234,11 +229,11 @@ public class PolicyEvaluationService { if (clientId != null) { ClientModel clientModel = realm.getClientById(clientId); - clientSession = keycloakSession.sessions().createClientSession(realm, clientModel); - clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); + LoginSessionModel loginSession = keycloakSession.loginSessions().createLoginSession(realm, clientModel, false); + loginSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); userSession = keycloakSession.sessions().createUserSession(realm, userModel, userModel.getUsername(), "127.0.0.1", "passwd", false, null, null); - new TokenManager().attachClientSession(userSession, clientSession); + new TokenManager().attachLoginSession(keycloakSession, userSession, loginSession); Set requestedRoles = new HashSet<>(); for (String roleId : clientSession.getRoles()) { @@ -276,6 +271,6 @@ public class PolicyEvaluationService { representation.getRoleIds().forEach(roleName -> realmAccess.addRole(roleName)); } - return new CloseableKeycloakIdentity(accessToken, keycloakSession, userSession, clientSession); + return new CloseableKeycloakIdentity(accessToken, keycloakSession, userSession); } } \ No newline at end of file diff --git a/services/src/main/java/org/keycloak/broker/provider/HardcodedUserSessionAttributeMapper.java b/services/src/main/java/org/keycloak/broker/provider/HardcodedUserSessionAttributeMapper.java index e46798cd0c..8409206b04 100755 --- a/services/src/main/java/org/keycloak/broker/provider/HardcodedUserSessionAttributeMapper.java +++ b/services/src/main/java/org/keycloak/broker/provider/HardcodedUserSessionAttributeMapper.java @@ -87,14 +87,14 @@ public class HardcodedUserSessionAttributeMapper extends AbstractIdentityProvide public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) { String attribute = mapperModel.getConfig().get(ATTRIBUTE); String attributeValue = mapperModel.getConfig().get(ATTRIBUTE_VALUE); - context.getClientSession().setUserSessionNote(attribute, attributeValue); + context.getLoginSession().setUserSessionNote(attribute, attributeValue); } @Override public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) { String attribute = mapperModel.getConfig().get(ATTRIBUTE); String attributeValue = mapperModel.getConfig().get(ATTRIBUTE_VALUE); - context.getClientSession().setUserSessionNote(attribute, attributeValue); + context.getLoginSession().setUserSessionNote(attribute, attributeValue); } @Override diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java index 9f60404077..b1c087207f 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java @@ -23,8 +23,6 @@ import org.keycloak.authentication.requiredactions.util.UpdateProfileContext; import org.keycloak.authentication.requiredactions.util.UserUpdateProfileContext; import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.common.util.ObjectUtil; -import org.keycloak.email.EmailException; -import org.keycloak.email.EmailTemplateProvider; import org.keycloak.forms.login.LoginFormsPages; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.forms.login.freemarker.model.ClientBean; @@ -39,8 +37,6 @@ import org.keycloak.forms.login.freemarker.model.RequiredActionUrlFormatterMetho import org.keycloak.forms.login.freemarker.model.TotpBean; import org.keycloak.forms.login.freemarker.model.UrlBean; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.Constants; import org.keycloak.models.IdentityProviderModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; @@ -50,6 +46,7 @@ import org.keycloak.models.UserModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.services.Urls; import org.keycloak.services.messages.Messages; +import org.keycloak.sessions.LoginSessionModel; import org.keycloak.theme.BrowserSecurityHeaderSetup; import org.keycloak.theme.FreeMarkerException; import org.keycloak.theme.FreeMarkerUtil; @@ -77,7 +74,6 @@ import java.util.List; import java.util.Locale; import java.util.Map; import java.util.Properties; -import java.util.concurrent.TimeUnit; /** * @author Stian Thorgersen @@ -106,7 +102,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { private UserModel user; - private ClientSessionModel clientSession; + private LoginSessionModel loginSession; private final Map attributes = new HashMap(); public FreeMarkerLoginFormsProvider(KeycloakSession session, FreeMarkerUtil freeMarker) { @@ -145,10 +141,11 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { page = LoginFormsPages.LOGIN_UPDATE_PASSWORD; break; case VERIFY_EMAIL: - try { + // TODO:mposolda It should be also clientSession (actionTicket) involved here. Not just loginSession + /*try { UriBuilder builder = Urls.loginActionEmailVerificationBuilder(uriInfo.getBaseUri()); builder.queryParam(OAuth2Constants.CODE, accessCode); - builder.queryParam(Constants.KEY, clientSession.getNote(Constants.VERIFY_EMAIL_KEY)); + builder.queryParam(Constants.KEY, loginSession.getNote(Constants.VERIFY_EMAIL_KEY)); String link = builder.build(realm.getName()).toString(); long expiration = TimeUnit.SECONDS.toMinutes(realm.getAccessCodeLifespanUserAction()); @@ -157,7 +154,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { } catch (EmailException e) { logger.error("Failed to send verification email", e); return setError(Messages.EMAIL_SENT_ERROR).createErrorPage(); - } + }*/ actionMessage = Messages.VERIFY_EMAIL; page = LoginFormsPages.LOGIN_VERIFY_EMAIL; @@ -298,7 +295,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { attributes.put("register", new RegisterBean(formData)); break; case OAUTH_GRANT: - attributes.put("oauth", new OAuthGrantBean(accessCode, clientSession, client, realmRolesRequested, resourceRolesRequested, protocolMappersRequested, this.accessRequestMessage)); + attributes.put("oauth", new OAuthGrantBean(accessCode, client, realmRolesRequested, resourceRolesRequested, protocolMappersRequested, this.accessRequestMessage)); attributes.put("advancedMsg", new AdvancedMessageFormatterMethod(locale, messagesBundle)); break; case CODE: @@ -485,8 +482,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { } @Override - public Response createOAuthGrant(ClientSessionModel clientSession) { - this.clientSession = clientSession; + public Response createOAuthGrant() { return createResponse(LoginFormsPages.OAUTH_GRANT); } @@ -593,8 +589,8 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { } @Override - public LoginFormsProvider setClientSession(ClientSessionModel clientSession) { - this.clientSession = clientSession; + public LoginFormsProvider setLoginSession(LoginSessionModel loginSession) { + this.loginSession = loginSession; return this; } diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/model/OAuthGrantBean.java b/services/src/main/java/org/keycloak/forms/login/freemarker/model/OAuthGrantBean.java index 556db25a47..bf424cb80d 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/OAuthGrantBean.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/OAuthGrantBean.java @@ -18,7 +18,6 @@ package org.keycloak.forms.login.freemarker.model; import org.jboss.resteasy.specimpl.MultivaluedMapImpl; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.RoleModel; @@ -38,7 +37,7 @@ public class OAuthGrantBean { private ClientModel client; private List claimsRequested; - public OAuthGrantBean(String code, ClientSessionModel clientSession, ClientModel client, List realmRolesRequested, MultivaluedMap resourceRolesRequested, + public OAuthGrantBean(String code, ClientModel client, List realmRolesRequested, MultivaluedMap resourceRolesRequested, List protocolMappersRequested, String accessRequestMessage) { this.code = code; this.client = client; diff --git a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java index 0c1462c787..f0387e8055 100755 --- a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java +++ b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java @@ -30,6 +30,7 @@ import org.keycloak.protocol.LoginProtocol.Error; import org.keycloak.services.ServicesLogger; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.resources.LoginActionsService; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; @@ -63,9 +64,9 @@ public abstract class AuthorizationEndpointBase { this.event = event; } - protected AuthenticationProcessor createProcessor(ClientSessionModel clientSession, String flowId, String flowPath) { + protected AuthenticationProcessor createProcessor(LoginSessionModel loginSession, String flowId, String flowPath) { AuthenticationProcessor processor = new AuthenticationProcessor(); - processor.setClientSession(clientSession) + processor.setLoginSession(loginSession) .setFlowPath(flowPath) .setFlowId(flowId) .setBrowserFlow(true) @@ -81,42 +82,45 @@ public abstract class AuthorizationEndpointBase { /** * Common method to handle browser authentication request in protocols unified way. * - * @param clientSession for current request + * @param loginSession for current request * @param protocol handler for protocol used to initiate login * @param isPassive set to true if login should be passive (without login screen shown) * @param redirectToAuthentication if true redirect to flow url. If initial call to protocol is a POST, you probably want to do this. This is so we can disable the back button on browser * @return response to be returned to the browser */ - protected Response handleBrowserAuthenticationRequest(ClientSessionModel clientSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication) { + protected Response handleBrowserAuthenticationRequest(LoginSessionModel loginSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication) { AuthenticationFlowModel flow = getAuthenticationFlow(); String flowId = flow.getId(); - AuthenticationProcessor processor = createProcessor(clientSession, flowId, LoginActionsService.AUTHENTICATE_PATH); - event.detail(Details.CODE_ID, clientSession.getId()); + AuthenticationProcessor processor = createProcessor(loginSession, flowId, LoginActionsService.AUTHENTICATE_PATH); + event.detail(Details.CODE_ID, loginSession.getId()); if (isPassive) { // OIDC prompt == NONE or SAML 2 IsPassive flag // This means that client is just checking if the user is already completely logged in. // We cancel login if any authentication action or required action is required try { if (processor.authenticateOnly() == null) { - processor.attachSession(); + // processor.attachSession(); } else { - Response response = protocol.sendError(clientSession, Error.PASSIVE_LOGIN_REQUIRED); - session.sessions().removeClientSession(realm, clientSession); + Response response = protocol.sendError(loginSession, Error.PASSIVE_LOGIN_REQUIRED); + session.loginSessions().removeLoginSession(realm, loginSession); return response; } if (processor.isActionRequired()) { - Response response = protocol.sendError(clientSession, Error.PASSIVE_INTERACTION_REQUIRED); - session.sessions().removeClientSession(realm, clientSession); + Response response = protocol.sendError(loginSession, Error.PASSIVE_INTERACTION_REQUIRED); + session.loginSessions().removeLoginSession(realm, loginSession); return response; - } + + // Attach session once no requiredActions or other things are required + processor.attachSession(); } catch (Exception e) { return processor.handleBrowserException(e); } return processor.finishAuthentication(protocol); } else { try { - RestartLoginCookie.setRestartCookie(session, realm, clientConnection, uriInfo, clientSession); + // TODO: Check if this is required... + RestartLoginCookie.setRestartCookie(session, realm, clientConnection, uriInfo, loginSession); if (redirectToAuthentication) { return processor.redirectToFlow(); } diff --git a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java index 51bdd81034..4fda88959f 100644 --- a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java +++ b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java @@ -31,6 +31,7 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.util.CookieHelper; +import org.keycloak.sessions.LoginSessionModel; import javax.crypto.SecretKey; import javax.ws.rs.core.Cookie; @@ -125,10 +126,10 @@ public class RestartLoginCookie { public RestartLoginCookie() { } - public RestartLoginCookie(ClientSessionModel clientSession) { + public RestartLoginCookie(LoginSessionModel clientSession) { this.action = clientSession.getAction(); this.clientId = clientSession.getClient().getClientId(); - this.authMethod = clientSession.getAuthMethod(); + this.authMethod = clientSession.getProtocol(); this.redirectUri = clientSession.getRedirectUri(); this.clientSession = clientSession.getId(); for (Map.Entry entry : clientSession.getNotes().entrySet()) { @@ -136,8 +137,8 @@ public class RestartLoginCookie { } } - public static void setRestartCookie(KeycloakSession session, RealmModel realm, ClientConnection connection, UriInfo uriInfo, ClientSessionModel clientSession) { - RestartLoginCookie restart = new RestartLoginCookie(clientSession); + public static void setRestartCookie(KeycloakSession session, RealmModel realm, ClientConnection connection, UriInfo uriInfo, LoginSessionModel loginSession) { + RestartLoginCookie restart = new RestartLoginCookie(loginSession); String encoded = restart.encode(session, realm); String path = AuthenticationManager.getRealmCookiePath(realm, uriInfo); boolean secureOnly = realm.getSslRequired().isRequired(connection); @@ -150,6 +151,8 @@ public class RestartLoginCookie { CookieHelper.addCookie(KC_RESTART, "", path, null, null, 0, secureOnly, true); } + // TODO:mposolda + /* public static ClientSessionModel restartSession(KeycloakSession session, RealmModel realm, String code) throws Exception { Cookie cook = session.getContext().getRequestHeaders().getCookies().get(KC_RESTART); if (cook == null) { @@ -183,5 +186,5 @@ public class RestartLoginCookie { } return clientSession; - } + }*/ } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java index 4c0691a974..5dd0433a9a 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java @@ -23,8 +23,8 @@ import org.keycloak.common.util.Time; import org.keycloak.events.Details; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; @@ -38,6 +38,8 @@ import org.keycloak.services.ServicesLogger; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ResourceAdminManager; +import org.keycloak.sessions.CommonClientSessionModel; +import org.keycloak.sessions.LoginSessionModel; import org.keycloak.util.TokenUtil; import javax.ws.rs.core.HttpHeaders; @@ -128,7 +130,7 @@ public class OIDCLoginProtocol implements LoginProtocol { } - private void setupResponseTypeAndMode(ClientSessionModel clientSession) { + private void setupResponseTypeAndMode(CommonClientSessionModel clientSession) { String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); String responseMode = clientSession.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); this.responseType = OIDCResponseType.parse(responseType); @@ -169,8 +171,8 @@ public class OIDCLoginProtocol implements LoginProtocol { @Override - public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { - ClientSessionModel clientSession = accessCode.getClientSession(); + public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { + ClientLoginSessionModel clientSession = accessCode.getClientSession(); setupResponseTypeAndMode(clientSession); String redirect = clientSession.getRedirectUri(); @@ -182,7 +184,7 @@ public class OIDCLoginProtocol implements LoginProtocol { // Standard or hybrid flow if (responseType.hasResponseType(OIDCResponseType.CODE)) { - accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name()); + accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name()); redirectUri.addParam(OAuth2Constants.CODE, accessCode.getCode()); } @@ -227,15 +229,15 @@ public class OIDCLoginProtocol implements LoginProtocol { @Override - public Response sendError(ClientSessionModel clientSession, Error error) { - setupResponseTypeAndMode(clientSession); + public Response sendError(LoginSessionModel loginSession, Error error) { + setupResponseTypeAndMode(loginSession); - String redirect = clientSession.getRedirectUri(); - String state = clientSession.getNote(OIDCLoginProtocol.STATE_PARAM); + String redirect = loginSession.getRedirectUri(); + String state = loginSession.getNote(OIDCLoginProtocol.STATE_PARAM); OIDCRedirectUriBuilder redirectUri = OIDCRedirectUriBuilder.fromUri(redirect, responseMode).addParam(OAuth2Constants.ERROR, translateError(error)); if (state != null) redirectUri.addParam(OAuth2Constants.STATE, state); - session.sessions().removeClientSession(realm, clientSession); + session.loginSessions().removeLoginSession(realm, loginSession); RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); return redirectUri.build(); } @@ -256,13 +258,13 @@ public class OIDCLoginProtocol implements LoginProtocol { } @Override - public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) { + public void backchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession) { ClientModel client = clientSession.getClient(); new ResourceAdminManager(session).logoutClientSession(uriInfo.getRequestUri(), realm, client, clientSession); } @Override - public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) { + public Response frontchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession) { // todo oidc redirect support throw new RuntimeException("NOT IMPLEMENTED"); } @@ -289,18 +291,18 @@ public class OIDCLoginProtocol implements LoginProtocol { @Override - public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) { - return isPromptLogin(clientSession) || isAuthTimeExpired(userSession, clientSession); + public boolean requireReauthentication(UserSessionModel userSession, LoginSessionModel loginSession) { + return isPromptLogin(loginSession) || isAuthTimeExpired(userSession, loginSession); } - protected boolean isPromptLogin(ClientSessionModel clientSession) { - String prompt = clientSession.getNote(OIDCLoginProtocol.PROMPT_PARAM); + protected boolean isPromptLogin(LoginSessionModel loginSession) { + String prompt = loginSession.getNote(OIDCLoginProtocol.PROMPT_PARAM); return TokenUtil.hasPrompt(prompt, OIDCLoginProtocol.PROMPT_VALUE_LOGIN); } - protected boolean isAuthTimeExpired(UserSessionModel userSession, ClientSessionModel clientSession) { + protected boolean isAuthTimeExpired(UserSessionModel userSession, LoginSessionModel loginSession) { String authTime = userSession.getNote(AuthenticationManager.AUTH_TIME); - String maxAge = clientSession.getNote(OIDCLoginProtocol.MAX_AGE_PARAM); + String maxAge = loginSession.getNote(OIDCLoginProtocol.MAX_AGE_PARAM); if (maxAge == null) { return false; } @@ -310,7 +312,7 @@ public class OIDCLoginProtocol implements LoginProtocol { if (authTimeInt + maxAgeInt < Time.currentTime()) { logger.debugf("Authentication time is expired, needs to reauthenticate. userSession=%s, clientId=%s, maxAge=%d, authTime=%d", userSession.getId(), - clientSession.getClient().getId(), maxAgeInt, authTimeInt); + loginSession.getClient().getId(), maxAgeInt, authTimeInt); return true; } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java index 4cedd6bd98..49a47a1c2d 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java @@ -31,6 +31,7 @@ import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInputException; import org.keycloak.jose.jws.crypto.HashProvider; import org.keycloak.jose.jws.crypto.RSAProvider; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ClientTemplateModel; @@ -38,7 +39,6 @@ import org.keycloak.models.GroupModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; -import org.keycloak.models.ModelException; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; @@ -60,6 +60,7 @@ import org.keycloak.services.ErrorResponseException; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.UserSessionManager; +import org.keycloak.sessions.LoginSessionModel; import org.keycloak.util.TokenUtil; import org.keycloak.common.util.Time; @@ -107,10 +108,10 @@ public class TokenManager { public static class TokenValidation { public final UserModel user; public final UserSessionModel userSession; - public final ClientSessionModel clientSession; + public final ClientLoginSessionModel clientSession; public final AccessToken newToken; - public TokenValidation(UserModel user, UserSessionModel userSession, ClientSessionModel clientSession, AccessToken newToken) { + public TokenValidation(UserModel user, UserSessionModel userSession, ClientLoginSessionModel clientSession, AccessToken newToken) { this.user = user; this.userSession = userSession; this.clientSession = clientSession; @@ -129,29 +130,18 @@ public class TokenManager { } UserSessionModel userSession = null; - ClientSessionModel clientSession = null; if (TokenUtil.TOKEN_TYPE_OFFLINE.equals(oldToken.getType())) { UserSessionManager sessionManager = new UserSessionManager(session); - clientSession = sessionManager.findOfflineClientSession(realm, oldToken.getClientSession()); - if (clientSession != null) { - userSession = clientSession.getUserSession(); - - if (userSession == null) { - throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Offline user session not found", "Offline user session not found"); - } - - String userSessionId = oldToken.getSessionState(); - if (!userSessionId.equals(userSession.getId())) { - throw new ModelException("User session don't match. Offline client session " + clientSession.getId() + ", It's user session " + userSession.getId() + - " Wanted user session: " + userSessionId); - } + userSession = sessionManager.findOfflineUserSession(realm, oldToken.getSessionState()); + if (userSession != null) { // Revoke timeouted offline userSession if (userSession.getLastSessionRefresh() < Time.currentTime() - realm.getOfflineSessionIdleTimeout()) { sessionManager.revokeOfflineUserSession(userSession); - throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Offline user session not active", "Offline user session session not active"); + throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Offline session not active", "Offline session not active"); } + } } else { // Find userSession regularly for online tokens @@ -160,20 +150,14 @@ public class TokenManager { AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, connection, headers, true); throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Session not active", "Session not active"); } - - for (ClientSessionModel clientSessionModel : userSession.getClientSessions()) { - if (clientSessionModel.getId().equals(oldToken.getClientSession())) { - clientSession = clientSessionModel; - break; - } - } } - if (clientSession == null) { - throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Client session not active", "Client session not active"); + if (userSession == null) { + throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Offline user session not found", "Offline user session not found"); } - ClientModel client = clientSession.getClient(); + ClientModel client = session.getContext().getClient(); + ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(client.getId()); if (!client.getClientId().equals(oldToken.getIssuedFor())) { throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Unmatching clients", "Unmatching clients"); @@ -221,18 +205,30 @@ public class TokenManager { } } +<<<<<<< f392e79ad781014387c9fe5724815b24eab7a35f userSession = session.sessions().getOfflineUserSession(realm, token.getSessionState()); if (AuthenticationManager.isOfflineSessionValid(realm, userSession)) { ClientSessionModel clientSession = session.sessions().getOfflineClientSession(realm, token.getClientSession()); if (clientSession != null) { return true; } +======= + ClientModel client = realm.getClientByClientId(token.getIssuedFor()); + if (client == null || !client.isEnabled()) { + return false; + } + + ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(client.getId()); + if (clientSession == null) { + return false; +>>>>>>> KEYCLOAK-4626 AuthenticationSessions: start } return false; } - public RefreshResult refreshAccessToken(KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException { + public RefreshResult refreshAccessToken(KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, + String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException { RefreshToken refreshToken = verifyRefreshToken(session, realm, encodedRefreshToken); event.user(refreshToken.getSubject()).session(refreshToken.getSessionState()) @@ -349,7 +345,8 @@ public class TokenManager { } } - public AccessToken createClientAccessToken(KeycloakSession session, Set requestedRoles, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, ClientSessionModel clientSession) { + public AccessToken createClientAccessToken(KeycloakSession session, Set requestedRoles, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, + ClientLoginSessionModel clientSession) { AccessToken token = initToken(realm, client, user, userSession, clientSession, session.getContext().getUri()); for (RoleModel role : requestedRoles) { addComposites(token, role); @@ -358,17 +355,14 @@ public class TokenManager { return token; } - public static void attachClientSession(UserSessionModel session, ClientSessionModel clientSession) { - if (clientSession.getUserSession() != null) { - return; - } + public static ClientLoginSessionModel attachLoginSession(KeycloakSession session, UserSessionModel userSession, LoginSessionModel loginSession) { + UserModel user = userSession.getUser(); + ClientModel client = loginSession.getClient(); + ClientLoginSessionModel clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); - UserModel user = session.getUser(); - clientSession.setUserSession(session); Set requestedRoles = new HashSet(); // todo scope param protocol independent - String scopeParam = clientSession.getNote(OAuth2Constants.SCOPE); - ClientModel client = clientSession.getClient(); + String scopeParam = loginSession.getNote(OAuth2Constants.SCOPE); for (RoleModel r : TokenManager.getAccess(scopeParam, true, client, user)) { requestedRoles.add(r.getId()); } @@ -378,28 +372,41 @@ public class TokenManager { ClientTemplateModel clientTemplate = client.getClientTemplate(); if (clientTemplate != null && client.useTemplateMappers()) { for (ProtocolMapperModel protocolMapper : clientTemplate.getProtocolMappers()) { - if (protocolMapper.getProtocol().equals(clientSession.getAuthMethod())) { + if (protocolMapper.getProtocol().equals(loginSession.getProtocol())) { requestedProtocolMappers.add(protocolMapper.getId()); } } } for (ProtocolMapperModel protocolMapper : client.getProtocolMappers()) { - if (protocolMapper.getProtocol().equals(clientSession.getAuthMethod())) { + if (protocolMapper.getProtocol().equals(loginSession.getProtocol())) { requestedProtocolMappers.add(protocolMapper.getId()); } } clientSession.setProtocolMappers(requestedProtocolMappers); - Map transferredNotes = clientSession.getUserSessionNotes(); + Map transferredNotes = loginSession.getNotes(); for (Map.Entry entry : transferredNotes.entrySet()) { - session.setNote(entry.getKey(), entry.getValue()); + clientSession.setNote(entry.getKey(), entry.getValue()); } + Map transferredUserSessionNotes = loginSession.getUserSessionNotes(); + for (Map.Entry entry : transferredUserSessionNotes.entrySet()) { + userSession.setNote(entry.getKey(), entry.getValue()); + } + + clientSession.setTimestamp(Time.currentTime()); + + userSession.getClientLoginSessions().put(client.getId(), clientSession); + + // Remove login session now + session.loginSessions().removeLoginSession(userSession.getRealm(), loginSession); + + return clientSession; } - public static void dettachClientSession(UserSessionProvider sessions, RealmModel realm, ClientSessionModel clientSession) { + public static void dettachClientSession(UserSessionProvider sessions, RealmModel realm, ClientLoginSessionModel clientSession) { UserSessionModel userSession = clientSession.getUserSession(); if (userSession == null) { return; @@ -543,8 +550,8 @@ public class TokenManager { } public AccessToken transformAccessToken(KeycloakSession session, AccessToken token, RealmModel realm, ClientModel client, UserModel user, - UserSessionModel userSession, ClientSessionModel clientSession) { - Set mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers(); + UserSessionModel userSession, ClientLoginSessionModel clientSession) { + Set mappings = ClientSessionCode.getRequestedProtocolMappers(clientSession.getProtocolMappers(), client); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); for (ProtocolMapperModel mapping : mappings) { @@ -558,8 +565,8 @@ public class TokenManager { } public AccessToken transformUserInfoAccessToken(KeycloakSession session, AccessToken token, RealmModel realm, ClientModel client, UserModel user, - UserSessionModel userSession, ClientSessionModel clientSession) { - Set mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers(); + UserSessionModel userSession, ClientLoginSessionModel clientSession) { + Set mappings = ClientSessionCode.getRequestedProtocolMappers(clientSession.getProtocolMappers(), client); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); for (ProtocolMapperModel mapping : mappings) { @@ -573,8 +580,8 @@ public class TokenManager { } public void transformIDToken(KeycloakSession session, IDToken token, RealmModel realm, ClientModel client, UserModel user, - UserSessionModel userSession, ClientSessionModel clientSession) { - Set mappings = new ClientSessionCode(session, realm, clientSession).getRequestedProtocolMappers(); + UserSessionModel userSession, ClientLoginSessionModel clientSession) { + Set mappings = ClientSessionCode.getRequestedProtocolMappers(clientSession.getProtocolMappers(), client); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); for (ProtocolMapperModel mapping : mappings) { @@ -585,9 +592,9 @@ public class TokenManager { } } - protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientSessionModel clientSession, UriInfo uriInfo) { + protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientLoginSessionModel clientSession, UriInfo uriInfo) { AccessToken token = new AccessToken(); - if (clientSession != null) token.clientSession(clientSession.getId()); + token.clientSession(clientSession.getId()); token.id(KeycloakModelUtils.generateId()); token.type(TokenUtil.TOKEN_TYPE_BEARER); token.subject(user.getId()); @@ -607,9 +614,9 @@ public class TokenManager { token.setAuthTime(Integer.parseInt(authTime)); } - if (session != null) { - token.setSessionState(session.getId()); - } + + token.setSessionState(session.getId()); + int tokenLifespan = getTokenLifespan(realm, clientSession); if (tokenLifespan > 0) { token.expiration(Time.currentTime() + tokenLifespan); @@ -621,7 +628,7 @@ public class TokenManager { return token; } - private int getTokenLifespan(RealmModel realm, ClientSessionModel clientSession) { + private int getTokenLifespan(RealmModel realm, ClientLoginSessionModel clientSession) { boolean implicitFlow = false; String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); if (responseType != null) { @@ -663,7 +670,7 @@ public class TokenManager { return new JWSBuilder().type(JWT).kid(activeRsaKey.getKid()).jsonContent(token).sign(jwsAlgorithm, activeRsaKey.getPrivateKey()); } - public AccessTokenResponseBuilder responseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public AccessTokenResponseBuilder responseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { return new AccessTokenResponseBuilder(realm, client, event, session, userSession, clientSession); } @@ -673,7 +680,7 @@ public class TokenManager { EventBuilder event; KeycloakSession session; UserSessionModel userSession; - ClientSessionModel clientSession; + ClientLoginSessionModel clientSession; AccessToken accessToken; RefreshToken refreshToken; @@ -682,7 +689,7 @@ public class TokenManager { boolean generateAccessTokenHash = false; String codeHash; - public AccessTokenResponseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public AccessTokenResponseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { this.realm = realm; this.client = client; this.event = event; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java index 1588321f31..3a41f92daa 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java @@ -44,6 +44,7 @@ import org.keycloak.services.Urls; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; +import org.keycloak.sessions.LoginSessionModel; import org.keycloak.util.TokenUtil; import javax.ws.rs.GET; @@ -63,12 +64,12 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { public static final String CODE_AUTH_TYPE = "code"; /** - * Prefix used to store additional HTTP GET params from original client request into {@link ClientSessionModel} note to be available later in Authenticators, RequiredActions etc. Prefix is used to + * Prefix used to store additional HTTP GET params from original client request into {@link LoginSessionModel} note to be available later in Authenticators, RequiredActions etc. Prefix is used to * prevent collisions with internally used notes. * - * @see ClientSessionModel#getNote(String) + * @see LoginSessionModel#getNote(String) */ - public static final String CLIENT_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_"; + public static final String LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_"; // https://tools.ietf.org/html/rfc7636#section-4.2 private static final Pattern VALID_CODE_CHALLENGE_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$"); @@ -78,7 +79,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { } private ClientModel client; - private ClientSessionModel clientSession; + private LoginSessionModel loginSession; private Action action; private OIDCResponseType parsedResponseType; @@ -125,7 +126,8 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { return errorResponse; } - createClientSession(); + createLoginSession(); + // So back button doesn't work CacheControlUtil.noBackButtonCacheControlHeader(); switch (action) { @@ -356,44 +358,44 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { } } - private void createClientSession() { - clientSession = session.sessions().createClientSession(realm, client); - clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); - clientSession.setRedirectUri(redirectUri); - clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - clientSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType()); - clientSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam()); - clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + private void createLoginSession() { + loginSession = session.loginSessions().createLoginSession(realm, client, true); + loginSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + loginSession.setRedirectUri(redirectUri); + loginSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + loginSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType()); + loginSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam()); + loginSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - if (request.getState() != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, request.getState()); - if (request.getNonce() != null) clientSession.setNote(OIDCLoginProtocol.NONCE_PARAM, request.getNonce()); - if (request.getMaxAge() != null) clientSession.setNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(request.getMaxAge())); - if (request.getScope() != null) clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, request.getScope()); - if (request.getLoginHint() != null) clientSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, request.getLoginHint()); - if (request.getPrompt() != null) clientSession.setNote(OIDCLoginProtocol.PROMPT_PARAM, request.getPrompt()); - if (request.getIdpHint() != null) clientSession.setNote(AdapterConstants.KC_IDP_HINT, request.getIdpHint()); - if (request.getResponseMode() != null) clientSession.setNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, request.getResponseMode()); + if (request.getState() != null) loginSession.setNote(OIDCLoginProtocol.STATE_PARAM, request.getState()); + if (request.getNonce() != null) loginSession.setNote(OIDCLoginProtocol.NONCE_PARAM, request.getNonce()); + if (request.getMaxAge() != null) loginSession.setNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(request.getMaxAge())); + if (request.getScope() != null) loginSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, request.getScope()); + if (request.getLoginHint() != null) loginSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, request.getLoginHint()); + if (request.getPrompt() != null) loginSession.setNote(OIDCLoginProtocol.PROMPT_PARAM, request.getPrompt()); + if (request.getIdpHint() != null) loginSession.setNote(AdapterConstants.KC_IDP_HINT, request.getIdpHint()); + if (request.getResponseMode() != null) loginSession.setNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, request.getResponseMode()); // https://tools.ietf.org/html/rfc7636#section-4 - if (request.getCodeChallenge() != null) clientSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_PARAM, request.getCodeChallenge()); + if (request.getCodeChallenge() != null) loginSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_PARAM, request.getCodeChallenge()); if (request.getCodeChallengeMethod() != null) { - clientSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, request.getCodeChallengeMethod()); + loginSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, request.getCodeChallengeMethod()); } else { - clientSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, OIDCLoginProtocol.PKCE_METHOD_PLAIN); + loginSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, OIDCLoginProtocol.PKCE_METHOD_PLAIN); } if (request.getAdditionalReqParams() != null) { for (String paramName : request.getAdditionalReqParams().keySet()) { - clientSession.setNote(CLIENT_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + paramName, request.getAdditionalReqParams().get(paramName)); + loginSession.setNote(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + paramName, request.getAdditionalReqParams().get(paramName)); } } } private Response buildAuthorizationCodeAuthorizationResponse() { this.event.event(EventType.LOGIN); - clientSession.setNote(Details.AUTH_TYPE, CODE_AUTH_TYPE); + loginSession.setNote(Details.AUTH_TYPE, CODE_AUTH_TYPE); - return handleBrowserAuthenticationRequest(clientSession, new OIDCLoginProtocol(session, realm, uriInfo, headers, event), TokenUtil.hasPrompt(request.getPrompt(), OIDCLoginProtocol.PROMPT_VALUE_NONE), false); + return handleBrowserAuthenticationRequest(loginSession, new OIDCLoginProtocol(session, realm, uriInfo, headers, event), TokenUtil.hasPrompt(request.getPrompt(), OIDCLoginProtocol.PROMPT_VALUE_NONE), false); } private Response buildRegister() { @@ -402,7 +404,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { AuthenticationFlowModel flow = realm.getRegistrationFlow(); String flowId = flow.getId(); - AuthenticationProcessor processor = createProcessor(clientSession, flowId, LoginActionsService.REGISTRATION_PATH); + AuthenticationProcessor processor = createProcessor(loginSession, flowId, LoginActionsService.REGISTRATION_PATH); return processor.authenticate(); } @@ -413,7 +415,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { AuthenticationFlowModel flow = realm.getResetCredentialsFlow(); String flowId = flow.getId(); - AuthenticationProcessor processor = createProcessor(clientSession, flowId, LoginActionsService.RESET_CREDENTIALS_PATH); + AuthenticationProcessor processor = createProcessor(loginSession, flowId, LoginActionsService.RESET_CREDENTIALS_PATH); return processor.authenticate(); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java index 8fa4341344..e308bc9f51 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java @@ -32,13 +32,12 @@ import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.models.AuthenticationFlowModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; -import org.keycloak.models.UserSessionProvider; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.TokenManager; import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil; @@ -52,6 +51,7 @@ import org.keycloak.services.managers.ClientManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.RealmManager; import org.keycloak.services.resources.Cors; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.OPTIONS; import javax.ws.rs.POST; @@ -62,7 +62,6 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; -import java.util.List; import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -208,29 +207,37 @@ public class TokenEndpoint { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: " + OAuth2Constants.CODE, Response.Status.BAD_REQUEST); } - ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm); - if (parseResult.isClientSessionNotFound() || parseResult.isIllegalHash()) { + ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm, ClientLoginSessionModel.class); + if (parseResult.isLoginSessionNotFound() || parseResult.isIllegalHash()) { String[] parts = code.split("\\."); if (parts.length == 2) { event.detail(Details.CODE_ID, parts[1]); } event.error(Errors.INVALID_CODE); - if (parseResult.getClientSession() != null) { - session.sessions().removeClientSession(realm, parseResult.getClientSession()); + + // Attempt to use same code twice should invalidate existing clientSession + ClientLoginSessionModel clientSession = parseResult.getClientSession(); + if (clientSession != null) { + UserSessionModel userSession = clientSession.getUserSession(); + String clientUUID = clientSession.getClient().getId(); + userSession.getClientLoginSessions().remove(clientUUID); } + throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code not valid", Response.Status.BAD_REQUEST); } - ClientSessionModel clientSession = parseResult.getClientSession(); + ClientLoginSessionModel clientSession = parseResult.getClientSession(); event.detail(Details.CODE_ID, clientSession.getId()); - if (!parseResult.getCode().isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) { + if (!parseResult.getCode().isValid(ClientLoginSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) { event.error(Errors.INVALID_CODE); throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code is expired", Response.Status.BAD_REQUEST); } + // TODO: This shouldn't be needed to write into the clientLoginSessionModel itself parseResult.getCode().setAction(null); + // TODO: Maybe rather create userSession even at this stage? Not sure... UserSessionModel userSession = clientSession.getUserSession(); if (userSession == null) { @@ -355,7 +362,8 @@ public class TokenEndpoint { if (!result.isOfflineToken()) { UserSessionModel userSession = session.sessions().getUserSession(realm, res.getSessionState()); - updateClientSessions(userSession.getClientSessions()); + ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(client.getId()); + updateClientSession(clientSession); updateUserSessionFromClientAuth(userSession); } @@ -369,7 +377,7 @@ public class TokenEndpoint { return Cors.add(request, Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).auth().allowedOrigins(uriInfo, client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build(); } - private void updateClientSession(ClientSessionModel clientSession) { + private void updateClientSession(ClientLoginSessionModel clientSession) { if(clientSession == null) { ServicesLogger.LOGGER.clientSessionNull(); @@ -388,26 +396,6 @@ public class TokenEndpoint { } } - private void updateClientSessions(List clientSessions) { - if(clientSessions == null) { - ServicesLogger.LOGGER.clientSessionNull(); - return; - } - for (ClientSessionModel clientSession : clientSessions) { - if(clientSession == null) { - ServicesLogger.LOGGER.clientSessionNull(); - continue; - } - if(clientSession.getClient() == null) { - ServicesLogger.LOGGER.clientModelNull(); - continue; - } - if(client.getId().equals(clientSession.getClient().getId())) { - updateClientSession(clientSession); - } - } - } - private void updateUserSessionFromClientAuth(UserSessionModel userSession) { for (Map.Entry attr : clientAuthAttributes.entrySet()) { userSession.setNote(attr.getKey(), attr.getValue()); @@ -428,17 +416,16 @@ public class TokenEndpoint { } String scope = formParams.getFirst(OAuth2Constants.SCOPE); - UserSessionProvider sessions = session.sessions(); - ClientSessionModel clientSession = sessions.createClientSession(realm, client); - clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); - clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); + LoginSessionModel loginSession = session.loginSessions().createLoginSession(realm, client, false); + loginSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + loginSession.setAction(ClientLoginSessionModel.Action.AUTHENTICATE.name()); + loginSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + loginSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); AuthenticationFlowModel flow = realm.getDirectGrantFlow(); String flowId = flow.getId(); AuthenticationProcessor processor = new AuthenticationProcessor(); - processor.setClientSession(clientSession) + processor.setLoginSession(loginSession) .setFlowId(flowId) .setConnection(clientConnection) .setEventBuilder(event) @@ -449,13 +436,13 @@ public class TokenEndpoint { Response challenge = processor.authenticateOnly(); if (challenge != null) return challenge; processor.evaluateRequiredActionTriggers(); - UserModel user = clientSession.getAuthenticatedUser(); + UserModel user = loginSession.getAuthenticatedUser(); if (user.getRequiredActions() != null && user.getRequiredActions().size() > 0) { event.error(Errors.RESOLVE_REQUIRED_ACTIONS); throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Account is not fully set up", Response.Status.BAD_REQUEST); } - processor.attachSession(); + ClientLoginSessionModel clientSession = processor.attachSession(); UserSessionModel userSession = processor.getUserSession(); updateUserSessionFromClientAuth(userSession); @@ -505,17 +492,15 @@ public class TokenEndpoint { String scope = formParams.getFirst(OAuth2Constants.SCOPE); - UserSessionProvider sessions = session.sessions(); + LoginSessionModel loginSession = session.loginSessions().createLoginSession(realm, client, false); + loginSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + loginSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + loginSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); - ClientSessionModel clientSession = sessions.createClientSession(realm, client); - clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); - clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); - - UserSessionModel userSession = sessions.createUserSession(realm, clientUser, clientUsername, clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null); + UserSessionModel userSession = session.sessions().createUserSession(realm, clientUser, clientUsername, clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null); event.session(userSession); - TokenManager.attachClientSession(userSession, clientSession); + ClientLoginSessionModel clientSession = TokenManager.attachLoginSession(session, userSession, loginSession); // Notes about client details userSession.setNote(ServiceAccountConstants.CLIENT_ID, client.getClientId()); diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java index 8984a4db56..763da1e38c 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java @@ -29,6 +29,7 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.jose.jws.Algorithm; import org.keycloak.jose.jws.JWSBuilder; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java index efe9434b84..d43934370c 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.oidc.mappers; import org.keycloak.Config; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.ProtocolMapperModel; @@ -61,7 +61,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper { } public AccessToken transformUserInfoToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession) { + UserSessionModel userSession, ClientLoginSessionModel clientSession) { if (!OIDCAttributeMapperHelper.includeInUserInfo(mappingModel)) { return token; @@ -72,7 +72,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper { } public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession) { + UserSessionModel userSession, ClientLoginSessionModel clientSession) { if (!OIDCAttributeMapperHelper.includeInAccessToken(mappingModel)){ return token; @@ -83,7 +83,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper { } public IDToken transformIDToken(IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession) { + UserSessionModel userSession, ClientLoginSessionModel clientSession) { if (!OIDCAttributeMapperHelper.includeInIDToken(mappingModel)){ return token; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.java index 4666034705..4b8b1f3a47 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.java @@ -1,7 +1,7 @@ package org.keycloak.protocol.oidc.mappers; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperContainerModel; import org.keycloak.models.ProtocolMapperModel; @@ -64,19 +64,19 @@ public abstract class AbstractPairwiseSubMapper extends AbstractOIDCProtocolMapp } @Override - public final IDToken transformIDToken(IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public final IDToken transformIDToken(IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { setSubject(token, generateSub(mappingModel, getSectorIdentifier(clientSession.getClient(), mappingModel), userSession.getUser().getId())); return token; } @Override - public final AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public final AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { setSubject(token, generateSub(mappingModel, getSectorIdentifier(clientSession.getClient(), mappingModel), userSession.getUser().getId())); return token; } @Override - public final AccessToken transformUserInfoToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public final AccessToken transformUserInfoToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { setSubject(token, generateSub(mappingModel, getSectorIdentifier(clientSession.getClient(), mappingModel), userSession.getUser().getId())); return token; } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/FullNameMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/FullNameMapper.java index 1e4ad9df09..1e9b3e251f 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/FullNameMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/FullNameMapper.java @@ -17,14 +17,11 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.provider.ProviderConfigProperty; -import org.keycloak.representations.AccessToken; import org.keycloak.representations.IDToken; import java.util.ArrayList; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/GroupMembershipMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/GroupMembershipMapper.java index 41dbb47db9..b733f5c1e1 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/GroupMembershipMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/GroupMembershipMapper.java @@ -17,15 +17,12 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.GroupModel; -import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.ModelToRepresentation; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.provider.ProviderConfigProperty; -import org.keycloak.representations.AccessToken; import org.keycloak.representations.IDToken; import java.util.ArrayList; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedClaim.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedClaim.java index 40628245dd..8d48ccf47d 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedClaim.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedClaim.java @@ -17,13 +17,10 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.provider.ProviderConfigProperty; -import org.keycloak.representations.AccessToken; import org.keycloak.representations.IDToken; import java.util.ArrayList; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedRole.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedRole.java index 03ecb91eb6..7ebb435695 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedRole.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedRole.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -82,7 +82,7 @@ public class HardcodedRole extends AbstractOIDCProtocolMapper implements OIDCAcc @Override public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession) { + UserSessionModel userSession, ClientLoginSessionModel clientSession) { String role = mappingModel.getConfig().get(ROLE_CONFIG); String[] scopedRole = KeycloakModelUtils.parseRole(role); diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper.java index 71dce26829..387ef5c79b 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.representations.AccessToken; public interface OIDCAccessTokenMapper { AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession); + UserSessionModel userSession, ClientLoginSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCIDTokenMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCIDTokenMapper.java index dabc4a35cd..ca80ed5113 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCIDTokenMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCIDTokenMapper.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.representations.IDToken; public interface OIDCIDTokenMapper { IDToken transformIDToken(IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession); + UserSessionModel userSession, ClientLoginSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/RoleNameMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/RoleNameMapper.java index fcdc373904..c91040054f 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/RoleNameMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/RoleNameMapper.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -25,7 +25,6 @@ import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.representations.AccessToken; -import org.keycloak.representations.IDToken; import java.util.ArrayList; import java.util.HashMap; @@ -90,7 +89,7 @@ public class RoleNameMapper extends AbstractOIDCProtocolMapper implements OIDCAc @Override public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession) { + UserSessionModel userSession, ClientLoginSessionModel clientSession) { String role = mappingModel.getConfig().get(ROLE_CONFIG); String newName = mappingModel.getConfig().get(NEW_ROLE_NAME); diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserAttributeMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserAttributeMapper.java index e6d0d209f5..9b2cf0f24a 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserAttributeMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserAttributeMapper.java @@ -17,15 +17,12 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.ProtocolMapperUtils; import org.keycloak.provider.ProviderConfigProperty; -import org.keycloak.representations.AccessToken; import org.keycloak.representations.IDToken; import java.util.ArrayList; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserInfoTokenMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserInfoTokenMapper.java index 67ac1a2797..af5084c5f6 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserInfoTokenMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserInfoTokenMapper.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -29,5 +29,5 @@ import org.keycloak.representations.AccessToken; public interface UserInfoTokenMapper { AccessToken transformUserInfoToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession); + UserSessionModel userSession, ClientLoginSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserPropertyMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserPropertyMapper.java index 6fd649199d..2fc84ff1e9 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserPropertyMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserPropertyMapper.java @@ -17,14 +17,11 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.ProtocolMapperUtils; import org.keycloak.provider.ProviderConfigProperty; -import org.keycloak.representations.AccessToken; import org.keycloak.representations.IDToken; import java.util.ArrayList; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserSessionNoteMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserSessionNoteMapper.java index fd6bfe1c68..aadee6c9db 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserSessionNoteMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserSessionNoteMapper.java @@ -17,14 +17,11 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.ProtocolMapperUtils; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.provider.ProviderConfigProperty; -import org.keycloak.representations.AccessToken; import org.keycloak.representations.IDToken; import java.util.ArrayList; diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java index 20d86c0404..04da54a76e 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java @@ -30,8 +30,8 @@ import org.keycloak.dom.saml.v2.assertion.AssertionType; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; import org.keycloak.dom.saml.v2.protocol.ResponseType; import org.keycloak.events.EventBuilder; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; @@ -40,7 +40,6 @@ import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.LoginProtocol; import org.keycloak.protocol.ProtocolMapper; -import org.keycloak.protocol.RestartLoginCookie; import org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper; import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper; import org.keycloak.protocol.saml.mappers.SAMLRoleListMapper; @@ -61,6 +60,8 @@ import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ResourceAdminManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.RealmsResource; +import org.keycloak.sessions.CommonClientSessionModel; +import org.keycloak.sessions.LoginSessionModel; import org.w3c.dom.Document; import javax.ws.rs.core.HttpHeaders; @@ -156,9 +157,9 @@ public class SamlProtocol implements LoginProtocol { } @Override - public Response sendError(ClientSessionModel clientSession, Error error) { + public Response sendError(LoginSessionModel loginSession, Error error) { try { - ClientModel client = clientSession.getClient(); + ClientModel client = loginSession.getClient(); if ("true".equals(client.getAttribute(SAML_IDP_INITIATED_LOGIN))) { if (error == Error.CANCELLED_BY_USER) { @@ -173,9 +174,9 @@ public class SamlProtocol implements LoginProtocol { return ErrorPage.error(session, translateErrorToIdpInitiatedErrorMessage(error)); } } else { - SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(clientSession.getRedirectUri()).issuer(getResponseIssuer(realm)).status(translateErrorToSAMLStatus(error).get()); + SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(loginSession.getRedirectUri()).issuer(getResponseIssuer(realm)).status(translateErrorToSAMLStatus(error).get()); try { - JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder().relayState(clientSession.getNote(GeneralConstants.RELAY_STATE)); + JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder().relayState(loginSession.getNote(GeneralConstants.RELAY_STATE)); SamlClient samlClient = new SamlClient(client); KeyManager keyManager = session.keys(); if (samlClient.requiresRealmSignature()) { @@ -198,22 +199,23 @@ public class SamlProtocol implements LoginProtocol { binding.encrypt(publicKey); } Document document = builder.buildDocument(); - return buildErrorResponse(clientSession, binding, document); + return buildErrorResponse(loginSession, binding, document); } catch (Exception e) { return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE); } } } finally { - RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); - session.sessions().removeClientSession(realm, clientSession); + // TODO:mposolda + //RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); + session.loginSessions().removeLoginSession(realm, loginSession); } } - protected Response buildErrorResponse(ClientSessionModel clientSession, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException { - if (isPostBinding(clientSession)) { - return binding.postBinding(document).response(clientSession.getRedirectUri()); + protected Response buildErrorResponse(LoginSessionModel loginSession, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException { + if (isPostBinding(loginSession)) { + return binding.postBinding(document).response(loginSession.getRedirectUri()); } else { - return binding.redirectBinding(document).response(clientSession.getRedirectUri()); + return binding.redirectBinding(document).response(loginSession.getRedirectUri()); } } @@ -248,10 +250,10 @@ public class SamlProtocol implements LoginProtocol { return RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString(); } - protected boolean isPostBinding(ClientSessionModel clientSession) { - ClientModel client = clientSession.getClient(); + protected boolean isPostBinding(CommonClientSessionModel loginSession) { + ClientModel client = loginSession.getClient(); SamlClient samlClient = new SamlClient(client); - return SamlProtocol.SAML_POST_BINDING.equals(clientSession.getNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding(); + return SamlProtocol.SAML_POST_BINDING.equals(loginSession.getNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding(); } public static boolean isLogoutPostBindingForInitiator(UserSessionModel session) { @@ -259,7 +261,7 @@ public class SamlProtocol implements LoginProtocol { return SamlProtocol.SAML_POST_BINDING.equals(note); } - protected boolean isLogoutPostBindingForClient(ClientSessionModel clientSession) { + protected boolean isLogoutPostBindingForClient(ClientLoginSessionModel clientSession) { ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String logoutPostUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE); @@ -284,7 +286,7 @@ public class SamlProtocol implements LoginProtocol { return (logoutRedirectUrl == null || logoutRedirectUrl.trim().isEmpty()); } - protected String getNameIdFormat(SamlClient samlClient, ClientSessionModel clientSession) { + protected String getNameIdFormat(SamlClient samlClient, CommonClientSessionModel clientSession) { String nameIdFormat = clientSession.getNote(GeneralConstants.NAMEID_FORMAT); boolean forceFormat = samlClient.forceNameIDFormat(); @@ -297,7 +299,7 @@ public class SamlProtocol implements LoginProtocol { return nameIdFormat; } - protected String getNameId(String nameIdFormat, ClientSessionModel clientSession, UserSessionModel userSession) { + protected String getNameId(String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession) { if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) { return userSession.getUser().getEmail(); } else if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) { @@ -327,7 +329,7 @@ public class SamlProtocol implements LoginProtocol { * * @return the user's persistent NameId */ - protected String getPersistentNameId(final ClientSessionModel clientSession, final UserSessionModel userSession) { + protected String getPersistentNameId(final CommonClientSessionModel clientSession, final UserSessionModel userSession) { // attempt to retrieve the UserID for the client-specific attribute final UserModel user = userSession.getUser(); final String clientNameId = String.format("%s.%s", SAML_PERSISTENT_NAME_ID_FOR, @@ -351,8 +353,8 @@ public class SamlProtocol implements LoginProtocol { } @Override - public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { - ClientSessionModel clientSession = accessCode.getClientSession(); + public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { + ClientLoginSessionModel clientSession = accessCode.getClientSession(); ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String requestID = clientSession.getNote(SAML_REQUEST_ID); @@ -460,7 +462,7 @@ public class SamlProtocol implements LoginProtocol { } } - protected Response buildAuthenticatedResponse(ClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException { + protected Response buildAuthenticatedResponse(ClientLoginSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException { if (isPostBinding(clientSession)) { return bindingBuilder.postBinding(samlDocument).response(redirectUri); } else { @@ -479,7 +481,7 @@ public class SamlProtocol implements LoginProtocol { } public AttributeStatementType populateAttributeStatements(List> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, - ClientSessionModel clientSession) { + ClientLoginSessionModel clientSession) { AttributeStatementType attributeStatement = new AttributeStatementType(); for (ProtocolMapperProcessor processor : attributeStatementMappers) { processor.mapper.transformAttributeStatement(attributeStatement, processor.model, session, userSession, clientSession); @@ -488,14 +490,14 @@ public class SamlProtocol implements LoginProtocol { return attributeStatement; } - public ResponseType transformLoginResponse(List> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public ResponseType transformLoginResponse(List> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { for (ProtocolMapperProcessor processor : mappers) { response = processor.mapper.transformLoginResponse(response, processor.model, session, userSession, clientSession); } return response; } - public void populateRoles(ProtocolMapperProcessor roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession, + public void populateRoles(ProtocolMapperProcessor roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession, final AttributeStatementType existingAttributeStatement) { if (roleListMapper == null) return; @@ -509,8 +511,8 @@ public class SamlProtocol implements LoginProtocol { } else { logoutServiceUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE); } - if (logoutServiceUrl == null && client instanceof ClientModel) - logoutServiceUrl = ((ClientModel) client).getManagementUrl(); + if (logoutServiceUrl == null) + logoutServiceUrl = client.getManagementUrl(); if (logoutServiceUrl == null || logoutServiceUrl.trim().equals("")) return null; return ResourceAdminManager.resolveUri(uriInfo.getRequestUri(), client.getRootUrl(), logoutServiceUrl); @@ -518,11 +520,9 @@ public class SamlProtocol implements LoginProtocol { } @Override - public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) { + public Response frontchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession) { ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); - if (!(client instanceof ClientModel)) - return null; try { boolean postBinding = isLogoutPostBindingForClient(clientSession); String bindingUri = getLogoutServiceUrl(uriInfo, client, postBinding ? SAML_POST_BINDING : SAML_REDIRECT_BINDING); @@ -615,7 +615,7 @@ public class SamlProtocol implements LoginProtocol { } @Override - public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) { + public void backchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession) { ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String logoutUrl = getLogoutServiceUrl(uriInfo, client, SAML_POST_BINDING); @@ -674,7 +674,7 @@ public class SamlProtocol implements LoginProtocol { } - protected SAML2LogoutRequestBuilder createLogoutRequest(String logoutUrl, ClientSessionModel clientSession, ClientModel client) { + protected SAML2LogoutRequestBuilder createLogoutRequest(String logoutUrl, ClientLoginSessionModel clientSession, ClientModel client) { // build userPrincipal with subject used at login SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder().assertionExpiration(realm.getAccessCodeLifespan()).issuer(getResponseIssuer(realm)).sessionIndex(clientSession.getId()) .userPrincipal(clientSession.getNote(SAML_NAME_ID), clientSession.getNote(SAML_NAME_ID_FORMAT)).destination(logoutUrl); @@ -682,7 +682,7 @@ public class SamlProtocol implements LoginProtocol { } @Override - public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) { + public boolean requireReauthentication(UserSessionModel userSession, LoginSessionModel clientSession) { // Not yet supported return false; } diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java index d67faa2b27..83445a6352 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java @@ -86,6 +86,7 @@ import org.keycloak.rotation.HardcodedKeyLocator; import org.keycloak.rotation.KeyLocator; import org.keycloak.saml.SPMetadataDescriptor; import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator; +import org.keycloak.sessions.LoginSessionModel; /** * Resource class for the oauth/openid connect token service @@ -270,13 +271,13 @@ public class SamlService extends AuthorizationEndpointBase { return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); } - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL); - clientSession.setRedirectUri(redirect); - clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - clientSession.setNote(SamlProtocol.SAML_BINDING, bindingType); - clientSession.setNote(GeneralConstants.RELAY_STATE, relayState); - clientSession.setNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID()); + LoginSessionModel loginSession = session.loginSessions().createLoginSession(realm, client, true); + loginSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); + loginSession.setRedirectUri(redirect); + loginSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + loginSession.setNote(SamlProtocol.SAML_BINDING, bindingType); + loginSession.setNote(GeneralConstants.RELAY_STATE, relayState); + loginSession.setNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID()); // Handle NameIDPolicy from SP NameIDPolicyType nameIdPolicy = requestAbstractType.getNameIDPolicy(); @@ -285,7 +286,7 @@ public class SamlService extends AuthorizationEndpointBase { String nameIdFormat = nameIdFormatUri.toString(); // TODO: Handle AllowCreate too, relevant for persistent NameID. if (isSupportedNameIdFormat(nameIdFormat)) { - clientSession.setNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat); + loginSession.setNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat); } else { event.detail(Details.REASON, "unsupported_nameid_format"); event.error(Errors.INVALID_SAML_AUTHN_REQUEST); @@ -301,13 +302,13 @@ public class SamlService extends AuthorizationEndpointBase { BaseIDAbstractType baseID = subject.getSubType().getBaseID(); if (baseID != null && baseID instanceof NameIDType) { NameIDType nameID = (NameIDType) baseID; - clientSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, nameID.getValue()); + loginSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, nameID.getValue()); } } } - return newBrowserAuthentication(clientSession, requestAbstractType.isIsPassive(), redirectToAuthentication); + return newBrowserAuthentication(loginSession, requestAbstractType.isIsPassive(), redirectToAuthentication); } protected String getBindingType(AuthnRequestType requestAbstractType) { @@ -518,13 +519,13 @@ public class SamlService extends AuthorizationEndpointBase { } - protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive, boolean redirectToAuthentication) { + protected Response newBrowserAuthentication(LoginSessionModel loginSession, boolean isPassive, boolean redirectToAuthentication) { SamlProtocol samlProtocol = new SamlProtocol().setEventBuilder(event).setHttpHeaders(headers).setRealm(realm).setSession(session).setUriInfo(uriInfo); - return newBrowserAuthentication(clientSession, isPassive, redirectToAuthentication, samlProtocol); + return newBrowserAuthentication(loginSession, isPassive, redirectToAuthentication, samlProtocol); } - protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) { - return handleBrowserAuthenticationRequest(clientSession, samlProtocol, isPassive, redirectToAuthentication); + protected Response newBrowserAuthentication(LoginSessionModel loginSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) { + return handleBrowserAuthenticationRequest(loginSession, samlProtocol, isPassive, redirectToAuthentication); } /** @@ -615,9 +616,9 @@ public class SamlService extends AuthorizationEndpointBase { return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); } - ClientSessionModel clientSession = createClientSessionForIdpInitiatedSso(this.session, this.realm, client, relayState); + LoginSessionModel loginSession = createLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState); - return newBrowserAuthentication(clientSession, false, false); + return newBrowserAuthentication(loginSession, false, false); } /** @@ -631,7 +632,7 @@ public class SamlService extends AuthorizationEndpointBase { * @param relayState Optional relay state - free field as per SAML specification * @return */ - public static ClientSessionModel createClientSessionForIdpInitiatedSso(KeycloakSession session, RealmModel realm, ClientModel client, String relayState) { + public static LoginSessionModel createLoginSessionForIdpInitiatedSso(KeycloakSession session, RealmModel realm, ClientModel client, String relayState) { String bindingType = SamlProtocol.SAML_POST_BINDING; if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) != null) { bindingType = SamlProtocol.SAML_REDIRECT_BINDING; @@ -647,21 +648,21 @@ public class SamlService extends AuthorizationEndpointBase { redirect = client.getManagementUrl(); } - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL); - clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - clientSession.setNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING); - clientSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true"); - clientSession.setRedirectUri(redirect); + LoginSessionModel loginSession = session.loginSessions().createLoginSession(realm, client, true); + loginSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); + loginSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + loginSession.setNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING); + loginSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true"); + loginSession.setRedirectUri(redirect); if (relayState == null) { relayState = client.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE); } if (relayState != null && !relayState.trim().equals("")) { - clientSession.setNote(GeneralConstants.RELAY_STATE, relayState); + loginSession.setNote(GeneralConstants.RELAY_STATE, relayState); } - return clientSession; + return loginSession; } @POST diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/GroupMembershipMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/GroupMembershipMapper.java index 1a2db26f59..3ffdec4353 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/GroupMembershipMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/GroupMembershipMapper.java @@ -19,7 +19,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; import org.keycloak.dom.saml.v2.assertion.AttributeType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.GroupModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; @@ -117,7 +117,7 @@ public class GroupMembershipMapper extends AbstractSAMLProtocolMapper implements @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { String single = mappingModel.getConfig().get(SINGLE_GROUP_ATTRIBUTE); boolean singleAttribute = Boolean.parseBoolean(single); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java index b8a62313d9..79092096f3 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -76,7 +76,7 @@ public class HardcodedAttributeMapper extends AbstractSAMLProtocolMapper impleme } @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { String attributeValue = mappingModel.getConfig().get(ATTRIBUTE_VALUE); AttributeStatementHelper.addAttribute(attributeStatement, mappingModel, attributeValue); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java index 5650333c11..169f25ac38 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java @@ -19,7 +19,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; import org.keycloak.dom.saml.v2.assertion.AttributeType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.ProtocolMapperModel; @@ -111,14 +111,14 @@ public class RoleListMapper extends AbstractSAMLProtocolMapper implements SAMLRo } @Override - public void mapRoles(AttributeStatementType roleAttributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public void mapRoles(AttributeStatementType roleAttributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { String single = mappingModel.getConfig().get(SINGLE_ROLE_ATTRIBUTE); boolean singleAttribute = Boolean.parseBoolean(single); List> roleNameMappers = new LinkedList<>(); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); AttributeType singleAttributeType = null; - Set requestedProtocolMappers = new ClientSessionCode(session, clientSession.getRealm(), clientSession).getRequestedProtocolMappers(); + Set requestedProtocolMappers = ClientSessionCode.getRequestedProtocolMappers(clientSession.getProtocolMappers(), clientSession.getClient()); for (ProtocolMapperModel mapping : requestedProtocolMappers) { ProtocolMapper mapper = (ProtocolMapper)sessionFactory.getProviderFactory(ProtocolMapper.class, mapping.getProtocolMapper()); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java index 48edfaa81b..8e33f92e55 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.models.UserSessionModel; public interface SAMLAttributeStatementMapper { void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession); + UserSessionModel userSession, ClientLoginSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java index cf5c9c8bd4..329f1ac60b 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.protocol.ResponseType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.models.UserSessionModel; public interface SAMLLoginResponseMapper { ResponseType transformLoginResponse(ResponseType response, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession); + UserSessionModel userSession, ClientLoginSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java index a822d8cff0..e74c79f12f 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.models.UserSessionModel; public interface SAMLRoleListMapper { void mapRoles(AttributeStatementType roleAttributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientSessionModel clientSession); + UserSessionModel userSession, ClientLoginSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java index f29d972234..661c9b6e62 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserModel; @@ -77,7 +77,7 @@ public class UserAttributeStatementMapper extends AbstractSAMLProtocolMapper imp } @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { UserModel user = userSession.getUser(); String attributeName = mappingModel.getConfig().get(ProtocolMapperUtils.USER_ATTRIBUTE); List attributeValues = KeycloakModelUtils.resolveAttribute(user, attributeName); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java index fd0de2a87c..adfc9aac81 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserModel; @@ -76,7 +76,7 @@ public class UserPropertyAttributeStatementMapper extends AbstractSAMLProtocolMa } @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { UserModel user = userSession.getUser(); String propertyName = mappingModel.getConfig().get(ProtocolMapperUtils.USER_ATTRIBUTE); String propertyValue = ProtocolMapperUtils.getUserModelValue(user, propertyName); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserSessionNoteStatementMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserSessionNoteStatementMapper.java index d6fd4d05a6..d633e2c70f 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserSessionNoteStatementMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserSessionNoteStatementMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -74,7 +74,7 @@ public class UserSessionNoteStatementMapper extends AbstractSAMLProtocolMapper i } @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { String note = mappingModel.getConfig().get("note"); String value = userSession.getNote(note); if (value == null) return; diff --git a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.java b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.java index d2aaad68e6..f578f3d872 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.java +++ b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.java @@ -20,8 +20,8 @@ package org.keycloak.protocol.saml.profile.ecp; import org.keycloak.dom.saml.v2.protocol.AuthnRequestType; import org.keycloak.events.EventBuilder; import org.keycloak.models.AuthenticationFlowModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.DefaultAuthenticationFlows; @@ -35,6 +35,7 @@ import org.keycloak.saml.common.constants.JBossSAMLConstants; import org.keycloak.saml.common.constants.JBossSAMLURIConstants; import org.keycloak.saml.common.exceptions.ConfigurationException; import org.keycloak.saml.common.exceptions.ProcessingException; +import org.keycloak.sessions.LoginSessionModel; import org.w3c.dom.Document; import javax.ws.rs.core.Response; @@ -85,15 +86,15 @@ public class SamlEcpProfileService extends SamlService { } @Override - protected Response newBrowserAuthentication(ClientSessionModel clientSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) { - return super.newBrowserAuthentication(clientSession, isPassive, redirectToAuthentication, createEcpSamlProtocol()); + protected Response newBrowserAuthentication(LoginSessionModel loginSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) { + return super.newBrowserAuthentication(loginSession, isPassive, redirectToAuthentication, createEcpSamlProtocol()); } private SamlProtocol createEcpSamlProtocol() { return new SamlProtocol() { // method created to send a SOAP Binding response instead of a HTTP POST response @Override - protected Response buildAuthenticatedResponse(ClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException { + protected Response buildAuthenticatedResponse(ClientLoginSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException { Document document = bindingBuilder.postBinding(samlDocument).getDocument(); try { @@ -113,7 +114,7 @@ public class SamlEcpProfileService extends SamlService { } } - private void createRequestAuthenticatedHeader(ClientSessionModel clientSession, Soap.SoapMessageBuilder messageBuilder) { + private void createRequestAuthenticatedHeader(ClientLoginSessionModel clientSession, Soap.SoapMessageBuilder messageBuilder) { ClientModel client = clientSession.getClient(); if ("true".equals(client.getAttribute(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE))) { @@ -133,7 +134,7 @@ public class SamlEcpProfileService extends SamlService { } @Override - protected Response buildErrorResponse(ClientSessionModel clientSession, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException { + protected Response buildErrorResponse(LoginSessionModel clientSession, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException { return Soap.createMessage().addToBody(document).build(); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java index ddaec72b80..81496fcb09 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java +++ b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java @@ -104,7 +104,7 @@ public class HttpBasicAuthenticator implements AuthenticatorFactory { boolean valid = context.getSession().userCredentialManager().isValid(realm, user, UserCredentialModel.password(password)); if (valid) { - context.getClientSession().setAuthenticatedUser(user); + context.getLoginSession().setAuthenticatedUser(user); context.success(); } else { context.getEvent().user(user); diff --git a/services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java b/services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java index 9d615a5c36..7d45f15a3a 100644 --- a/services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java +++ b/services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java @@ -33,6 +33,7 @@ import org.keycloak.models.cache.CacheRealmProvider; import org.keycloak.models.cache.UserCache; import org.keycloak.provider.Provider; import org.keycloak.provider.ProviderFactory; +import org.keycloak.sessions.LoginSessionProvider; import org.keycloak.storage.UserStorageManager; import org.keycloak.storage.federated.UserFederatedStorageProvider; @@ -54,10 +55,10 @@ public class DefaultKeycloakSession implements KeycloakSession { private final DefaultKeycloakTransactionManager transactionManager; private final Map attributes = new HashMap<>(); private RealmProvider model; - private UserProvider userModel; private UserStorageManager userStorageManager; private UserCredentialStoreManager userCredentialStorageManager; private UserSessionProvider sessionProvider; + private LoginSessionProvider loginSessionProvider; private UserFederatedStorageProvider userFederatedStorageProvider; private KeycloakContext context; private KeyManager keyManager; @@ -236,6 +237,14 @@ public class DefaultKeycloakSession implements KeycloakSession { return sessionProvider; } + @Override + public LoginSessionProvider loginSessions() { + if (loginSessionProvider == null) { + loginSessionProvider = getProvider(LoginSessionProvider.class); + } + return loginSessionProvider; + } + @Override public KeyManager keys() { if (keyManager == null) { diff --git a/services/src/main/java/org/keycloak/services/managers/Auth.java b/services/src/main/java/org/keycloak/services/managers/Auth.java index 714a3a2c70..2ac758442d 100755 --- a/services/src/main/java/org/keycloak/services/managers/Auth.java +++ b/services/src/main/java/org/keycloak/services/managers/Auth.java @@ -17,6 +17,7 @@ package org.keycloak.services.managers; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.RealmModel; @@ -35,7 +36,7 @@ public class Auth { private final UserModel user; private final ClientModel client; private final UserSessionModel session; - private ClientSessionModel clientSession; + private ClientLoginSessionModel clientSession; public Auth(RealmModel realm, AccessToken token, UserModel user, ClientModel client, UserSessionModel session, boolean cookie) { this.cookie = cookie; @@ -71,11 +72,11 @@ public class Auth { return session; } - public ClientSessionModel getClientSession() { + public ClientLoginSessionModel getClientSession() { return clientSession; } - public void setClientSession(ClientSessionModel clientSession) { + public void setClientSession(ClientLoginSessionModel clientSession) { this.clientSession = clientSession; } diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index cf7d73cbd1..3cb8c68655 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -20,6 +20,7 @@ import org.jboss.logging.Logger; import org.jboss.resteasy.specimpl.MultivaluedMapImpl; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.TokenVerifier; +import org.keycloak.authentication.AuthenticationProcessor; import org.keycloak.authentication.RequiredActionContext; import org.keycloak.authentication.RequiredActionContextResult; import org.keycloak.authentication.RequiredActionFactory; @@ -35,8 +36,8 @@ import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.jose.jws.AlgorithmType; import org.keycloak.jose.jws.JWSBuilder; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; @@ -58,6 +59,7 @@ import org.keycloak.services.resources.IdentityBrokerService; import org.keycloak.services.resources.RealmsResource; import org.keycloak.services.util.CookieHelper; import org.keycloak.services.util.P3PHelper; +import org.keycloak.sessions.LoginSessionModel; import javax.crypto.SecretKey; import javax.ws.rs.core.Cookie; @@ -68,6 +70,7 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; import java.net.URI; import java.security.PublicKey; +import java.util.Collection; import java.util.LinkedList; import java.util.List; import java.util.Set; @@ -159,7 +162,7 @@ public class AuthenticationManager { logger.debugv("Logging out: {0} ({1})", user.getUsername(), userSession.getId()); expireUserSessionCookie(session, userSession, realm, uriInfo, headers, connection); - for (ClientSessionModel clientSession : userSession.getClientSessions()) { + for (ClientLoginSessionModel clientSession : userSession.getClientLoginSessions().values()) { backchannelLogoutClientSession(session, realm, clientSession, userSession, uriInfo, headers); } if (logoutBroker) { @@ -169,6 +172,7 @@ public class AuthenticationManager { try { identityProvider.backchannelLogout(session, userSession, uriInfo, realm); } catch (Exception e) { + logger.warn("Exception at broker backchannel logout for broker " + brokerId, e); } } } @@ -176,17 +180,17 @@ public class AuthenticationManager { session.sessions().removeUserSession(realm, userSession); } - public static void backchannelLogoutClientSession(KeycloakSession session, RealmModel realm, ClientSessionModel clientSession, UserSessionModel userSession, UriInfo uriInfo, HttpHeaders headers) { + public static void backchannelLogoutClientSession(KeycloakSession session, RealmModel realm, ClientLoginSessionModel clientSession, UserSessionModel userSession, UriInfo uriInfo, HttpHeaders headers) { ClientModel client = clientSession.getClient(); - if (client instanceof ClientModel && !client.isFrontchannelLogout() && !ClientSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) { - String authMethod = clientSession.getAuthMethod(); + if (!client.isFrontchannelLogout() && !ClientLoginSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) { + String authMethod = clientSession.getProtocol(); if (authMethod == null) return; // must be a keycloak service like account LoginProtocol protocol = session.getProvider(LoginProtocol.class, authMethod); protocol.setRealm(realm) .setHttpHeaders(headers) .setUriInfo(uriInfo); protocol.backchannelLogout(userSession, clientSession); - clientSession.setAction(ClientSessionModel.Action.LOGGED_OUT.name()); + clientSession.setAction(ClientLoginSessionModel.Action.LOGGED_OUT.name()); } } @@ -197,8 +201,8 @@ public class AuthenticationManager { List userSessions = session.sessions().getUserSessions(realm, user); for (UserSessionModel userSession : userSessions) { - List clientSessions = userSession.getClientSessions(); - for (ClientSessionModel clientSession : clientSessions) { + Collection clientSessions = userSession.getClientLoginSessions().values(); + for (ClientLoginSessionModel clientSession : clientSessions) { if (clientSession.getClient().getId().equals(clientId)) { AuthenticationManager.backchannelLogoutClientSession(session, realm, clientSession, userSession, uriInfo, headers); TokenManager.dettachClientSession(session.sessions(), realm, clientSession); @@ -215,16 +219,16 @@ public class AuthenticationManager { if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) { userSession.setState(UserSessionModel.State.LOGGING_OUT); } - List redirectClients = new LinkedList(); - for (ClientSessionModel clientSession : userSession.getClientSessions()) { + List redirectClients = new LinkedList<>(); + for (ClientLoginSessionModel clientSession : userSession.getClientLoginSessions().values()) { ClientModel client = clientSession.getClient(); - if (ClientSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) continue; + if (ClientLoginSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) continue; if (client.isFrontchannelLogout()) { - String authMethod = clientSession.getAuthMethod(); + String authMethod = clientSession.getProtocol(); if (authMethod == null) continue; // must be a keycloak service like account redirectClients.add(clientSession); } else { - String authMethod = clientSession.getAuthMethod(); + String authMethod = clientSession.getProtocol(); if (authMethod == null) continue; // must be a keycloak service like account LoginProtocol protocol = session.getProvider(LoginProtocol.class, authMethod); protocol.setRealm(realm) @@ -233,21 +237,21 @@ public class AuthenticationManager { try { logger.debugv("backchannel logout to: {0}", client.getClientId()); protocol.backchannelLogout(userSession, clientSession); - clientSession.setAction(ClientSessionModel.Action.LOGGED_OUT.name()); + clientSession.setAction(ClientLoginSessionModel.Action.LOGGED_OUT.name()); } catch (Exception e) { ServicesLogger.LOGGER.failedToLogoutClient(e); } } } - for (ClientSessionModel nextRedirectClient : redirectClients) { - String authMethod = nextRedirectClient.getAuthMethod(); + for (ClientLoginSessionModel nextRedirectClient : redirectClients) { + String authMethod = nextRedirectClient.getProtocol(); LoginProtocol protocol = session.getProvider(LoginProtocol.class, authMethod); protocol.setRealm(realm) .setHttpHeaders(headers) .setUriInfo(uriInfo); // setting this to logged out cuz I"m not sure protocols can always verify that the client was logged out or not - nextRedirectClient.setAction(ClientSessionModel.Action.LOGGED_OUT.name()); + nextRedirectClient.setAction(ClientLoginSessionModel.Action.LOGGED_OUT.name()); try { logger.debugv("frontchannel logout to: {0}", nextRedirectClient.getClient().getClientId()); Response response = protocol.frontchannelLogout(userSession, nextRedirectClient); @@ -410,11 +414,11 @@ public class AuthenticationManager { public static Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, - ClientSessionModel clientSession, + ClientLoginSessionModel clientSession, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, - EventBuilder event) { - LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod()); - protocol.setRealm(realm) + EventBuilder event, String protocol) { + LoginProtocol protocolImpl = session.getProvider(LoginProtocol.class, protocol); + protocolImpl.setRealm(realm) .setHttpHeaders(request.getHttpHeaders()) .setUriInfo(uriInfo) .setEventBuilder(event); @@ -423,7 +427,7 @@ public class AuthenticationManager { } public static Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, - ClientSessionModel clientSession, + ClientLoginSessionModel clientSession, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, LoginProtocol protocol) { Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE); @@ -460,32 +464,33 @@ public class AuthenticationManager { userSession.setNote(AUTH_TIME, String.valueOf(authTime)); } - return protocol.authenticated(userSession, new ClientSessionCode(session, realm, clientSession)); + return protocol.authenticated(userSession, new ClientSessionCode<>(session, realm, clientSession)); } - public static boolean isSSOAuthentication(ClientSessionModel clientSession) { + public static boolean isSSOAuthentication(ClientLoginSessionModel clientSession) { String ssoAuth = clientSession.getNote(SSO_AUTH); return Boolean.parseBoolean(ssoAuth); } - public static Response nextActionAfterAuthentication(KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession, + public static Response nextActionAfterAuthentication(KeycloakSession session, LoginSessionModel loginSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event) { - Response requiredAction = actionRequired(session, userSession, clientSession, clientConnection, request, uriInfo, event); + Response requiredAction = actionRequired(session, loginSession, clientConnection, request, uriInfo, event); if (requiredAction != null) return requiredAction; - return finishedRequiredActions(session, userSession, clientSession, clientConnection, request, uriInfo, event); + return finishedRequiredActions(session, loginSession, clientConnection, request, uriInfo, event); } - public static Response finishedRequiredActions(KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event) { - if (clientSession.getNote(END_AFTER_REQUIRED_ACTIONS) != null) { + public static Response finishedRequiredActions(KeycloakSession session, LoginSessionModel loginSession, + ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event) { + if (loginSession.getNote(END_AFTER_REQUIRED_ACTIONS) != null) { LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class) .setSuccess(Messages.ACCOUNT_UPDATED); - if (clientSession.getNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) { - if (clientSession.getRedirectUri() != null) { - infoPage.setAttribute("pageRedirectUri", clientSession.getRedirectUri()); + if (loginSession.getNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) { + if (loginSession.getRedirectUri() != null) { + infoPage.setAttribute("pageRedirectUri", loginSession.getRedirectUri()); } } else { @@ -493,31 +498,32 @@ public class AuthenticationManager { } Response response = infoPage .createInfoPage(); - session.sessions().removeUserSession(session.getContext().getRealm(), userSession); return response; } event.success(); - RealmModel realm = clientSession.getRealm(); - return redirectAfterSuccessfulFlow(session, realm , userSession, clientSession, request, uriInfo, clientConnection, event); + RealmModel realm = loginSession.getRealm(); + + ClientLoginSessionModel clientSession = AuthenticationProcessor.attachSession(loginSession, null, session, realm, clientConnection, event); + return redirectAfterSuccessfulFlow(session, realm , clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, loginSession.getProtocol()); } - public static boolean isActionRequired(final KeycloakSession session, final UserSessionModel userSession, final ClientSessionModel clientSession, + public static boolean isActionRequired(final KeycloakSession session, final LoginSessionModel loginSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event) { - final RealmModel realm = clientSession.getRealm(); - final UserModel user = userSession.getUser(); - final ClientModel client = clientSession.getClient(); + final RealmModel realm = loginSession.getRealm(); + final UserModel user = loginSession.getAuthenticatedUser(); + final ClientModel client = loginSession.getClient(); - evaluateRequiredActionTriggers(session, userSession, clientSession, clientConnection, request, uriInfo, event, realm, user); + evaluateRequiredActionTriggers(session, loginSession, clientConnection, request, uriInfo, event, realm, user); - if (!user.getRequiredActions().isEmpty() || !clientSession.getRequiredActions().isEmpty()) return true; + if (!user.getRequiredActions().isEmpty() || !loginSession.getRequiredActions().isEmpty()) return true; if (client.isConsentRequired()) { UserConsentModel grantedConsent = session.users().getConsentByClient(realm, user.getId(), client.getId()); - ClientSessionCode accessCode = new ClientSessionCode(session, realm, clientSession); + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, loginSession); for (RoleModel r : accessCode.getRequestedRoles()) { // Consent already granted by user @@ -544,27 +550,27 @@ public class AuthenticationManager { } - public static Response actionRequired(final KeycloakSession session, final UserSessionModel userSession, final ClientSessionModel clientSession, + public static Response actionRequired(final KeycloakSession session, final LoginSessionModel loginSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event) { - final RealmModel realm = clientSession.getRealm(); - final UserModel user = userSession.getUser(); - final ClientModel client = clientSession.getClient(); + final RealmModel realm = loginSession.getRealm(); + final UserModel user = loginSession.getAuthenticatedUser(); + final ClientModel client = loginSession.getClient(); - evaluateRequiredActionTriggers(session, userSession, clientSession, clientConnection, request, uriInfo, event, realm, user); + evaluateRequiredActionTriggers(session, loginSession, clientConnection, request, uriInfo, event, realm, user); logger.debugv("processAccessCode: go to oauth page?: {0}", client.isConsentRequired()); - event.detail(Details.CODE_ID, clientSession.getId()); + event.detail(Details.CODE_ID, loginSession.getId()); Set requiredActions = user.getRequiredActions(); - Response action = executionActions(session, userSession, clientSession, request, event, realm, user, requiredActions); + Response action = executionActions(session, loginSession, request, event, realm, user, requiredActions); if (action != null) return action; // executionActions() method should remove any duplicate actions that might be in the clientSession - requiredActions = clientSession.getRequiredActions(); - action = executionActions(session, userSession, clientSession, request, event, realm, user, requiredActions); + requiredActions = loginSession.getRequiredActions(); + action = executionActions(session, loginSession, request, event, realm, user, requiredActions); if (action != null) return action; if (client.isConsentRequired()) { @@ -573,7 +579,7 @@ public class AuthenticationManager { List realmRoles = new LinkedList<>(); MultivaluedMap resourceRoles = new MultivaluedMapImpl<>(); - ClientSessionCode accessCode = new ClientSessionCode(session, realm, clientSession); + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, loginSession); for (RoleModel r : accessCode.getRequestedRoles()) { // Consent already granted by user @@ -599,13 +605,15 @@ public class AuthenticationManager { // Skip grant screen if everything was already approved by this user if (realmRoles.size() > 0 || resourceRoles.size() > 0 || protocolMappers.size() > 0) { - accessCode.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name()); - clientSession.setNote(CURRENT_REQUIRED_ACTION, ClientSessionModel.Action.OAUTH_GRANT.name()); + accessCode. + + setAction(ClientLoginSessionModel.Action.REQUIRED_ACTIONS.name()); + loginSession.setNote(CURRENT_REQUIRED_ACTION, ClientLoginSessionModel.Action.OAUTH_GRANT.name()); return session.getProvider(LoginFormsProvider.class) .setClientSessionCode(accessCode.getCode()) .setAccessRequest(realmRoles, resourceRoles, protocolMappers) - .createOAuthGrant(clientSession); + .createOAuthGrant(); } else { String consentDetail = (grantedConsent != null) ? Details.CONSENT_VALUE_PERSISTED_CONSENT : Details.CONSENT_VALUE_NO_CONSENT_REQUIRED; event.detail(Details.CONSENT, consentDetail); @@ -617,7 +625,7 @@ public class AuthenticationManager { } - protected static Response executionActions(KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession, + protected static Response executionActions(KeycloakSession session, LoginSessionModel loginSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Set requiredActions) { for (String action : requiredActions) { @@ -635,34 +643,34 @@ public class AuthenticationManager { throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?"); } RequiredActionProvider actionProvider = factory.create(session); - RequiredActionContextResult context = new RequiredActionContextResult(userSession, clientSession, realm, event, session, request, user, factory); + RequiredActionContextResult context = new RequiredActionContextResult(loginSession, realm, event, session, request, user, factory); actionProvider.requiredActionChallenge(context); if (context.getStatus() == RequiredActionContext.Status.FAILURE) { - LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getClientSession().getAuthMethod()); + LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getLoginSession().getProtocol()); protocol.setRealm(context.getRealm()) .setHttpHeaders(context.getHttpRequest().getHttpHeaders()) .setUriInfo(context.getUriInfo()) .setEventBuilder(event); - Response response = protocol.sendError(context.getClientSession(), Error.CONSENT_DENIED); + Response response = protocol.sendError(context.getLoginSession(), Error.CONSENT_DENIED); event.error(Errors.REJECTED_BY_USER); return response; } else if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) { - clientSession.setNote(CURRENT_REQUIRED_ACTION, model.getProviderId()); + loginSession.setNote(CURRENT_REQUIRED_ACTION, model.getProviderId()); return context.getChallenge(); } else if (context.getStatus() == RequiredActionContext.Status.SUCCESS) { event.clone().event(EventType.CUSTOM_REQUIRED_ACTION).detail(Details.CUSTOM_REQUIRED_ACTION, factory.getId()).success(); // don't have to perform the same action twice, so remove it from both the user and session required actions - clientSession.getUserSession().getUser().removeRequiredAction(factory.getId()); - clientSession.removeRequiredAction(factory.getId()); + loginSession.getAuthenticatedUser().removeRequiredAction(factory.getId()); + loginSession.removeRequiredAction(factory.getId()); } } return null; } - public static void evaluateRequiredActionTriggers(final KeycloakSession session, final UserSessionModel userSession, final ClientSessionModel clientSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event, final RealmModel realm, final UserModel user) { + public static void evaluateRequiredActionTriggers(final KeycloakSession session, final LoginSessionModel loginSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event, final RealmModel realm, final UserModel user) { // see if any required actions need triggering, i.e. an expired password for (RequiredActionProviderModel model : realm.getRequiredActionProviders()) { @@ -672,7 +680,7 @@ public class AuthenticationManager { throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?"); } RequiredActionProvider provider = factory.create(session); - RequiredActionContextResult result = new RequiredActionContextResult(userSession, clientSession, realm, event, session, request, user, factory) { + RequiredActionContextResult result = new RequiredActionContextResult(loginSession, realm, event, session, request, user, factory) { @Override public void challenge(Response response) { throw new RuntimeException("Not allowed to call challenge() within evaluateTriggers()"); diff --git a/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java b/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java index 12e0449b32..baf7eaddfc 100755 --- a/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java +++ b/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java @@ -24,8 +24,8 @@ import org.keycloak.common.util.StringPropertyReplacer; import org.keycloak.common.util.Time; import org.keycloak.connections.httpclient.HttpClientProvider; import org.keycloak.constants.AdapterConstants; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; @@ -113,7 +113,7 @@ public class ResourceAdminManager { protected void logoutUserSessions(URI requestUri, RealmModel realm, List userSessions) { // Map from "app" to clientSessions for this app - MultivaluedHashMap clientSessions = new MultivaluedHashMap(); + MultivaluedHashMap clientSessions = new MultivaluedHashMap<>(); for (UserSessionModel userSession : userSessions) { putClientSessions(clientSessions, userSession); } @@ -121,37 +121,40 @@ public class ResourceAdminManager { logger.debugv("logging out {0} resources ", clientSessions.size()); //logger.infov("logging out resources: {0}", clientSessions); - for (Map.Entry> entry : clientSessions.entrySet()) { - logoutClientSessions(requestUri, realm, entry.getKey(), entry.getValue()); + for (Map.Entry> entry : clientSessions.entrySet()) { + if (entry.getValue().size() == 0) { + continue; + } + logoutClientSessions(requestUri, realm, entry.getValue().get(0).getClient(), entry.getValue()); } } - private void putClientSessions(MultivaluedHashMap clientSessions, UserSessionModel userSession) { - for (ClientSessionModel clientSession : userSession.getClientSessions()) { - ClientModel client = clientSession.getClient(); - clientSessions.add(client, clientSession); + private void putClientSessions(MultivaluedHashMap clientSessions, UserSessionModel userSession) { + for (Map.Entry entry : userSession.getClientLoginSessions().entrySet()) { + clientSessions.add(entry.getKey(), entry.getValue()); } } public void logoutUserFromClient(URI requestUri, RealmModel realm, ClientModel resource, UserModel user) { List userSessions = session.sessions().getUserSessions(realm, user); - List ourAppClientSessions = null; + List ourAppClientSessions = new LinkedList<>(); if (userSessions != null) { - MultivaluedHashMap clientSessions = new MultivaluedHashMap(); for (UserSessionModel userSession : userSessions) { - putClientSessions(clientSessions, userSession); + ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(resource.getId()); + if (clientSession != null) { + ourAppClientSessions.add(clientSession); + } } - ourAppClientSessions = clientSessions.get(resource); } logoutClientSessions(requestUri, realm, resource, ourAppClientSessions); } - public boolean logoutClientSession(URI requestUri, RealmModel realm, ClientModel resource, ClientSessionModel clientSession) { + public boolean logoutClientSession(URI requestUri, RealmModel realm, ClientModel resource, ClientLoginSessionModel clientSession) { return logoutClientSessions(requestUri, realm, resource, Arrays.asList(clientSession)); } - protected boolean logoutClientSessions(URI requestUri, RealmModel realm, ClientModel resource, List clientSessions) { + protected boolean logoutClientSessions(URI requestUri, RealmModel realm, ClientModel resource, List clientSessions) { String managementUrl = getManagementUrl(requestUri, resource); if (managementUrl != null) { @@ -160,7 +163,7 @@ public class ResourceAdminManager { List userSessions = new LinkedList<>(); if (clientSessions != null && clientSessions.size() > 0) { adapterSessionIds = new MultivaluedHashMap(); - for (ClientSessionModel clientSession : clientSessions) { + for (ClientLoginSessionModel clientSession : clientSessions) { String adapterSessionId = clientSession.getNote(AdapterConstants.CLIENT_SESSION_STATE); if (adapterSessionId != null) { String host = clientSession.getNote(AdapterConstants.CLIENT_SESSION_HOST); diff --git a/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java b/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java index 4c8c2fe89e..a70c6f63f1 100644 --- a/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java +++ b/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java @@ -18,11 +18,10 @@ package org.keycloak.services.managers; import org.jboss.logging.Logger; import org.keycloak.common.util.Time; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; import org.keycloak.models.KeycloakSession; -import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.UserModel; @@ -31,7 +30,6 @@ import org.keycloak.models.session.UserSessionPersisterProvider; import org.keycloak.services.ServicesLogger; import java.util.HashSet; -import java.util.LinkedList; import java.util.List; import java.util.Set; @@ -52,7 +50,7 @@ public class UserSessionManager { this.persister = session.getProvider(UserSessionPersisterProvider.class); } - public void createOrUpdateOfflineSession(ClientSessionModel clientSession, UserSessionModel userSession) { + public void createOrUpdateOfflineSession(ClientLoginSessionModel clientSession, UserSessionModel userSession) { UserModel user = userSession.getUser(); // Create and persist offline userSession if we don't have one @@ -65,50 +63,50 @@ public class UserSessionManager { } // Create and persist clientSession - ClientSessionModel offlineClientSession = kcSession.sessions().getOfflineClientSession(clientSession.getRealm(), clientSession.getId()); + ClientLoginSessionModel offlineClientSession = offlineUserSession.getClientLoginSessions().get(clientSession.getClient().getId()); if (offlineClientSession == null) { createOfflineClientSession(user, clientSession, offlineUserSession); } } - // userSessionId is provided from offline token. It's used just to verify if it match the ID from clientSession representation - public ClientSessionModel findOfflineClientSession(RealmModel realm, String clientSessionId) { - return kcSession.sessions().getOfflineClientSession(realm, clientSessionId); + + public UserSessionModel findOfflineUserSession(RealmModel realm, String userSessionId) { + return kcSession.sessions().getOfflineUserSession(realm, userSessionId); } public Set findClientsWithOfflineToken(RealmModel realm, UserModel user) { - List clientSessions = kcSession.sessions().getOfflineClientSessions(realm, user); + List userSessions = kcSession.sessions().getOfflineUserSessions(realm, user); Set clients = new HashSet<>(); - for (ClientSessionModel clientSession : clientSessions) { - clients.add(clientSession.getClient()); + for (UserSessionModel userSession : userSessions) { + Set clientIds = userSession.getClientLoginSessions().keySet(); + for (String clientUUID : clientIds) { + ClientModel client = realm.getClientById(clientUUID); + clients.add(client); + } } return clients; } - public List findOfflineSessions(RealmModel realm, ClientModel client, UserModel user) { - List clientSessions = kcSession.sessions().getOfflineClientSessions(realm, user); - List userSessions = new LinkedList<>(); - for (ClientSessionModel clientSession : clientSessions) { - userSessions.add(clientSession.getUserSession()); - } - return userSessions; + public List findOfflineSessions(RealmModel realm, UserModel user) { + return kcSession.sessions().getOfflineUserSessions(realm, user); } public boolean revokeOfflineToken(UserModel user, ClientModel client) { RealmModel realm = client.getRealm(); - List clientSessions = kcSession.sessions().getOfflineClientSessions(realm, user); + List userSessions = kcSession.sessions().getOfflineUserSessions(realm, user); boolean anyRemoved = false; - for (ClientSessionModel clientSession : clientSessions) { - if (clientSession.getClient().getId().equals(client.getId())) { + for (UserSessionModel userSession : userSessions) { + ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(client.getId()); + if (clientSession != null) { if (logger.isTraceEnabled()) { - logger.tracef("Removing existing offline token for user '%s' and client '%s' . ClientSessionID was '%s' .", - user.getUsername(), client.getClientId(), clientSession.getId()); + logger.tracef("Removing existing offline token for user '%s' and client '%s' .", + user.getUsername(), client.getClientId()); } - kcSession.sessions().removeOfflineClientSession(realm, clientSession.getId()); + userSession.getClientLoginSessions().remove(client.getClientId()); persister.removeClientSession(clientSession.getId(), true); - checkOfflineUserSessionHasClientSessions(realm, user, clientSession.getUserSession(), clientSessions); + checkOfflineUserSessionHasClientSessions(realm, user, userSession); anyRemoved = true; } } @@ -124,7 +122,7 @@ public class UserSessionManager { persister.removeUserSession(userSession.getId(), true); } - public boolean isOfflineTokenAllowed(ClientSessionModel clientSession) { + public boolean isOfflineTokenAllowed(ClientLoginSessionModel clientSession) { RoleModel offlineAccessRole = clientSession.getRealm().getRole(Constants.OFFLINE_ACCESS_ROLE); if (offlineAccessRole == null) { ServicesLogger.LOGGER.roleNotInRealm(Constants.OFFLINE_ACCESS_ROLE); @@ -144,30 +142,27 @@ public class UserSessionManager { return offlineUserSession; } - private void createOfflineClientSession(UserModel user, ClientSessionModel clientSession, UserSessionModel userSession) { + private void createOfflineClientSession(UserModel user, ClientLoginSessionModel clientSession, UserSessionModel offlineUserSession) { if (logger.isTraceEnabled()) { logger.tracef("Creating new offline token client session. ClientSessionId: '%s', UserSessionID: '%s' , Username: '%s', Client: '%s'" , - clientSession.getId(), userSession.getId(), user.getUsername(), clientSession.getClient().getClientId()); + clientSession.getId(), offlineUserSession.getId(), user.getUsername(), clientSession.getClient().getClientId()); } - ClientSessionModel offlineClientSession = kcSession.sessions().createOfflineClientSession(clientSession); - offlineClientSession.setUserSession(userSession); - persister.createClientSession(clientSession, true); + ClientLoginSessionModel offlineClientSession = kcSession.sessions().createOfflineClientSession(clientSession); + offlineUserSession.getClientLoginSessions().put(clientSession.getClient().getId(), offlineClientSession); + persister.createClientSession(offlineUserSession, clientSession, true); } // Check if userSession has any offline clientSessions attached to it. Remove userSession if not - private void checkOfflineUserSessionHasClientSessions(RealmModel realm, UserModel user, UserSessionModel userSession, List clientSessions) { - String userSessionId = userSession.getId(); - for (ClientSessionModel clientSession : clientSessions) { - if (clientSession.getUserSession().getId().equals(userSessionId)) { - return; - } + private void checkOfflineUserSessionHasClientSessions(RealmModel realm, UserModel user, UserSessionModel userSession) { + if (userSession.getClientLoginSessions().size() > 0) { + return; } if (logger.isTraceEnabled()) { - logger.tracef("Removing offline userSession for user %s as it doesn't have any client sessions attached. UserSessionID: %s", user.getUsername(), userSessionId); + logger.tracef("Removing offline userSession for user %s as it doesn't have any client sessions attached. UserSessionID: %s", user.getUsername(), userSession.getId()); } kcSession.sessions().removeOfflineUserSession(realm, userSession); - persister.removeUserSession(userSessionId, true); + persister.removeUserSession(userSession.getId(), true); } } diff --git a/services/src/main/java/org/keycloak/services/resources/AccountService.java b/services/src/main/java/org/keycloak/services/resources/AccountService.java index e0e5f8b55d..f4737ad0b6 100755 --- a/services/src/main/java/org/keycloak/services/resources/AccountService.java +++ b/services/src/main/java/org/keycloak/services/resources/AccountService.java @@ -30,6 +30,7 @@ import org.keycloak.forms.account.AccountPages; import org.keycloak.forms.account.AccountProvider; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AccountRoles; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.FederatedIdentityModel; @@ -164,16 +165,9 @@ public class AccountService extends AbstractSecuredLocalService { if (authResult != null) { UserSessionModel userSession = authResult.getSession(); if (userSession != null) { - boolean associated = false; - for (ClientSessionModel c : userSession.getClientSessions()) { - if (c.getClient().equals(client)) { - auth.setClientSession(c); - associated = true; - break; - } - } + boolean associated = userSession.getClientLoginSessions().get(client.getId()) != null; if (!associated) { - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); + ClientLoginSessionModel clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); clientSession.setUserSession(userSession); auth.setClientSession(clientSession); } diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java index f9efe19ab6..9dd9f9561c 100755 --- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java +++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java @@ -45,6 +45,7 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AuthenticationFlowModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; @@ -78,6 +79,7 @@ import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.validation.Validation; +import org.keycloak.sessions.LoginSessionModel; import org.keycloak.util.JsonSerialization; import javax.ws.rs.GET; @@ -108,7 +110,6 @@ import java.util.UUID; import static org.keycloak.models.AccountRoles.MANAGE_ACCOUNT; import static org.keycloak.models.AccountRoles.MANAGE_ACCOUNT_LINKS; -import static org.keycloak.models.ClientSessionModel.Action.AUTHENTICATE; import static org.keycloak.models.Constants.ACCOUNT_MANAGEMENT_CLIENT_ID; /** @@ -116,981 +117,958 @@ import static org.keycloak.models.Constants.ACCOUNT_MANAGEMENT_CLIENT_ID; * * @author Pedro Igor */ -public class IdentityBrokerService implements IdentityProvider.AuthenticationCallback { - - private static final Logger logger = Logger.getLogger(IdentityBrokerService.class); - - private final RealmModel realmModel; - - @Context - private UriInfo uriInfo; - - @Context - private KeycloakSession session; - - @Context - private ClientConnection clientConnection; - - @Context - private HttpRequest request; - - @Context - private HttpHeaders headers; - - private EventBuilder event; - - - public IdentityBrokerService(RealmModel realmModel) { - if (realmModel == null) { - throw new IllegalArgumentException("Realm can not be null."); - } - this.realmModel = realmModel; - } - - public void init() { - this.event = new EventBuilder(realmModel, session, clientConnection).event(EventType.IDENTITY_PROVIDER_LOGIN); - } - - private void checkRealm() { - if (!realmModel.isEnabled()) { - event.error(Errors.REALM_DISABLED); - throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED); - } - } - - private ClientModel checkClient(String clientId) { - if (clientId == null) { - event.error(Errors.INVALID_REQUEST); - throw new ErrorPageException(session, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM); - } - - event.client(clientId); - - ClientModel client = realmModel.getClientByClientId(clientId); - if (client == null) { - event.error(Errors.CLIENT_NOT_FOUND); - throw new ErrorPageException(session, Messages.INVALID_REQUEST); - } - - if (!client.isEnabled()) { - event.error(Errors.CLIENT_DISABLED); - throw new ErrorPageException(session, Messages.INVALID_REQUEST); - } - return client; - - } - - /** - * Closes off CORS preflight requests for account linking - * - * @param providerId - * @return - */ - @OPTIONS - @Path("/{provider_id}/link") - public Response clientIntiatedAccountLinkingPreflight(@PathParam("provider_id") String providerId) { - return Response.status(403).build(); // don't allow preflight - } - - - @GET - @NoCache - @Path("/{provider_id}/link") - public Response clientInitiatedAccountLinking(@PathParam("provider_id") String providerId, - @QueryParam("redirect_uri") String redirectUri, - @QueryParam("client_id") String clientId, - @QueryParam("nonce") String nonce, - @QueryParam("hash") String hash - ) { - this.event.event(EventType.CLIENT_INITIATED_ACCOUNT_LINKING); - checkRealm(); - ClientModel client = checkClient(clientId); - AuthenticationManager authenticationManager = new AuthenticationManager(); - redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realmModel, client); - if (redirectUri == null) { - event.error(Errors.INVALID_REDIRECT_URI); - throw new ErrorPageException(session, Messages.INVALID_REQUEST); - } - - if (nonce == null || hash == null) { - event.error(Errors.INVALID_REDIRECT_URI); - throw new ErrorPageException(session, Messages.INVALID_REQUEST); - - } - - // only allow origins from client. Not sure we need this as I don't believe cookies can be - // sent if CORS preflight requests can't execute. - String origin = headers.getRequestHeaders().getFirst("Origin"); - if (origin != null) { - String redirectOrigin = UriUtils.getOrigin(redirectUri); - if (!redirectOrigin.equals(origin)) { - event.error(Errors.ILLEGAL_ORIGIN); - throw new ErrorPageException(session, Messages.INVALID_REQUEST); - - } - } - - AuthResult cookieResult = authenticationManager.authenticateIdentityCookie(session, realmModel, true); - String errorParam = "link_error"; - if (cookieResult == null) { - event.error(Errors.NOT_LOGGED_IN); - UriBuilder builder = UriBuilder.fromUri(redirectUri) - .queryParam(errorParam, Errors.NOT_LOGGED_IN) - .queryParam("nonce", nonce); - - return Response.status(302).location(builder.build()).build(); - } - - - - ClientSessionModel clientSession = null; - for (ClientSessionModel cs : cookieResult.getSession().getClientSessions()) { - if (cs.getClient().getClientId().equals(clientId)) { - byte[] decoded = Base64Url.decode(hash); - MessageDigest md = null; - try { - md = MessageDigest.getInstance("SHA-256"); - } catch (NoSuchAlgorithmException e) { - throw new ErrorPageException(session, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST); - } - String input = nonce + cookieResult.getSession().getId() + cs.getId() + providerId; - byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8)); - if (MessageDigest.isEqual(decoded, check)) { - clientSession = cs; - break; - } - } - } - if (clientSession == null) { - event.error(Errors.INVALID_TOKEN); - throw new ErrorPageException(session, Messages.INVALID_REQUEST); - } - - - - ClientModel accountService = this.realmModel.getClientByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID); - if (!accountService.getId().equals(client.getId())) { - RoleModel manageAccountRole = accountService.getRole(MANAGE_ACCOUNT); - - if (!clientSession.getRoles().contains(manageAccountRole.getId())) { - RoleModel linkRole = accountService.getRole(MANAGE_ACCOUNT_LINKS); - if (!clientSession.getRoles().contains(linkRole.getId())) { - event.error(Errors.NOT_ALLOWED); - UriBuilder builder = UriBuilder.fromUri(redirectUri) - .queryParam(errorParam, Errors.NOT_ALLOWED) - .queryParam("nonce", nonce); - return Response.status(302).location(builder.build()).build(); - } - } - } - - - IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId); - if (identityProviderModel == null) { - event.error(Errors.UNKNOWN_IDENTITY_PROVIDER); - UriBuilder builder = UriBuilder.fromUri(redirectUri) - .queryParam(errorParam, Errors.UNKNOWN_IDENTITY_PROVIDER) - .queryParam("nonce", nonce); - return Response.status(302).location(builder.build()).build(); - - } - - - - ClientSessionCode clientSessionCode = new ClientSessionCode(session, realmModel, clientSession); - clientSessionCode.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - clientSessionCode.getCode(); - clientSession.setRedirectUri(redirectUri); - clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString()); - - event.success(); - - - try { - IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); - Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode)); - - if (response != null) { - if (isDebugEnabled()) { - logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response); - } - return response; - } - } catch (IdentityBrokerException e) { - return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); - } catch (Exception e) { - return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); - } - - return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); - - } - - - @POST - @Path("/{provider_id}/login") - public Response performPostLogin(@PathParam("provider_id") String providerId, @QueryParam("code") String code) { - return performLogin(providerId, code); - } - - @GET - @NoCache - @Path("/{provider_id}/login") - public Response performLogin(@PathParam("provider_id") String providerId, @QueryParam("code") String code) { - this.event.detail(Details.IDENTITY_PROVIDER, providerId); - - if (isDebugEnabled()) { - logger.debugf("Sending authentication request to identity provider [%s].", providerId); - } - - try { - ParsedCodeContext parsedCode = parseClientSessionCode(code); - if (parsedCode.response != null) { - return parsedCode.response; - } - - ClientSessionCode clientSessionCode = parsedCode.clientSessionCode; - IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId); - if (identityProviderModel == null) { - throw new IdentityBrokerException("Identity Provider [" + providerId + "] not found."); - } - if (identityProviderModel.isLinkOnly()) { - throw new IdentityBrokerException("Identity Provider [" + providerId + "] is not allowed to perform a login."); - - } - IdentityProviderFactory providerFactory = getIdentityProviderFactory(session, identityProviderModel); - - IdentityProvider identityProvider = providerFactory.create(session, identityProviderModel); - - Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode)); - - if (response != null) { - if (isDebugEnabled()) { - logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response); - } - return response; - } - } catch (IdentityBrokerException e) { - return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); - } catch (Exception e) { - return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); - } - - return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); - } - - @Path("{provider_id}/endpoint") - public Object getEndpoint(@PathParam("provider_id") String providerId) { - IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); - Object callback = identityProvider.callback(realmModel, this, event); - ResteasyProviderFactory.getInstance().injectProperties(callback); - //resourceContext.initResource(brokerService); - return callback; - - - } - - @Path("{provider_id}/token") - @OPTIONS - public Response retrieveTokenPreflight() { - return Cors.add(this.request, Response.ok()).auth().preflight().build(); - } - - @GET - @NoCache - @Path("{provider_id}/token") - public Response retrieveToken(@PathParam("provider_id") String providerId) { - return getToken(providerId, false); - } - - private boolean canReadBrokerToken(AccessToken token) { - Map resourceAccess = token.getResourceAccess(); - AccessToken.Access brokerRoles = resourceAccess == null ? null : resourceAccess.get(Constants.BROKER_SERVICE_CLIENT_ID); - return brokerRoles != null && brokerRoles.isUserInRole(Constants.READ_TOKEN_ROLE); - } - - private Response getToken(String providerId, boolean forceRetrieval) { - this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN); - - try { - AppAuthManager authManager = new AppAuthManager(); - AuthResult authResult = authManager.authenticateBearerToken(this.session, this.realmModel, this.uriInfo, this.clientConnection, this.request.getHttpHeaders()); - - if (authResult != null) { - AccessToken token = authResult.getToken(); - String[] audience = token.getAudience(); - ClientModel clientModel = this.realmModel.getClientByClientId(audience[0]); - - if (clientModel == null) { - return badRequest("Invalid client."); - } - - session.getContext().setClient(clientModel); - - ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID); - if (brokerClient == null) { - return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), clientModel); - - } - if (!canReadBrokerToken(token)) { - return corsResponse(forbidden("Client [" + clientModel.getClientId() + "] not authorized to retrieve tokens from identity provider [" + providerId + "]."), clientModel); - - } - - IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); - IdentityProviderModel identityProviderConfig = getIdentityProviderConfig(providerId); - - if (identityProviderConfig.isStoreToken()) { - FederatedIdentityModel identity = this.session.users().getFederatedIdentity(authResult.getUser(), providerId, this.realmModel); - - if (identity == null) { - return corsResponse(badRequest("User [" + authResult.getUser().getId() + "] is not associated with identity provider [" + providerId + "]."), clientModel); - } - - this.event.success(); - - return corsResponse(identityProvider.retrieveToken(session, identity), clientModel); - } - - return corsResponse(badRequest("Identity Provider [" + providerId + "] does not support this operation."), clientModel); - } - - return badRequest("Invalid token."); - } catch (IdentityBrokerException e) { - return redirectToErrorPage(Messages.COULD_NOT_OBTAIN_TOKEN, e, providerId); - } catch (Exception e) { - return redirectToErrorPage(Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e, providerId); - } - } - - public Response authenticated(BrokeredIdentityContext context) { - IdentityProviderModel identityProviderConfig = context.getIdpConfig(); - - final ParsedCodeContext parsedCode; - if (context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID) != null) { - parsedCode = samlIdpInitiatedSSO((String) context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID)); - } else { - parsedCode = parseClientSessionCode(context.getCode()); - } - if (parsedCode.response != null) { - return parsedCode.response; - } - ClientSessionCode clientCode = parsedCode.clientSessionCode; - - String providerId = identityProviderConfig.getAlias(); - if (!identityProviderConfig.isStoreToken()) { - if (isDebugEnabled()) { - logger.debugf("Token will not be stored for identity provider [%s].", providerId); - } - context.setToken(null); - } - - ClientSessionModel clientSession = clientCode.getClientSession(); - context.setClientSession(clientSession); - - session.getContext().setClient(clientSession.getClient()); - - context.getIdp().preprocessFederatedIdentity(session, realmModel, context); - Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); - if (mappers != null) { - KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); - for (IdentityProviderMapperModel mapper : mappers) { - IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); - target.preprocessFederatedIdentity(session, realmModel, mapper, context); - } - } - - FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(providerId, context.getId(), - context.getUsername(), context.getToken()); - - this.event.event(EventType.IDENTITY_PROVIDER_LOGIN) - .detail(Details.REDIRECT_URI, clientSession.getRedirectUri()) - .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); - - UserModel federatedUser = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel); - - // Check if federatedUser is already authenticated (this means linking social into existing federatedUser account) - if (clientSession.getUserSession() != null) { - return performAccountLinking(clientSession, context, federatedIdentityModel, federatedUser); - } - - if (federatedUser == null) { - - logger.debugf("Federated user not found for provider '%s' and broker username '%s' . Redirecting to flow for firstBrokerLogin", providerId, context.getUsername()); - - String username = context.getModelUsername(); - if (username == null) { - if (this.realmModel.isRegistrationEmailAsUsername() && !Validation.isBlank(context.getEmail())) { - username = context.getEmail(); - } else if (context.getUsername() == null) { - username = context.getIdpConfig().getAlias() + "." + context.getId(); - } else { - username = context.getUsername(); - } - } - username = username.trim(); - context.setModelUsername(username); - - clientSession.setTimestamp(Time.currentTime()); - - SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context); - ctx.saveToClientSession(clientSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); - - URI redirect = LoginActionsService.firstBrokerLoginProcessor(uriInfo) - .queryParam(OAuth2Constants.CODE, clientCode.getCode()) - .build(realmModel.getName()); - return Response.status(302).location(redirect).build(); - - } else { - Response response = validateUser(federatedUser, realmModel); - if (response != null) { - return response; - } - - updateFederatedIdentity(context, federatedUser); - clientSession.setAuthenticatedUser(federatedUser); - - return finishOrRedirectToPostBrokerLogin(clientSession, context, false, parsedCode.clientSessionCode); - } - } - - public Response validateUser(UserModel user, RealmModel realm) { - if (!user.isEnabled()) { - event.error(Errors.USER_DISABLED); - return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); - } - if (realm.isBruteForceProtected()) { - if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) { - event.error(Errors.USER_TEMPORARILY_DISABLED); - return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); - } - } - return null; - } - - // Callback from LoginActionsService after first login with broker was done and Keycloak account is successfully linked/created - @GET - @NoCache - @Path("/after-first-broker-login") - public Response afterFirstBrokerLogin(@QueryParam("code") String code) { - ParsedCodeContext parsedCode = parseClientSessionCode(code); - if (parsedCode.response != null) { - return parsedCode.response; - } - return afterFirstBrokerLogin(parsedCode.clientSessionCode); - } - - private Response afterFirstBrokerLogin(ClientSessionCode clientSessionCode) { - ClientSessionModel clientSession = clientSessionCode.getClientSession(); - - try { - this.event.detail(Details.CODE_ID, clientSession.getId()) - .removeDetail("auth_method"); - - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); - if (serializedCtx == null) { - throw new IdentityBrokerException("Not found serialized context in clientSession"); - } - BrokeredIdentityContext context = serializedCtx.deserialize(session, clientSession); - String providerId = context.getIdpConfig().getAlias(); - - event.detail(Details.IDENTITY_PROVIDER, providerId); - event.detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); - - // firstBrokerLogin workflow finished. Removing note now - clientSession.removeNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); - - UserModel federatedUser = clientSession.getAuthenticatedUser(); - if (federatedUser == null) { - throw new IdentityBrokerException("Couldn't found authenticated federatedUser in clientSession"); - } - - event.user(federatedUser); - event.detail(Details.USERNAME, federatedUser.getUsername()); - - if (context.getIdpConfig().isAddReadTokenRoleOnCreate()) { - ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID); - if (brokerClient == null) { - throw new IdentityBrokerException("Client 'broker' not available. Maybe realm has not migrated to support the broker token exchange service"); - } - RoleModel readTokenRole = brokerClient.getRole(Constants.READ_TOKEN_ROLE); - federatedUser.grantRole(readTokenRole); - } - - // Add federated identity link here - FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(context.getIdpConfig().getAlias(), context.getId(), - context.getUsername(), context.getToken()); - session.users().addFederatedIdentity(realmModel, federatedUser, federatedIdentityModel); - - - String isRegisteredNewUser = clientSession.getNote(AbstractIdpAuthenticator.BROKER_REGISTERED_NEW_USER); - if (Boolean.parseBoolean(isRegisteredNewUser)) { - - logger.debugf("Registered new user '%s' after first login with identity provider '%s'. Identity provider username is '%s' . ", federatedUser.getUsername(), providerId, context.getUsername()); - - context.getIdp().importNewUser(session, realmModel, federatedUser, context); - Set mappers = realmModel.getIdentityProviderMappersByAlias(providerId); - if (mappers != null) { - KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); - for (IdentityProviderMapperModel mapper : mappers) { - IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); - target.importNewUser(session, realmModel, federatedUser, mapper, context); - } - } - - if (context.getIdpConfig().isTrustEmail() && !Validation.isBlank(federatedUser.getEmail()) && !Boolean.parseBoolean(clientSession.getNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) { - logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", federatedUser.getUsername(), context.getIdpConfig().getAlias()); - federatedUser.setEmailVerified(true); - } - - event.event(EventType.REGISTER) - .detail(Details.REGISTER_METHOD, "broker") - .detail(Details.EMAIL, federatedUser.getEmail()) - .success(); - - } else { - logger.debugf("Linked existing keycloak user '%s' with identity provider '%s' . Identity provider username is '%s' .", federatedUser.getUsername(), providerId, context.getUsername()); - - event.event(EventType.FEDERATED_IDENTITY_LINK) - .success(); - - updateFederatedIdentity(context, federatedUser); - } - - return finishOrRedirectToPostBrokerLogin(clientSession, context, true, clientSessionCode); - - } catch (Exception e) { - return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); - } - } - - - private Response finishOrRedirectToPostBrokerLogin(ClientSessionModel clientSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode clientSessionCode) { - String postBrokerLoginFlowId = context.getIdpConfig().getPostBrokerLoginFlowId(); - if (postBrokerLoginFlowId == null) { - - logger.debugf("Skip redirect to postBrokerLogin flow. PostBrokerLogin flow not set for identityProvider '%s'.", context.getIdpConfig().getAlias()); - return afterPostBrokerLoginFlowSuccess(clientSession, context, wasFirstBrokerLogin, clientSessionCode); - } else { - - logger.debugf("Redirect to postBrokerLogin flow after authentication with identityProvider '%s'.", context.getIdpConfig().getAlias()); - - clientSession.setTimestamp(Time.currentTime()); - - SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context); - ctx.saveToClientSession(clientSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); - - clientSession.setNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN, String.valueOf(wasFirstBrokerLogin)); - - URI redirect = LoginActionsService.postBrokerLoginProcessor(uriInfo) - .queryParam(OAuth2Constants.CODE, clientSessionCode.getCode()) - .build(realmModel.getName()); - return Response.status(302).location(redirect).build(); - } - } - - - // Callback from LoginActionsService after postBrokerLogin flow is finished - @GET - @NoCache - @Path("/after-post-broker-login") - public Response afterPostBrokerLoginFlow(@QueryParam("code") String code) { - ParsedCodeContext parsedCode = parseClientSessionCode(code); - if (parsedCode.response != null) { - return parsedCode.response; - } - ClientSessionModel clientSession = parsedCode.clientSessionCode.getClientSession(); - - try { - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); - if (serializedCtx == null) { - throw new IdentityBrokerException("Not found serialized context in clientSession. Note " + PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT + " was null"); - } - BrokeredIdentityContext context = serializedCtx.deserialize(session, clientSession); - - String wasFirstBrokerLoginNote = clientSession.getNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); - boolean wasFirstBrokerLogin = Boolean.parseBoolean(wasFirstBrokerLoginNote); - - // Ensure the post-broker-login flow was successfully finished - String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + context.getIdpConfig().getAlias(); - String authState = clientSession.getNote(authStateNoteKey); - if (!Boolean.parseBoolean(authState)) { - throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished"); - } - - // remove notes - clientSession.removeNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); - clientSession.removeNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); - - return afterPostBrokerLoginFlowSuccess(clientSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode); - } catch (IdentityBrokerException e) { - return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); - } - } - - private Response afterPostBrokerLoginFlowSuccess(ClientSessionModel clientSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode clientSessionCode) { - String providerId = context.getIdpConfig().getAlias(); - UserModel federatedUser = clientSession.getAuthenticatedUser(); - - if (wasFirstBrokerLogin) { - - String isDifferentBrowser = clientSession.getNote(AbstractIdpAuthenticator.IS_DIFFERENT_BROWSER); - if (Boolean.parseBoolean(isDifferentBrowser)) { - session.sessions().removeClientSession(realmModel, clientSession); - return session.getProvider(LoginFormsProvider.class) - .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, context.getIdpConfig().getAlias(), context.getUsername()) - .createInfoPage(); - } else { - return finishBrokerAuthentication(context, federatedUser, clientSession, providerId); - } - - } else { - - boolean firstBrokerLoginInProgress = (clientSession.getNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); - if (firstBrokerLoginInProgress) { - logger.debugf("Reauthenticated with broker '%s' when linking user '%s' with other broker", context.getIdpConfig().getAlias(), federatedUser.getUsername()); - - UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, clientSession); - if (!linkingUser.getId().equals(federatedUser.getId())) { - return redirectToErrorPage(Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername()); - } - - return afterFirstBrokerLogin(clientSessionCode); - } else { - return finishBrokerAuthentication(context, federatedUser, clientSession, providerId); - } - } - } - - - private Response finishBrokerAuthentication(BrokeredIdentityContext context, UserModel federatedUser, ClientSessionModel clientSession, String providerId) { - UserSessionModel userSession = this.session.sessions() - .createUserSession(this.realmModel, federatedUser, federatedUser.getUsername(), this.clientConnection.getRemoteAddr(), "broker", false, context.getBrokerSessionId(), context.getBrokerUserId()); - - this.event.user(federatedUser); - this.event.session(userSession); - - TokenManager.attachClientSession(userSession, clientSession); - context.getIdp().attachUserSession(userSession, clientSession, context); - userSession.setNote(Details.IDENTITY_PROVIDER, providerId); - userSession.setNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); - - if (isDebugEnabled()) { - logger.debugf("Performing local authentication for user [%s].", federatedUser); - } - - return AuthenticationProcessor.redirectToRequiredActions(session, realmModel, clientSession, uriInfo); - } - - - @Override - public Response cancelled(String code) { - ParsedCodeContext parsedCode = parseClientSessionCode(code); - if (parsedCode.response != null) { - return parsedCode.response; - } - ClientSessionCode clientCode = parsedCode.clientSessionCode; - - Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.CONSENT_DENIED); - if (accountManagementFailedLinking != null) { - return accountManagementFailedLinking; - } - - return browserAuthentication(clientCode.getClientSession(), null); - } - - @Override - public Response error(String code, String message) { - ParsedCodeContext parsedCode = parseClientSessionCode(code); - if (parsedCode.response != null) { - return parsedCode.response; - } - ClientSessionCode clientCode = parsedCode.clientSessionCode; - - Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), message); - if (accountManagementFailedLinking != null) { - return accountManagementFailedLinking; - } - - return browserAuthentication(clientCode.getClientSession(), message); - } - - private Response performAccountLinking(ClientSessionModel clientSession, BrokeredIdentityContext context, FederatedIdentityModel newModel, UserModel federatedUser) { - this.event.event(EventType.FEDERATED_IDENTITY_LINK); - - - - UserModel authenticatedUser = clientSession.getUserSession().getUser(); - - if (federatedUser != null && !authenticatedUser.getId().equals(federatedUser.getId())) { - return redirectToAccountErrorPage(clientSession, Messages.IDENTITY_PROVIDER_ALREADY_LINKED, context.getIdpConfig().getAlias()); - } - - if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(MANAGE_ACCOUNT))) { - return redirectToErrorPage(Messages.INSUFFICIENT_PERMISSION); - } - - if (!authenticatedUser.isEnabled()) { - return redirectToAccountErrorPage(clientSession, Messages.ACCOUNT_DISABLED); - } - - - - if (federatedUser != null) { - if (context.getIdpConfig().isStoreToken()) { - FederatedIdentityModel oldModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel); - if (!ObjectUtil.isEqualOrBothNull(context.getToken(), oldModel.getToken())) { - this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, newModel); - if (isDebugEnabled()) { - logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias()); - } - } - } - } else { - this.session.users().addFederatedIdentity(this.realmModel, authenticatedUser, newModel); - } - context.getIdp().attachUserSession(clientSession.getUserSession(), clientSession, context); - - - if (isDebugEnabled()) { - logger.debugf("Linking account [%s] from identity provider [%s] to user [%s].", newModel, context.getIdpConfig().getAlias(), authenticatedUser); - } - - this.event.user(authenticatedUser) - .detail(Details.USERNAME, authenticatedUser.getUsername()) - .detail(Details.IDENTITY_PROVIDER, newModel.getIdentityProvider()) - .detail(Details.IDENTITY_PROVIDER_USERNAME, newModel.getUserName()) - .success(); - - // we do this to make sure that the parent IDP is logged out when this user session is complete. - - clientSession.getUserSession().setNote(Details.IDENTITY_PROVIDER, context.getIdpConfig().getAlias()); - clientSession.getUserSession().setNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); - - return Response.status(302).location(UriBuilder.fromUri(clientSession.getRedirectUri()).build()).build(); - } - - private void updateFederatedIdentity(BrokeredIdentityContext context, UserModel federatedUser) { - FederatedIdentityModel federatedIdentityModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel); - - // Skip DB write if tokens are null or equal - updateToken(context, federatedUser, federatedIdentityModel); - context.getIdp().updateBrokeredUser(session, realmModel, federatedUser, context); - Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); - if (mappers != null) { - KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); - for (IdentityProviderMapperModel mapper : mappers) { - IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); - target.updateBrokeredUser(session, realmModel, federatedUser, mapper, context); - } - } - - } - - private void updateToken(BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel) { - if (context.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(context.getToken(), federatedIdentityModel.getToken())) { - federatedIdentityModel.setToken(context.getToken()); - - this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel); - - if (isDebugEnabled()) { - logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias()); - } - } - } - - private ParsedCodeContext parseClientSessionCode(String code) { - ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel); - - if (clientCode != null) { - ClientSessionModel clientSession = clientCode.getClientSession(); - - if (clientSession.getUserSession() != null) { - this.event.session(clientSession.getUserSession()); - } - - ClientModel client = clientSession.getClient(); - - if (client != null) { - - logger.debugf("Got authorization code from client [%s].", client.getClientId()); - this.event.client(client); - this.session.getContext().setClient(client); - - if (!clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { - logger.debugf("Authorization code is not valid. Client session ID: %s, Client session's action: %s", clientSession.getId(), clientSession.getAction()); - - // Check if error happened during login or during linking from account management - Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.STALE_CODE_ACCOUNT); - Response staleCodeError = (accountManagementFailedLinking != null) ? accountManagementFailedLinking : redirectToErrorPage(Messages.STALE_CODE); - - - return ParsedCodeContext.response(staleCodeError); - } - - if (isDebugEnabled()) { - logger.debugf("Authorization code is valid."); - } - - return ParsedCodeContext.clientSessionCode(clientCode); - } - } - - logger.debugf("Authorization code is not valid. Code: %s", code); - Response staleCodeError = redirectToErrorPage(Messages.STALE_CODE); - return ParsedCodeContext.response(staleCodeError); - } - - /** - * If there is a client whose SAML IDP-initiated SSO URL name is set to the - * given {@code clientUrlName}, creates a fresh client session for that - * client and returns a {@link ParsedCodeContext} object with that session. - * Otherwise returns "client not found" response. - * - * @param clientUrlName - * @return see description - */ - private ParsedCodeContext samlIdpInitiatedSSO(final String clientUrlName) { - event.event(EventType.LOGIN); - CacheControlUtil.noBackButtonCacheControlHeader(); - Optional oClient = this.realmModel.getClients().stream() - .filter(c -> Objects.equals(c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME), clientUrlName)) - .findFirst(); - - if (! oClient.isPresent()) { - event.error(Errors.CLIENT_NOT_FOUND); - return ParsedCodeContext.response(redirectToErrorPage(Messages.CLIENT_NOT_FOUND)); - } - - ClientSessionModel clientSession = SamlService.createClientSessionForIdpInitiatedSso(session, realmModel, oClient.get(), null); - - return ParsedCodeContext.clientSessionCode(new ClientSessionCode(session, this.realmModel, clientSession)); - } - - /** - * Returns {@code true} if the client session is defined for the given code - * in the current session and for the current realm. - * Does not check the session validity. To obtain client session if - * and only if it exists and is valid, use {@link ClientSessionCode#parse}. - * - * @param code - * @return - */ - protected boolean isClientSessionRegistered(String code) { - if (code == null) { - return false; - } - - try { - return ClientSessionCode.getClientSession(code, this.session, this.realmModel) != null; - } catch (RuntimeException e) { - return false; - } - } - - private Response checkAccountManagementFailedLinking(ClientSessionModel clientSession, String error, Object... parameters) { - if (clientSession.getUserSession() != null && clientSession.getClient() != null && clientSession.getClient().getClientId().equals(ACCOUNT_MANAGEMENT_CLIENT_ID)) { - - this.event.event(EventType.FEDERATED_IDENTITY_LINK); - UserModel user = clientSession.getUserSession().getUser(); - this.event.user(user); - this.event.detail(Details.USERNAME, user.getUsername()); - - return redirectToAccountErrorPage(clientSession, error, parameters); - } else { - return null; - } - } - - private AuthenticationRequest createAuthenticationRequest(String providerId, ClientSessionCode clientSessionCode) { - ClientSessionModel clientSession = null; - String relayState = null; - - if (clientSessionCode != null) { - clientSession = clientSessionCode.getClientSession(); - relayState = clientSessionCode.getCode(); - } - - return new AuthenticationRequest(this.session, this.realmModel, clientSession, this.request, this.uriInfo, relayState, getRedirectUri(providerId)); - } - - private String getRedirectUri(String providerId) { - return Urls.identityProviderAuthnResponse(this.uriInfo.getBaseUri(), providerId, this.realmModel.getName()).toString(); - } - - private Response redirectToErrorPage(String message, Object ... parameters) { - return redirectToErrorPage(message, null, parameters); - } - - private Response redirectToErrorPage(String message, Throwable throwable, Object ... parameters) { - if (message == null) { - message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; - } - - fireErrorEvent(message, throwable); - return ErrorPage.error(this.session, message, parameters); - } - - private Response redirectToAccountErrorPage(ClientSessionModel clientSession, String message, Object ... parameters) { - fireErrorEvent(message); - - FormMessage errorMessage = new FormMessage(message, parameters); - try { - String serializedError = JsonSerialization.writeValueAsString(errorMessage); - clientSession.setNote(AccountService.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, serializedError); - } catch (IOException ioe) { - throw new RuntimeException(ioe); - } - - return Response.status(302).location(UriBuilder.fromUri(clientSession.getRedirectUri()).build()).build(); - } - - private Response redirectToLoginPage(Throwable t, ClientSessionCode clientCode) { - String message = t.getMessage(); - - if (message == null) { - message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; - } - - fireErrorEvent(message); - return browserAuthentication(clientCode.getClientSession(), message); - } - - protected Response browserAuthentication(ClientSessionModel clientSession, String errorMessage) { - this.event.event(EventType.LOGIN); - AuthenticationFlowModel flow = realmModel.getBrowserFlow(); - String flowId = flow.getId(); - AuthenticationProcessor processor = new AuthenticationProcessor(); - processor.setClientSession(clientSession) - .setFlowPath(LoginActionsService.AUTHENTICATE_PATH) - .setFlowId(flowId) - .setBrowserFlow(true) - .setConnection(clientConnection) - .setEventBuilder(event) - .setRealm(realmModel) - .setSession(session) - .setUriInfo(uriInfo) - .setRequest(request); - if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage)); - - try { - CacheControlUtil.noBackButtonCacheControlHeader(); - return processor.authenticate(); - } catch (Exception e) { - return processor.handleBrowserException(e); - } - } - - - private Response badRequest(String message) { - fireErrorEvent(message); - return ErrorResponse.error(message, Status.BAD_REQUEST); - } - - private Response forbidden(String message) { - fireErrorEvent(message); - return ErrorResponse.error(message, Status.FORBIDDEN); - } +public class IdentityBrokerService { +//public class IdentityBrokerService implements IdentityProvider.AuthenticationCallback { +// +// private static final Logger logger = Logger.getLogger(IdentityBrokerService.class); +// +// private final RealmModel realmModel; +// +// @Context +// private UriInfo uriInfo; +// +// @Context +// private KeycloakSession session; +// +// @Context +// private ClientConnection clientConnection; +// +// @Context +// private HttpRequest request; +// +// @Context +// private HttpHeaders headers; +// +// private EventBuilder event; +// +// +// public IdentityBrokerService(RealmModel realmModel) { +// if (realmModel == null) { +// throw new IllegalArgumentException("Realm can not be null."); +// } +// this.realmModel = realmModel; +// } +// +// public void init() { +// this.event = new EventBuilder(realmModel, session, clientConnection).event(EventType.IDENTITY_PROVIDER_LOGIN); +// } +// +// private void checkRealm() { +// if (!realmModel.isEnabled()) { +// event.error(Errors.REALM_DISABLED); +// throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED); +// } +// } +// +// private ClientModel checkClient(String clientId) { +// if (clientId == null) { +// event.error(Errors.INVALID_REQUEST); +// throw new ErrorPageException(session, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM); +// } +// +// event.client(clientId); +// +// ClientModel client = realmModel.getClientByClientId(clientId); +// if (client == null) { +// event.error(Errors.CLIENT_NOT_FOUND); +// throw new ErrorPageException(session, Messages.INVALID_REQUEST); +// } +// +// if (!client.isEnabled()) { +// event.error(Errors.CLIENT_DISABLED); +// throw new ErrorPageException(session, Messages.INVALID_REQUEST); +// } +// return client; +// +// } +// +// /** +// * Closes off CORS preflight requests for account linking +// * +// * @param providerId +// * @return +// */ +// @OPTIONS +// @Path("/{provider_id}/link") +// public Response clientIntiatedAccountLinkingPreflight(@PathParam("provider_id") String providerId) { +// return Response.status(403).build(); // don't allow preflight +// } +// +// +// @GET +// @NoCache +// @Path("/{provider_id}/link") +// public Response clientInitiatedAccountLinking(@PathParam("provider_id") String providerId, +// @QueryParam("redirect_uri") String redirectUri, +// @QueryParam("client_id") String clientId, +// @QueryParam("nonce") String nonce, +// @QueryParam("hash") String hash +// ) { +// this.event.event(EventType.CLIENT_INITIATED_ACCOUNT_LINKING); +// checkRealm(); +// ClientModel client = checkClient(clientId); +// AuthenticationManager authenticationManager = new AuthenticationManager(); +// redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realmModel, client); +// if (redirectUri == null) { +// event.error(Errors.INVALID_REDIRECT_URI); +// throw new ErrorPageException(session, Messages.INVALID_REQUEST); +// } +// +// if (nonce == null || hash == null) { +// event.error(Errors.INVALID_REDIRECT_URI); +// throw new ErrorPageException(session, Messages.INVALID_REQUEST); +// +// } +// +// // only allow origins from client. Not sure we need this as I don't believe cookies can be +// // sent if CORS preflight requests can't execute. +// String origin = headers.getRequestHeaders().getFirst("Origin"); +// if (origin != null) { +// String redirectOrigin = UriUtils.getOrigin(redirectUri); +// if (!redirectOrigin.equals(origin)) { +// event.error(Errors.ILLEGAL_ORIGIN); +// throw new ErrorPageException(session, Messages.INVALID_REQUEST); +// +// } +// } +// +// AuthResult cookieResult = authenticationManager.authenticateIdentityCookie(session, realmModel, true); +// String errorParam = "link_error"; +// if (cookieResult == null) { +// event.error(Errors.NOT_LOGGED_IN); +// UriBuilder builder = UriBuilder.fromUri(redirectUri) +// .queryParam(errorParam, Errors.NOT_LOGGED_IN) +// .queryParam("nonce", nonce); +// +// return Response.status(302).location(builder.build()).build(); +// } +// +// +// +// ClientLoginSessionModel clientSession = null; +// for (ClientLoginSessionModel cs : cookieResult.getSession().getClientLoginSessions().values()) { +// if (cs.getClient().getClientId().equals(clientId)) { +// byte[] decoded = Base64Url.decode(hash); +// MessageDigest md = null; +// try { +// md = MessageDigest.getInstance("SHA-256"); +// } catch (NoSuchAlgorithmException e) { +// throw new ErrorPageException(session, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST); +// } +// String input = nonce + cookieResult.getSession().getId() + cs.getId() + providerId; +// byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8)); +// if (MessageDigest.isEqual(decoded, check)) { +// clientSession = cs; +// break; +// } +// } +// } +// if (clientSession == null) { +// event.error(Errors.INVALID_TOKEN); +// throw new ErrorPageException(session, Messages.INVALID_REQUEST); +// } +// +// +// +// ClientModel accountService = this.realmModel.getClientByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID); +// if (!accountService.getId().equals(client.getId())) { +// RoleModel manageAccountRole = accountService.getRole(MANAGE_ACCOUNT); +// +// if (!clientSession.getRoles().contains(manageAccountRole.getId())) { +// RoleModel linkRole = accountService.getRole(MANAGE_ACCOUNT_LINKS); +// if (!clientSession.getRoles().contains(linkRole.getId())) { +// event.error(Errors.NOT_ALLOWED); +// UriBuilder builder = UriBuilder.fromUri(redirectUri) +// .queryParam(errorParam, Errors.NOT_ALLOWED) +// .queryParam("nonce", nonce); +// return Response.status(302).location(builder.build()).build(); +// } +// } +// } +// +// +// IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId); +// if (identityProviderModel == null) { +// event.error(Errors.UNKNOWN_IDENTITY_PROVIDER); +// UriBuilder builder = UriBuilder.fromUri(redirectUri) +// .queryParam(errorParam, Errors.UNKNOWN_IDENTITY_PROVIDER) +// .queryParam("nonce", nonce); +// return Response.status(302).location(builder.build()).build(); +// +// } +// +// +// // TODO: Create LoginSessionModel and Login cookie and set the state inside. See my notes document +// ClientSessionCode clientSessionCode = new ClientSessionCode(session, realmModel, clientSession); +// clientSessionCode.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); +// clientSessionCode.getCode(); +// clientSession.setRedirectUri(redirectUri); +// clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString()); +// +// event.success(); +// +// +// try { +// IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); +// Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode)); +// +// if (response != null) { +// if (isDebugEnabled()) { +// logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response); +// } +// return response; +// } +// } catch (IdentityBrokerException e) { +// return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); +// } catch (Exception e) { +// return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); +// } +// +// return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); +// +// } +// +// +// @POST +// @Path("/{provider_id}/login") +// public Response performPostLogin(@PathParam("provider_id") String providerId, @QueryParam("code") String code) { +// return performLogin(providerId, code); +// } +// +// @GET +// @NoCache +// @Path("/{provider_id}/login") +// public Response performLogin(@PathParam("provider_id") String providerId, @QueryParam("code") String code) { +// this.event.detail(Details.IDENTITY_PROVIDER, providerId); +// +// if (isDebugEnabled()) { +// logger.debugf("Sending authentication request to identity provider [%s].", providerId); +// } +// +// try { +// ParsedCodeContext parsedCode = parseClientSessionCode(code); +// if (parsedCode.response != null) { +// return parsedCode.response; +// } +// +// ClientSessionCode clientSessionCode = parsedCode.clientSessionCode; +// IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId); +// if (identityProviderModel == null) { +// throw new IdentityBrokerException("Identity Provider [" + providerId + "] not found."); +// } +// if (identityProviderModel.isLinkOnly()) { +// throw new IdentityBrokerException("Identity Provider [" + providerId + "] is not allowed to perform a login."); +// +// } +// IdentityProviderFactory providerFactory = getIdentityProviderFactory(session, identityProviderModel); +// +// IdentityProvider identityProvider = providerFactory.create(session, identityProviderModel); +// +// Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode)); +// +// if (response != null) { +// if (isDebugEnabled()) { +// logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response); +// } +// return response; +// } +// } catch (IdentityBrokerException e) { +// return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); +// } catch (Exception e) { +// return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); +// } +// +// return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); +// } +// +// @Path("{provider_id}/endpoint") +// public Object getEndpoint(@PathParam("provider_id") String providerId) { +// IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); +// Object callback = identityProvider.callback(realmModel, this, event); +// ResteasyProviderFactory.getInstance().injectProperties(callback); +// //resourceContext.initResource(brokerService); +// return callback; +// +// +// } +// +// @Path("{provider_id}/token") +// @OPTIONS +// public Response retrieveTokenPreflight() { +// return Cors.add(this.request, Response.ok()).auth().preflight().build(); +// } +// +// @GET +// @NoCache +// @Path("{provider_id}/token") +// public Response retrieveToken(@PathParam("provider_id") String providerId) { +// return getToken(providerId, false); +// } +// +// private boolean canReadBrokerToken(AccessToken token) { +// Map resourceAccess = token.getResourceAccess(); +// AccessToken.Access brokerRoles = resourceAccess == null ? null : resourceAccess.get(Constants.BROKER_SERVICE_CLIENT_ID); +// return brokerRoles != null && brokerRoles.isUserInRole(Constants.READ_TOKEN_ROLE); +// } +// +// private Response getToken(String providerId, boolean forceRetrieval) { +// this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN); +// +// try { +// AppAuthManager authManager = new AppAuthManager(); +// AuthResult authResult = authManager.authenticateBearerToken(this.session, this.realmModel, this.uriInfo, this.clientConnection, this.request.getHttpHeaders()); +// +// if (authResult != null) { +// AccessToken token = authResult.getToken(); +// String[] audience = token.getAudience(); +// ClientModel clientModel = this.realmModel.getClientByClientId(audience[0]); +// +// if (clientModel == null) { +// return badRequest("Invalid client."); +// } +// +// session.getContext().setClient(clientModel); +// +// ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID); +// if (brokerClient == null) { +// return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), clientModel); +// +// } +// if (!canReadBrokerToken(token)) { +// return corsResponse(forbidden("Client [" + clientModel.getClientId() + "] not authorized to retrieve tokens from identity provider [" + providerId + "]."), clientModel); +// +// } +// +// IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); +// IdentityProviderModel identityProviderConfig = getIdentityProviderConfig(providerId); +// +// if (identityProviderConfig.isStoreToken()) { +// FederatedIdentityModel identity = this.session.users().getFederatedIdentity(authResult.getUser(), providerId, this.realmModel); +// +// if (identity == null) { +// return corsResponse(badRequest("User [" + authResult.getUser().getId() + "] is not associated with identity provider [" + providerId + "]."), clientModel); +// } +// +// this.event.success(); +// +// return corsResponse(identityProvider.retrieveToken(session, identity), clientModel); +// } +// +// return corsResponse(badRequest("Identity Provider [" + providerId + "] does not support this operation."), clientModel); +// } +// +// return badRequest("Invalid token."); +// } catch (IdentityBrokerException e) { +// return redirectToErrorPage(Messages.COULD_NOT_OBTAIN_TOKEN, e, providerId); +// } catch (Exception e) { +// return redirectToErrorPage(Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e, providerId); +// } +// } +// +// public Response authenticated(BrokeredIdentityContext context) { +// IdentityProviderModel identityProviderConfig = context.getIdpConfig(); +// +// final ParsedCodeContext parsedCode; +// if (context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID) != null) { +// parsedCode = samlIdpInitiatedSSO((String) context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID)); +// } else { +// parsedCode = parseClientSessionCode(context.getCode()); +// } +// if (parsedCode.response != null) { +// return parsedCode.response; +// } +// ClientSessionCode clientCode = parsedCode.clientSessionCode; +// +// String providerId = identityProviderConfig.getAlias(); +// if (!identityProviderConfig.isStoreToken()) { +// if (isDebugEnabled()) { +// logger.debugf("Token will not be stored for identity provider [%s].", providerId); +// } +// context.setToken(null); +// } +// +// LoginSessionModel loginSession = clientCode.getClientSession(); +// context.setLoginSession(loginSession); +// +// session.getContext().setClient(loginSession.getClient()); +// +// context.getIdp().preprocessFederatedIdentity(session, realmModel, context); +// Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); +// if (mappers != null) { +// KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); +// for (IdentityProviderMapperModel mapper : mappers) { +// IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); +// target.preprocessFederatedIdentity(session, realmModel, mapper, context); +// } +// } +// +// FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(providerId, context.getId(), +// context.getUsername(), context.getToken()); +// +// this.event.event(EventType.IDENTITY_PROVIDER_LOGIN) +// .detail(Details.REDIRECT_URI, loginSession.getRedirectUri()) +// .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); +// +// UserModel federatedUser = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel); +// +// // Check if federatedUser is already authenticated (this means linking social into existing federatedUser account) +// if (loginSession.getUserSession() != null) { +// return performAccountLinking(clientSession, context, federatedIdentityModel, federatedUser); +// } +// +// if (federatedUser == null) { +// +// logger.debugf("Federated user not found for provider '%s' and broker username '%s' . Redirecting to flow for firstBrokerLogin", providerId, context.getUsername()); +// +// String username = context.getModelUsername(); +// if (username == null) { +// if (this.realmModel.isRegistrationEmailAsUsername() && !Validation.isBlank(context.getEmail())) { +// username = context.getEmail(); +// } else if (context.getUsername() == null) { +// username = context.getIdpConfig().getAlias() + "." + context.getId(); +// } else { +// username = context.getUsername(); +// } +// } +// username = username.trim(); +// context.setModelUsername(username); +// +// clientSession.setTimestamp(Time.currentTime()); +// +// SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context); +// ctx.saveToClientSession(clientSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); +// +// URI redirect = LoginActionsService.firstBrokerLoginProcessor(uriInfo) +// .queryParam(OAuth2Constants.CODE, clientCode.getCode()) +// .build(realmModel.getName()); +// return Response.status(302).location(redirect).build(); +// +// } else { +// Response response = validateUser(federatedUser, realmModel); +// if (response != null) { +// return response; +// } +// +// updateFederatedIdentity(context, federatedUser); +// clientSession.setAuthenticatedUser(federatedUser); +// +// return finishOrRedirectToPostBrokerLogin(clientSession, context, false, parsedCode.clientSessionCode); +// } +// } +// +// public Response validateUser(UserModel user, RealmModel realm) { +// if (!user.isEnabled()) { +// event.error(Errors.USER_DISABLED); +// return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); +// } +// if (realm.isBruteForceProtected()) { +// if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) { +// event.error(Errors.USER_TEMPORARILY_DISABLED); +// return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); +// } +// } +// return null; +// } +// +// // Callback from LoginActionsService after first login with broker was done and Keycloak account is successfully linked/created +// @GET +// @NoCache +// @Path("/after-first-broker-login") +// public Response afterFirstBrokerLogin(@QueryParam("code") String code) { +// ParsedCodeContext parsedCode = parseClientSessionCode(code); +// if (parsedCode.response != null) { +// return parsedCode.response; +// } +// return afterFirstBrokerLogin(parsedCode.clientSessionCode); +// } +// +// private Response afterFirstBrokerLogin(ClientSessionCode clientSessionCode) { +// ClientSessionModel clientSession = clientSessionCode.getClientSession(); +// +// try { +// this.event.detail(Details.CODE_ID, clientSession.getId()) +// .removeDetail("auth_method"); +// +// SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); +// if (serializedCtx == null) { +// throw new IdentityBrokerException("Not found serialized context in clientSession"); +// } +// BrokeredIdentityContext context = serializedCtx.deserialize(session, clientSession); +// String providerId = context.getIdpConfig().getAlias(); +// +// event.detail(Details.IDENTITY_PROVIDER, providerId); +// event.detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); +// +// // firstBrokerLogin workflow finished. Removing note now +// clientSession.removeNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); +// +// UserModel federatedUser = clientSession.getAuthenticatedUser(); +// if (federatedUser == null) { +// throw new IdentityBrokerException("Couldn't found authenticated federatedUser in clientSession"); +// } +// +// event.user(federatedUser); +// event.detail(Details.USERNAME, federatedUser.getUsername()); +// +// if (context.getIdpConfig().isAddReadTokenRoleOnCreate()) { +// ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID); +// if (brokerClient == null) { +// throw new IdentityBrokerException("Client 'broker' not available. Maybe realm has not migrated to support the broker token exchange service"); +// } +// RoleModel readTokenRole = brokerClient.getRole(Constants.READ_TOKEN_ROLE); +// federatedUser.grantRole(readTokenRole); +// } +// +// // Add federated identity link here +// FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(context.getIdpConfig().getAlias(), context.getId(), +// context.getUsername(), context.getToken()); +// session.users().addFederatedIdentity(realmModel, federatedUser, federatedIdentityModel); +// +// +// String isRegisteredNewUser = clientSession.getNote(AbstractIdpAuthenticator.BROKER_REGISTERED_NEW_USER); +// if (Boolean.parseBoolean(isRegisteredNewUser)) { +// +// logger.debugf("Registered new user '%s' after first login with identity provider '%s'. Identity provider username is '%s' . ", federatedUser.getUsername(), providerId, context.getUsername()); +// +// context.getIdp().importNewUser(session, realmModel, federatedUser, context); +// Set mappers = realmModel.getIdentityProviderMappersByAlias(providerId); +// if (mappers != null) { +// KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); +// for (IdentityProviderMapperModel mapper : mappers) { +// IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); +// target.importNewUser(session, realmModel, federatedUser, mapper, context); +// } +// } +// +// if (context.getIdpConfig().isTrustEmail() && !Validation.isBlank(federatedUser.getEmail()) && !Boolean.parseBoolean(clientSession.getNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) { +// logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", federatedUser.getUsername(), context.getIdpConfig().getAlias()); +// federatedUser.setEmailVerified(true); +// } +// +// event.event(EventType.REGISTER) +// .detail(Details.REGISTER_METHOD, "broker") +// .detail(Details.EMAIL, federatedUser.getEmail()) +// .success(); +// +// } else { +// logger.debugf("Linked existing keycloak user '%s' with identity provider '%s' . Identity provider username is '%s' .", federatedUser.getUsername(), providerId, context.getUsername()); +// +// event.event(EventType.FEDERATED_IDENTITY_LINK) +// .success(); +// +// updateFederatedIdentity(context, federatedUser); +// } +// +// return finishOrRedirectToPostBrokerLogin(clientSession, context, true, clientSessionCode); +// +// } catch (Exception e) { +// return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); +// } +// } +// +// +// private Response finishOrRedirectToPostBrokerLogin(ClientSessionModel clientSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode clientSessionCode) { +// String postBrokerLoginFlowId = context.getIdpConfig().getPostBrokerLoginFlowId(); +// if (postBrokerLoginFlowId == null) { +// +// logger.debugf("Skip redirect to postBrokerLogin flow. PostBrokerLogin flow not set for identityProvider '%s'.", context.getIdpConfig().getAlias()); +// return afterPostBrokerLoginFlowSuccess(clientSession, context, wasFirstBrokerLogin, clientSessionCode); +// } else { +// +// logger.debugf("Redirect to postBrokerLogin flow after authentication with identityProvider '%s'.", context.getIdpConfig().getAlias()); +// +// clientSession.setTimestamp(Time.currentTime()); +// +// SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context); +// ctx.saveToClientSession(clientSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); +// +// clientSession.setNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN, String.valueOf(wasFirstBrokerLogin)); +// +// URI redirect = LoginActionsService.postBrokerLoginProcessor(uriInfo) +// .queryParam(OAuth2Constants.CODE, clientSessionCode.getCode()) +// .build(realmModel.getName()); +// return Response.status(302).location(redirect).build(); +// } +// } +// +// +// // Callback from LoginActionsService after postBrokerLogin flow is finished +// @GET +// @NoCache +// @Path("/after-post-broker-login") +// public Response afterPostBrokerLoginFlow(@QueryParam("code") String code) { +// ParsedCodeContext parsedCode = parseClientSessionCode(code); +// if (parsedCode.response != null) { +// return parsedCode.response; +// } +// LoginSessionModel loginSession = parsedCode.clientSessionCode.getClientSession(); +// +// try { +// SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(loginSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); +// if (serializedCtx == null) { +// throw new IdentityBrokerException("Not found serialized context in clientSession. Note " + PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT + " was null"); +// } +// BrokeredIdentityContext context = serializedCtx.deserialize(session, loginSession); +// +// String wasFirstBrokerLoginNote = loginSession.getNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); +// boolean wasFirstBrokerLogin = Boolean.parseBoolean(wasFirstBrokerLoginNote); +// +// // Ensure the post-broker-login flow was successfully finished +// String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + context.getIdpConfig().getAlias(); +// String authState = loginSession.getNote(authStateNoteKey); +// if (!Boolean.parseBoolean(authState)) { +// throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished"); +// } +// +// // remove notes +// loginSession.removeNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); +// loginSession.removeNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); +// +// return afterPostBrokerLoginFlowSuccess(loginSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode); +// } catch (IdentityBrokerException e) { +// return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); +// } +// } +// +// private Response afterPostBrokerLoginFlowSuccess(ClientSessionModel clientSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode clientSessionCode) { +// String providerId = context.getIdpConfig().getAlias(); +// UserModel federatedUser = clientSession.getAuthenticatedUser(); +// +// if (wasFirstBrokerLogin) { +// +// String isDifferentBrowser = clientSession.getNote(AbstractIdpAuthenticator.IS_DIFFERENT_BROWSER); +// if (Boolean.parseBoolean(isDifferentBrowser)) { +// session.sessions().removeClientSession(realmModel, clientSession); +// return session.getProvider(LoginFormsProvider.class) +// .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, context.getIdpConfig().getAlias(), context.getUsername()) +// .createInfoPage(); +// } else { +// return finishBrokerAuthentication(context, federatedUser, clientSession, providerId); +// } +// +// } else { +// +// boolean firstBrokerLoginInProgress = (clientSession.getNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); +// if (firstBrokerLoginInProgress) { +// logger.debugf("Reauthenticated with broker '%s' when linking user '%s' with other broker", context.getIdpConfig().getAlias(), federatedUser.getUsername()); +// +// UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, clientSession); +// if (!linkingUser.getId().equals(federatedUser.getId())) { +// return redirectToErrorPage(Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername()); +// } +// +// return afterFirstBrokerLogin(clientSessionCode); +// } else { +// return finishBrokerAuthentication(context, federatedUser, clientSession, providerId); +// } +// } +// } +// +// +// private Response finishBrokerAuthentication(BrokeredIdentityContext context, UserModel federatedUser, ClientSessionModel clientSession, String providerId) { +// UserSessionModel userSession = this.session.sessions() +// .createUserSession(this.realmModel, federatedUser, federatedUser.getUsername(), this.clientConnection.getRemoteAddr(), "broker", false, context.getBrokerSessionId(), context.getBrokerUserId()); +// +// this.event.user(federatedUser); +// this.event.session(userSession); +// +// // TODO: This is supposed to be called after requiredActions are processed +// TokenManager.attachClientSession(userSession, clientSession); +// context.getIdp().attachUserSession(userSession, clientSession, context); +// userSession.setNote(Details.IDENTITY_PROVIDER, providerId); +// userSession.setNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); +// +// if (isDebugEnabled()) { +// logger.debugf("Performing local authentication for user [%s].", federatedUser); +// } +// +// return AuthenticationProcessor.redirectToRequiredActions(session, realmModel, clientSession, uriInfo); +// } +// +// +// @Override +// public Response cancelled(String code) { +// ParsedCodeContext parsedCode = parseClientSessionCode(code); +// if (parsedCode.response != null) { +// return parsedCode.response; +// } +// ClientSessionCode clientCode = parsedCode.clientSessionCode; +// +// Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.CONSENT_DENIED); +// if (accountManagementFailedLinking != null) { +// return accountManagementFailedLinking; +// } +// +// return browserAuthentication(clientCode.getClientSession(), null); +// } +// +// @Override +// public Response error(String code, String message) { +// ParsedCodeContext parsedCode = parseClientSessionCode(code); +// if (parsedCode.response != null) { +// return parsedCode.response; +// } +// ClientSessionCode clientCode = parsedCode.clientSessionCode; +// +// Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), message); +// if (accountManagementFailedLinking != null) { +// return accountManagementFailedLinking; +// } +// +// return browserAuthentication(clientCode.getClientSession(), message); +// } +// +// private Response performAccountLinking(ClientSessionModel clientSession, BrokeredIdentityContext context, FederatedIdentityModel newModel, UserModel federatedUser) { +// this.event.event(EventType.FEDERATED_IDENTITY_LINK); +// +// +// +// UserModel authenticatedUser = clientSession.getUserSession().getUser(); +// +// if (federatedUser != null && !authenticatedUser.getId().equals(federatedUser.getId())) { +// return redirectToAccountErrorPage(clientSession, Messages.IDENTITY_PROVIDER_ALREADY_LINKED, context.getIdpConfig().getAlias()); +// } +// +// if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(MANAGE_ACCOUNT))) { +// return redirectToErrorPage(Messages.INSUFFICIENT_PERMISSION); +// } +// +// if (!authenticatedUser.isEnabled()) { +// return redirectToAccountErrorPage(clientSession, Messages.ACCOUNT_DISABLED); +// } +// +// +// +// if (federatedUser != null) { +// if (context.getIdpConfig().isStoreToken()) { +// FederatedIdentityModel oldModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel); +// if (!ObjectUtil.isEqualOrBothNull(context.getToken(), oldModel.getToken())) { +// this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, newModel); +// if (isDebugEnabled()) { +// logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias()); +// } +// } +// } +// } else { +// this.session.users().addFederatedIdentity(this.realmModel, authenticatedUser, newModel); +// } +// context.getIdp().attachUserSession(clientSession.getUserSession(), clientSession, context); +// +// +// if (isDebugEnabled()) { +// logger.debugf("Linking account [%s] from identity provider [%s] to user [%s].", newModel, context.getIdpConfig().getAlias(), authenticatedUser); +// } +// +// this.event.user(authenticatedUser) +// .detail(Details.USERNAME, authenticatedUser.getUsername()) +// .detail(Details.IDENTITY_PROVIDER, newModel.getIdentityProvider()) +// .detail(Details.IDENTITY_PROVIDER_USERNAME, newModel.getUserName()) +// .success(); +// +// // we do this to make sure that the parent IDP is logged out when this user session is complete. +// +// clientSession.getUserSession().setNote(Details.IDENTITY_PROVIDER, context.getIdpConfig().getAlias()); +// clientSession.getUserSession().setNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); +// +// return Response.status(302).location(UriBuilder.fromUri(clientSession.getRedirectUri()).build()).build(); +// } +// +// private void updateFederatedIdentity(BrokeredIdentityContext context, UserModel federatedUser) { +// FederatedIdentityModel federatedIdentityModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel); +// +// // Skip DB write if tokens are null or equal +// updateToken(context, federatedUser, federatedIdentityModel); +// context.getIdp().updateBrokeredUser(session, realmModel, federatedUser, context); +// Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); +// if (mappers != null) { +// KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); +// for (IdentityProviderMapperModel mapper : mappers) { +// IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); +// target.updateBrokeredUser(session, realmModel, federatedUser, mapper, context); +// } +// } +// +// } +// +// private void updateToken(BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel) { +// if (context.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(context.getToken(), federatedIdentityModel.getToken())) { +// federatedIdentityModel.setToken(context.getToken()); +// +// this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel); +// +// if (isDebugEnabled()) { +// logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias()); +// } +// } +// } +// +// private ParsedCodeContext parseClientSessionCode(String code) { +// ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel, LoginSessionModel.class); +// +// if (clientCode != null) { +// LoginSessionModel loginSession = clientCode.getClientSession(); +// +// ClientModel client = loginSession.getClient(); +// +// if (client != null) { +// +// logger.debugf("Got authorization code from client [%s].", client.getClientId()); +// this.event.client(client); +// this.session.getContext().setClient(client); +// +// if (!clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { +// logger.debugf("Authorization code is not valid. Client session ID: %s, Client session's action: %s", loginSession.getId(), loginSession.getAction()); +// +// // Check if error happened during login or during linking from account management +// Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.STALE_CODE_ACCOUNT); +// Response staleCodeError = (accountManagementFailedLinking != null) ? accountManagementFailedLinking : redirectToErrorPage(Messages.STALE_CODE); +// +// +// return ParsedCodeContext.response(staleCodeError); +// } +// +// if (isDebugEnabled()) { +// logger.debugf("Authorization code is valid."); +// } +// +// return ParsedCodeContext.clientSessionCode(clientCode); +// } +// } +// +// logger.debugf("Authorization code is not valid. Code: %s", code); +// Response staleCodeError = redirectToErrorPage(Messages.STALE_CODE); +// return ParsedCodeContext.response(staleCodeError); +// } +// +// /** +// * If there is a client whose SAML IDP-initiated SSO URL name is set to the +// * given {@code clientUrlName}, creates a fresh client session for that +// * client and returns a {@link ParsedCodeContext} object with that session. +// * Otherwise returns "client not found" response. +// * +// * @param clientUrlName +// * @return see description +// */ +// private ParsedCodeContext samlIdpInitiatedSSO(final String clientUrlName) { +// event.event(EventType.LOGIN); +// CacheControlUtil.noBackButtonCacheControlHeader(); +// Optional oClient = this.realmModel.getClients().stream() +// .filter(c -> Objects.equals(c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME), clientUrlName)) +// .findFirst(); +// +// if (! oClient.isPresent()) { +// event.error(Errors.CLIENT_NOT_FOUND); +// return ParsedCodeContext.response(redirectToErrorPage(Messages.CLIENT_NOT_FOUND)); +// } +// +// ClientSessionModel clientSession = SamlService.createClientSessionForIdpInitiatedSso(session, realmModel, oClient.get(), null); +// +// return ParsedCodeContext.clientSessionCode(new ClientSessionCode(session, this.realmModel, clientSession)); +// } +// +// private Response checkAccountManagementFailedLinking(LoginSessionModel loginSession, String error, Object... parameters) { +// if (clientSession.getUserSession() != null && clientSession.getClient() != null && clientSession.getClient().getClientId().equals(ACCOUNT_MANAGEMENT_CLIENT_ID)) { +// +// this.event.event(EventType.FEDERATED_IDENTITY_LINK); +// UserModel user = clientSession.getUserSession().getUser(); +// this.event.user(user); +// this.event.detail(Details.USERNAME, user.getUsername()); +// +// return redirectToAccountErrorPage(clientSession, error, parameters); +// } else { +// return null; +// } +// } +// +// private AuthenticationRequest createAuthenticationRequest(String providerId, ClientSessionCode clientSessionCode) { +// LoginSessionModel loginSession = null; +// String relayState = null; +// +// if (clientSessionCode != null) { +// loginSession = clientSessionCode.getClientSession(); +// relayState = clientSessionCode.getCode(); +// } +// +// return new AuthenticationRequest(this.session, this.realmModel, clientSession, this.request, this.uriInfo, relayState, getRedirectUri(providerId)); +// } +// +// private String getRedirectUri(String providerId) { +// return Urls.identityProviderAuthnResponse(this.uriInfo.getBaseUri(), providerId, this.realmModel.getName()).toString(); +// } +// +// private Response redirectToErrorPage(String message, Object ... parameters) { +// return redirectToErrorPage(message, null, parameters); +// } +// +// private Response redirectToErrorPage(String message, Throwable throwable, Object ... parameters) { +// if (message == null) { +// message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; +// } +// +// fireErrorEvent(message, throwable); +// return ErrorPage.error(this.session, message, parameters); +// } +// +// private Response redirectToAccountErrorPage(ClientSessionModel clientSession, String message, Object ... parameters) { +// fireErrorEvent(message); +// +// FormMessage errorMessage = new FormMessage(message, parameters); +// try { +// String serializedError = JsonSerialization.writeValueAsString(errorMessage); +// clientSession.setNote(AccountService.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, serializedError); +// } catch (IOException ioe) { +// throw new RuntimeException(ioe); +// } +// +// return Response.status(302).location(UriBuilder.fromUri(clientSession.getRedirectUri()).build()).build(); +// } +// +// private Response redirectToLoginPage(Throwable t, ClientSessionCode clientCode) { +// String message = t.getMessage(); +// +// if (message == null) { +// message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; +// } +// +// fireErrorEvent(message); +// return browserAuthentication(clientCode.getClientSession(), message); +// } +// +// protected Response browserAuthentication(ClientSessionModel clientSession, String errorMessage) { +// this.event.event(EventType.LOGIN); +// AuthenticationFlowModel flow = realmModel.getBrowserFlow(); +// String flowId = flow.getId(); +// AuthenticationProcessor processor = new AuthenticationProcessor(); +// processor.setClientSession(clientSession) +// .setFlowPath(LoginActionsService.AUTHENTICATE_PATH) +// .setFlowId(flowId) +// .setBrowserFlow(true) +// .setConnection(clientConnection) +// .setEventBuilder(event) +// .setRealm(realmModel) +// .setSession(session) +// .setUriInfo(uriInfo) +// .setRequest(request); +// if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage)); +// +// try { +// CacheControlUtil.noBackButtonCacheControlHeader(); +// return processor.authenticate(); +// } catch (Exception e) { +// return processor.handleBrowserException(e); +// } +// } +// +// +// private Response badRequest(String message) { +// fireErrorEvent(message); +// return ErrorResponse.error(message, Status.BAD_REQUEST); +// } +// +// private Response forbidden(String message) { +// fireErrorEvent(message); +// return ErrorResponse.error(message, Status.FORBIDDEN); +// } public static IdentityProvider getIdentityProvider(KeycloakSession session, RealmModel realm, String alias) { IdentityProviderModel identityProviderModel = realm.getIdentityProviderByAlias(alias); @@ -1121,7 +1099,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal return availableProviders.get(model.getProviderId()); } - +/* private IdentityProviderModel getIdentityProviderConfig(String providerId) { IdentityProviderModel model = this.realmModel.getIdentityProviderByAlias(providerId); if (model == null) { @@ -1177,10 +1155,10 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal private static class ParsedCodeContext { - private ClientSessionCode clientSessionCode; + private ClientSessionCode clientSessionCode; private Response response; - public static ParsedCodeContext clientSessionCode(ClientSessionCode clientSessionCode) { + public static ParsedCodeContext clientSessionCode(ClientSessionCode clientSessionCode) { ParsedCodeContext ctx = new ParsedCodeContext(); ctx.clientSessionCode = clientSessionCode; return ctx; @@ -1192,4 +1170,5 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal return ctx; } } + */ } diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 14df1dc222..3c9b40b4af 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -38,6 +38,7 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AuthenticationFlowModel; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; @@ -64,6 +65,8 @@ import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.util.CookieHelper; +import org.keycloak.sessions.CommonClientSessionModel; +import org.keycloak.sessions.LoginSessionModel; import javax.ws.rs.Consumes; import javax.ws.rs.GET; @@ -165,7 +168,8 @@ public class LoginActionsService { private class Checks { - ClientSessionCode clientCode; + // TODO: Merge with Hynek's code. This may not be just loginSession + ClientSessionCode clientCode; Response response; ClientSessionCode.ParseResult result; @@ -174,16 +178,18 @@ public class LoginActionsService { return false; } if (!clientCode.isValidAction(requiredAction)) { - ClientSessionModel clientSession = clientCode.getClientSession(); - if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(clientSession.getAction())) { + LoginSessionModel loginSession = clientCode.getClientSession(); + if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(loginSession.getAction())) { response = redirectToRequiredActions(code); return false; - } else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { + + } // TODO:mposolda + /*else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { response = session.getProvider(LoginFormsProvider.class) .setSuccess(Messages.ALREADY_LOGGED_IN) .createInfoPage(); return false; - } + }*/ } if (!isActionActive(actionType)) return false; return true; @@ -229,10 +235,14 @@ public class LoginActionsService { response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); return false; } - result = ClientSessionCode.parseResult(code, session, realm); + + // TODO:mposolda it may not be just loginSessionModel + result = ClientSessionCode.parseResult(code, session, realm, LoginSessionModel.class); clientCode = result.getCode(); if (clientCode == null) { - if (result.isClientSessionNotFound()) { // timeout + // TODO:mposolda + /* + if (result.isLoginSessionNotFound()) { // timeout try { ClientSessionModel clientSession = RestartLoginCookie.restartSession(session, realm, code); if (clientSession != null) { @@ -245,10 +255,10 @@ public class LoginActionsService { } } event.error(Errors.INVALID_CODE); - response = ErrorPage.error(session, Messages.INVALID_CODE); + response = ErrorPage.error(session, Messages.INVALID_CODE);*/ return false; } - ClientSessionModel clientSession = clientCode.getClientSession(); + LoginSessionModel clientSession = clientCode.getClientSession(); if (clientSession == null) { event.error(Errors.INVALID_CODE); response = ErrorPage.error(session, Messages.INVALID_CODE); @@ -259,13 +269,13 @@ public class LoginActionsService { if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); response = ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); - session.sessions().removeClientSession(realm, clientSession); + session.loginSessions().removeLoginSession(realm, clientSession); return false; } if (!client.isEnabled()) { event.error(Errors.CLIENT_NOT_FOUND); response = ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); - session.sessions().removeClientSession(realm, clientSession); + session.loginSessions().removeLoginSession(realm, clientSession); return false; } session.getContext().setClient(client); @@ -273,6 +283,8 @@ public class LoginActionsService { } public boolean verifyRequiredAction(String code, String executedAction) { + // TODO:mposolda + /* if (!verifyCode(code)) { return false; } @@ -306,7 +318,7 @@ public class LoginActionsService { clientSession.removeNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); response = redirectToRequiredActions(code); return false; - } + }*/ return true; } @@ -325,8 +337,8 @@ public class LoginActionsService { @QueryParam("execution") String execution) { event.event(EventType.LOGIN); - ClientSessionModel clientSession = ClientSessionCode.getClientSession(code, session, realm); - if (clientSession != null && code.equals(clientSession.getNote(LAST_PROCESSED_CODE))) { + LoginSessionModel loginSession = ClientSessionCode.getClientSession(code, session, realm, LoginSessionModel.class); + if (loginSession != null && code.equals(loginSession.getNote(LAST_PROCESSED_CODE))) { // Allow refresh of previous page } else { Checks checks = new Checks(); @@ -334,21 +346,21 @@ public class LoginActionsService { return checks.response; } - ClientSessionCode clientSessionCode = checks.clientCode; - clientSession = clientSessionCode.getClientSession(); + ClientSessionCode clientSessionCode = checks.clientCode; + loginSession = clientSessionCode.getClientSession(); } event.detail(Details.CODE_ID, code); - clientSession.setNote(LAST_PROCESSED_CODE, code); - return processAuthentication(execution, clientSession, null); + loginSession.setNote(LAST_PROCESSED_CODE, code); + return processAuthentication(execution, loginSession, null); } - protected Response processAuthentication(String execution, ClientSessionModel clientSession, String errorMessage) { - return processFlow(execution, clientSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), errorMessage, new AuthenticationProcessor()); + protected Response processAuthentication(String execution, LoginSessionModel loginSession, String errorMessage) { + return processFlow(execution, loginSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), errorMessage, new AuthenticationProcessor()); } - protected Response processFlow(String execution, ClientSessionModel clientSession, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor) { - processor.setClientSession(clientSession) + protected Response processFlow(String execution, LoginSessionModel loginSession, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor) { + processor.setLoginSession(loginSession) .setFlowPath(flowPath) .setBrowserFlow(true) .setFlowId(flow.getId()) @@ -383,8 +395,8 @@ public class LoginActionsService { @QueryParam("execution") String execution) { event.event(EventType.LOGIN); - ClientSessionModel clientSession = ClientSessionCode.getClientSession(code, session, realm); - if (clientSession != null && code.equals(clientSession.getNote(LAST_PROCESSED_CODE))) { + LoginSessionModel loginSession = ClientSessionCode.getClientSession(code, session, realm, LoginSessionModel.class); + if (loginSession != null && code.equals(loginSession.getNote(LAST_PROCESSED_CODE))) { // Post already processed (refresh) - ignore form post and return next form request.getFormParameters().clear(); return authenticate(code, null); @@ -394,18 +406,20 @@ public class LoginActionsService { if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } - final ClientSessionCode clientCode = checks.clientCode; - clientSession = clientCode.getClientSession(); - clientSession.setNote(LAST_PROCESSED_CODE, code); + final ClientSessionCode clientCode = checks.clientCode; + loginSession = clientCode.getClientSession(); + loginSession.setNote(LAST_PROCESSED_CODE, code); - return processAuthentication(execution, clientSession, null); + return processAuthentication(execution, loginSession, null); } @Path(RESET_CREDENTIALS_PATH) @POST public Response resetCredentialsPOST(@QueryParam("code") String code, @QueryParam("execution") String execution) { - return resetCredentials(code, execution); + // TODO:mposolda + //return resetCredentials(code, execution); + return null; } /** @@ -422,6 +436,8 @@ public class LoginActionsService { @QueryParam("execution") String execution) { // we allow applications to link to reset credentials without going through OAuth or SAML handshakes // + // TODO:mposolda + /* if (code == null) { if (!realm.isResetPasswordAllowed()) { event.event(EventType.RESET_PASSWORD); @@ -444,8 +460,11 @@ public class LoginActionsService { return processResetCredentials(null, clientSession, null); } return resetCredentials(code, execution); + */ + return null; } + /* protected Response resetCredentials(String code, String execution) { event.event(EventType.RESET_PASSWORD); Checks checks = new Checks(); @@ -488,11 +507,11 @@ public class LoginActionsService { }; return processFlow(execution, clientSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), errorMessage, authProcessor); - } + }*/ - protected Response processRegistration(String execution, ClientSessionModel clientSession, String errorMessage) { - return processFlow(execution, clientSession, REGISTRATION_PATH, realm.getRegistrationFlow(), errorMessage, new AuthenticationProcessor()); + protected Response processRegistration(String execution, LoginSessionModel loginSession, String errorMessage) { + return processFlow(execution, loginSession, REGISTRATION_PATH, realm.getRegistrationFlow(), errorMessage, new AuthenticationProcessor()); } @@ -517,8 +536,8 @@ public class LoginActionsService { return checks.response; } event.detail(Details.CODE_ID, code); - ClientSessionCode clientSessionCode = checks.clientCode; - ClientSessionModel clientSession = clientSessionCode.getClientSession(); + ClientSessionCode clientSessionCode = checks.clientCode; + LoginSessionModel clientSession = clientSessionCode.getClientSession(); AuthenticationManager.expireIdentityCookie(realm, uriInfo, clientConnection); @@ -547,13 +566,14 @@ public class LoginActionsService { return checks.response; } - ClientSessionCode clientCode = checks.clientCode; - ClientSessionModel clientSession = clientCode.getClientSession(); + ClientSessionCode clientCode = checks.clientCode; + LoginSessionModel loginSession = clientCode.getClientSession(); - return processRegistration(execution, clientSession, null); + return processRegistration(execution, loginSession, null); } - + // TODO:mposolda broker login +/* @Path(FIRST_BROKER_LOGIN_PATH) @GET public Response firstBrokerLoginGet(@QueryParam("code") String code, @@ -647,6 +667,7 @@ public class LoginActionsService { return Response.status(302).location(redirect).build(); } +*/ /** * OAuth grant page. You should not invoked this directly! @@ -664,23 +685,22 @@ public class LoginActionsService { if (!checks.verifyRequiredAction(code, ClientSessionModel.Action.OAUTH_GRANT.name())) { return checks.response; } - ClientSessionCode accessCode = checks.clientCode; - ClientSessionModel clientSession = accessCode.getClientSession(); + ClientSessionCode accessCode = checks.clientCode; + LoginSessionModel loginSession = accessCode.getClientSession(); - initEvent(clientSession); + initLoginEvent(loginSession); - UserSessionModel userSession = clientSession.getUserSession(); - UserModel user = userSession.getUser(); - ClientModel client = clientSession.getClient(); + UserModel user = loginSession.getAuthenticatedUser(); + ClientModel client = loginSession.getClient(); if (formData.containsKey("cancel")) { - LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod()); + LoginProtocol protocol = session.getProvider(LoginProtocol.class, loginSession.getProtocol()); protocol.setRealm(realm) .setHttpHeaders(headers) .setUriInfo(uriInfo) .setEventBuilder(event); - Response response = protocol.sendError(clientSession, Error.CONSENT_DENIED); + Response response = protocol.sendError(loginSession, Error.CONSENT_DENIED); event.error(Errors.REJECTED_BY_USER); return response; } @@ -703,12 +723,16 @@ public class LoginActionsService { event.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED); event.success(); - return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, userSession, clientSession, request, uriInfo, clientConnection, event); + // TODO:mposolda So assume that requiredActions were already done in this stage. Doublecheck... + ClientLoginSessionModel clientSession = AuthenticationProcessor.attachSession(loginSession, null, session, realm, clientConnection, event); + return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, loginSession.getProtocol()); } @Path("email-verification") @GET public Response emailVerification(@QueryParam("code") String code, @QueryParam("key") String key) { + // TODO:mposolda + /* event.event(EventType.VERIFY_EMAIL); if (key != null) { ClientSessionModel clientSession = null; @@ -783,7 +807,8 @@ public class LoginActionsService { .setClientSession(clientSession) .setUser(userSession.getUser()) .createResponse(RequiredAction.VERIFY_EMAIL); - } + }*/ + return null; } /** @@ -795,6 +820,8 @@ public class LoginActionsService { @Path("execute-actions") @GET public Response executeActions(@QueryParam("key") String key) { + // TODO:mposolda + /* event.event(EventType.EXECUTE_ACTIONS); if (key != null) { Checks checks = new Checks(); @@ -810,7 +837,8 @@ public class LoginActionsService { } else { event.error(Errors.INVALID_CODE); return ErrorPage.error(session, Messages.INVALID_CODE); - } + }*/ + return null; } private String getActionCookie() { @@ -823,6 +851,7 @@ public class LoginActionsService { return cookie != null ? cookie.getValue() : null; } + // TODO: Remove this method. We will be able to use login-session-cookie public static void createActionCookie(RealmModel realm, UriInfo uriInfo, ClientConnection clientConnection, String sessionId) { CookieHelper.addCookie(ACTION_COOKIE, sessionId, AuthenticationManager.getRealmCookiePath(realm, uriInfo), null, null, -1, realm.getSslRequired().isRequired(clientConnection), true); } @@ -855,6 +884,36 @@ public class LoginActionsService { } } + private void initLoginEvent(LoginSessionModel loginSession) { + String responseType = loginSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); + if (responseType == null) { + responseType = "code"; + } + String respMode = loginSession.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); + OIDCResponseMode responseMode = OIDCResponseMode.parse(respMode, OIDCResponseType.parse(responseType)); + + event.event(EventType.LOGIN).client(loginSession.getClient()) + .detail(Details.CODE_ID, loginSession.getId()) + .detail(Details.REDIRECT_URI, loginSession.getRedirectUri()) + .detail(Details.AUTH_METHOD, loginSession.getProtocol()) + .detail(Details.RESPONSE_TYPE, responseType) + .detail(Details.RESPONSE_MODE, responseMode.toString().toLowerCase()); + + UserModel authenticatedUser = loginSession.getAuthenticatedUser(); + if (authenticatedUser != null) { + event.user(authenticatedUser) + .detail(Details.USERNAME, authenticatedUser.getUsername()); + } else { + event.detail(Details.USERNAME, loginSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME)); + } + + // TODO:mposolda Fix if this is called at firstBroker or postBroker login + /* + .detail(Details.IDENTITY_PROVIDER, userSession.getNote(Details.IDENTITY_PROVIDER)) + .detail(Details.IDENTITY_PROVIDER_USERNAME, userSession.getNote(Details.IDENTITY_PROVIDER_USERNAME)); + */ + } + @Path(REQUIRED_ACTION) @POST public Response requiredActionPOST(@QueryParam("code") final String code, @@ -872,7 +931,9 @@ public class LoginActionsService { return processRequireAction(code, action); } - public Response processRequireAction(final String code, String action) { + private Response processRequireAction(final String code, String action) { + // TODO:mposolda + /* event.event(EventType.CUSTOM_REQUIRED_ACTION); event.detail(Details.CUSTOM_REQUIRED_ACTION, action); Checks checks = new Checks(); @@ -937,9 +998,11 @@ public class LoginActionsService { } throw new RuntimeException("Unreachable"); + */ + return null; } - public Response redirectToRequiredActions(String code) { + private Response redirectToRequiredActions(String code) { URI redirect = LoginActionsService.loginActionsBaseUrl(uriInfo) .path(LoginActionsService.REQUIRED_ACTION) .queryParam(OAuth2Constants.CODE, code).build(realm.getName()); diff --git a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java index bb8de2d918..ab99d5d65c 100755 --- a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java +++ b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java @@ -234,12 +234,16 @@ public class RealmsResource { public IdentityBrokerService getBrokerService(final @PathParam("realm") String name) { RealmModel realm = init(name); + // TODO:mposolda + /* IdentityBrokerService brokerService = new IdentityBrokerService(realm); ResteasyProviderFactory.getInstance().injectProperties(brokerService); brokerService.init(); return brokerService; + */ + return null; } @OPTIONS diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java index 3259982457..d74521370f 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java @@ -33,6 +33,7 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.events.admin.OperationType; import org.keycloak.events.admin.ResourceType; +import org.keycloak.models.ClientLoginSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; @@ -396,7 +397,7 @@ public class UsersResource { @GET @NoCache @Produces(MediaType.APPLICATION_JSON) - public List getSessions(final @PathParam("id") String id, final @PathParam("clientId") String clientId) { + public List getOfflineSessions(final @PathParam("id") String id, final @PathParam("clientId") String clientId) { auth.requireView(); UserModel user = session.users().getUserById(id, realm); @@ -407,19 +408,21 @@ public class UsersResource { if (client == null) { throw new NotFoundException("Client not found"); } - List sessions = new UserSessionManager(session).findOfflineSessions(realm, client, user); + List sessions = new UserSessionManager(session).findOfflineSessions(realm, user); List reps = new ArrayList(); for (UserSessionModel session : sessions) { UserSessionRepresentation rep = ModelToRepresentation.toRepresentation(session); // Update lastSessionRefresh with the timestamp from clientSession - for (ClientSessionModel clientSession : session.getClientSessions()) { - if (clientId.equals(clientSession.getClient().getId())) { - rep.setLastAccess(Time.toMillis(clientSession.getTimestamp())); - break; - } + ClientLoginSessionModel clientSession = session.getClientLoginSessions().get(clientId); + + // Skip if userSession is not for this client + if (clientSession == null) { + continue; } + rep.setLastAccess(clientSession.getTimestamp()); + reps.add(rep); } return reps; @@ -864,6 +867,8 @@ public class UsersResource { List actions) { auth.requireManage(); + // TODO: This stuff must be refactored for actionTickets (clientSessions) + /* UserModel user = session.users().getUserById(id, realm); if (user == null) { return ErrorResponse.error("User not found", Response.Status.NOT_FOUND); @@ -884,6 +889,7 @@ public class UsersResource { ClientSessionCode accessCode = new ClientSessionCode(session, realm, clientSession); accessCode.setAction(ClientSessionModel.Action.EXECUTE_ACTIONS.name()); + try { UriBuilder builder = Urls.executeActionsBuilder(uriInfo.getBaseUri()); builder.queryParam("key", accessCode.getCode()); @@ -901,7 +907,8 @@ public class UsersResource { } catch (EmailException e) { ServicesLogger.LOGGER.failedToSendActionsEmail(e); return ErrorResponse.error("Failed to send execute actions email", Response.Status.INTERNAL_SERVER_ERROR); - } + }*/ + return null; } /** @@ -925,6 +932,7 @@ public class UsersResource { return executeActionsEmail(id, redirectUri, clientId, actions); } + /* private ClientSessionModel createClientSession(UserModel user, String redirectUri, String clientId) { if (!user.isEnabled()) { @@ -965,7 +973,7 @@ public class UsersResource { clientSession.setUserSession(userSession); return clientSession; - } + }*/ @GET @Path("{id}/groups") diff --git a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java index c6b340fb1b..f81abc91ae 100755 --- a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java +++ b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java @@ -26,7 +26,6 @@ import org.keycloak.broker.social.SocialIdentityProvider; import org.keycloak.common.ClientConnection; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; -import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.KeycloakSession; @@ -48,8 +47,6 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; import java.net.URI; -import static org.keycloak.models.ClientSessionModel.Action.AUTHENTICATE; - /** * @author Stian Thorgersen */ @@ -118,6 +115,8 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider loadedSessions = session.sessions().getOfflineUserSessions(realm, testApp, 0, 10); - UserSessionProviderTest.assertSessions(loadedSessions, origSessions); - - UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[0].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, serverStartTime, "test-app", "third-party"); - UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[1].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, serverStartTime, "test-app"); - UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[2].getId(), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, serverStartTime, "test-app"); - } - - private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - if (userSession != null) clientSession.setUserSession(userSession); - clientSession.setRedirectUri(redirect); - if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); - if (roles != null) clientSession.setRoles(roles); - if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); - return clientSession; - } - - private UserSessionModel[] createSessions() { - UserSessionModel[] sessions = new UserSessionModel[3]; - sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); - - Set roles = new HashSet(); - roles.add("one"); - roles.add("two"); - - Set protocolMappers = new HashSet(); - protocolMappers.add("mapper-one"); - protocolMappers.add("mapper-two"); - - createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); - createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); - - sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); - createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); - - sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); - createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); - - resetSession(); - - return sessions; - } - - private void resetSession() { - kc.stopSession(session, true); - session = kc.startSession(); - realm = session.realms().getRealm("test"); - sessionManager = new UserSessionManager(session); - } + // TODO:mposolda +// @ClassRule +// public static KeycloakRule kc = new KeycloakRule(); +// +// private KeycloakSession session; +// private RealmModel realm; +// private UserSessionManager sessionManager; +// +// @Before +// public void before() { +// session = kc.startSession(); +// realm = session.realms().getRealm("test"); +// session.users().addUser(realm, "user1").setEmail("user1@localhost"); +// session.users().addUser(realm, "user2").setEmail("user2@localhost"); +// sessionManager = new UserSessionManager(session); +// } +// +// @After +// public void after() { +// resetSession(); +// session.sessions().removeUserSessions(realm); +// UserModel user1 = session.users().getUserByUsername("user1", realm); +// UserModel user2 = session.users().getUserByUsername("user2", realm); +// +// UserManager um = new UserManager(session); +// um.removeUser(realm, user1); +// um.removeUser(realm, user2); +// kc.stopSession(session, true); +// } +// +// @Test +// public void testUserSessionInitializer() { +// UserSessionModel[] origSessions = createSessions(); +// +// resetSession(); +// +// // Create and persist offline sessions +// int started = Time.currentTime(); +// int serverStartTime = session.getProvider(ClusterProvider.class).getClusterStartupTime(); +// +// for (UserSessionModel origSession : origSessions) { +// UserSessionModel userSession = session.sessions().getUserSession(realm, origSession.getId()); +// for (ClientSessionModel clientSession : userSession.getClientSessions()) { +// sessionManager.createOrUpdateOfflineSession(clientSession, userSession); +// } +// } +// +// resetSession(); +// +// // Delete cache (persisted sessions are still kept) +// session.sessions().onRealmRemoved(realm); +// +// // Clear ispn cache to ensure initializerState is removed as well +// InfinispanConnectionProvider infinispan = session.getProvider(InfinispanConnectionProvider.class); +// infinispan.getCache(InfinispanConnectionProvider.WORK_CACHE_NAME).clear(); +// +// resetSession(); +// +// ClientModel testApp = realm.getClientByClientId("test-app"); +// ClientModel thirdparty = realm.getClientByClientId("third-party"); +// Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(realm, testApp)); +// Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(realm, thirdparty)); +// +// // Load sessions from persister into infinispan/memory +// UserSessionProviderFactory userSessionFactory = (UserSessionProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(UserSessionProvider.class); +// userSessionFactory.loadPersistentSessions(session.getKeycloakSessionFactory(), 1, 2); +// +// resetSession(); +// +// // Assert sessions are in +// testApp = realm.getClientByClientId("test-app"); +// Assert.assertEquals(3, session.sessions().getOfflineSessionsCount(realm, testApp)); +// Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); +// +// List loadedSessions = session.sessions().getOfflineUserSessions(realm, testApp, 0, 10); +// UserSessionProviderTest.assertSessions(loadedSessions, origSessions); +// +// UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[0].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, serverStartTime, "test-app", "third-party"); +// UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[1].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, serverStartTime, "test-app"); +// UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[2].getId(), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, serverStartTime, "test-app"); +// } +// +// private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { +// ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); +// if (userSession != null) clientSession.setUserSession(userSession); +// clientSession.setRedirectUri(redirect); +// if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); +// if (roles != null) clientSession.setRoles(roles); +// if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); +// return clientSession; +// } +// +// private UserSessionModel[] createSessions() { +// UserSessionModel[] sessions = new UserSessionModel[3]; +// sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); +// +// Set roles = new HashSet(); +// roles.add("one"); +// roles.add("two"); +// +// Set protocolMappers = new HashSet(); +// protocolMappers.add("mapper-one"); +// protocolMappers.add("mapper-two"); +// +// createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); +// createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); +// +// sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); +// createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); +// +// sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); +// createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); +// +// resetSession(); +// +// return sessions; +// } +// +// private void resetSession() { +// kc.stopSession(session, true); +// session = kc.startSession(); +// realm = session.realms().getRealm("test"); +// sessionManager = new UserSessionManager(session); +// } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionPersisterProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionPersisterProviderTest.java index 60d92d9891..9e46ec6a1a 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionPersisterProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionPersisterProviderTest.java @@ -45,397 +45,398 @@ import java.util.Set; * @author Marek Posolda */ public class UserSessionPersisterProviderTest { - - @ClassRule - public static KeycloakRule kc = new KeycloakRule(); - - private KeycloakSession session; - private RealmModel realm; - private UserSessionPersisterProvider persister; - - @Before - public void before() { - session = kc.startSession(); - realm = session.realms().getRealm("test"); - session.users().addUser(realm, "user1").setEmail("user1@localhost"); - session.users().addUser(realm, "user2").setEmail("user2@localhost"); - persister = session.getProvider(UserSessionPersisterProvider.class); - } - - @After - public void after() { - resetSession(); - session.sessions().removeUserSessions(realm); - UserModel user1 = session.users().getUserByUsername("user1", realm); - UserModel user2 = session.users().getUserByUsername("user2", realm); - - UserManager um = new UserManager(session); - if (user1 != null) { - um.removeUser(realm, user1); - } - if (user2 != null) { - um.removeUser(realm, user2); - } - kc.stopSession(session, true); - } - - @Test - public void testPersistenceWithLoad() { - // Create some sessions in infinispan - int started = Time.currentTime(); - UserSessionModel[] origSessions = createSessions(); - - resetSession(); - - // Persist 3 created userSessions and clientSessions as offline - ClientModel testApp = realm.getClientByClientId("test-app"); - List userSessions = session.sessions().getUserSessions(realm, testApp); - for (UserSessionModel userSession : userSessions) { - persistUserSession(userSession, true); - } - - // Persist 1 online session - UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[0].getId()); - persistUserSession(userSession, false); - - resetSession(); - - // Assert online session - List loadedSessions = loadPersistedSessionsPaginated(false, 1, 1, 1); - UserSessionProviderTest.assertSession(loadedSessions.get(0), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); - - // Assert offline sessions - loadedSessions = loadPersistedSessionsPaginated(true, 2, 2, 3); - UserSessionProviderTest.assertSessions(loadedSessions, origSessions); - - assertSessionLoaded(loadedSessions, origSessions[0].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); - assertSessionLoaded(loadedSessions, origSessions[1].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); - assertSessionLoaded(loadedSessions, origSessions[2].getId(), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); - } - - @Test - public void testUpdateTimestamps() { - // Create some sessions in infinispan - int started = Time.currentTime(); - UserSessionModel[] origSessions = createSessions(); - - resetSession(); - - // Persist 3 created userSessions and clientSessions as offline - ClientModel testApp = realm.getClientByClientId("test-app"); - List userSessions = session.sessions().getUserSessions(realm, testApp); - for (UserSessionModel userSession : userSessions) { - persistUserSession(userSession, true); - } - - // Persist 1 online session - UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[0].getId()); - persistUserSession(userSession, false); - - resetSession(); - - // update timestamps - int newTime = started + 50; - persister.updateAllTimestamps(newTime); - - // Assert online session - List loadedSessions = loadPersistedSessionsPaginated(false, 1, 1, 1); - Assert.assertEquals(2, assertTimestampsUpdated(loadedSessions, newTime)); - - // Assert offline sessions - loadedSessions = loadPersistedSessionsPaginated(true, 2, 2, 3); - Assert.assertEquals(4, assertTimestampsUpdated(loadedSessions, newTime)); - } - - private int assertTimestampsUpdated(List loadedSessions, int expectedTime) { - int clientSessionsCount = 0; - for (UserSessionModel loadedSession : loadedSessions) { - Assert.assertEquals(expectedTime, loadedSession.getLastSessionRefresh()); - for (ClientSessionModel clientSession : loadedSession.getClientSessions()) { - Assert.assertEquals(expectedTime, clientSession.getTimestamp()); - clientSessionsCount++; - } - } - return clientSessionsCount; - } - - @Test - public void testUpdateAndRemove() { - // Create some sessions in infinispan - int started = Time.currentTime(); - UserSessionModel[] origSessions = createSessions(); - - resetSession(); - - // Persist 1 offline session - UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[1].getId()); - persistUserSession(userSession, true); - - resetSession(); - - // Load offline session - List loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); - UserSessionModel persistedSession = loadedSessions.get(0); - UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); - - // Update userSession - Time.setOffset(10); - try { - persistedSession.setLastSessionRefresh(Time.currentTime()); - persistedSession.setNote("foo", "bar"); - persistedSession.setState(UserSessionModel.State.LOGGING_IN); - persister.updateUserSession(persistedSession, true); - - // create new clientSession - ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("third-party"), session.sessions().getUserSession(realm, persistedSession.getId()), - "http://redirect", "state", new HashSet(), new HashSet()); - persister.createClientSession(clientSession, true); - - resetSession(); - - // Assert session updated - loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); - persistedSession = loadedSessions.get(0); - UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started+10, "test-app", "third-party"); - Assert.assertEquals("bar", persistedSession.getNote("foo")); - Assert.assertEquals(UserSessionModel.State.LOGGING_IN, persistedSession.getState()); - - // Remove clientSession - persister.removeClientSession(clientSession.getId(), true); - - resetSession(); - - // Assert clientSession removed - loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); - persistedSession = loadedSessions.get(0); - UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started + 10, "test-app"); - - // Remove userSession - persister.removeUserSession(persistedSession.getId(), true); - - resetSession(); - - // Assert nothing found - loadPersistedSessionsPaginated(true, 10, 0, 0); - } finally { - Time.setOffset(0); - } - } - - @Test - public void testOnRealmRemoved() { - RealmModel fooRealm = session.realms().createRealm("foo", "foo"); - fooRealm.addClient("foo-app"); - session.users().addUser(fooRealm, "user3"); - - UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); - createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); - - resetSession(); - - // Persist offline session - fooRealm = session.realms().getRealm("foo"); - userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); - persistUserSession(userSession, true); - - resetSession(); - - // Assert session was persisted - loadPersistedSessionsPaginated(true, 10, 1, 1); - - // Remove realm - RealmManager realmMgr = new RealmManager(session); - realmMgr.removeRealm(realmMgr.getRealm("foo")); - - resetSession(); - - // Assert nothing loaded - loadPersistedSessionsPaginated(true, 10, 0, 0); - } - - @Test - public void testOnClientRemoved() { - int started = Time.currentTime(); - - RealmModel fooRealm = session.realms().createRealm("foo", "foo"); - fooRealm.addClient("foo-app"); - fooRealm.addClient("bar-app"); - session.users().addUser(fooRealm, "user3"); - - UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); - createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); - createClientSession(fooRealm.getClientByClientId("bar-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); - - resetSession(); - - // Persist offline session - fooRealm = session.realms().getRealm("foo"); - userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); - persistUserSession(userSession, true); - - resetSession(); - - RealmManager realmMgr = new RealmManager(session); - ClientManager clientMgr = new ClientManager(realmMgr); - fooRealm = realmMgr.getRealm("foo"); - - // Assert session was persisted with both clientSessions - UserSessionModel persistedSession = loadPersistedSessionsPaginated(true, 10, 1, 1).get(0); - UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "foo-app", "bar-app"); - - // Remove foo-app client - ClientModel client = fooRealm.getClientByClientId("foo-app"); - clientMgr.removeClient(fooRealm, client); - - resetSession(); - - realmMgr = new RealmManager(session); - clientMgr = new ClientManager(realmMgr); - fooRealm = realmMgr.getRealm("foo"); - - // Assert just one bar-app clientSession persisted now - persistedSession = loadPersistedSessionsPaginated(true, 10, 1, 1).get(0); - UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "bar-app"); - - // Remove bar-app client - client = fooRealm.getClientByClientId("bar-app"); - clientMgr.removeClient(fooRealm, client); - - resetSession(); - - // Assert nothing loaded - userSession was removed as well because it was last userSession - loadPersistedSessionsPaginated(true, 10, 0, 0); - - // Cleanup - realmMgr = new RealmManager(session); - realmMgr.removeRealm(realmMgr.getRealm("foo")); - } - - @Test - public void testOnUserRemoved() { - // Create some sessions in infinispan - int started = Time.currentTime(); - UserSessionModel[] origSessions = createSessions(); - - resetSession(); - - // Persist 2 offline sessions of 2 users - UserSessionModel userSession1 = session.sessions().getUserSession(realm, origSessions[1].getId()); - UserSessionModel userSession2 = session.sessions().getUserSession(realm, origSessions[2].getId()); - persistUserSession(userSession1, true); - persistUserSession(userSession2, true); - - resetSession(); - - // Load offline sessions - List loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 2); - - // Properly delete user and assert his offlineSession removed - UserModel user1 = session.users().getUserByUsername("user1", realm); - new UserManager(session).removeUser(realm, user1); - - resetSession(); - - Assert.assertEquals(1, persister.getUserSessionsCount(true)); - loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); - UserSessionModel persistedSession = loadedSessions.get(0); - UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); - - // KEYCLOAK-2431 Assert that userSessionPersister is resistent even to situation, when users are deleted "directly" - UserModel user2 = session.users().getUserByUsername("user2", realm); - session.users().removeUser(realm, user2); - - loadedSessions = loadPersistedSessionsPaginated(true, 10, 0, 0); - - } - - // KEYCLOAK-1999 - @Test - public void testNoSessions() { - UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class); - List sessions = persister.loadUserSessions(0, 1, true); - Assert.assertEquals(0, sessions.size()); - } - - - private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - if (userSession != null) clientSession.setUserSession(userSession); - clientSession.setRedirectUri(redirect); - if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); - if (roles != null) clientSession.setRoles(roles); - if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); - return clientSession; - } - - private UserSessionModel[] createSessions() { - UserSessionModel[] sessions = new UserSessionModel[3]; - sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); - - Set roles = new HashSet(); - roles.add("one"); - roles.add("two"); - - Set protocolMappers = new HashSet(); - protocolMappers.add("mapper-one"); - protocolMappers.add("mapper-two"); - - createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); - createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); - - sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); - createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); - - sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); - createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); - - return sessions; - } - - private void persistUserSession(UserSessionModel userSession, boolean offline) { - persister.createUserSession(userSession, offline); - for (ClientSessionModel clientSession : userSession.getClientSessions()) { - persister.createClientSession(clientSession, offline); - } - } - - private void resetSession() { - kc.stopSession(session, true); - session = kc.startSession(); - realm = session.realms().getRealm("test"); - persister = session.getProvider(UserSessionPersisterProvider.class); - } - - public static void assertSessionLoaded(List sessions, String id, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { - for (UserSessionModel session : sessions) { - if (session.getId().equals(id)) { - UserSessionProviderTest.assertSession(session, user, ipAddress, started, lastRefresh, clients); - return; - } - } - Assert.fail("Session with ID " + id + " not found in the list"); - } - - private List loadPersistedSessionsPaginated(boolean offline, int sessionsPerPage, int expectedPageCount, int expectedSessionsCount) { - int count = persister.getUserSessionsCount(offline); - - int start = 0; - int pageCount = 0; - boolean next = true; - List result = new ArrayList<>(); - while (next && start < count) { - List sess = persister.loadUserSessions(start, sessionsPerPage, offline); - if (sess.size() == 0) { - next = false; - } else { - pageCount++; - start += sess.size(); - result.addAll(sess); - } - } - - Assert.assertEquals(pageCount, expectedPageCount); - Assert.assertEquals(result.size(), expectedSessionsCount); - return result; - } +// TODO:mposolda + +// @ClassRule +// public static KeycloakRule kc = new KeycloakRule(); +// +// private KeycloakSession session; +// private RealmModel realm; +// private UserSessionPersisterProvider persister; +// +// @Before +// public void before() { +// session = kc.startSession(); +// realm = session.realms().getRealm("test"); +// session.users().addUser(realm, "user1").setEmail("user1@localhost"); +// session.users().addUser(realm, "user2").setEmail("user2@localhost"); +// persister = session.getProvider(UserSessionPersisterProvider.class); +// } +// +// @After +// public void after() { +// resetSession(); +// session.sessions().removeUserSessions(realm); +// UserModel user1 = session.users().getUserByUsername("user1", realm); +// UserModel user2 = session.users().getUserByUsername("user2", realm); +// +// UserManager um = new UserManager(session); +// if (user1 != null) { +// um.removeUser(realm, user1); +// } +// if (user2 != null) { +// um.removeUser(realm, user2); +// } +// kc.stopSession(session, true); +// } +// +// @Test +// public void testPersistenceWithLoad() { +// // Create some sessions in infinispan +// int started = Time.currentTime(); +// UserSessionModel[] origSessions = createSessions(); +// +// resetSession(); +// +// // Persist 3 created userSessions and clientSessions as offline +// ClientModel testApp = realm.getClientByClientId("test-app"); +// List userSessions = session.sessions().getUserSessions(realm, testApp); +// for (UserSessionModel userSession : userSessions) { +// persistUserSession(userSession, true); +// } +// +// // Persist 1 online session +// UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[0].getId()); +// persistUserSession(userSession, false); +// +// resetSession(); +// +// // Assert online session +// List loadedSessions = loadPersistedSessionsPaginated(false, 1, 1, 1); +// UserSessionProviderTest.assertSession(loadedSessions.get(0), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); +// +// // Assert offline sessions +// loadedSessions = loadPersistedSessionsPaginated(true, 2, 2, 3); +// UserSessionProviderTest.assertSessions(loadedSessions, origSessions); +// +// assertSessionLoaded(loadedSessions, origSessions[0].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); +// assertSessionLoaded(loadedSessions, origSessions[1].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); +// assertSessionLoaded(loadedSessions, origSessions[2].getId(), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); +// } +// +// @Test +// public void testUpdateTimestamps() { +// // Create some sessions in infinispan +// int started = Time.currentTime(); +// UserSessionModel[] origSessions = createSessions(); +// +// resetSession(); +// +// // Persist 3 created userSessions and clientSessions as offline +// ClientModel testApp = realm.getClientByClientId("test-app"); +// List userSessions = session.sessions().getUserSessions(realm, testApp); +// for (UserSessionModel userSession : userSessions) { +// persistUserSession(userSession, true); +// } +// +// // Persist 1 online session +// UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[0].getId()); +// persistUserSession(userSession, false); +// +// resetSession(); +// +// // update timestamps +// int newTime = started + 50; +// persister.updateAllTimestamps(newTime); +// +// // Assert online session +// List loadedSessions = loadPersistedSessionsPaginated(false, 1, 1, 1); +// Assert.assertEquals(2, assertTimestampsUpdated(loadedSessions, newTime)); +// +// // Assert offline sessions +// loadedSessions = loadPersistedSessionsPaginated(true, 2, 2, 3); +// Assert.assertEquals(4, assertTimestampsUpdated(loadedSessions, newTime)); +// } +// +// private int assertTimestampsUpdated(List loadedSessions, int expectedTime) { +// int clientSessionsCount = 0; +// for (UserSessionModel loadedSession : loadedSessions) { +// Assert.assertEquals(expectedTime, loadedSession.getLastSessionRefresh()); +// for (ClientSessionModel clientSession : loadedSession.getClientSessions()) { +// Assert.assertEquals(expectedTime, clientSession.getTimestamp()); +// clientSessionsCount++; +// } +// } +// return clientSessionsCount; +// } +// +// @Test +// public void testUpdateAndRemove() { +// // Create some sessions in infinispan +// int started = Time.currentTime(); +// UserSessionModel[] origSessions = createSessions(); +// +// resetSession(); +// +// // Persist 1 offline session +// UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[1].getId()); +// persistUserSession(userSession, true); +// +// resetSession(); +// +// // Load offline session +// List loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); +// UserSessionModel persistedSession = loadedSessions.get(0); +// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); +// +// // Update userSession +// Time.setOffset(10); +// try { +// persistedSession.setLastSessionRefresh(Time.currentTime()); +// persistedSession.setNote("foo", "bar"); +// persistedSession.setState(UserSessionModel.State.LOGGING_IN); +// persister.updateUserSession(persistedSession, true); +// +// // create new clientSession +// ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("third-party"), session.sessions().getUserSession(realm, persistedSession.getId()), +// "http://redirect", "state", new HashSet(), new HashSet()); +// persister.createClientSession(clientSession, true); +// +// resetSession(); +// +// // Assert session updated +// loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); +// persistedSession = loadedSessions.get(0); +// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started+10, "test-app", "third-party"); +// Assert.assertEquals("bar", persistedSession.getNote("foo")); +// Assert.assertEquals(UserSessionModel.State.LOGGING_IN, persistedSession.getState()); +// +// // Remove clientSession +// persister.removeClientSession(clientSession.getId(), true); +// +// resetSession(); +// +// // Assert clientSession removed +// loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); +// persistedSession = loadedSessions.get(0); +// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started + 10, "test-app"); +// +// // Remove userSession +// persister.removeUserSession(persistedSession.getId(), true); +// +// resetSession(); +// +// // Assert nothing found +// loadPersistedSessionsPaginated(true, 10, 0, 0); +// } finally { +// Time.setOffset(0); +// } +// } +// +// @Test +// public void testOnRealmRemoved() { +// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); +// fooRealm.addClient("foo-app"); +// session.users().addUser(fooRealm, "user3"); +// +// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); +// createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); +// +// resetSession(); +// +// // Persist offline session +// fooRealm = session.realms().getRealm("foo"); +// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); +// persistUserSession(userSession, true); +// +// resetSession(); +// +// // Assert session was persisted +// loadPersistedSessionsPaginated(true, 10, 1, 1); +// +// // Remove realm +// RealmManager realmMgr = new RealmManager(session); +// realmMgr.removeRealm(realmMgr.getRealm("foo")); +// +// resetSession(); +// +// // Assert nothing loaded +// loadPersistedSessionsPaginated(true, 10, 0, 0); +// } +// +// @Test +// public void testOnClientRemoved() { +// int started = Time.currentTime(); +// +// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); +// fooRealm.addClient("foo-app"); +// fooRealm.addClient("bar-app"); +// session.users().addUser(fooRealm, "user3"); +// +// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); +// createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); +// createClientSession(fooRealm.getClientByClientId("bar-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); +// +// resetSession(); +// +// // Persist offline session +// fooRealm = session.realms().getRealm("foo"); +// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); +// persistUserSession(userSession, true); +// +// resetSession(); +// +// RealmManager realmMgr = new RealmManager(session); +// ClientManager clientMgr = new ClientManager(realmMgr); +// fooRealm = realmMgr.getRealm("foo"); +// +// // Assert session was persisted with both clientSessions +// UserSessionModel persistedSession = loadPersistedSessionsPaginated(true, 10, 1, 1).get(0); +// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "foo-app", "bar-app"); +// +// // Remove foo-app client +// ClientModel client = fooRealm.getClientByClientId("foo-app"); +// clientMgr.removeClient(fooRealm, client); +// +// resetSession(); +// +// realmMgr = new RealmManager(session); +// clientMgr = new ClientManager(realmMgr); +// fooRealm = realmMgr.getRealm("foo"); +// +// // Assert just one bar-app clientSession persisted now +// persistedSession = loadPersistedSessionsPaginated(true, 10, 1, 1).get(0); +// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "bar-app"); +// +// // Remove bar-app client +// client = fooRealm.getClientByClientId("bar-app"); +// clientMgr.removeClient(fooRealm, client); +// +// resetSession(); +// +// // Assert nothing loaded - userSession was removed as well because it was last userSession +// loadPersistedSessionsPaginated(true, 10, 0, 0); +// +// // Cleanup +// realmMgr = new RealmManager(session); +// realmMgr.removeRealm(realmMgr.getRealm("foo")); +// } +// +// @Test +// public void testOnUserRemoved() { +// // Create some sessions in infinispan +// int started = Time.currentTime(); +// UserSessionModel[] origSessions = createSessions(); +// +// resetSession(); +// +// // Persist 2 offline sessions of 2 users +// UserSessionModel userSession1 = session.sessions().getUserSession(realm, origSessions[1].getId()); +// UserSessionModel userSession2 = session.sessions().getUserSession(realm, origSessions[2].getId()); +// persistUserSession(userSession1, true); +// persistUserSession(userSession2, true); +// +// resetSession(); +// +// // Load offline sessions +// List loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 2); +// +// // Properly delete user and assert his offlineSession removed +// UserModel user1 = session.users().getUserByUsername("user1", realm); +// new UserManager(session).removeUser(realm, user1); +// +// resetSession(); +// +// Assert.assertEquals(1, persister.getUserSessionsCount(true)); +// loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); +// UserSessionModel persistedSession = loadedSessions.get(0); +// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); +// +// // KEYCLOAK-2431 Assert that userSessionPersister is resistent even to situation, when users are deleted "directly" +// UserModel user2 = session.users().getUserByUsername("user2", realm); +// session.users().removeUser(realm, user2); +// +// loadedSessions = loadPersistedSessionsPaginated(true, 10, 0, 0); +// +// } +// +// // KEYCLOAK-1999 +// @Test +// public void testNoSessions() { +// UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class); +// List sessions = persister.loadUserSessions(0, 1, true); +// Assert.assertEquals(0, sessions.size()); +// } +// +// +// private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { +// ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); +// if (userSession != null) clientSession.setUserSession(userSession); +// clientSession.setRedirectUri(redirect); +// if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); +// if (roles != null) clientSession.setRoles(roles); +// if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); +// return clientSession; +// } +// +// private UserSessionModel[] createSessions() { +// UserSessionModel[] sessions = new UserSessionModel[3]; +// sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); +// +// Set roles = new HashSet(); +// roles.add("one"); +// roles.add("two"); +// +// Set protocolMappers = new HashSet(); +// protocolMappers.add("mapper-one"); +// protocolMappers.add("mapper-two"); +// +// createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); +// createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); +// +// sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); +// createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); +// +// sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); +// createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); +// +// return sessions; +// } +// +// private void persistUserSession(UserSessionModel userSession, boolean offline) { +// persister.createUserSession(userSession, offline); +// for (ClientSessionModel clientSession : userSession.getClientSessions()) { +// persister.createClientSession(clientSession, offline); +// } +// } +// +// private void resetSession() { +// kc.stopSession(session, true); +// session = kc.startSession(); +// realm = session.realms().getRealm("test"); +// persister = session.getProvider(UserSessionPersisterProvider.class); +// } +// +// public static void assertSessionLoaded(List sessions, String id, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { +// for (UserSessionModel session : sessions) { +// if (session.getId().equals(id)) { +// UserSessionProviderTest.assertSession(session, user, ipAddress, started, lastRefresh, clients); +// return; +// } +// } +// Assert.fail("Session with ID " + id + " not found in the list"); +// } +// +// private List loadPersistedSessionsPaginated(boolean offline, int sessionsPerPage, int expectedPageCount, int expectedSessionsCount) { +// int count = persister.getUserSessionsCount(offline); +// +// int start = 0; +// int pageCount = 0; +// boolean next = true; +// List result = new ArrayList<>(); +// while (next && start < count) { +// List sess = persister.loadUserSessions(start, sessionsPerPage, offline); +// if (sess.size() == 0) { +// next = false; +// } else { +// pageCount++; +// start += sess.size(); +// result.addAll(sess); +// } +// } +// +// Assert.assertEquals(pageCount, expectedPageCount); +// Assert.assertEquals(result.size(), expectedSessionsCount); +// return result; +// } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderOfflineTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderOfflineTest.java index fb4b3af81b..c69f8f96bc 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderOfflineTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderOfflineTest.java @@ -51,409 +51,410 @@ import java.util.Set; */ public class UserSessionProviderOfflineTest { - @ClassRule - public static KeycloakRule kc = new KeycloakRule(); - - @Rule - public LoggingRule loggingRule = new LoggingRule(this); - - private KeycloakSession session; - private RealmModel realm; - private UserSessionManager sessionManager; - private UserSessionPersisterProvider persister; - - @Before - public void before() { - session = kc.startSession(); - realm = session.realms().getRealm("test"); - session.users().addUser(realm, "user1").setEmail("user1@localhost"); - session.users().addUser(realm, "user2").setEmail("user2@localhost"); - sessionManager = new UserSessionManager(session); - persister = session.getProvider(UserSessionPersisterProvider.class); - } - - @After - public void after() { - resetSession(); - session.sessions().removeUserSessions(realm); - UserModel user1 = session.users().getUserByUsername("user1", realm); - UserModel user2 = session.users().getUserByUsername("user2", realm); - - UserManager um = new UserManager(session); - um.removeUser(realm, user1); - um.removeUser(realm, user2); - kc.stopSession(session, true); - } - - - @Test - public void testOfflineSessionsCrud() { - // Create some online sessions in infinispan - int started = Time.currentTime(); - UserSessionModel[] origSessions = createSessions(); - - resetSession(); - - Map offlineSessions = new HashMap<>(); - - // Persist 3 created userSessions and clientSessions as offline - ClientModel testApp = realm.getClientByClientId("test-app"); - List userSessions = session.sessions().getUserSessions(realm, testApp); - for (UserSessionModel userSession : userSessions) { - offlineSessions.putAll(createOfflineSessionIncludeClientSessions(userSession)); - } - - resetSession(); - - // Assert all previously saved offline sessions found - for (Map.Entry entry : offlineSessions.entrySet()) { - Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); - - UserSessionModel offlineSession = session.sessions().getUserSession(realm, entry.getValue()); - boolean found = false; - for (ClientSessionModel clientSession : offlineSession.getClientSessions()) { - if (clientSession.getId().equals(entry.getKey())) { - found = true; - } - } - Assert.assertTrue(found); - } - - // Find clients with offline token - UserModel user1 = session.users().getUserByUsername("user1", realm); - Set clients = sessionManager.findClientsWithOfflineToken(realm, user1); - Assert.assertEquals(clients.size(), 2); - for (ClientModel client : clients) { - Assert.assertTrue(client.getClientId().equals("test-app") || client.getClientId().equals("third-party")); - } - - UserModel user2 = session.users().getUserByUsername("user2", realm); - clients = sessionManager.findClientsWithOfflineToken(realm, user2); - Assert.assertEquals(clients.size(), 1); - Assert.assertTrue(clients.iterator().next().getClientId().equals("test-app")); - - // Test count - testApp = realm.getClientByClientId("test-app"); - ClientModel thirdparty = realm.getClientByClientId("third-party"); - Assert.assertEquals(3, session.sessions().getOfflineSessionsCount(realm, testApp)); - Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); - - // Revoke "test-app" for user1 - sessionManager.revokeOfflineToken(user1, testApp); - - resetSession(); - - // Assert userSession revoked - testApp = realm.getClientByClientId("test-app"); - thirdparty = realm.getClientByClientId("third-party"); - Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, testApp)); - Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); - - List testAppSessions = session.sessions().getOfflineUserSessions(realm, testApp, 0, 10); - List thirdpartySessions = session.sessions().getOfflineUserSessions(realm, thirdparty, 0, 10); - Assert.assertEquals(1, testAppSessions.size()); - Assert.assertEquals("127.0.0.3", testAppSessions.get(0).getIpAddress()); - Assert.assertEquals("user2", testAppSessions.get(0).getUser().getUsername()); - Assert.assertEquals(1, thirdpartySessions.size()); - Assert.assertEquals("127.0.0.1", thirdpartySessions.get(0).getIpAddress()); - Assert.assertEquals("user1", thirdpartySessions.get(0).getUser().getUsername()); - - user1 = session.users().getUserByUsername("user1", realm); - user2 = session.users().getUserByUsername("user2", realm); - clients = sessionManager.findClientsWithOfflineToken(realm, user1); - Assert.assertEquals(1, clients.size()); - Assert.assertEquals("third-party", clients.iterator().next().getClientId()); - clients = sessionManager.findClientsWithOfflineToken(realm, user2); - Assert.assertEquals(1, clients.size()); - Assert.assertEquals("test-app", clients.iterator().next().getClientId()); - } - - @Test - public void testOnRealmRemoved() { - RealmModel fooRealm = session.realms().createRealm("foo", "foo"); - fooRealm.addClient("foo-app"); - session.users().addUser(fooRealm, "user3"); - - UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); - ClientSessionModel clientSession = createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); - - resetSession(); - - // Persist offline session - fooRealm = session.realms().getRealm("foo"); - userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); - clientSession = session.sessions().getClientSession(fooRealm, clientSession.getId()); - sessionManager.createOrUpdateOfflineSession(userSession.getClientSessions().get(0), userSession); - - resetSession(); - - ClientSessionModel offlineClientSession = sessionManager.findOfflineClientSession(fooRealm, clientSession.getId()); - Assert.assertEquals("foo-app", offlineClientSession.getClient().getClientId()); - Assert.assertEquals("user3", offlineClientSession.getUserSession().getUser().getUsername()); - Assert.assertEquals(offlineClientSession.getId(), offlineClientSession.getUserSession().getClientSessions().get(0).getId()); - - // Remove realm - RealmManager realmMgr = new RealmManager(session); - realmMgr.removeRealm(realmMgr.getRealm("foo")); - - resetSession(); - - fooRealm = session.realms().createRealm("foo", "foo"); - fooRealm.addClient("foo-app"); - session.users().addUser(fooRealm, "user3"); - - resetSession(); - - // Assert nothing loaded - fooRealm = session.realms().getRealm("foo"); - Assert.assertNull(sessionManager.findOfflineClientSession(fooRealm, clientSession.getId())); - Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(fooRealm, fooRealm.getClientByClientId("foo-app"))); - - // Cleanup - realmMgr = new RealmManager(session); - realmMgr.removeRealm(realmMgr.getRealm("foo")); - } - - @Test - public void testOnClientRemoved() { - int started = Time.currentTime(); - - RealmModel fooRealm = session.realms().createRealm("foo", "foo"); - fooRealm.addClient("foo-app"); - fooRealm.addClient("bar-app"); - session.users().addUser(fooRealm, "user3"); - - UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); - createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); - createClientSession(fooRealm.getClientByClientId("bar-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); - - resetSession(); - - // Create offline session - fooRealm = session.realms().getRealm("foo"); - userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); - createOfflineSessionIncludeClientSessions(userSession); - - resetSession(); - - RealmManager realmMgr = new RealmManager(session); - ClientManager clientMgr = new ClientManager(realmMgr); - fooRealm = realmMgr.getRealm("foo"); - - // Assert session was persisted with both clientSessions - UserSessionModel offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); - UserSessionProviderTest.assertSession(offlineSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "foo-app", "bar-app"); - - // Remove foo-app client - ClientModel client = fooRealm.getClientByClientId("foo-app"); - clientMgr.removeClient(fooRealm, client); - - resetSession(); - - realmMgr = new RealmManager(session); - clientMgr = new ClientManager(realmMgr); - fooRealm = realmMgr.getRealm("foo"); - - // Assert just one bar-app clientSession persisted now - offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); - Assert.assertEquals(1, offlineSession.getClientSessions().size()); - Assert.assertEquals("bar-app", offlineSession.getClientSessions().get(0).getClient().getClientId()); - - // Remove bar-app client - client = fooRealm.getClientByClientId("bar-app"); - clientMgr.removeClient(fooRealm, client); - - resetSession(); - - // Assert nothing loaded - userSession was removed as well because it was last userSession - offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); - Assert.assertEquals(0, offlineSession.getClientSessions().size()); - - // Cleanup - realmMgr = new RealmManager(session); - realmMgr.removeRealm(realmMgr.getRealm("foo")); - } - - @Test - public void testOnUserRemoved() { - int started = Time.currentTime(); - - RealmModel fooRealm = session.realms().createRealm("foo", "foo"); - fooRealm.addClient("foo-app"); - session.users().addUser(fooRealm, "user3"); - - UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); - ClientSessionModel clientSession = createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); - - resetSession(); - - // Create offline session - fooRealm = session.realms().getRealm("foo"); - userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); - createOfflineSessionIncludeClientSessions(userSession); - - resetSession(); - - RealmManager realmMgr = new RealmManager(session); - fooRealm = realmMgr.getRealm("foo"); - UserModel user3 = session.users().getUserByUsername("user3", fooRealm); - - // Assert session was persisted with both clientSessions - UserSessionModel offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); - UserSessionProviderTest.assertSession(offlineSession, user3, "127.0.0.1", started, started, "foo-app"); - - // Remove user3 - new UserManager(session).removeUser(fooRealm, user3); - - resetSession(); - - // Assert userSession removed as well - Assert.assertNull(session.sessions().getOfflineUserSession(fooRealm, userSession.getId())); - Assert.assertNull(session.sessions().getOfflineClientSession(fooRealm, clientSession.getId())); - - // Cleanup - realmMgr = new RealmManager(session); - realmMgr.removeRealm(realmMgr.getRealm("foo")); - - } - - @Test - public void testExpired() { - // Create some online sessions in infinispan - int started = Time.currentTime(); - UserSessionModel[] origSessions = createSessions(); - - resetSession(); - - Map offlineSessions = new HashMap<>(); - - // Persist 3 created userSessions and clientSessions as offline - ClientModel testApp = realm.getClientByClientId("test-app"); - List userSessions = session.sessions().getUserSessions(realm, testApp); - for (UserSessionModel userSession : userSessions) { - offlineSessions.putAll(createOfflineSessionIncludeClientSessions(userSession)); - } - - resetSession(); - - // Assert all previously saved offline sessions found - for (Map.Entry entry : offlineSessions.entrySet()) { - Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); - } - - UserSessionModel session0 = session.sessions().getOfflineUserSession(realm, origSessions[0].getId()); - Assert.assertNotNull(session0); - List clientSessions = new LinkedList<>(); - for (ClientSessionModel clientSession : session0.getClientSessions()) { - clientSessions.add(clientSession.getId()); - Assert.assertNotNull(session.sessions().getOfflineClientSession(realm, clientSession.getId())); - } - - UserSessionModel session1 = session.sessions().getOfflineUserSession(realm, origSessions[1].getId()); - Assert.assertEquals(1, session1.getClientSessions().size()); - ClientSessionModel cls1 = session1.getClientSessions().get(0); - - // sessions are in persister too - Assert.assertEquals(3, persister.getUserSessionsCount(true)); - - // Set lastSessionRefresh to session[0] to 0 - session0.setLastSessionRefresh(0); - - // Set timestamp to cls1 to 0 - cls1.setTimestamp(0); - - resetSession(); - - session.sessions().removeExpired(realm); - - resetSession(); - - // assert session0 not found now - Assert.assertNull(session.sessions().getOfflineUserSession(realm, origSessions[0].getId())); - for (String clientSession : clientSessions) { - Assert.assertNull(session.sessions().getOfflineClientSession(realm, origSessions[0].getId())); - offlineSessions.remove(clientSession); - } - - // Assert cls1 not found too - for (Map.Entry entry : offlineSessions.entrySet()) { - String userSessionId = entry.getValue(); - if (userSessionId.equals(session1.getId())) { - Assert.assertFalse(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); - } else { - Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); - } - } - Assert.assertEquals(1, persister.getUserSessionsCount(true)); - - // Expire everything and assert nothing found - Time.setOffset(3000000); - try { - session.sessions().removeExpired(realm); - - resetSession(); - - for (Map.Entry entry : offlineSessions.entrySet()) { - Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) == null); - } - Assert.assertEquals(0, persister.getUserSessionsCount(true)); - - } finally { - Time.setOffset(0); - } - } - - private Map createOfflineSessionIncludeClientSessions(UserSessionModel userSession) { - Map offlineSessions = new HashMap<>(); - - for (ClientSessionModel clientSession : userSession.getClientSessions()) { - sessionManager.createOrUpdateOfflineSession(clientSession, userSession); - offlineSessions.put(clientSession.getId(), userSession.getId()); - } - return offlineSessions; - } - - - - private void resetSession() { - kc.stopSession(session, true); - session = kc.startSession(); - realm = session.realms().getRealm("test"); - sessionManager = new UserSessionManager(session); - persister = session.getProvider(UserSessionPersisterProvider.class); - } - - private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { - ClientSessionModel clientSession = session.sessions().createClientSession(client.getRealm(), client); - if (userSession != null) clientSession.setUserSession(userSession); - clientSession.setRedirectUri(redirect); - if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); - if (roles != null) clientSession.setRoles(roles); - if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); - return clientSession; - } - - private UserSessionModel[] createSessions() { - UserSessionModel[] sessions = new UserSessionModel[3]; - sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); - - Set roles = new HashSet(); - roles.add("one"); - roles.add("two"); - - Set protocolMappers = new HashSet(); - protocolMappers.add("mapper-one"); - protocolMappers.add("mapper-two"); - - createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); - createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); - - sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); - createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); - - sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); - createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); - - return sessions; - } + // TODO:mposolda +// @ClassRule +// public static KeycloakRule kc = new KeycloakRule(); +// +// @Rule +// public LoggingRule loggingRule = new LoggingRule(this); +// +// private KeycloakSession session; +// private RealmModel realm; +// private UserSessionManager sessionManager; +// private UserSessionPersisterProvider persister; +// +// @Before +// public void before() { +// session = kc.startSession(); +// realm = session.realms().getRealm("test"); +// session.users().addUser(realm, "user1").setEmail("user1@localhost"); +// session.users().addUser(realm, "user2").setEmail("user2@localhost"); +// sessionManager = new UserSessionManager(session); +// persister = session.getProvider(UserSessionPersisterProvider.class); +// } +// +// @After +// public void after() { +// resetSession(); +// session.sessions().removeUserSessions(realm); +// UserModel user1 = session.users().getUserByUsername("user1", realm); +// UserModel user2 = session.users().getUserByUsername("user2", realm); +// +// UserManager um = new UserManager(session); +// um.removeUser(realm, user1); +// um.removeUser(realm, user2); +// kc.stopSession(session, true); +// } +// +// +// @Test +// public void testOfflineSessionsCrud() { +// // Create some online sessions in infinispan +// int started = Time.currentTime(); +// UserSessionModel[] origSessions = createSessions(); +// +// resetSession(); +// +// Map offlineSessions = new HashMap<>(); +// +// // Persist 3 created userSessions and clientSessions as offline +// ClientModel testApp = realm.getClientByClientId("test-app"); +// List userSessions = session.sessions().getUserSessions(realm, testApp); +// for (UserSessionModel userSession : userSessions) { +// offlineSessions.putAll(createOfflineSessionIncludeClientSessions(userSession)); +// } +// +// resetSession(); +// +// // Assert all previously saved offline sessions found +// for (Map.Entry entry : offlineSessions.entrySet()) { +// Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); +// +// UserSessionModel offlineSession = session.sessions().getUserSession(realm, entry.getValue()); +// boolean found = false; +// for (ClientSessionModel clientSession : offlineSession.getClientSessions()) { +// if (clientSession.getId().equals(entry.getKey())) { +// found = true; +// } +// } +// Assert.assertTrue(found); +// } +// +// // Find clients with offline token +// UserModel user1 = session.users().getUserByUsername("user1", realm); +// Set clients = sessionManager.findClientsWithOfflineToken(realm, user1); +// Assert.assertEquals(clients.size(), 2); +// for (ClientModel client : clients) { +// Assert.assertTrue(client.getClientId().equals("test-app") || client.getClientId().equals("third-party")); +// } +// +// UserModel user2 = session.users().getUserByUsername("user2", realm); +// clients = sessionManager.findClientsWithOfflineToken(realm, user2); +// Assert.assertEquals(clients.size(), 1); +// Assert.assertTrue(clients.iterator().next().getClientId().equals("test-app")); +// +// // Test count +// testApp = realm.getClientByClientId("test-app"); +// ClientModel thirdparty = realm.getClientByClientId("third-party"); +// Assert.assertEquals(3, session.sessions().getOfflineSessionsCount(realm, testApp)); +// Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); +// +// // Revoke "test-app" for user1 +// sessionManager.revokeOfflineToken(user1, testApp); +// +// resetSession(); +// +// // Assert userSession revoked +// testApp = realm.getClientByClientId("test-app"); +// thirdparty = realm.getClientByClientId("third-party"); +// Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, testApp)); +// Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); +// +// List testAppSessions = session.sessions().getOfflineUserSessions(realm, testApp, 0, 10); +// List thirdpartySessions = session.sessions().getOfflineUserSessions(realm, thirdparty, 0, 10); +// Assert.assertEquals(1, testAppSessions.size()); +// Assert.assertEquals("127.0.0.3", testAppSessions.get(0).getIpAddress()); +// Assert.assertEquals("user2", testAppSessions.get(0).getUser().getUsername()); +// Assert.assertEquals(1, thirdpartySessions.size()); +// Assert.assertEquals("127.0.0.1", thirdpartySessions.get(0).getIpAddress()); +// Assert.assertEquals("user1", thirdpartySessions.get(0).getUser().getUsername()); +// +// user1 = session.users().getUserByUsername("user1", realm); +// user2 = session.users().getUserByUsername("user2", realm); +// clients = sessionManager.findClientsWithOfflineToken(realm, user1); +// Assert.assertEquals(1, clients.size()); +// Assert.assertEquals("third-party", clients.iterator().next().getClientId()); +// clients = sessionManager.findClientsWithOfflineToken(realm, user2); +// Assert.assertEquals(1, clients.size()); +// Assert.assertEquals("test-app", clients.iterator().next().getClientId()); +// } +// +// @Test +// public void testOnRealmRemoved() { +// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); +// fooRealm.addClient("foo-app"); +// session.users().addUser(fooRealm, "user3"); +// +// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); +// ClientSessionModel clientSession = createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); +// +// resetSession(); +// +// // Persist offline session +// fooRealm = session.realms().getRealm("foo"); +// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); +// clientSession = session.sessions().getClientSession(fooRealm, clientSession.getId()); +// sessionManager.createOrUpdateOfflineSession(userSession.getClientSessions().get(0), userSession); +// +// resetSession(); +// +// ClientSessionModel offlineClientSession = sessionManager.findOfflineClientSession(fooRealm, clientSession.getId()); +// Assert.assertEquals("foo-app", offlineClientSession.getClient().getClientId()); +// Assert.assertEquals("user3", offlineClientSession.getUserSession().getUser().getUsername()); +// Assert.assertEquals(offlineClientSession.getId(), offlineClientSession.getUserSession().getClientSessions().get(0).getId()); +// +// // Remove realm +// RealmManager realmMgr = new RealmManager(session); +// realmMgr.removeRealm(realmMgr.getRealm("foo")); +// +// resetSession(); +// +// fooRealm = session.realms().createRealm("foo", "foo"); +// fooRealm.addClient("foo-app"); +// session.users().addUser(fooRealm, "user3"); +// +// resetSession(); +// +// // Assert nothing loaded +// fooRealm = session.realms().getRealm("foo"); +// Assert.assertNull(sessionManager.findOfflineClientSession(fooRealm, clientSession.getId())); +// Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(fooRealm, fooRealm.getClientByClientId("foo-app"))); +// +// // Cleanup +// realmMgr = new RealmManager(session); +// realmMgr.removeRealm(realmMgr.getRealm("foo")); +// } +// +// @Test +// public void testOnClientRemoved() { +// int started = Time.currentTime(); +// +// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); +// fooRealm.addClient("foo-app"); +// fooRealm.addClient("bar-app"); +// session.users().addUser(fooRealm, "user3"); +// +// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); +// createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); +// createClientSession(fooRealm.getClientByClientId("bar-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); +// +// resetSession(); +// +// // Create offline session +// fooRealm = session.realms().getRealm("foo"); +// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); +// createOfflineSessionIncludeClientSessions(userSession); +// +// resetSession(); +// +// RealmManager realmMgr = new RealmManager(session); +// ClientManager clientMgr = new ClientManager(realmMgr); +// fooRealm = realmMgr.getRealm("foo"); +// +// // Assert session was persisted with both clientSessions +// UserSessionModel offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); +// UserSessionProviderTest.assertSession(offlineSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "foo-app", "bar-app"); +// +// // Remove foo-app client +// ClientModel client = fooRealm.getClientByClientId("foo-app"); +// clientMgr.removeClient(fooRealm, client); +// +// resetSession(); +// +// realmMgr = new RealmManager(session); +// clientMgr = new ClientManager(realmMgr); +// fooRealm = realmMgr.getRealm("foo"); +// +// // Assert just one bar-app clientSession persisted now +// offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); +// Assert.assertEquals(1, offlineSession.getClientSessions().size()); +// Assert.assertEquals("bar-app", offlineSession.getClientSessions().get(0).getClient().getClientId()); +// +// // Remove bar-app client +// client = fooRealm.getClientByClientId("bar-app"); +// clientMgr.removeClient(fooRealm, client); +// +// resetSession(); +// +// // Assert nothing loaded - userSession was removed as well because it was last userSession +// offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); +// Assert.assertEquals(0, offlineSession.getClientSessions().size()); +// +// // Cleanup +// realmMgr = new RealmManager(session); +// realmMgr.removeRealm(realmMgr.getRealm("foo")); +// } +// +// @Test +// public void testOnUserRemoved() { +// int started = Time.currentTime(); +// +// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); +// fooRealm.addClient("foo-app"); +// session.users().addUser(fooRealm, "user3"); +// +// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); +// ClientSessionModel clientSession = createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); +// +// resetSession(); +// +// // Create offline session +// fooRealm = session.realms().getRealm("foo"); +// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); +// createOfflineSessionIncludeClientSessions(userSession); +// +// resetSession(); +// +// RealmManager realmMgr = new RealmManager(session); +// fooRealm = realmMgr.getRealm("foo"); +// UserModel user3 = session.users().getUserByUsername("user3", fooRealm); +// +// // Assert session was persisted with both clientSessions +// UserSessionModel offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); +// UserSessionProviderTest.assertSession(offlineSession, user3, "127.0.0.1", started, started, "foo-app"); +// +// // Remove user3 +// new UserManager(session).removeUser(fooRealm, user3); +// +// resetSession(); +// +// // Assert userSession removed as well +// Assert.assertNull(session.sessions().getOfflineUserSession(fooRealm, userSession.getId())); +// Assert.assertNull(session.sessions().getOfflineClientSession(fooRealm, clientSession.getId())); +// +// // Cleanup +// realmMgr = new RealmManager(session); +// realmMgr.removeRealm(realmMgr.getRealm("foo")); +// +// } +// +// @Test +// public void testExpired() { +// // Create some online sessions in infinispan +// int started = Time.currentTime(); +// UserSessionModel[] origSessions = createSessions(); +// +// resetSession(); +// +// Map offlineSessions = new HashMap<>(); +// +// // Persist 3 created userSessions and clientSessions as offline +// ClientModel testApp = realm.getClientByClientId("test-app"); +// List userSessions = session.sessions().getUserSessions(realm, testApp); +// for (UserSessionModel userSession : userSessions) { +// offlineSessions.putAll(createOfflineSessionIncludeClientSessions(userSession)); +// } +// +// resetSession(); +// +// // Assert all previously saved offline sessions found +// for (Map.Entry entry : offlineSessions.entrySet()) { +// Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); +// } +// +// UserSessionModel session0 = session.sessions().getOfflineUserSession(realm, origSessions[0].getId()); +// Assert.assertNotNull(session0); +// List clientSessions = new LinkedList<>(); +// for (ClientSessionModel clientSession : session0.getClientSessions()) { +// clientSessions.add(clientSession.getId()); +// Assert.assertNotNull(session.sessions().getOfflineClientSession(realm, clientSession.getId())); +// } +// +// UserSessionModel session1 = session.sessions().getOfflineUserSession(realm, origSessions[1].getId()); +// Assert.assertEquals(1, session1.getClientSessions().size()); +// ClientSessionModel cls1 = session1.getClientSessions().get(0); +// +// // sessions are in persister too +// Assert.assertEquals(3, persister.getUserSessionsCount(true)); +// +// // Set lastSessionRefresh to session[0] to 0 +// session0.setLastSessionRefresh(0); +// +// // Set timestamp to cls1 to 0 +// cls1.setTimestamp(0); +// +// resetSession(); +// +// session.sessions().removeExpired(realm); +// +// resetSession(); +// +// // assert session0 not found now +// Assert.assertNull(session.sessions().getOfflineUserSession(realm, origSessions[0].getId())); +// for (String clientSession : clientSessions) { +// Assert.assertNull(session.sessions().getOfflineClientSession(realm, origSessions[0].getId())); +// offlineSessions.remove(clientSession); +// } +// +// // Assert cls1 not found too +// for (Map.Entry entry : offlineSessions.entrySet()) { +// String userSessionId = entry.getValue(); +// if (userSessionId.equals(session1.getId())) { +// Assert.assertFalse(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); +// } else { +// Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); +// } +// } +// Assert.assertEquals(1, persister.getUserSessionsCount(true)); +// +// // Expire everything and assert nothing found +// Time.setOffset(3000000); +// try { +// session.sessions().removeExpired(realm); +// +// resetSession(); +// +// for (Map.Entry entry : offlineSessions.entrySet()) { +// Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) == null); +// } +// Assert.assertEquals(0, persister.getUserSessionsCount(true)); +// +// } finally { +// Time.setOffset(0); +// } +// } +// +// private Map createOfflineSessionIncludeClientSessions(UserSessionModel userSession) { +// Map offlineSessions = new HashMap<>(); +// +// for (ClientSessionModel clientSession : userSession.getClientSessions()) { +// sessionManager.createOrUpdateOfflineSession(clientSession, userSession); +// offlineSessions.put(clientSession.getId(), userSession.getId()); +// } +// return offlineSessions; +// } +// +// +// +// private void resetSession() { +// kc.stopSession(session, true); +// session = kc.startSession(); +// realm = session.realms().getRealm("test"); +// sessionManager = new UserSessionManager(session); +// persister = session.getProvider(UserSessionPersisterProvider.class); +// } +// +// private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { +// ClientSessionModel clientSession = session.sessions().createClientSession(client.getRealm(), client); +// if (userSession != null) clientSession.setUserSession(userSession); +// clientSession.setRedirectUri(redirect); +// if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); +// if (roles != null) clientSession.setRoles(roles); +// if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); +// return clientSession; +// } +// +// private UserSessionModel[] createSessions() { +// UserSessionModel[] sessions = new UserSessionModel[3]; +// sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); +// +// Set roles = new HashSet(); +// roles.add("one"); +// roles.add("two"); +// +// Set protocolMappers = new HashSet(); +// protocolMappers.add("mapper-one"); +// protocolMappers.add("mapper-two"); +// +// createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); +// createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); +// +// sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); +// createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); +// +// sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); +// createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); +// +// return sessions; +// } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java index 824200d521..534bff342b 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java @@ -52,575 +52,577 @@ import static org.junit.Assert.assertTrue; */ public class UserSessionProviderTest { - @ClassRule - public static KeycloakRule kc = new KeycloakRule(); - - private KeycloakSession session; - private RealmModel realm; - - @Before - public void before() { - session = kc.startSession(); - realm = session.realms().getRealm("test"); - session.users().addUser(realm, "user1").setEmail("user1@localhost"); - session.users().addUser(realm, "user2").setEmail("user2@localhost"); - } - - @After - public void after() { - resetSession(); - session.sessions().removeUserSessions(realm); - UserModel user1 = session.users().getUserByUsername("user1", realm); - UserModel user2 = session.users().getUserByUsername("user2", realm); - - UserManager um = new UserManager(session); - if (user1 != null) { - um.removeUser(realm, user1); - } - if (user2 != null) { - um.removeUser(realm, user2); - } - kc.stopSession(session, true); - } - - @Test - public void testCreateSessions() { - int started = Time.currentTime(); - UserSessionModel[] sessions = createSessions(); - - assertSession(session.sessions().getUserSession(realm, sessions[0].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); - assertSession(session.sessions().getUserSession(realm, sessions[1].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); - assertSession(session.sessions().getUserSession(realm, sessions[2].getId()), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); - } - - @Test - public void testUpdateSession() { - UserSessionModel[] sessions = createSessions(); - session.sessions().getUserSession(realm, sessions[0].getId()).setLastSessionRefresh(1000); - - resetSession(); - - assertEquals(1000, session.sessions().getUserSession(realm, sessions[0].getId()).getLastSessionRefresh()); - } - - @Test - public void testCreateClientSession() { - UserSessionModel[] sessions = createSessions(); - - List clientSessions = session.sessions().getUserSession(realm, sessions[0].getId()).getClientSessions(); - assertEquals(2, clientSessions.size()); - - String client1 = realm.getClientByClientId("test-app").getId(); - - ClientSessionModel session1; - - if (clientSessions.get(0).getClient().getId().equals(client1)) { - session1 = clientSessions.get(0); - } else { - session1 = clientSessions.get(1); - } - - assertEquals(null, session1.getAction()); - assertEquals(realm.getClientByClientId("test-app").getClientId(), session1.getClient().getClientId()); - assertEquals(sessions[0].getId(), session1.getUserSession().getId()); - assertEquals("http://redirect", session1.getRedirectUri()); - assertEquals("state", session1.getNote(OIDCLoginProtocol.STATE_PARAM)); - assertEquals(2, session1.getRoles().size()); - assertTrue(session1.getRoles().contains("one")); - assertTrue(session1.getRoles().contains("two")); - assertEquals(2, session1.getProtocolMappers().size()); - assertTrue(session1.getProtocolMappers().contains("mapper-one")); - assertTrue(session1.getProtocolMappers().contains("mapper-two")); - } - - @Test - public void testUpdateClientSession() { - UserSessionModel[] sessions = createSessions(); - - String id = sessions[0].getClientSessions().get(0).getId(); - - ClientSessionModel clientSession = session.sessions().getClientSession(realm, id); - - int time = clientSession.getTimestamp(); - assertEquals(null, clientSession.getAction()); - - clientSession.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name()); - clientSession.setTimestamp(time + 10); - - kc.stopSession(session, true); - session = kc.startSession(); - - ClientSessionModel updated = session.sessions().getClientSession(realm, id); - assertEquals(ClientSessionModel.Action.CODE_TO_TOKEN.name(), updated.getAction()); - assertEquals(time + 10, updated.getTimestamp()); - } - - @Test - public void testGetUserSessions() { - UserSessionModel[] sessions = createSessions(); - - assertSessions(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)), sessions[0], sessions[1]); - assertSessions(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)), sessions[2]); - } - - @Test - public void testRemoveUserSessionsByUser() { - UserSessionModel[] sessions = createSessions(); - - List clientSessionsRemoved = new LinkedList(); - List clientSessionsKept = new LinkedList(); - for (UserSessionModel s : sessions) { - s = session.sessions().getUserSession(realm, s.getId()); - - for (ClientSessionModel c : s.getClientSessions()) { - if (c.getUserSession().getUser().getUsername().equals("user1")) { - clientSessionsRemoved.add(c.getId()); - } else { - clientSessionsKept.add(c.getId()); - } - } - } - - session.sessions().removeUserSessions(realm, session.users().getUserByUsername("user1", realm)); - resetSession(); - - assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); - assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); - - for (String c : clientSessionsRemoved) { - assertNull(session.sessions().getClientSession(realm, c)); - } - for (String c : clientSessionsKept) { - assertNotNull(session.sessions().getClientSession(realm, c)); - } - } - - @Test - public void testRemoveUserSession() { - UserSessionModel userSession = createSessions()[0]; - - List clientSessionsRemoved = new LinkedList(); - for (ClientSessionModel c : userSession.getClientSessions()) { - clientSessionsRemoved.add(c.getId()); - } - - session.sessions().removeUserSession(realm, userSession); - resetSession(); - - assertNull(session.sessions().getUserSession(realm, userSession.getId())); - for (String c : clientSessionsRemoved) { - assertNull(session.sessions().getClientSession(realm, c)); - } - } - - @Test - public void testRemoveUserSessionsByRealm() { - UserSessionModel[] sessions = createSessions(); - - List clientSessions = new LinkedList(); - for (UserSessionModel s : sessions) { - clientSessions.addAll(s.getClientSessions()); - } - - session.sessions().removeUserSessions(realm); - resetSession(); - - assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); - assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); - - for (ClientSessionModel c : clientSessions) { - assertNull(session.sessions().getClientSession(realm, c.getId())); - } - } - - @Test - public void testOnClientRemoved() { - UserSessionModel[] sessions = createSessions(); - - List clientSessionsRemoved = new LinkedList(); - List clientSessionsKept = new LinkedList(); - for (UserSessionModel s : sessions) { - s = session.sessions().getUserSession(realm, s.getId()); - for (ClientSessionModel c : s.getClientSessions()) { - if (c.getClient().getClientId().equals("third-party")) { - clientSessionsRemoved.add(c.getId()); - } else { - clientSessionsKept.add(c.getId()); - } - } - } - - session.sessions().onClientRemoved(realm, realm.getClientByClientId("third-party")); - resetSession(); - - for (String c : clientSessionsRemoved) { - assertNull(session.sessions().getClientSession(realm, c)); - } - for (String c : clientSessionsKept) { - assertNotNull(session.sessions().getClientSession(realm, c)); - } - - session.sessions().onClientRemoved(realm, realm.getClientByClientId("test-app")); - resetSession(); - - for (String c : clientSessionsRemoved) { - assertNull(session.sessions().getClientSession(realm, c)); - } - for (String c : clientSessionsKept) { - assertNull(session.sessions().getClientSession(realm, c)); - } - } - - @Test - public void testRemoveUserSessionsByExpired() { - session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)); - ClientModel client = realm.getClientByClientId("test-app"); - - try { - Set expired = new HashSet(); - Set expiredClientSessions = new HashSet(); - - Time.setOffset(-(realm.getSsoSessionMaxLifespan() + 1)); - expired.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); - expiredClientSessions.add(session.sessions().createClientSession(realm, client).getId()); - - Time.setOffset(0); - UserSessionModel s = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.1", "form", true, null, null); - //s.setLastSessionRefresh(Time.currentTime() - (realm.getSsoSessionIdleTimeout() + 1)); - s.setLastSessionRefresh(0); - expired.add(s.getId()); - - ClientSessionModel clSession = session.sessions().createClientSession(realm, client); - clSession.setUserSession(s); - expiredClientSessions.add(clSession.getId()); - - Set valid = new HashSet(); - Set validClientSessions = new HashSet(); - - valid.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); - validClientSessions.add(session.sessions().createClientSession(realm, client).getId()); - - resetSession(); - - session.sessions().removeExpired(realm); - resetSession(); - - for (String e : expired) { - assertNull(session.sessions().getUserSession(realm, e)); - } - for (String e : expiredClientSessions) { - assertNull(session.sessions().getClientSession(realm, e)); - } - - for (String v : valid) { - assertNotNull(session.sessions().getUserSession(realm, v)); - } - for (String e : validClientSessions) { - assertNotNull(session.sessions().getClientSession(realm, e)); - } - } finally { - Time.setOffset(0); - } - } - - @Test - public void testExpireDetachedClientSessions() { - try { - realm.setAccessCodeLifespan(10); - realm.setAccessCodeLifespanUserAction(10); - realm.setAccessCodeLifespanLogin(30); - - // Login lifespan is largest - String clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); - resetSession(); - - Time.setOffset(25); - session.sessions().removeExpired(realm); - resetSession(); - - assertNotNull(session.sessions().getClientSession(clientSessionId)); - - Time.setOffset(35); - session.sessions().removeExpired(realm); - resetSession(); - - assertNull(session.sessions().getClientSession(clientSessionId)); - - // User action is largest - realm.setAccessCodeLifespanUserAction(40); - - Time.setOffset(0); - clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); - resetSession(); - - Time.setOffset(35); - session.sessions().removeExpired(realm); - resetSession(); - - assertNotNull(session.sessions().getClientSession(clientSessionId)); - - Time.setOffset(45); - session.sessions().removeExpired(realm); - resetSession(); - - assertNull(session.sessions().getClientSession(clientSessionId)); - - // Access code is largest - realm.setAccessCodeLifespan(50); - - Time.setOffset(0); - clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); - resetSession(); - - Time.setOffset(45); - session.sessions().removeExpired(realm); - resetSession(); - - assertNotNull(session.sessions().getClientSession(clientSessionId)); - - Time.setOffset(55); - session.sessions().removeExpired(realm); - resetSession(); - - assertNull(session.sessions().getClientSession(clientSessionId)); - } finally { - Time.setOffset(0); - - realm.setAccessCodeLifespan(60); - realm.setAccessCodeLifespanUserAction(300); - realm.setAccessCodeLifespanLogin(1800); - - } - } - - // KEYCLOAK-2508 - @Test - public void testRemovingExpiredSession() { - UserSessionModel[] sessions = createSessions(); - try { - Time.setOffset(3600000); - UserSessionModel userSession = sessions[0]; - RealmModel realm = userSession.getRealm(); - session.sessions().removeExpired(realm); - - resetSession(); - - // Assert no exception is thrown here - session.sessions().removeUserSession(realm, userSession); - } finally { - Time.setOffset(0); - } - } - - @Test - public void testGetByClient() { - UserSessionModel[] sessions = createSessions(); - - assertSessions(session.sessions().getUserSessions(realm, realm.getClientByClientId("test-app")), sessions[0], sessions[1], sessions[2]); - assertSessions(session.sessions().getUserSessions(realm, realm.getClientByClientId("third-party")), sessions[0]); - } - - @Test - public void testGetByClientPaginated() { - try { - for (int i = 0; i < 25; i++) { - Time.setOffset(i); - UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0." + i, "form", false, null, null); - ClientSessionModel clientSession = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")); - clientSession.setUserSession(userSession); - clientSession.setRedirectUri("http://redirect"); - clientSession.setRoles(new HashSet()); - clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, "state"); - clientSession.setTimestamp(userSession.getStarted()); - } - } finally { - Time.setOffset(0); - } - - resetSession(); - - assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 0, 1, 1); - assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 0, 10, 10); - assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 10, 10, 10); - assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 20, 10, 5); - assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 30, 10, 0); - } - - @Test - public void testCreateAndGetInSameTransaction() { - UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); - ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("test-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); - - Assert.assertNotNull(session.sessions().getUserSession(realm, userSession.getId())); - Assert.assertNotNull(session.sessions().getClientSession(realm, clientSession.getId())); - - Assert.assertEquals(userSession.getId(), clientSession.getUserSession().getId()); - Assert.assertEquals(1, userSession.getClientSessions().size()); - Assert.assertEquals(clientSession.getId(), userSession.getClientSessions().get(0).getId()); - } - - private void assertPaginatedSession(RealmModel realm, ClientModel client, int start, int max, int expectedSize) { - List sessions = session.sessions().getUserSessions(realm, client, start, max); - String[] actualIps = new String[sessions.size()]; - for (int i = 0; i < actualIps.length; i++) { - actualIps[i] = sessions.get(i).getIpAddress(); - } - - String[] expectedIps = new String[expectedSize]; - for (int i = 0; i < expectedSize; i++) { - expectedIps[i] = "127.0.0." + (i + start); - } - - assertArrayEquals(expectedIps, actualIps); - } - - @Test - public void testGetCountByClient() { - createSessions(); - - assertEquals(3, session.sessions().getActiveUserSessions(realm, realm.getClientByClientId("test-app"))); - assertEquals(1, session.sessions().getActiveUserSessions(realm, realm.getClientByClientId("third-party"))); - } - - @Test - public void loginFailures() { - UserLoginFailureModel failure1 = session.sessions().addUserLoginFailure(realm, "user1"); - failure1.incrementFailures(); - - UserLoginFailureModel failure2 = session.sessions().addUserLoginFailure(realm, "user2"); - failure2.incrementFailures(); - failure2.incrementFailures(); - - resetSession(); - - failure1 = session.sessions().getUserLoginFailure(realm, "user1"); - assertEquals(1, failure1.getNumFailures()); - - failure2 = session.sessions().getUserLoginFailure(realm, "user2"); - assertEquals(2, failure2.getNumFailures()); - - resetSession(); - - failure1 = session.sessions().getUserLoginFailure(realm, "user1"); - failure1.clearFailures(); - - resetSession(); - - failure1 = session.sessions().getUserLoginFailure(realm, "user1"); - assertEquals(0, failure1.getNumFailures()); - - session.sessions().removeUserLoginFailure(realm, "user1"); - - resetSession(); - - assertNull(session.sessions().getUserLoginFailure(realm, "user1")); - - session.sessions().removeAllUserLoginFailures(realm); - - resetSession(); - - assertNull(session.sessions().getUserLoginFailure(realm, "user2")); - } - - @Test - public void testOnUserRemoved() { - createSessions(); - - session.sessions().addUserLoginFailure(realm, "user1"); - session.sessions().addUserLoginFailure(realm, "user1@localhost"); - session.sessions().addUserLoginFailure(realm, "user2"); - - resetSession(); - - UserModel user1 = session.users().getUserByUsername("user1", realm); - new UserManager(session).removeUser(realm, user1); - - resetSession(); - - assertTrue(session.sessions().getUserSessions(realm, user1).isEmpty()); - assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); - - assertNull(session.sessions().getUserLoginFailure(realm, "user1")); - assertNull(session.sessions().getUserLoginFailure(realm, "user1@localhost")); - assertNotNull(session.sessions().getUserLoginFailure(realm, "user2")); - } - - private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - if (userSession != null) clientSession.setUserSession(userSession); - clientSession.setRedirectUri(redirect); - if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); - if (roles != null) clientSession.setRoles(roles); - if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); - return clientSession; - } - - private UserSessionModel[] createSessions() { - UserSessionModel[] sessions = new UserSessionModel[3]; - sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); - - Set roles = new HashSet(); - roles.add("one"); - roles.add("two"); - - Set protocolMappers = new HashSet(); - protocolMappers.add("mapper-one"); - protocolMappers.add("mapper-two"); - - createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); - createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); - - sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); - createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); - - sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); - createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); - - resetSession(); - - return sessions; - } - - private void resetSession() { - kc.stopSession(session, true); - session = kc.startSession(); - realm = session.realms().getRealm("test"); - } - - public static void assertSessions(List actualSessions, UserSessionModel... expectedSessions) { - String[] expected = new String[expectedSessions.length]; - for (int i = 0; i < expected.length; i++) { - expected[i] = expectedSessions[i].getId(); - } - - String[] actual = new String[actualSessions.size()]; - for (int i = 0; i < actual.length; i++) { - actual[i] = actualSessions.get(i).getId(); - } - - Arrays.sort(expected); - Arrays.sort(actual); - - assertArrayEquals(expected, actual); - } - - public static void assertSession(UserSessionModel session, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { - assertEquals(user.getId(), session.getUser().getId()); - assertEquals(ipAddress, session.getIpAddress()); - assertEquals(user.getUsername(), session.getLoginUsername()); - assertEquals("form", session.getAuthMethod()); - assertEquals(true, session.isRememberMe()); - assertTrue(session.getStarted() >= started - 1 && session.getStarted() <= started + 1); - assertTrue(session.getLastSessionRefresh() >= lastRefresh - 1 && session.getLastSessionRefresh() <= lastRefresh + 1); - - String[] actualClients = new String[session.getClientSessions().size()]; - for (int i = 0; i < actualClients.length; i++) { - actualClients[i] = session.getClientSessions().get(i).getClient().getClientId(); - } - - Arrays.sort(clients); - Arrays.sort(actualClients); - - assertArrayEquals(clients, actualClients); - } + // TODO:mposolda +// +// @ClassRule +// public static KeycloakRule kc = new KeycloakRule(); +// +// private KeycloakSession session; +// private RealmModel realm; +// +// @Before +// public void before() { +// session = kc.startSession(); +// realm = session.realms().getRealm("test"); +// session.users().addUser(realm, "user1").setEmail("user1@localhost"); +// session.users().addUser(realm, "user2").setEmail("user2@localhost"); +// } +// +// @After +// public void after() { +// resetSession(); +// session.sessions().removeUserSessions(realm); +// UserModel user1 = session.users().getUserByUsername("user1", realm); +// UserModel user2 = session.users().getUserByUsername("user2", realm); +// +// UserManager um = new UserManager(session); +// if (user1 != null) { +// um.removeUser(realm, user1); +// } +// if (user2 != null) { +// um.removeUser(realm, user2); +// } +// kc.stopSession(session, true); +// } +// +// @Test +// public void testCreateSessions() { +// int started = Time.currentTime(); +// UserSessionModel[] sessions = createSessions(); +// +// assertSession(session.sessions().getUserSession(realm, sessions[0].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); +// assertSession(session.sessions().getUserSession(realm, sessions[1].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); +// assertSession(session.sessions().getUserSession(realm, sessions[2].getId()), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); +// } +// +// @Test +// public void testUpdateSession() { +// UserSessionModel[] sessions = createSessions(); +// session.sessions().getUserSession(realm, sessions[0].getId()).setLastSessionRefresh(1000); +// +// resetSession(); +// +// assertEquals(1000, session.sessions().getUserSession(realm, sessions[0].getId()).getLastSessionRefresh()); +// } +// +// @Test +// public void testCreateClientSession() { +// UserSessionModel[] sessions = createSessions(); +// +// List clientSessions = session.sessions().getUserSession(realm, sessions[0].getId()).getClientSessions(); +// assertEquals(2, clientSessions.size()); +// +// String client1 = realm.getClientByClientId("test-app").getId(); +// +// ClientSessionModel session1; +// +// if (clientSessions.get(0).getClient().getId().equals(client1)) { +// session1 = clientSessions.get(0); +// } else { +// session1 = clientSessions.get(1); +// } +// +// assertEquals(null, session1.getAction()); +// assertEquals(realm.getClientByClientId("test-app").getClientId(), session1.getClient().getClientId()); +// assertEquals(sessions[0].getId(), session1.getUserSession().getId()); +// assertEquals("http://redirect", session1.getRedirectUri()); +// assertEquals("state", session1.getNote(OIDCLoginProtocol.STATE_PARAM)); +// assertEquals(2, session1.getRoles().size()); +// assertTrue(session1.getRoles().contains("one")); +// assertTrue(session1.getRoles().contains("two")); +// assertEquals(2, session1.getProtocolMappers().size()); +// assertTrue(session1.getProtocolMappers().contains("mapper-one")); +// assertTrue(session1.getProtocolMappers().contains("mapper-two")); +// } +// +// @Test +// public void testUpdateClientSession() { +// UserSessionModel[] sessions = createSessions(); +// +// String id = sessions[0].getClientSessions().get(0).getId(); +// +// ClientSessionModel clientSession = session.sessions().getClientSession(realm, id); +// +// int time = clientSession.getTimestamp(); +// assertEquals(null, clientSession.getAction()); +// +// clientSession.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name()); +// clientSession.setTimestamp(time + 10); +// +// kc.stopSession(session, true); +// session = kc.startSession(); +// +// ClientSessionModel updated = session.sessions().getClientSession(realm, id); +// assertEquals(ClientSessionModel.Action.CODE_TO_TOKEN.name(), updated.getAction()); +// assertEquals(time + 10, updated.getTimestamp()); +// } +// +// @Test +// public void testGetUserSessions() { +// UserSessionModel[] sessions = createSessions(); +// +// assertSessions(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)), sessions[0], sessions[1]); +// assertSessions(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)), sessions[2]); +// } +// +// @Test +// public void testRemoveUserSessionsByUser() { +// UserSessionModel[] sessions = createSessions(); +// +// List clientSessionsRemoved = new LinkedList(); +// List clientSessionsKept = new LinkedList(); +// for (UserSessionModel s : sessions) { +// s = session.sessions().getUserSession(realm, s.getId()); +// +// for (ClientSessionModel c : s.getClientSessions()) { +// if (c.getUserSession().getUser().getUsername().equals("user1")) { +// clientSessionsRemoved.add(c.getId()); +// } else { +// clientSessionsKept.add(c.getId()); +// } +// } +// } +// +// session.sessions().removeUserSessions(realm, session.users().getUserByUsername("user1", realm)); +// resetSession(); +// +// assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); +// assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); +// +// for (String c : clientSessionsRemoved) { +// assertNull(session.sessions().getClientSession(realm, c)); +// } +// for (String c : clientSessionsKept) { +// assertNotNull(session.sessions().getClientSession(realm, c)); +// } +// } +// +// @Test +// public void testRemoveUserSession() { +// UserSessionModel userSession = createSessions()[0]; +// +// List clientSessionsRemoved = new LinkedList(); +// for (ClientSessionModel c : userSession.getClientSessions()) { +// clientSessionsRemoved.add(c.getId()); +// } +// +// session.sessions().removeUserSession(realm, userSession); +// resetSession(); +// +// assertNull(session.sessions().getUserSession(realm, userSession.getId())); +// for (String c : clientSessionsRemoved) { +// assertNull(session.sessions().getClientSession(realm, c)); +// } +// } +// +// @Test +// public void testRemoveUserSessionsByRealm() { +// UserSessionModel[] sessions = createSessions(); +// +// List clientSessions = new LinkedList(); +// for (UserSessionModel s : sessions) { +// clientSessions.addAll(s.getClientSessions()); +// } +// +// session.sessions().removeUserSessions(realm); +// resetSession(); +// +// assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); +// assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); +// +// for (ClientSessionModel c : clientSessions) { +// assertNull(session.sessions().getClientSession(realm, c.getId())); +// } +// } +// +// @Test +// public void testOnClientRemoved() { +// UserSessionModel[] sessions = createSessions(); +// +// List clientSessionsRemoved = new LinkedList(); +// List clientSessionsKept = new LinkedList(); +// for (UserSessionModel s : sessions) { +// s = session.sessions().getUserSession(realm, s.getId()); +// for (ClientSessionModel c : s.getClientSessions()) { +// if (c.getClient().getClientId().equals("third-party")) { +// clientSessionsRemoved.add(c.getId()); +// } else { +// clientSessionsKept.add(c.getId()); +// } +// } +// } +// +// session.sessions().onClientRemoved(realm, realm.getClientByClientId("third-party")); +// resetSession(); +// +// for (String c : clientSessionsRemoved) { +// assertNull(session.sessions().getClientSession(realm, c)); +// } +// for (String c : clientSessionsKept) { +// assertNotNull(session.sessions().getClientSession(realm, c)); +// } +// +// session.sessions().onClientRemoved(realm, realm.getClientByClientId("test-app")); +// resetSession(); +// +// for (String c : clientSessionsRemoved) { +// assertNull(session.sessions().getClientSession(realm, c)); +// } +// for (String c : clientSessionsKept) { +// assertNull(session.sessions().getClientSession(realm, c)); +// } +// } +// +// @Test +// public void testRemoveUserSessionsByExpired() { +// session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)); +// ClientModel client = realm.getClientByClientId("test-app"); +// +// try { +// Set expired = new HashSet(); +// Set expiredClientSessions = new HashSet(); +// +// Time.setOffset(-(realm.getSsoSessionMaxLifespan() + 1)); +// expired.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); +// expiredClientSessions.add(session.sessions().createClientSession(realm, client).getId()); +// +// Time.setOffset(0); +// UserSessionModel s = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.1", "form", true, null, null); +// //s.setLastSessionRefresh(Time.currentTime() - (realm.getSsoSessionIdleTimeout() + 1)); +// s.setLastSessionRefresh(0); +// expired.add(s.getId()); +// +// ClientSessionModel clSession = session.sessions().createClientSession(realm, client); +// clSession.setUserSession(s); +// expiredClientSessions.add(clSession.getId()); +// +// Set valid = new HashSet(); +// Set validClientSessions = new HashSet(); +// +// valid.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); +// validClientSessions.add(session.sessions().createClientSession(realm, client).getId()); +// +// resetSession(); +// +// session.sessions().removeExpired(realm); +// resetSession(); +// +// for (String e : expired) { +// assertNull(session.sessions().getUserSession(realm, e)); +// } +// for (String e : expiredClientSessions) { +// assertNull(session.sessions().getClientSession(realm, e)); +// } +// +// for (String v : valid) { +// assertNotNull(session.sessions().getUserSession(realm, v)); +// } +// for (String e : validClientSessions) { +// assertNotNull(session.sessions().getClientSession(realm, e)); +// } +// } finally { +// Time.setOffset(0); +// } +// } +// +// @Test +// public void testExpireDetachedClientSessions() { +// try { +// realm.setAccessCodeLifespan(10); +// realm.setAccessCodeLifespanUserAction(10); +// realm.setAccessCodeLifespanLogin(30); +// +// // Login lifespan is largest +// String clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); +// resetSession(); +// +// Time.setOffset(25); +// session.sessions().removeExpired(realm); +// resetSession(); +// +// assertNotNull(session.sessions().getClientSession(clientSessionId)); +// +// Time.setOffset(35); +// session.sessions().removeExpired(realm); +// resetSession(); +// +// assertNull(session.sessions().getClientSession(clientSessionId)); +// +// // User action is largest +// realm.setAccessCodeLifespanUserAction(40); +// +// Time.setOffset(0); +// clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); +// resetSession(); +// +// Time.setOffset(35); +// session.sessions().removeExpired(realm); +// resetSession(); +// +// assertNotNull(session.sessions().getClientSession(clientSessionId)); +// +// Time.setOffset(45); +// session.sessions().removeExpired(realm); +// resetSession(); +// +// assertNull(session.sessions().getClientSession(clientSessionId)); +// +// // Access code is largest +// realm.setAccessCodeLifespan(50); +// +// Time.setOffset(0); +// clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); +// resetSession(); +// +// Time.setOffset(45); +// session.sessions().removeExpired(realm); +// resetSession(); +// +// assertNotNull(session.sessions().getClientSession(clientSessionId)); +// +// Time.setOffset(55); +// session.sessions().removeExpired(realm); +// resetSession(); +// +// assertNull(session.sessions().getClientSession(clientSessionId)); +// } finally { +// Time.setOffset(0); +// +// realm.setAccessCodeLifespan(60); +// realm.setAccessCodeLifespanUserAction(300); +// realm.setAccessCodeLifespanLogin(1800); +// +// } +// } +// +// // KEYCLOAK-2508 +// @Test +// public void testRemovingExpiredSession() { +// UserSessionModel[] sessions = createSessions(); +// try { +// Time.setOffset(3600000); +// UserSessionModel userSession = sessions[0]; +// RealmModel realm = userSession.getRealm(); +// session.sessions().removeExpired(realm); +// +// resetSession(); +// +// // Assert no exception is thrown here +// session.sessions().removeUserSession(realm, userSession); +// } finally { +// Time.setOffset(0); +// } +// } +// +// @Test +// public void testGetByClient() { +// UserSessionModel[] sessions = createSessions(); +// +// assertSessions(session.sessions().getUserSessions(realm, realm.getClientByClientId("test-app")), sessions[0], sessions[1], sessions[2]); +// assertSessions(session.sessions().getUserSessions(realm, realm.getClientByClientId("third-party")), sessions[0]); +// } +// +// @Test +// public void testGetByClientPaginated() { +// try { +// for (int i = 0; i < 25; i++) { +// Time.setOffset(i); +// UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0." + i, "form", false, null, null); +// ClientSessionModel clientSession = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")); +// clientSession.setUserSession(userSession); +// clientSession.setRedirectUri("http://redirect"); +// clientSession.setRoles(new HashSet()); +// clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, "state"); +// clientSession.setTimestamp(userSession.getStarted()); +// } +// } finally { +// Time.setOffset(0); +// } +// +// resetSession(); +// +// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 0, 1, 1); +// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 0, 10, 10); +// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 10, 10, 10); +// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 20, 10, 5); +// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 30, 10, 0); +// } +// +// @Test +// public void testCreateAndGetInSameTransaction() { +// UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); +// ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("test-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); +// +// Assert.assertNotNull(session.sessions().getUserSession(realm, userSession.getId())); +// Assert.assertNotNull(session.sessions().getClientSession(realm, clientSession.getId())); +// +// Assert.assertEquals(userSession.getId(), clientSession.getUserSession().getId()); +// Assert.assertEquals(1, userSession.getClientSessions().size()); +// Assert.assertEquals(clientSession.getId(), userSession.getClientSessions().get(0).getId()); +// } +// +// private void assertPaginatedSession(RealmModel realm, ClientModel client, int start, int max, int expectedSize) { +// List sessions = session.sessions().getUserSessions(realm, client, start, max); +// String[] actualIps = new String[sessions.size()]; +// for (int i = 0; i < actualIps.length; i++) { +// actualIps[i] = sessions.get(i).getIpAddress(); +// } +// +// String[] expectedIps = new String[expectedSize]; +// for (int i = 0; i < expectedSize; i++) { +// expectedIps[i] = "127.0.0." + (i + start); +// } +// +// assertArrayEquals(expectedIps, actualIps); +// } +// +// @Test +// public void testGetCountByClient() { +// createSessions(); +// +// assertEquals(3, session.sessions().getActiveUserSessions(realm, realm.getClientByClientId("test-app"))); +// assertEquals(1, session.sessions().getActiveUserSessions(realm, realm.getClientByClientId("third-party"))); +// } +// +// @Test +// public void loginFailures() { +// UserLoginFailureModel failure1 = session.sessions().addUserLoginFailure(realm, "user1"); +// failure1.incrementFailures(); +// +// UserLoginFailureModel failure2 = session.sessions().addUserLoginFailure(realm, "user2"); +// failure2.incrementFailures(); +// failure2.incrementFailures(); +// +// resetSession(); +// +// failure1 = session.sessions().getUserLoginFailure(realm, "user1"); +// assertEquals(1, failure1.getNumFailures()); +// +// failure2 = session.sessions().getUserLoginFailure(realm, "user2"); +// assertEquals(2, failure2.getNumFailures()); +// +// resetSession(); +// +// failure1 = session.sessions().getUserLoginFailure(realm, "user1"); +// failure1.clearFailures(); +// +// resetSession(); +// +// failure1 = session.sessions().getUserLoginFailure(realm, "user1"); +// assertEquals(0, failure1.getNumFailures()); +// +// session.sessions().removeUserLoginFailure(realm, "user1"); +// +// resetSession(); +// +// assertNull(session.sessions().getUserLoginFailure(realm, "user1")); +// +// session.sessions().removeAllUserLoginFailures(realm); +// +// resetSession(); +// +// assertNull(session.sessions().getUserLoginFailure(realm, "user2")); +// } +// +// @Test +// public void testOnUserRemoved() { +// createSessions(); +// +// session.sessions().addUserLoginFailure(realm, "user1"); +// session.sessions().addUserLoginFailure(realm, "user1@localhost"); +// session.sessions().addUserLoginFailure(realm, "user2"); +// +// resetSession(); +// +// UserModel user1 = session.users().getUserByUsername("user1", realm); +// new UserManager(session).removeUser(realm, user1); +// +// resetSession(); +// +// assertTrue(session.sessions().getUserSessions(realm, user1).isEmpty()); +// assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); +// +// assertNull(session.sessions().getUserLoginFailure(realm, "user1")); +// assertNull(session.sessions().getUserLoginFailure(realm, "user1@localhost")); +// assertNotNull(session.sessions().getUserLoginFailure(realm, "user2")); +// } +// +// private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { +// ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); +// if (userSession != null) clientSession.setUserSession(userSession); +// clientSession.setRedirectUri(redirect); +// if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); +// if (roles != null) clientSession.setRoles(roles); +// if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); +// return clientSession; +// } +// +// private UserSessionModel[] createSessions() { +// UserSessionModel[] sessions = new UserSessionModel[3]; +// sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); +// +// Set roles = new HashSet(); +// roles.add("one"); +// roles.add("two"); +// +// Set protocolMappers = new HashSet(); +// protocolMappers.add("mapper-one"); +// protocolMappers.add("mapper-two"); +// +// createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); +// createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); +// +// sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); +// createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); +// +// sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); +// createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); +// +// resetSession(); +// +// return sessions; +// } +// +// private void resetSession() { +// kc.stopSession(session, true); +// session = kc.startSession(); +// realm = session.realms().getRealm("test"); +// } +// +// public static void assertSessions(List actualSessions, UserSessionModel... expectedSessions) { +// String[] expected = new String[expectedSessions.length]; +// for (int i = 0; i < expected.length; i++) { +// expected[i] = expectedSessions[i].getId(); +// } +// +// String[] actual = new String[actualSessions.size()]; +// for (int i = 0; i < actual.length; i++) { +// actual[i] = actualSessions.get(i).getId(); +// } +// +// Arrays.sort(expected); +// Arrays.sort(actual); +// +// assertArrayEquals(expected, actual); +// } +// +// public static void assertSession(UserSessionModel session, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { +// assertEquals(user.getId(), session.getUser().getId()); +// assertEquals(ipAddress, session.getIpAddress()); +// assertEquals(user.getUsername(), session.getLoginUsername()); +// assertEquals("form", session.getAuthMethod()); +// assertEquals(true, session.isRememberMe()); +// assertTrue(session.getStarted() >= started - 1 && session.getStarted() <= started + 1); +// assertTrue(session.getLastSessionRefresh() >= lastRefresh - 1 && session.getLastSessionRefresh() <= lastRefresh + 1); +// +// String[] actualClients = new String[session.getClientSessions().size()]; +// for (int i = 0; i < actualClients.length; i++) { +// actualClients[i] = session.getClientSessions().get(i).getClient().getClientId(); +// } +// +// Arrays.sort(clients); +// Arrays.sort(actualClients); +// +// assertArrayEquals(clients, actualClients); +// } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KeycloakRule.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KeycloakRule.java index 050bcf3ece..9c61e05c46 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KeycloakRule.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KeycloakRule.java @@ -90,24 +90,6 @@ public class KeycloakRule extends AbstractKeycloakRule { stopSession(session, true); } - public ClientSessionCode verifyCode(String code) { - KeycloakSession session = startSession(); - try { - RealmModel realm = session.realms().getRealm("test"); - try { - ClientSessionCode accessCode = ClientSessionCode.parse(code, session, realm); - if (accessCode == null) { - Assert.fail("Invalid code"); - } - return accessCode; - } catch (Throwable t) { - throw new AssertionError("Failed to parse code", t); - } - } finally { - stopSession(session, false); - } - } - public abstract static class KeycloakSetup { protected KeycloakSession session; diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/PersistSessionsCommand.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/PersistSessionsCommand.java index b2ede3ecae..39b4d48e09 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/PersistSessionsCommand.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/PersistSessionsCommand.java @@ -65,8 +65,9 @@ public class PersistSessionsCommand extends AbstractCommand { }); } + // TODO:mposolda private void createSessionsBatch(final int countInThisBatch) { - final List userSessionIds = new LinkedList<>(); + /*final List userSessionIds = new LinkedList<>(); final List clientSessionIds = new LinkedList<>(); KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() { @@ -120,7 +121,7 @@ public class PersistSessionsCommand extends AbstractCommand { log.infof("%d client sessions persisted. Continue", counter); } - }); + });*/ } @Override diff --git a/testsuite/integration/src/test/resources/log4j.properties b/testsuite/integration/src/test/resources/log4j.properties index cac26aebae..decc0aacd4 100755 --- a/testsuite/integration/src/test/resources/log4j.properties +++ b/testsuite/integration/src/test/resources/log4j.properties @@ -80,4 +80,7 @@ log4j.logger.org.apache.directory.server.ldap.LdapProtocolHandler=error #log4j.logger.org.apache.http.impl.conn=debug # Enable to view details from identity provider authenticator -# log4j.logger.org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator=trace \ No newline at end of file +# log4j.logger.org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator=trace + +# TODO: Remove +log4j.logger.org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider=debug \ No newline at end of file From 19a41c8704b8d26f78a8bf07060e03777dfab8ea Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Mon, 6 Mar 2017 14:45:57 +0100 Subject: [PATCH 03/30] KEYCLOAK-4627 Refactor TokenVerifier to support more than just access token checks. Action tokens implementation with reset e-mail action converted to AT --- .../java/org/keycloak/RSATokenVerifier.java | 4 +- .../main/java/org/keycloak/TokenVerifier.java | 288 +++++++++--- .../exceptions/TokenNotActiveException.java | 43 ++ .../TokenSignatureInvalidException.java | 42 ++ .../authentication/DefaultActionToken.java | 103 ++++ .../authentication/DefaultActionTokenKey.java | 43 ++ .../ResetCredentialsActionToken.java | 148 ++++++ .../resetcred/ResetCredentialEmail.java | 98 ++-- .../keycloak/protocol/RestartLoginCookie.java | 7 +- .../managers/AuthenticationManager.java | 7 +- .../resources/LoginActionsService.java | 445 +++++++++++++----- .../LoginActionsServiceException.java | 53 +++ .../testsuite/forms/ResetPasswordTest.java | 234 ++++----- 13 files changed, 1171 insertions(+), 344 deletions(-) create mode 100644 core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java create mode 100644 core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java create mode 100644 services/src/main/java/org/keycloak/authentication/DefaultActionToken.java create mode 100644 services/src/main/java/org/keycloak/authentication/DefaultActionTokenKey.java create mode 100644 services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java create mode 100644 services/src/main/java/org/keycloak/services/resources/LoginActionsServiceException.java diff --git a/core/src/main/java/org/keycloak/RSATokenVerifier.java b/core/src/main/java/org/keycloak/RSATokenVerifier.java index db8fc5ae5b..653f205d33 100755 --- a/core/src/main/java/org/keycloak/RSATokenVerifier.java +++ b/core/src/main/java/org/keycloak/RSATokenVerifier.java @@ -29,10 +29,10 @@ import java.security.PublicKey; */ public class RSATokenVerifier { - private TokenVerifier tokenVerifier; + private final TokenVerifier tokenVerifier; private RSATokenVerifier(String tokenString) { - this.tokenVerifier = TokenVerifier.create(tokenString); + this.tokenVerifier = TokenVerifier.create(tokenString, AccessToken.class); } public static RSATokenVerifier create(String tokenString) { diff --git a/core/src/main/java/org/keycloak/TokenVerifier.java b/core/src/main/java/org/keycloak/TokenVerifier.java index 9c30bfdc69..6bfcb3bf32 100755 --- a/core/src/main/java/org/keycloak/TokenVerifier.java +++ b/core/src/main/java/org/keycloak/TokenVerifier.java @@ -18,7 +18,8 @@ package org.keycloak; import org.keycloak.common.VerificationException; -import org.keycloak.jose.jws.Algorithm; +import org.keycloak.exceptions.TokenNotActiveException; +import org.keycloak.exceptions.TokenSignatureInvalidException; import org.keycloak.jose.jws.AlgorithmType; import org.keycloak.jose.jws.JWSHeader; import org.keycloak.jose.jws.JWSInput; @@ -26,67 +27,235 @@ import org.keycloak.jose.jws.JWSInputException; import org.keycloak.jose.jws.crypto.HMACProvider; import org.keycloak.jose.jws.crypto.RSAProvider; import org.keycloak.representations.AccessToken; +import org.keycloak.representations.JsonWebToken; import org.keycloak.util.TokenUtil; import javax.crypto.SecretKey; import java.security.PublicKey; +import java.util.*; /** * @author Bill Burke * @version $Revision: 1 $ */ -public class TokenVerifier { +public class TokenVerifier { - private final String tokenString; + // This interface is here as JDK 7 is a requirement for this project. + // Once JDK 8 would become mandatory, java.util.function.Predicate would be used instead. + + // @FunctionalInterface + public static interface Predicate { + /** + * Performs a single check on the given token verifier. + * @param t Token, guaranteed to be non-null. + * @return + * @throws VerificationException + */ + boolean test(T t) throws VerificationException; + } + + public static final Predicate SUBJECT_EXISTS_CHECK = new Predicate() { + @Override + public boolean test(JsonWebToken t) throws VerificationException { + String subject = t.getSubject(); + if (subject == null) { + throw new VerificationException("Subject missing in token"); + } + + return true; + } + }; + + public static final Predicate IS_ACTIVE = new Predicate() { + @Override + public boolean test(JsonWebToken t) throws VerificationException { + if (! t.isActive()) { + throw new TokenNotActiveException("Token is not active"); + } + + return true; + } + }; + + public static class RealmUrlCheck implements Predicate { + + private static final RealmUrlCheck NULL_INSTANCE = new RealmUrlCheck(null); + + private final String realmUrl; + + public RealmUrlCheck(String realmUrl) { + this.realmUrl = realmUrl; + } + + @Override + public boolean test(JsonWebToken t) throws VerificationException { + if (this.realmUrl == null) { + throw new VerificationException("Realm URL not set"); + } + + if (! this.realmUrl.equals(t.getIssuer())) { + throw new VerificationException("Invalid token issuer. Expected '" + this.realmUrl + "', but was '" + t.getIssuer() + "'"); + } + + return true; + } + }; + + public static class TokenTypeCheck implements Predicate { + + private static final TokenTypeCheck INSTANCE_BEARER = new TokenTypeCheck(TokenUtil.TOKEN_TYPE_BEARER); + + private final String tokenType; + + public TokenTypeCheck(String tokenType) { + this.tokenType = tokenType; + } + + @Override + public boolean test(JsonWebToken t) throws VerificationException { + if (! tokenType.equalsIgnoreCase(t.getType())) { + throw new VerificationException("Token type is incorrect. Expected '" + tokenType + "' but was '" + t.getType() + "'"); + } + return true; + } + }; + + private String tokenString; + private Class clazz; private PublicKey publicKey; private SecretKey secretKey; private String realmUrl; + private String expectedTokenType = TokenUtil.TOKEN_TYPE_BEARER; private boolean checkTokenType = true; - private boolean checkActive = true; private boolean checkRealmUrl = true; + private final LinkedList> checks = new LinkedList<>(); private JWSInput jws; - private AccessToken token; + private T token; - protected TokenVerifier(String tokenString) { + protected TokenVerifier(String tokenString, Class clazz) { this.tokenString = tokenString; + this.clazz = clazz; } - public static TokenVerifier create(String tokenString) { - return new TokenVerifier(tokenString); + protected TokenVerifier(T token) { + this.token = token; } - public TokenVerifier publicKey(PublicKey publicKey) { + /** + * Creates a {@code TokenVerifier instance. The method is here for backwards compatibility. + * @param tokenString + * @return + * @deprecated use {@link #create(java.lang.String, java.lang.Class) } instead + */ + public static TokenVerifier create(String tokenString) { + return create(tokenString, AccessToken.class); + } + + public static TokenVerifier create(String tokenString, Class clazz) { + return new TokenVerifier(tokenString, clazz) + .check(RealmUrlCheck.NULL_INSTANCE) + .check(SUBJECT_EXISTS_CHECK) + .check(TokenTypeCheck.INSTANCE_BEARER) + .check(IS_ACTIVE); + } + + public static TokenVerifier from(T token) { + return new TokenVerifier(token) + .check(RealmUrlCheck.NULL_INSTANCE) + .check(SUBJECT_EXISTS_CHECK) + .check(TokenTypeCheck.INSTANCE_BEARER) + .check(IS_ACTIVE); + } + + private void removeCheck(Class> checkClass) { + for (Iterator> it = checks.iterator(); it.hasNext();) { + if (it.next().getClass() == checkClass) { + it.remove(); + } + } + } + + private void removeCheck(Predicate check) { + checks.remove(check); + } + + private

> TokenVerifier replaceCheck(Class> checkClass, boolean active, P predicate) { + removeCheck(checkClass); + if (active) { + checks.add(predicate); + } + return this; + } + + private

> TokenVerifier replaceCheck(Predicate check, boolean active, P predicate) { + removeCheck(check); + if (active) { + checks.add(predicate); + } + return this; + } + + /** + * Resets all preset checks and will test the given checks in {@link #verify()} method. + * @param checks + * @return + */ + public TokenVerifier checkOnly(Predicate... checks) { + this.checks.clear(); + if (checks != null) { + this.checks.addAll(Arrays.asList(checks)); + } + return this; + } + + /** + * Will test the given checks in {@link #verify()} method in addition to already set checks. + * @param checks + * @return + */ + public TokenVerifier check(Predicate... checks) { + if (checks != null) { + this.checks.addAll(Arrays.asList(checks)); + } + return this; + } + + public TokenVerifier publicKey(PublicKey publicKey) { this.publicKey = publicKey; return this; } - public TokenVerifier secretKey(SecretKey secretKey) { + public TokenVerifier secretKey(SecretKey secretKey) { this.secretKey = secretKey; return this; } - public TokenVerifier realmUrl(String realmUrl) { + public TokenVerifier realmUrl(String realmUrl) { this.realmUrl = realmUrl; - return this; + return replaceCheck(RealmUrlCheck.class, checkRealmUrl, new RealmUrlCheck(realmUrl)); } - public TokenVerifier checkTokenType(boolean checkTokenType) { + public TokenVerifier checkTokenType(boolean checkTokenType) { this.checkTokenType = checkTokenType; - return this; + return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(expectedTokenType)); } - public TokenVerifier checkActive(boolean checkActive) { - this.checkActive = checkActive; - return this; + public TokenVerifier tokenType(String tokenType) { + this.expectedTokenType = tokenType; + return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(expectedTokenType)); } - public TokenVerifier checkRealmUrl(boolean checkRealmUrl) { + public TokenVerifier checkActive(boolean checkActive) { + return replaceCheck(IS_ACTIVE, checkActive, IS_ACTIVE); + } + + public TokenVerifier checkRealmUrl(boolean checkRealmUrl) { this.checkRealmUrl = checkRealmUrl; - return this; + return replaceCheck(RealmUrlCheck.class, this.checkRealmUrl, new RealmUrlCheck(realmUrl)); } - public TokenVerifier parse() throws VerificationException { + public TokenVerifier parse() throws VerificationException { if (jws == null) { if (tokenString == null) { throw new VerificationException("Token not set"); @@ -100,7 +269,7 @@ public class TokenVerifier { try { - token = jws.readJsonContent(AccessToken.class); + token = jws.readJsonContent(clazz); } catch (JWSInputException e) { throw new VerificationException("Failed to read access token from JWT", e); } @@ -108,8 +277,10 @@ public class TokenVerifier { return this; } - public AccessToken getToken() throws VerificationException { - parse(); + public T getToken() throws VerificationException { + if (token == null) { + parse(); + } return token; } @@ -118,50 +289,43 @@ public class TokenVerifier { return jws.getHeader(); } - public TokenVerifier verify() throws VerificationException { - parse(); - - if (checkRealmUrl && realmUrl == null) { - throw new VerificationException("Realm URL not set"); - } - + public void verifySignature() throws VerificationException { AlgorithmType algorithmType = getHeader().getAlgorithm().getType(); - if (AlgorithmType.RSA.equals(algorithmType)) { - if (publicKey == null) { - throw new VerificationException("Public key not set"); - } + if (null == algorithmType) { + throw new VerificationException("Unknown or unsupported token algorithm"); + } else switch (algorithmType) { + case RSA: + if (publicKey == null) { + throw new VerificationException("Public key not set"); + } + if (!RSAProvider.verify(jws, publicKey)) { + throw new TokenSignatureInvalidException("Invalid token signature"); + } break; + case HMAC: + if (secretKey == null) { + throw new VerificationException("Secret key not set"); + } + if (!HMACProvider.verify(jws, secretKey)) { + throw new TokenSignatureInvalidException("Invalid token signature"); + } break; + default: + throw new VerificationException("Unknown or unsupported token algorithm"); + } + } - if (!RSAProvider.verify(jws, publicKey)) { - throw new VerificationException("Invalid token signature"); - } - } else if (AlgorithmType.HMAC.equals(algorithmType)) { - if (secretKey == null) { - throw new VerificationException("Secret key not set"); - } - - if (!HMACProvider.verify(jws, secretKey)) { - throw new VerificationException("Invalid token signature"); - } - } else { - throw new VerificationException("Unknown or unsupported token algorith"); + public TokenVerifier verify() throws VerificationException { + if (getToken() == null) { + parse(); + } + if (jws != null) { + verifySignature(); } - String user = token.getSubject(); - if (user == null) { - throw new VerificationException("Subject missing in token"); - } - - if (checkRealmUrl && !realmUrl.equals(token.getIssuer())) { - throw new VerificationException("Invalid token issuer. Expected '" + realmUrl + "', but was '" + token.getIssuer() + "'"); - } - - if (checkTokenType && !TokenUtil.TOKEN_TYPE_BEARER.equalsIgnoreCase(token.getType())) { - throw new VerificationException("Token type is incorrect. Expected '" + TokenUtil.TOKEN_TYPE_BEARER + "' but was '" + token.getType() + "'"); - } - - if (checkActive && !token.isActive()) { - throw new VerificationException("Token is not active"); + for (Predicate check : checks) { + if (! check.test(getToken())) { + throw new VerificationException("JWT check failed for check " + check); + } } return this; diff --git a/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java b/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java new file mode 100644 index 0000000000..2253f5ed7d --- /dev/null +++ b/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java @@ -0,0 +1,43 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.exceptions; + +import org.keycloak.common.VerificationException; + +/** + * Exception thrown for cases when token is invalid due to time constraints (expired, or not yet valid). + * Cf. {@link JsonWebToken#isActive()}. + * @author hmlnarik + */ +public class TokenNotActiveException extends VerificationException { + + public TokenNotActiveException() { + } + + public TokenNotActiveException(String message) { + super(message); + } + + public TokenNotActiveException(String message, Throwable cause) { + super(message, cause); + } + + public TokenNotActiveException(Throwable cause) { + super(cause); + } + +} diff --git a/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java b/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java new file mode 100644 index 0000000000..13225fa9cd --- /dev/null +++ b/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java @@ -0,0 +1,42 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.exceptions; + +import org.keycloak.common.VerificationException; + +/** + * Thrown when token signature is invalid. + * @author hmlnarik + */ +public class TokenSignatureInvalidException extends VerificationException { + + public TokenSignatureInvalidException() { + } + + public TokenSignatureInvalidException(String message) { + super(message); + } + + public TokenSignatureInvalidException(String message, Throwable cause) { + super(message, cause); + } + + public TokenSignatureInvalidException(Throwable cause) { + super(cause); + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/DefaultActionToken.java b/services/src/main/java/org/keycloak/authentication/DefaultActionToken.java new file mode 100644 index 0000000000..8c51d1f83a --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/DefaultActionToken.java @@ -0,0 +1,103 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.authentication; + +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.common.VerificationException; + +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.*; + +/** + * Part of action token that is intended to be used e.g. in link sent in password-reset email. + * The token encapsulates user, expected action and its time of expiry. + * + * @author hmlnarik + */ +public class DefaultActionToken extends DefaultActionTokenKey { + + public static final String JSON_FIELD_ACTION_VERIFICATION_NONCE = "nonce"; + + public static Predicate ACTION_TOKEN_BASIC_CHECKS = t -> { + if (t.getActionVerificationNonce() == null) { + throw new VerificationException("Nonce not present."); + } + + return true; + }; + + /** + * Single-use random value used for verification whether the relevant action is allowed. + */ + @JsonProperty(value = JSON_FIELD_ACTION_VERIFICATION_NONCE, required = true) + private final UUID actionVerificationNonce; + + public DefaultActionToken(String userId, String actionId, int expirationInSecs) { + this(userId, actionId, expirationInSecs, UUID.randomUUID()); + } + + /** + * + * @param userId User ID + * @param actionId Action ID + * @param absoluteExpirationInSecs Absolute expiration time in seconds in timezone of Keycloak. + * @param actionVerificationNonce + */ + protected DefaultActionToken(String userId, String actionId, int absoluteExpirationInSecs, UUID actionVerificationNonce) { + super(userId, actionId); + this.actionVerificationNonce = actionVerificationNonce == null ? UUID.randomUUID() : actionVerificationNonce; + expiration = absoluteExpirationInSecs; + } + + public UUID getActionVerificationNonce() { + return actionVerificationNonce; + } + + @JsonIgnore + public Map getNotes() { + Map res = new HashMap<>(); + return res; + } + + public String getNote(String name) { + Object res = getOtherClaims().get(name); + return res instanceof String ? (String) res : null; + } + + /** + * Sets value of the given note + * @return original value (or {@code null} when no value was present) + */ + public final String setNote(String name, String value) { + Object res = value == null + ? getOtherClaims().remove(name) + : getOtherClaims().put(name, value); + return res instanceof String ? (String) res : null; + } + + /** + * Removes given note, and returns original value (or {@code null} when no value was present) + * @return see description + */ + public final String removeNote(String name) { + Object res = getOtherClaims().remove(name); + return res instanceof String ? (String) res : null; + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/DefaultActionTokenKey.java b/services/src/main/java/org/keycloak/authentication/DefaultActionTokenKey.java new file mode 100644 index 0000000000..f9d44db254 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/DefaultActionTokenKey.java @@ -0,0 +1,43 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication; + +import org.keycloak.representations.JsonWebToken; +import com.fasterxml.jackson.annotation.JsonIgnore; + +/** + * + * @author hmlnarik + */ +public class DefaultActionTokenKey extends JsonWebToken { + + public DefaultActionTokenKey(String userId, String actionId) { + subject = userId; + type = actionId; + } + + @JsonIgnore + public String getUserId() { + return getSubject(); + } + + @JsonIgnore + public String getActionId() { + return getType(); + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java new file mode 100644 index 0000000000..ef9277090f --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java @@ -0,0 +1,148 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication; + +import org.keycloak.TokenVerifier; +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.common.VerificationException; +import org.keycloak.common.util.Time; +import org.keycloak.jose.jws.*; +import org.keycloak.models.*; +import org.keycloak.services.Urls; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.Map; +import java.util.UUID; +import javax.ws.rs.core.UriInfo; +import org.jboss.logging.Logger; + +/** + * Representation of a token that represents a time-limited reset credentials action. + *

+ * This implementation handles signature. + * + * @author hmlnarik + */ +public class ResetCredentialsActionToken extends DefaultActionToken { + + private static final Logger LOG = Logger.getLogger(ResetCredentialsActionToken.class); + + private static final String RESET_CREDENTIALS_ACTION = "reset-credentials"; + public static final String NOTE_CLIENT_SESSION_ID = "clientSessionId"; + private static final String JSON_FIELD_CLIENT_SESSION_ID = "csid"; + private static final String JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP = "lcpt"; + + @JsonIgnore + private ClientSessionModel clientSession; + + @JsonProperty(value = JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP) + private Long lastChangedPasswordTimestamp; + + public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, String clientSessionId) { + super(userId, RESET_CREDENTIALS_ACTION, absoluteExpirationInSecs, actionVerificationNonce); + setNote(NOTE_CLIENT_SESSION_ID, clientSessionId); + this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; + } + + public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, ClientSessionModel clientSession) { + this(userId, absoluteExpirationInSecs, actionVerificationNonce, lastChangedPasswordTimestamp, clientSession == null ? null : clientSession.getId()); + this.clientSession = clientSession; + } + + private ResetCredentialsActionToken() { + super(null, null, -1, null); + } + + public ClientSessionModel getClientSession() { + return this.clientSession; + } + + public void setClientSession(ClientSessionModel clientSession) { + this.clientSession = clientSession; + setClientSessionId(clientSession == null ? null : clientSession.getId()); + } + + @JsonProperty(value = JSON_FIELD_CLIENT_SESSION_ID) + public String getClientSessionId() { + return getNote(NOTE_CLIENT_SESSION_ID); + } + + public void setClientSessionId(String clientSessionId) { + setNote(NOTE_CLIENT_SESSION_ID, clientSessionId); + } + + public Long getLastChangedPasswordTimestamp() { + return lastChangedPasswordTimestamp; + } + + public void setLastChangedPasswordTimestamp(Long lastChangedPasswordTimestamp) { + this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; + } + + @Override + @JsonIgnore + public Map getNotes() { + Map res = super.getNotes(); + if (this.clientSession != null) { + res.put(NOTE_CLIENT_SESSION_ID, getNote(NOTE_CLIENT_SESSION_ID)); + } + return res; + } + + public String serialize(KeycloakSession session, RealmModel realm, UriInfo uri) { + String issuerUri = getIssuer(realm, uri); + KeyManager.ActiveHmacKey keys = session.keys().getActiveHmacKey(realm); + + this + .issuedAt(Time.currentTime()) + .id(getActionVerificationNonce().toString()) + .issuer(issuerUri) + .audience(issuerUri); + + return new JWSBuilder() + .kid(keys.getKid()) + .jsonContent(this) + .hmac512(keys.getSecretKey()); + } + + private static String getIssuer(RealmModel realm, UriInfo uri) { + return Urls.realmIssuer(uri.getBaseUri(), realm.getName()); + } + + /** + * Returns a {@code DefaultActionToken} instance decoded from the given string. If decoding fails, returns {@code null} + * + * @param session + * @param actionTokenString + * @return + */ + public static ResetCredentialsActionToken deserialize(KeycloakSession session, RealmModel realm, UriInfo uri, String token, + Predicate... checks) throws VerificationException { + return TokenVerifier.create(token, ResetCredentialsActionToken.class) + .secretKey(session.keys().getActiveHmacKey(realm).getSecretKey()) + .realmUrl(getIssuer(realm, uri)) + .tokenType(RESET_CREDENTIALS_ACTION) + + .checkActive(false) // TODO: If this line is omitted, the following tests in ResetPasswordTest fail: resetPasswordExpiredCodeShort, resetPasswordExpiredCode + + .check(ACTION_TOKEN_BASIC_CHECKS) + .check(checks) + .verify() + .getToken() + ; + } +} diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java index e74fa20882..8f21ddf4f6 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java @@ -19,33 +19,27 @@ package org.keycloak.authentication.authenticators.resetcred; import org.jboss.logging.Logger; import org.keycloak.Config; -import org.keycloak.authentication.AuthenticationFlowContext; -import org.keycloak.authentication.AuthenticationFlowError; -import org.keycloak.authentication.Authenticator; -import org.keycloak.authentication.AuthenticatorFactory; +import org.keycloak.authentication.*; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; +import org.keycloak.common.VerificationException; +import org.keycloak.common.util.Time; +import org.keycloak.credential.*; import org.keycloak.email.EmailException; import org.keycloak.email.EmailTemplateProvider; import org.keycloak.events.Details; import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; -import org.keycloak.models.AuthenticationExecutionModel; -import org.keycloak.models.Constants; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakSessionFactory; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; +import org.keycloak.models.*; import org.keycloak.models.utils.FormMessage; -import org.keycloak.models.utils.HmacOTP; import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.services.ServicesLogger; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; +import java.util.*; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; -import java.util.List; import java.util.concurrent.TimeUnit; /** @@ -53,9 +47,6 @@ import java.util.concurrent.TimeUnit; * @version $Revision: 1 $ */ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory { - public static final String RESET_CREDENTIAL_SECRET = "RESET_CREDENTIAL_SECRET"; - - private static final Logger logger = Logger.getLogger(ResetCredentialEmail.class); public static final String PROVIDER_ID = "reset-credential-email"; @@ -85,15 +76,25 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory return; } - // We send the secret in the email in a link as a query param. We don't need to sign it or anything because - // it can only be guessed once, and it must match watch is stored in the client session. - String secret = HmacOTP.generateSecret(10); - context.getClientSession().setNote(RESET_CREDENTIAL_SECRET, secret); - String link = UriBuilder.fromUri(context.getActionUrl()).queryParam(Constants.KEY, secret).build().toString(); - long expiration = TimeUnit.SECONDS.toMinutes(context.getRealm().getAccessCodeLifespanUserAction()); + int validityInSecs = context.getRealm().getAccessCodeLifespanUserAction(); + int absoluteExpirationInSecs = Time.currentTime() + validityInSecs; + + PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider) context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID); + CredentialModel password = passwordProvider.getPassword(context.getRealm(), user); + Long lastCreatedPassword = password == null ? null : password.getCreatedDate(); + + // We send the secret in the email in a link as a query param. + ResetCredentialsActionToken token = new ResetCredentialsActionToken(user.getId(), absoluteExpirationInSecs, null, lastCreatedPassword, context.getClientSession()); + KeycloakSession keycloakSession = context.getSession(); + String link = UriBuilder + .fromUri(context.getActionUrl()) + .queryParam(Constants.KEY, token.serialize(keycloakSession, context.getRealm(), context.getUriInfo())) + .build() + .toString(); + long expirationInMinutes = TimeUnit.SECONDS.toMinutes(validityInSecs); try { - context.getSession().getProvider(EmailTemplateProvider.class).setRealm(context.getRealm()).setUser(user).sendPasswordReset(link, expiration); + context.getSession().getProvider(EmailTemplateProvider.class).setRealm(context.getRealm()).setUser(user).sendPasswordReset(link, expirationInMinutes); event.clone().event(EventType.SEND_RESET_PASSWORD) .user(user) .detail(Details.USERNAME, username) @@ -114,19 +115,56 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory @Override public void action(AuthenticationFlowContext context) { - /*String secret = context.getClientSession().getNote(RESET_CREDENTIAL_SECRET); - String key = context.getUriInfo().getQueryParameters().getFirst(Constants.KEY); - - // Can only guess once! We remove the note so another guess can't happen - context.getClientSession().removeNote(RESET_CREDENTIAL_SECRET); - if (secret == null || key == null || !secret.equals(key)) { - context.getEvent().error(Errors.INVALID_USER_CREDENTIALS); + /* + KeycloakSession keycloakSession = context.getSession(); + String actionTokenString = context.getUriInfo().getQueryParameters().getFirst(Constants.KEY); + ResetCredentialsActionToken tokenFromMail = null; + try { + tokenFromMail = ResetCredentialsActionToken.deserialize(keycloakSession, context.getRealm(), context.getUriInfo(), actionTokenString); + } catch (VerificationException ex) { + context.getEvent().detail(Details.REASON, ex.getMessage()).error(Errors.INVALID_CODE); Response challenge = context.form() - .setError(Messages.INVALID_ACCESS_CODE) + .setError(Messages.INVALID_CODE) + .createErrorPage(); + context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); + } + + String userId = tokenFromMail == null ? null : tokenFromMail.getUserId(); + + if (tokenFromMail == null) { + context.getEvent() + .error(Errors.INVALID_CODE); + Response challenge = context.form() + .setError(Messages.INVALID_CODE) .createErrorPage(); context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); return; } + + PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider) context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID); + CredentialModel password = passwordProvider.getPassword(context.getRealm(), context.getUser()); + + Long lastCreatedPasswordMail = tokenFromMail.getLastChangedPasswordTimestamp(); + Long lastCreatedPasswordFromStore = password == null ? null : password.getCreatedDate(); + + String clientSessionId = tokenFromMail.getClientSessionId(); + ClientSessionModel clientSession = clientSessionId == null ? null : keycloakSession.sessions().getClientSession(clientSessionId); + + if (clientSession == null + || ! Objects.equals(lastCreatedPasswordMail, lastCreatedPasswordFromStore) + || ! Objects.equals(userId, context.getUser().getId())) { + context.getEvent() + .user(userId) + .detail(Details.USERNAME, context.getUser().getUsername()) + .detail(Details.TOKEN_ID, tokenFromMail.getId()) + .error(Errors.EXPIRED_CODE); + Response challenge = context.form() + .setError(Messages.INVALID_CODE) + .createErrorPage(); + context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); + return; + } + // We now know email is valid, so set it to valid. context.getUser().setEmailVerified(true); context.success();*/ diff --git a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java index 4fda88959f..109f2c935f 100644 --- a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java +++ b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java @@ -154,6 +154,11 @@ public class RestartLoginCookie { // TODO:mposolda /* public static ClientSessionModel restartSession(KeycloakSession session, RealmModel realm, String code) throws Exception { + String[] parts = code.split("\\."); + return restartSessionByClientSession(session, realm, parts[1]); + } + + public static ClientSessionModel restartSessionByClientSession(KeycloakSession session, RealmModel realm, String clientSessionId) throws Exception { Cookie cook = session.getContext().getRequestHeaders().getCookies().get(KC_RESTART); if (cook == null) { logger.debug("KC_RESTART cookie doesn't exist"); @@ -167,8 +172,6 @@ public class RestartLoginCookie { return null; } RestartLoginCookie cookie = input.readJsonContent(RestartLoginCookie.class); - String[] parts = code.split("\\."); - String clientSessionId = parts[1]; if (!clientSessionId.equals(cookie.getClientSession())) { logger.debug("RestartLoginCookie clientSession does not match code's clientSession"); return null; diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index 3cb8c68655..e460a1dbcd 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -127,7 +127,10 @@ public class AuthenticationManager { if (cookie == null) return; String tokenString = cookie.getValue(); - TokenVerifier verifier = TokenVerifier.create(tokenString).realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())).checkActive(false).checkTokenType(false); + TokenVerifier verifier = TokenVerifier.create(tokenString, AccessToken.class) + .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())) + .checkActive(false) + .checkTokenType(false); String kid = verifier.getHeader().getKeyId(); SecretKey secretKey = session.keys().getHmacSecretKey(realm, kid); @@ -710,7 +713,7 @@ public class AuthenticationManager { public static AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, boolean isCookie, String tokenString, HttpHeaders headers) { try { - TokenVerifier verifier = TokenVerifier.create(tokenString).realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())).checkActive(checkActive).checkTokenType(checkTokenType); + TokenVerifier verifier = TokenVerifier.create(tokenString).realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())).checkActive(checkActive).checkTokenType(checkTokenType); String kid = verifier.getHeader().getKeyId(); AlgorithmType algorithmType = verifier.getHeader().getAlgorithm().getType(); diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 3c9b40b4af..9633212828 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -24,13 +24,13 @@ import org.keycloak.authentication.RequiredActionContext; import org.keycloak.authentication.RequiredActionContextResult; import org.keycloak.authentication.RequiredActionFactory; import org.keycloak.authentication.RequiredActionProvider; +import org.keycloak.TokenVerifier; +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.ResetCredentialsActionToken; import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; -import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants; -import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; -import org.keycloak.authentication.requiredactions.VerifyEmail; -import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.common.ClientConnection; +import org.keycloak.common.VerificationException; import org.keycloak.common.util.Time; import org.keycloak.events.Details; import org.keycloak.events.Errors; @@ -48,7 +48,6 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.UserConsentModel; import org.keycloak.models.UserModel; -import org.keycloak.models.UserModel.RequiredAction; import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.protocol.LoginProtocol; @@ -57,11 +56,14 @@ import org.keycloak.protocol.RestartLoginCookie; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.utils.OIDCResponseMode; import org.keycloak.protocol.oidc.utils.OIDCResponseType; +import org.keycloak.representations.JsonWebToken; import org.keycloak.services.ErrorPage; import org.keycloak.services.ServicesLogger; import org.keycloak.services.Urls; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.ClientSessionCode; +import org.keycloak.services.managers.ClientSessionCode.ActionType; +import org.keycloak.services.managers.ClientSessionCode.ParseResult; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.util.CookieHelper; @@ -84,6 +86,7 @@ import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import javax.ws.rs.ext.Providers; import java.net.URI; +import java.util.Objects; /** * @author Stian Thorgersen @@ -166,24 +169,51 @@ public class LoginActionsService { } } + private SessionCodeChecks checksForCode(String code, Class expectedClazz) { + SessionCodeChecks res = new SessionCodeChecks<>(code, expectedClazz); + res.initialVerifyCode(); + return res; + } - private class Checks { - // TODO: Merge with Hynek's code. This may not be just loginSession - ClientSessionCode clientCode; + + + private class SessionCodeChecks { + ClientSessionCode clientCode; Response response; - ClientSessionCode.ParseResult result; + ClientSessionCode.ParseResult result; + Class expectedClazz; - boolean verifyCode(String code, String requiredAction, ClientSessionCode.ActionType actionType) { - if (!verifyCode(code)) { + private final String code; + + public SessionCodeChecks(String code, Class expectedClazz) { + this.code = code; + this.expectedClazz = expectedClazz; + } + + public C getClientSession() { + return clientCode == null ? null : clientCode.getClientSession(); + } + + public boolean passed() { + return response == null; + } + + public boolean failed() { + return response != null; + } + + + boolean verifyCode(String requiredAction, ClientSessionCode.ActionType actionType) { + if (failed()) { return false; } + if (!clientCode.isValidAction(requiredAction)) { - LoginSessionModel loginSession = clientCode.getClientSession(); - if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(loginSession.getAction())) { + C clientSession = getClientSession(); + if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(clientSession.getAction())) { response = redirectToRequiredActions(code); return false; - - } // TODO:mposolda + } // TODO:mposolda /*else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { response = session.getProvider(LoginFormsProvider.class) .setSuccess(Messages.ALREADY_LOGGED_IN) @@ -191,9 +221,9 @@ public class LoginActionsService { return false; }*/ } - if (!isActionActive(actionType)) return false; - return true; - } + + return isActionActive(actionType); + } private boolean isValidAction(String requiredAction) { if (!clientCode.isValidAction(requiredAction)) { @@ -204,18 +234,19 @@ public class LoginActionsService { } private void invalidAction() { - event.client(clientCode.getClientSession().getClient()); + event.client(getClientSession().getClient()); event.error(Errors.INVALID_CODE); response = ErrorPage.error(session, Messages.INVALID_CODE); } private boolean isActionActive(ClientSessionCode.ActionType actionType) { if (!clientCode.isActionActive(actionType)) { - event.client(clientCode.getClientSession().getClient()); + event.client(getClientSession().getClient()); event.clone().error(Errors.EXPIRED_CODE); - if (clientCode.getClientSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { - AuthenticationProcessor.resetFlow(clientCode.getClientSession()); - response = processAuthentication(null, clientCode.getClientSession(), Messages.LOGIN_TIMEOUT); + if (getClientSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { + LoginSessionModel loginSession = (LoginSessionModel) getClientSession(); + AuthenticationProcessor.resetFlow(loginSession); + response = processAuthentication(null, loginSession, Messages.LOGIN_TIMEOUT); return false; } response = ErrorPage.error(session, Messages.EXPIRED_CODE); @@ -224,7 +255,7 @@ public class LoginActionsService { return true; } - public boolean verifyCode(String code) { + private boolean initialVerifyCode() { if (!checkSsl()) { event.error(Errors.SSL_REQUIRED); response = ErrorPage.error(session, Messages.HTTPS_REQUIRED); @@ -235,14 +266,12 @@ public class LoginActionsService { response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); return false; } - - // TODO:mposolda it may not be just loginSessionModel - result = ClientSessionCode.parseResult(code, session, realm, LoginSessionModel.class); + result = ClientSessionCode.parseResult(code, session, realm, expectedClazz); clientCode = result.getCode(); if (clientCode == null) { - // TODO:mposolda - /* - if (result.isLoginSessionNotFound()) { // timeout + if (result.isLoginSessionNotFound()) { // timeout or loginSession already logged + // TODO:mposolda + /* try { ClientSessionModel clientSession = RestartLoginCookie.restartSession(session, realm, code); if (clientSession != null) { @@ -252,13 +281,14 @@ public class LoginActionsService { } } catch (Exception e) { ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e); - } + }*/ } event.error(Errors.INVALID_CODE); - response = ErrorPage.error(session, Messages.INVALID_CODE);*/ + response = ErrorPage.error(session, Messages.INVALID_CODE); return false; } - LoginSessionModel clientSession = clientCode.getClientSession(); + + C clientSession = getClientSession(); if (clientSession == null) { event.error(Errors.INVALID_CODE); response = ErrorPage.error(session, Messages.INVALID_CODE); @@ -269,62 +299,48 @@ public class LoginActionsService { if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); response = ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); - session.loginSessions().removeLoginSession(realm, clientSession); + // TODO:mposolda + //session.sessions().removeClientSession(realm, clientSession); return false; } if (!client.isEnabled()) { event.error(Errors.CLIENT_NOT_FOUND); response = ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); - session.loginSessions().removeLoginSession(realm, clientSession); + // TODO:mposolda + //session.sessions().removeClientSession(realm, clientSession); return false; } session.getContext().setClient(client); return true; } - public boolean verifyRequiredAction(String code, String executedAction) { - // TODO:mposolda - /* - if (!verifyCode(code)) { + public boolean verifyRequiredAction(String executedAction) { + if (failed()) { return false; } + if (!isValidAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name())) return false; if (!isActionActive(ClientSessionCode.ActionType.USER)) return false; - final ClientSessionModel clientSession = clientCode.getClientSession(); + final LoginSessionModel loginSession = (LoginSessionModel) getClientSession(); - final UserSessionModel userSession = clientSession.getUserSession(); - if (userSession == null) { - ServicesLogger.LOGGER.userSessionNull(); - event.error(Errors.USER_SESSION_NOT_FOUND); - throw new WebApplicationException(ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE)); - } - if (!AuthenticationManager.isSessionValid(realm, userSession)) { - AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers, true); - event.error(Errors.INVALID_CODE); - response = ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE); - return false; - } - - if (executedAction == null && userSession != null) { // do next required action only if user is already authenticated - initEvent(clientSession); + if (executedAction == null) { // do next required action only if user is already authenticated + initLoginEvent(loginSession); event.event(EventType.LOGIN); - response = AuthenticationManager.nextActionAfterAuthentication(session, userSession, clientSession, clientConnection, request, uriInfo, event); + response = AuthenticationManager.nextActionAfterAuthentication(session, loginSession, clientConnection, request, uriInfo, event); return false; } - if (!executedAction.equals(clientSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) { + if (!executedAction.equals(loginSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) { logger.debug("required action doesn't match current required action"); - clientSession.removeNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); + loginSession.removeNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); response = redirectToRequiredActions(code); return false; - }*/ + } return true; - } } - /** * protocol independent login page entry point * @@ -341,8 +357,8 @@ public class LoginActionsService { if (loginSession != null && code.equals(loginSession.getNote(LAST_PROCESSED_CODE))) { // Allow refresh of previous page } else { - Checks checks = new Checks(); - if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } @@ -402,8 +418,8 @@ public class LoginActionsService { return authenticate(code, null); } - Checks checks = new Checks(); - if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } final ClientSessionCode clientCode = checks.clientCode; @@ -422,6 +438,163 @@ public class LoginActionsService { return null; } + private boolean isSslUsed(JsonWebToken t) throws VerificationException { + if (! checkSsl()) { + event.error(Errors.SSL_REQUIRED); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.HTTPS_REQUIRED)); + } + return true; + } + + private boolean isRealmEnabled(JsonWebToken t) throws VerificationException { + if (! realm.isEnabled()) { + event.error(Errors.REALM_DISABLED); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.REALM_NOT_ENABLED)); + } + return true; + } + + private boolean isResetCredentialsAllowed(ResetCredentialsActionToken t) throws VerificationException { + if (!realm.isResetPasswordAllowed()) { + event.client(t.getClientSession().getClient()); + event.error(Errors.NOT_ALLOWED); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED)); + } + return true; + } + + private boolean canResolveClientSession(ResetCredentialsActionToken t) throws VerificationException { + // TODO:mposolda + /* + String clientSessionId = t == null ? null : t.getNote(ResetCredentialsActionToken.NOTE_CLIENT_SESSION_ID); + + if (t == null || clientSessionId == null) { + event.error(Errors.INVALID_CODE); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.INVALID_CODE)); + } + + ClientSessionModel clientSession = session.sessions().getClientSession(clientSessionId); + t.setClientSession(clientSession); + + if (clientSession == null) { // timeout + try { + clientSession = RestartLoginCookie.restartSessionByClientSession(session, realm, clientSessionId); + } catch (Exception e) { + ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e); + } + + if (clientSession != null) { + event.clone().detail(Details.RESTART_AFTER_TIMEOUT, "true").error(Errors.EXPIRED_CODE); + throw new LoginActionsServiceException(processFlow(null, clientSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT, new AuthenticationProcessor())); + } + } + + if (clientSession == null) { + event.error(Errors.INVALID_CODE); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.INVALID_CODE)); + } + + event.detail(Details.CODE_ID, clientSession.getId());*/ + + return true; + } + + private boolean canResolveClient(ResetCredentialsActionToken t) throws VerificationException { + ClientModel client = t.getClientSession().getClient(); + if (client == null) { + event.error(Errors.CLIENT_NOT_FOUND); + session.sessions().removeClientSession(realm, t.getClientSession()); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER)); + } + + if (! client.isEnabled()) { + event.error(Errors.CLIENT_NOT_FOUND); + session.sessions().removeClientSession(realm, t.getClientSession()); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED)); + } + session.getContext().setClient(client); + + return true; + } + + private class IsValidAction implements Predicate { + + private final String requiredAction; + + public IsValidAction(String requiredAction) { + this.requiredAction = requiredAction; + } + + @Override + public boolean test(ResetCredentialsActionToken t) throws VerificationException { + ClientSessionModel clientSession = t.getClientSession(); + if (! Objects.equals(clientSession.getAction(), this.requiredAction)) { + + if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(clientSession.getAction())) { +// TODO: Once login tokens would be implemented, this would have to be rewritten +// String code = clientSession.getNote(ClientSessionCode.ACTIVE_CODE) + "." + clientSession.getId(); + String code = clientSession.getNote("active_code") + "." + clientSession.getId(); + throw new LoginActionsServiceException(redirectToRequiredActions(code)); + } else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { + throw new LoginActionsServiceException( + session.getProvider(LoginFormsProvider.class) + .setSuccess(Messages.ALREADY_LOGGED_IN) + .createInfoPage()); + } + } + + return true; + } + } + + private class IsActiveAction implements Predicate { + private final ClientSessionCode.ActionType actionType; + + public IsActiveAction(ActionType actionType) { + this.actionType = actionType; + } + + @Override + public boolean test(ResetCredentialsActionToken t) throws VerificationException { + int timestamp = t.getClientSession().getTimestamp(); + if (! isActionActive(actionType, timestamp)) { + event.client(t.getClientSession().getClient()); + event.clone().error(Errors.EXPIRED_CODE); + + if (t.getClientSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { + // TODO:mposolda incompatible types + LoginSessionModel loginSession = (LoginSessionModel) t.getClientSession(); + + AuthenticationProcessor.resetFlow(loginSession); + throw new LoginActionsServiceException(processAuthentication(null, loginSession, Messages.LOGIN_TIMEOUT)); + } + + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.EXPIRED_CODE)); + } + return true; + } + + public boolean isActionActive(ActionType actionType, int timestamp) { + int lifespan; + switch (actionType) { + case CLIENT: + lifespan = realm.getAccessCodeLifespan(); + break; + case LOGIN: + lifespan = realm.getAccessCodeLifespanLogin() > 0 ? realm.getAccessCodeLifespanLogin() : realm.getAccessCodeLifespanUserAction(); + break; + case USER: + lifespan = realm.getAccessCodeLifespanUserAction(); + break; + default: + throw new IllegalArgumentException(); + } + + return timestamp + lifespan > Time.currentTime(); + } + + } + /** * Endpoint for executing reset credentials flow. If code is null, a client session is created with the account * service as the client. Successful reset sends you to the account page. Note, account service must be enabled. @@ -433,12 +606,10 @@ public class LoginActionsService { @Path(RESET_CREDENTIALS_PATH) @GET public Response resetCredentialsGET(@QueryParam("code") String code, - @QueryParam("execution") String execution) { + @QueryParam("execution") String execution, + @QueryParam("key") String key) { // we allow applications to link to reset credentials without going through OAuth or SAML handshakes - // - // TODO:mposolda - /* - if (code == null) { + if (code == null && key == null) { if (!realm.isResetPasswordAllowed()) { event.event(EventType.RESET_PASSWORD); event.error(Errors.NOT_ALLOWED); @@ -450,7 +621,7 @@ public class LoginActionsService { ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); //clientSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); - clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); + clientSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); clientSession.setRedirectUri(redirectUri); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); @@ -459,32 +630,96 @@ public class LoginActionsService { clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); return processResetCredentials(null, clientSession, null); } + + if (key != null) { + try { + ResetCredentialsActionToken token = ResetCredentialsActionToken.deserialize( + session, realm, session.getContext().getUri(), key); + return resetCredentials(code, token, execution); + } catch (VerificationException ex) { + event.event(EventType.RESET_PASSWORD) + .detail(Details.REASON, ex.getMessage()) + .error(Errors.NOT_ALLOWED); + return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); + } + } + return resetCredentials(code, execution); - */ - return null; } - /* + + /** + * @deprecated In favor of {@link #resetCredentials(String, org.keycloak.authentication.ResetCredentialsActionToken, java.lang.String)} + * @param code + * @param execution + * @return + */ protected Response resetCredentials(String code, String execution) { event.event(EventType.RESET_PASSWORD); - Checks checks = new Checks(); - if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) { + SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) { return checks.response; } - final ClientSessionCode clientCode = checks.clientCode; - final ClientSessionModel clientSession = clientCode.getClientSession(); + final LoginSessionModel clientSession = checks.getClientSession(); if (!realm.isResetPasswordAllowed()) { - event.client(clientCode.getClientSession().getClient()); + event.client(clientSession.getClient()); event.error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } + // TODO:mposolda + //return processResetCredentials(execution, clientSession, null); + return null; + } + + protected Response resetCredentials(String code, ResetCredentialsActionToken token, String execution) { + event.event(EventType.RESET_PASSWORD); + + if (token == null) { + // TODO: Use more appropriate code + event.error(Errors.NOT_ALLOWED); + return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); + } + + try { + TokenVerifier.from(token).checkOnly( + // Start basic checks + this::isRealmEnabled, + this::isSslUsed, + this::isResetCredentialsAllowed, + this::canResolveClientSession, + this::canResolveClient, + // End basic checks + + new IsValidAction(ClientSessionModel.Action.AUTHENTICATE.name()), + new IsActiveAction(ActionType.USER) + ).verify(); + } catch (LoginActionsServiceException ex) { + if (ex.getResponse() == null) { + event.event(EventType.RESET_PASSWORD) + .detail(Details.REASON, ex.getMessage()) + .error(Errors.INVALID_REQUEST); + return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); + } else { + return ex.getResponse(); + } + } catch (VerificationException ex) { + event.event(EventType.RESET_PASSWORD) + .detail(Details.REASON, ex.getMessage()) + .error(Errors.NOT_ALLOWED); + return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); + } + + final ClientSessionModel clientSession = token.getClientSession(); + return processResetCredentials(execution, clientSession, null); } protected Response processResetCredentials(String execution, ClientSessionModel clientSession, String errorMessage) { + // TODO:mposolda + /* AuthenticationProcessor authProcessor = new AuthenticationProcessor() { @Override @@ -507,7 +742,9 @@ public class LoginActionsService { }; return processFlow(execution, clientSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), errorMessage, authProcessor); - }*/ + */ + return null; + } protected Response processRegistration(String execution, LoginSessionModel loginSession, String errorMessage) { @@ -531,8 +768,8 @@ public class LoginActionsService { return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED); } - Checks checks = new Checks(); - if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } event.detail(Details.CODE_ID, code); @@ -561,14 +798,14 @@ public class LoginActionsService { event.error(Errors.REGISTRATION_DISABLED); return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED); } - Checks checks = new Checks(); - if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } + ClientSessionCode clientCode = checks.clientCode; LoginSessionModel loginSession = clientCode.getClientSession(); - return processRegistration(execution, loginSession, null); } @@ -607,13 +844,12 @@ public class LoginActionsService { EventType eventType = firstBrokerLogin ? EventType.IDENTITY_PROVIDER_FIRST_LOGIN : EventType.IDENTITY_PROVIDER_POST_LOGIN; event.event(eventType); - Checks checks = new Checks(); - if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + SessionCodeChecks checks = checksForCode(code); + if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } event.detail(Details.CODE_ID, code); - ClientSessionCode clientSessionCode = checks.clientCode; - final ClientSessionModel clientSessionn = clientSessionCode.getClientSession(); + final ClientSessionModel clientSessionn = checks.getClientSession(); String noteKey = firstBrokerLogin ? AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE : PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT; SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSessionn, noteKey); @@ -681,10 +917,11 @@ public class LoginActionsService { public Response processConsent(final MultivaluedMap formData) { event.event(EventType.LOGIN); String code = formData.getFirst("code"); - Checks checks = new Checks(); - if (!checks.verifyRequiredAction(code, ClientSessionModel.Action.OAUTH_GRANT.name())) { + SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + if (!checks.verifyRequiredAction(ClientSessionModel.Action.OAUTH_GRANT.name())) { return checks.response; } + ClientSessionCode accessCode = checks.clientCode; LoginSessionModel loginSession = accessCode.getClientSession(); @@ -750,16 +987,15 @@ public class LoginActionsService { clientSession.removeNote(Constants.VERIFY_EMAIL_KEY); - Checks checks = new Checks(); - if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { + SessionCodeChecks checks = checksForCode(code); + if (!checks.verifyCode(ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { if (checks.clientCode == null && checks.result.isClientSessionNotFound() || checks.result.isIllegalHash()) { return ErrorPage.error(session, Messages.STALE_VERIFY_EMAIL_LINK); } return checks.response; } - ClientSessionCode accessCode = checks.clientCode; - clientSession = accessCode.getClientSession(); + clientSession = checks.getClientSession(); if (!ClientSessionModel.Action.VERIFY_EMAIL.name().equals(clientSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) { ServicesLogger.LOGGER.reqdActionDoesNotMatch(); event.error(Errors.INVALID_CODE); @@ -789,12 +1025,12 @@ public class LoginActionsService { return AuthenticationProcessor.redirectToRequiredActions(session, realm, clientSession, uriInfo); } else { - Checks checks = new Checks(); - if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { + SessionCodeChecks checks = checksForCode(code); + if (!checks.verifyCode(ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { return checks.response; } ClientSessionCode accessCode = checks.clientCode; - ClientSessionModel clientSession = accessCode.getClientSession(); + ClientSessionModel clientSession = checks.getClientSession(); UserSessionModel userSession = clientSession.getUserSession(); initEvent(clientSession); @@ -824,11 +1060,11 @@ public class LoginActionsService { /* event.event(EventType.EXECUTE_ACTIONS); if (key != null) { - Checks checks = new Checks(); - if (!checks.verifyCode(key, ClientSessionModel.Action.EXECUTE_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { + SessionCodeChecks checks = checksForCode(key); + if (!checks.verifyCode(ClientSessionModel.Action.EXECUTE_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { return checks.response; } - ClientSessionModel clientSession = checks.clientCode.getClientSession(); + ClientSessionModel clientSession = checks.getClientSession(); // verify user email as we know it is valid as this entry point would never have gotten here. clientSession.getUserSession().getUser().setEmailVerified(true); clientSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); @@ -936,12 +1172,11 @@ public class LoginActionsService { /* event.event(EventType.CUSTOM_REQUIRED_ACTION); event.detail(Details.CUSTOM_REQUIRED_ACTION, action); - Checks checks = new Checks(); - if (!checks.verifyRequiredAction(code, action)) { + SessionCodeChecks checks = checksForCode(code); + if (!checks.verifyRequiredAction(action)) { return checks.response; } - final ClientSessionCode clientCode = checks.clientCode; - final ClientSessionModel clientSession = clientCode.getClientSession(); + final ClientSessionModel clientSession = checks.getClientSession(); final UserSessionModel userSession = clientSession.getUserSession(); diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceException.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceException.java new file mode 100644 index 0000000000..3e758dfdf2 --- /dev/null +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceException.java @@ -0,0 +1,53 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.services.resources; + +import org.keycloak.common.VerificationException; +import javax.ws.rs.core.Response; + +/** + * + * @author hmlnarik + */ +public class LoginActionsServiceException extends VerificationException { + + private final Response response; + + public LoginActionsServiceException(Response response) { + this.response = response; + } + + public LoginActionsServiceException(Response response, String message) { + super(message); + this.response = response; + } + + public LoginActionsServiceException(Response response, String message, Throwable cause) { + super(message, cause); + this.response = response; + } + + public LoginActionsServiceException(Response response, Throwable cause) { + super(cause); + this.response = response; + } + + public Response getResponse() { + return response; + } + +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java index 3a12a76133..201a625ac4 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java @@ -50,6 +50,7 @@ import java.util.HashMap; import java.util.Map; import java.util.concurrent.atomic.AtomicInteger; +import org.junit.*; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; @@ -74,6 +75,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { .build(); userId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password"); + expectedMessagesCount = 0; getCleanup().addUserId(userId); } @@ -104,6 +106,8 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { @Rule public AssertEvents events = new AssertEvents(this); + private int expectedMessagesCount; + @Test public void resetPasswordLink() throws IOException, MessagingException { String username = "login-test"; @@ -167,6 +171,24 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { resetPassword("login-test"); } + @Test + @Ignore + public void resetPasswordTwice() throws IOException, MessagingException { + String changePasswordUrl = resetPassword("login-test"); + driver.navigate().to(changePasswordUrl.trim()); + + errorPage.assertCurrent(); + assertEquals("An error occurred, please login again through your application.", errorPage.getError()); + + events.expect(EventType.RESET_PASSWORD) + .client((String) null) + .session((String) null) + .user(userId) + .detail(Details.USERNAME, "login-test") + .error(Errors.EXPIRED_CODE) + .assertEvent(); + } + @Test public void resetPasswordWithSpacesInUsername() throws IOException, MessagingException { resetPassword(" login-test "); @@ -174,15 +196,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { @Test public void resetPasswordCancelChangeUser() throws IOException, MessagingException { - loginPage.open(); - loginPage.resetPassword(); - - resetPasswordPage.assertCurrent(); - - resetPasswordPage.changePassword("test-user@localhost"); - - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); + initiateResetPasswordFromResetPasswordPage("test-user@localhost"); events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).detail(Details.USERNAME, "test-user@localhost") .session((String) null) @@ -206,16 +220,12 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { resetPassword("login@test.com"); } - private void resetPassword(String username) throws IOException, MessagingException { - loginPage.open(); - loginPage.resetPassword(); + private String resetPassword(String username) throws IOException, MessagingException { + return resetPassword(username, "resetPassword"); + } - resetPasswordPage.assertCurrent(); - - resetPasswordPage.changePassword(username); - - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); + private String resetPassword(String username, String password) throws IOException, MessagingException { + initiateResetPasswordFromResetPasswordPage(username); events.expectRequiredAction(EventType.SEND_RESET_PASSWORD) .user(userId) @@ -224,9 +234,9 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { .session((String)null) .assertEvent(); - assertEquals(1, greenMail.getReceivedMessages().length); + assertEquals(expectedMessagesCount, greenMail.getReceivedMessages().length); - MimeMessage message = greenMail.getReceivedMessages()[0]; + MimeMessage message = greenMail.getReceivedMessages()[greenMail.getReceivedMessages().length - 1]; String changePasswordUrl = getPasswordResetEmailLink(message); @@ -234,7 +244,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { updatePasswordPage.assertCurrent(); - updatePasswordPage.changePassword("resetPassword", "resetPassword"); + updatePasswordPage.changePassword(password, password); String sessionId = events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).detail(Details.USERNAME, username.trim()).assertEvent().getSessionId(); @@ -248,63 +258,27 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { loginPage.open(); - loginPage.login("login-test", "resetPassword"); + loginPage.login("login-test", password); - events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent(); + sessionId = events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent().getSessionId(); assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - } - - private void resetPassword(String username, String password) throws IOException, MessagingException { - loginPage.open(); - loginPage.resetPassword(); - - resetPasswordPage.assertCurrent(); - - resetPasswordPage.changePassword(username); - - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); - - events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(userId).session((String)null) - .detail(Details.USERNAME, username).detail(Details.EMAIL, "login@test.com").assertEvent(); - - MimeMessage message = greenMail.getReceivedMessages()[greenMail.getReceivedMessages().length - 1]; - - String changePasswordUrl = getPasswordResetEmailLink(message); - - driver.navigate().to(changePasswordUrl.trim()); - - updatePasswordPage.assertCurrent(); - - updatePasswordPage.changePassword(password, password); - - String sessionId = events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId) - .detail(Details.USERNAME, username).assertEvent().getSessionId(); - - assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - - events.expectLogin().user(userId).detail(Details.USERNAME, username).assertEvent(); oauth.openLogout(); events.expectLogout(sessionId).user(userId).session(sessionId).assertEvent(); + + return changePasswordUrl; } private void resetPasswordInvalidPassword(String username, String password, String error) throws IOException, MessagingException { - loginPage.open(); - loginPage.resetPassword(); - - resetPasswordPage.assertCurrent(); - - resetPasswordPage.changePassword(username); - - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); + initiateResetPasswordFromResetPasswordPage(username); events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(userId).session((String)null) .detail(Details.USERNAME, username).detail(Details.EMAIL, "login@test.com").assertEvent(); + assertEquals(expectedMessagesCount, greenMail.getReceivedMessages().length); + MimeMessage message = greenMail.getReceivedMessages()[greenMail.getReceivedMessages().length - 1]; String changePasswordUrl = getPasswordResetEmailLink(message); @@ -320,17 +294,22 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { events.expectRequiredAction(EventType.UPDATE_PASSWORD_ERROR).error(Errors.PASSWORD_REJECTED).user(userId).detail(Details.USERNAME, "login-test").assertEvent().getSessionId(); } - @Test - public void resetPasswordWrongEmail() throws IOException, MessagingException, InterruptedException { + public void initiateResetPasswordFromResetPasswordPage(String username) { loginPage.open(); loginPage.resetPassword(); resetPasswordPage.assertCurrent(); - - resetPasswordPage.changePassword("invalid"); + + resetPasswordPage.changePassword(username); loginPage.assertCurrent(); assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); + expectedMessagesCount++; + } + + @Test + public void resetPasswordWrongEmail() throws IOException, MessagingException, InterruptedException { + initiateResetPasswordFromResetPasswordPage("invalid"); assertEquals(0, greenMail.getReceivedMessages().length); @@ -359,15 +338,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { @Test public void resetPasswordExpiredCode() throws IOException, MessagingException, InterruptedException { try { - loginPage.open(); - loginPage.resetPassword(); - - resetPasswordPage.assertCurrent(); - - resetPasswordPage.changePassword("login-test"); - - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); + initiateResetPasswordFromResetPasswordPage("login-test"); events.expectRequiredAction(EventType.SEND_RESET_PASSWORD) .session((String)null) @@ -403,15 +374,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { testRealm().update(realmRep); try { - loginPage.open(); - loginPage.resetPassword(); - - resetPasswordPage.assertCurrent(); - - resetPasswordPage.changePassword("login-test"); - - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); + initiateResetPasswordFromResetPasswordPage("login-test"); events.expectRequiredAction(EventType.SEND_RESET_PASSWORD) .session((String)null) @@ -434,55 +397,50 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { events.expectRequiredAction(EventType.RESET_PASSWORD).error("expired_code").client("test-app").user((String) null).session((String) null).clearDetails().assertEvent(); } finally { setTimeOffset(0); + + realmRep.setAccessCodeLifespanUserAction(originalValue.get()); + testRealm().update(realmRep); } } @Test public void resetPasswordDisabledUser() throws IOException, MessagingException, InterruptedException { UserRepresentation user = findUser("login-test"); - user.setEnabled(false); - updateUser(user); + try { + user.setEnabled(false); + updateUser(user); - loginPage.open(); - loginPage.resetPassword(); + initiateResetPasswordFromResetPasswordPage("login-test"); - resetPasswordPage.assertCurrent(); + assertEquals(0, greenMail.getReceivedMessages().length); - resetPasswordPage.changePassword("login-test"); - - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); - - assertEquals(0, greenMail.getReceivedMessages().length); - - events.expectRequiredAction(EventType.RESET_PASSWORD).session((String) null).user(userId).detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).error("user_disabled").assertEvent(); - - user.setEnabled(true); - updateUser(user); + events.expectRequiredAction(EventType.RESET_PASSWORD).session((String) null).user(userId).detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).error("user_disabled").assertEvent(); + } finally { + user.setEnabled(true); + updateUser(user); + } } @Test public void resetPasswordNoEmail() throws IOException, MessagingException, InterruptedException { - final String[] email = new String[1]; + final String email; UserRepresentation user = findUser("login-test"); - email[0] = user.getEmail(); - user.setEmail(""); - updateUser(user); + email = user.getEmail(); - loginPage.open(); - loginPage.resetPassword(); + try { + user.setEmail(""); + updateUser(user); - resetPasswordPage.assertCurrent(); + initiateResetPasswordFromResetPasswordPage("login-test"); - resetPasswordPage.changePassword("login-test"); + assertEquals(0, greenMail.getReceivedMessages().length); - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); - - assertEquals(0, greenMail.getReceivedMessages().length); - - events.expectRequiredAction(EventType.RESET_PASSWORD_ERROR).session((String) null).user(userId).detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).error("invalid_email").assertEvent(); + events.expectRequiredAction(EventType.RESET_PASSWORD_ERROR).session((String) null).user(userId).detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).error("invalid_email").assertEvent(); + } finally { + user.setEmail(email); + updateUser(user); + } } @Test @@ -496,29 +454,31 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { RealmRepresentation realmRep = testRealm().toRepresentation(); Map oldSmtp = realmRep.getSmtpServer(); - realmRep.setSmtpServer(smtpConfig); - testRealm().update(realmRep); + try { + realmRep.setSmtpServer(smtpConfig); + testRealm().update(realmRep); - loginPage.open(); - loginPage.resetPassword(); + loginPage.open(); + loginPage.resetPassword(); - resetPasswordPage.assertCurrent(); + resetPasswordPage.assertCurrent(); - resetPasswordPage.changePassword("login-test"); + resetPasswordPage.changePassword("login-test"); - errorPage.assertCurrent(); + errorPage.assertCurrent(); - assertEquals("Failed to send email, please try again later.", errorPage.getError()); + assertEquals("Failed to send email, please try again later.", errorPage.getError()); - assertEquals(0, greenMail.getReceivedMessages().length); + assertEquals(0, greenMail.getReceivedMessages().length); - events.expectRequiredAction(EventType.SEND_RESET_PASSWORD_ERROR).user(userId) - .session((String)null) - .detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).error(Errors.EMAIL_SEND_FAILED).assertEvent(); - - // Revert SMTP back - realmRep.setSmtpServer(oldSmtp); - testRealm().update(realmRep); + events.expectRequiredAction(EventType.SEND_RESET_PASSWORD_ERROR).user(userId) + .session((String)null) + .detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).error(Errors.EMAIL_SEND_FAILED).assertEvent(); + } finally { + // Revert SMTP back + realmRep.setSmtpServer(oldSmtp); + testRealm().update(realmRep); + } } private void setPasswordPolicy(String policy) { @@ -531,15 +491,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { public void resetPasswordWithLengthPasswordPolicy() throws IOException, MessagingException { setPasswordPolicy("length"); - loginPage.open(); - loginPage.resetPassword(); - - resetPasswordPage.assertCurrent(); - - resetPasswordPage.changePassword("login-test"); - - loginPage.assertCurrent(); - assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); + initiateResetPasswordFromResetPasswordPage("login-test"); assertEquals(1, greenMail.getReceivedMessages().length); From a9ec69e4242ab3279fd369c06bff0a0ceaf92ad4 Mon Sep 17 00:00:00 2001 From: mposolda Date: Mon, 27 Mar 2017 11:23:25 +0200 Subject: [PATCH 04/30] KEYCLOAK-4626: AuthenticationSessions - working login, registration, resetPassword flows --- ...ltInfinispanConnectionProviderFactory.java | 2 +- .../InfinispanConnectionProvider.java | 1 + .../AuthenticatedClientSessionAdapter.java | 195 +++ .../AuthenticationSessionAdapter.java} | 101 +- ...finispanAuthenticationSessionProvider.java | 183 +++ ...nAuthenticationSessionProviderFactory.java | 60 + .../InfinispanUserSessionProvider.java | 21 +- .../infinispan/UserSessionAdapter.java | 15 +- .../AuthenticationSessionEntity.java} | 26 +- .../entities/ClientLoginSessionEntity.java | 111 ++ .../entities/ClientSessionEntity.java | 1 - .../entities/UserSessionEntity.java | 10 + .../AuthenticationSessionPredicate.java | 105 ++ .../InfinispanLoginSessionProvider.java | 69 - ...sions.AuthenticationSessionProviderFactory | 18 + .../JpaUserSessionPersisterProvider.java | 12 +- .../AuthenticationFlowContext.java | 9 +- .../keycloak/authentication/FormContext.java | 7 +- .../authentication/RequiredActionContext.java | 6 +- .../provider/BrokeredIdentityContext.java | 13 +- .../java/org/keycloak/events/Details.java | 1 + .../keycloak/forms/login/LoginFormsPages.java | 2 +- .../forms/login/LoginFormsProvider.java | 6 +- .../DisabledUserSessionPersisterProvider.java | 5 +- ...entAuthenticatedClientSessionAdapter.java} | 10 +- .../session/PersistentUserSessionAdapter.java | 4 +- .../session/UserSessionPersisterProvider.java | 4 +- .../models/utils/ModelToRepresentation.java | 5 +- .../org/keycloak/protocol/LoginProtocol.java | 17 +- .../services/managers/ClientSessionCode.java | 56 +- .../services/managers/CodeGenerateUtil.java | 163 ++- .../keycloak/services/util/CookieHelper.java | 22 + ...AuthenticationSessionProviderFactory.java} | 2 +- ...Spi.java => AuthenticationSessionSpi.java} | 8 +- .../services/org.keycloak.provider.Spi | 2 +- ...a => AuthenticatedClientSessionModel.java} | 2 +- .../org/keycloak/models/KeycloakSession.java | 4 +- .../org/keycloak/models/UserSessionModel.java | 2 +- .../keycloak/models/UserSessionProvider.java | 5 +- ...l.java => AuthenticationSessionModel.java} | 7 +- ...ava => AuthenticationSessionProvider.java} | 12 +- .../sessions/CommonClientSessionModel.java | 2 +- .../AuthenticationProcessor.java | 197 +-- .../DefaultAuthenticationFlow.java | 63 +- .../FormAuthenticationFlow.java | 20 +- .../RequiredActionContextResult.java | 18 +- .../ResetCredentialsActionToken.java | 41 +- .../broker/AbstractIdpAuthenticator.java | 14 +- .../broker/IdpConfirmLinkAuthenticator.java | 10 +- .../IdpCreateUserIfUniqueAuthenticator.java | 8 +- .../broker/IdpReviewProfileAuthenticator.java | 6 +- .../broker/IdpUsernamePasswordForm.java | 6 +- .../SerializedBrokeredIdentityContext.java | 21 +- .../AbstractUsernameFormAuthenticator.java | 6 +- .../browser/CookieAuthenticator.java | 5 +- .../IdentityProviderAuthenticator.java | 2 +- .../browser/ScriptBasedAuthenticator.java | 2 +- .../browser/SpnegoAuthenticator.java | 3 +- .../browser/UsernamePasswordForm.java | 4 +- .../directgrant/ValidateUsername.java | 2 +- .../resetcred/ResetCredentialChooseUser.java | 7 +- .../resetcred/ResetCredentialEmail.java | 22 +- .../authenticators/resetcred/ResetOTP.java | 2 +- .../resetcred/ResetPassword.java | 9 +- .../x509/ValidateX509CertificateUsername.java | 2 +- .../X509ClientCertificateAuthenticator.java | 4 +- .../forms/RegistrationUserCreation.java | 10 +- .../requiredactions/UpdatePassword.java | 4 +- .../admin/PolicyEvaluationService.java | 14 +- .../HardcodedUserSessionAttributeMapper.java | 4 +- .../FreeMarkerLoginFormsProvider.java | 21 +- .../forms/login/freemarker/Templates.java | 2 + .../forms/login/freemarker/model/UrlBean.java | 4 + .../protocol/AuthorizationEndpointBase.java | 35 +- .../keycloak/protocol/RestartLoginCookie.java | 51 +- .../protocol/oidc/OIDCLoginProtocol.java | 36 +- .../keycloak/protocol/oidc/TokenManager.java | 80 +- .../oidc/endpoints/AuthorizationEndpoint.java | 48 +- .../oidc/endpoints/TokenEndpoint.java | 50 +- .../oidc/endpoints/UserInfoEndpoint.java | 2 +- .../mappers/AbstractOIDCProtocolMapper.java | 8 +- .../mappers/AbstractPairwiseSubMapper.java | 8 +- .../protocol/oidc/mappers/HardcodedRole.java | 4 +- .../oidc/mappers/OIDCAccessTokenMapper.java | 4 +- .../oidc/mappers/OIDCIDTokenMapper.java | 4 +- .../protocol/oidc/mappers/RoleNameMapper.java | 4 +- .../oidc/mappers/UserInfoTokenMapper.java | 4 +- .../oidc/utils/AuthorizeClientUtil.java | 2 + .../keycloak/protocol/saml/SamlProtocol.java | 56 +- .../keycloak/protocol/saml/SamlService.java | 52 +- .../saml/mappers/GroupMembershipMapper.java | 4 +- .../mappers/HardcodedAttributeMapper.java | 4 +- .../protocol/saml/mappers/RoleListMapper.java | 4 +- .../mappers/SAMLAttributeStatementMapper.java | 4 +- .../saml/mappers/SAMLLoginResponseMapper.java | 4 +- .../saml/mappers/SAMLRoleListMapper.java | 4 +- .../mappers/UserAttributeStatementMapper.java | 4 +- .../UserPropertyAttributeStatementMapper.java | 4 +- .../UserSessionNoteStatementMapper.java | 4 +- .../profile/ecp/SamlEcpProfileService.java | 14 +- .../authenticator/HttpBasicAuthenticator.java | 2 +- .../services/DefaultKeycloakSession.java | 12 +- .../main/java/org/keycloak/services/Urls.java | 6 + .../org/keycloak/services/managers/Auth.java | 9 +- .../managers/AuthenticationManager.java | 153 ++- .../managers/ResourceAdminManager.java | 20 +- .../services/managers/UserSessionManager.java | 22 +- .../services/resources/AccountService.java | 17 +- .../resources/IdentityBrokerService.java | 126 +- .../resources/LoginActionsService.java | 685 +++++---- .../resources/admin/UsersResource.java | 17 +- .../integration-arquillian/HOW-TO-RUN.md | 2 +- .../forms/PassThroughRegistration.java | 10 +- .../org/keycloak/testsuite/AssertEvents.java | 5 +- .../testsuite/forms/ResetPasswordTest.java | 18 +- .../AuthenticationSessionProviderTest.java | 122 ++ .../model/UserSessionProviderTest.java | 1219 +++++++++-------- .../theme/base/login/bypass_kerberos.ftl | 25 - .../theme/base/login/login-page-expired.ftl | 12 + .../login/messages/messages_en.properties | 4 + 120 files changed, 2914 insertions(+), 1909 deletions(-) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java rename model/infinispan/src/main/java/org/keycloak/{sessions/infinispan/LoginSessionAdapter.java => models/sessions/infinispan/AuthenticationSessionAdapter.java} (75%) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java rename model/infinispan/src/main/java/org/keycloak/{sessions/infinispan/LoginSessionEntity.java => models/sessions/infinispan/entities/AuthenticationSessionEntity.java} (79%) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientLoginSessionEntity.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/AuthenticationSessionPredicate.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/sessions/infinispan/InfinispanLoginSessionProvider.java create mode 100644 model/infinispan/src/main/resources/META-INF/services/org.keycloak.sessions.AuthenticationSessionProviderFactory rename server-spi-private/src/main/java/org/keycloak/models/session/{PersistentClientSessionAdapter.java => PersistentAuthenticatedClientSessionAdapter.java} (94%) rename {services => server-spi-private}/src/main/java/org/keycloak/services/util/CookieHelper.java (69%) rename server-spi-private/src/main/java/org/keycloak/sessions/{LoginSessionProviderFactory.java => AuthenticationSessionProviderFactory.java} (88%) rename server-spi-private/src/main/java/org/keycloak/sessions/{LoginSessionSpi.java => AuthenticationSessionSpi.java} (85%) rename server-spi/src/main/java/org/keycloak/models/{ClientLoginSessionModel.java => AuthenticatedClientSessionModel.java} (91%) rename server-spi/src/main/java/org/keycloak/sessions/{LoginSessionModel.java => AuthenticationSessionModel.java} (89%) rename server-spi/src/main/java/org/keycloak/sessions/{LoginSessionProvider.java => AuthenticationSessionProvider.java} (64%) create mode 100644 testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java delete mode 100755 themes/src/main/resources/theme/base/login/bypass_kerberos.ftl create mode 100644 themes/src/main/resources/theme/base/login/login-page-expired.ftl diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java index 916db65cc3..934f0e8c11 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java @@ -27,7 +27,6 @@ import org.infinispan.eviction.EvictionStrategy; import org.infinispan.eviction.EvictionType; import org.infinispan.manager.DefaultCacheManager; import org.infinispan.manager.EmbeddedCacheManager; -import org.infinispan.persistence.remote.configuration.ExhaustedAction; import org.infinispan.persistence.remote.configuration.RemoteStoreConfigurationBuilder; import org.infinispan.transaction.LockingMode; import org.infinispan.transaction.TransactionMode; @@ -181,6 +180,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon cacheManager.defineConfiguration(InfinispanConnectionProvider.OFFLINE_SESSION_CACHE_NAME, sessionCacheConfiguration); cacheManager.defineConfiguration(InfinispanConnectionProvider.LOGIN_FAILURE_CACHE_NAME, sessionCacheConfiguration); cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, sessionCacheConfiguration); + cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME, sessionCacheConfiguration); ConfigurationBuilder replicationConfigBuilder = new ConfigurationBuilder(); if (clustered) { diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java index 7c255fd0b8..6d8b7f4be9 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java @@ -36,6 +36,7 @@ public interface InfinispanConnectionProvider extends Provider { String SESSION_CACHE_NAME = "sessions"; String OFFLINE_SESSION_CACHE_NAME = "offlineSessions"; String LOGIN_FAILURE_CACHE_NAME = "loginFailures"; + String AUTHENTICATION_SESSIONS_CACHE_NAME = "authenticationSessions"; String WORK_CACHE_NAME = "work"; String AUTHORIZATION_CACHE_NAME = "authorization"; diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java new file mode 100644 index 0000000000..6eaba69dad --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java @@ -0,0 +1,195 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.sessions.infinispan; + +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Set; + +import org.infinispan.Cache; +import org.keycloak.models.AuthenticatedClientSessionModel; +import org.keycloak.models.ClientModel; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserSessionModel; +import org.keycloak.models.sessions.infinispan.entities.ClientLoginSessionEntity; +import org.keycloak.models.sessions.infinispan.entities.SessionEntity; +import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; + +/** + * @author Marek Posolda + */ +public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSessionModel { + + private final ClientLoginSessionEntity entity; + private final InfinispanUserSessionProvider provider; + private final Cache cache; + private UserSessionAdapter userSession; + + public AuthenticatedClientSessionAdapter(ClientLoginSessionEntity entity, UserSessionAdapter userSession, InfinispanUserSessionProvider provider, Cache cache) { + this.provider = provider; + this.entity = entity; + this.cache = cache; + this.userSession = userSession; + } + + private void update() { + provider.getTx().replace(cache, userSession.getEntity().getId(), userSession.getEntity()); + } + + + @Override + public void setUserSession(UserSessionModel userSession) { + String clientUUID = entity.getClient(); + UserSessionEntity sessionEntity = this.userSession.getEntity(); + + // Dettach userSession + if (userSession == null) { + if (sessionEntity.getClientLoginSessions() != null) { + sessionEntity.getClientLoginSessions().remove(clientUUID); + update(); + this.userSession = null; + } + } else { + this.userSession = (UserSessionAdapter) userSession; + + if (sessionEntity.getClientLoginSessions() == null) { + sessionEntity.setClientLoginSessions(new HashMap<>()); + } + sessionEntity.getClientLoginSessions().put(clientUUID, entity); + update(); + } + } + + @Override + public UserSessionModel getUserSession() { + return this.userSession; + } + + @Override + public String getRedirectUri() { + return entity.getRedirectUri(); + } + + @Override + public void setRedirectUri(String uri) { + entity.setRedirectUri(uri); + update(); + } + + @Override + public String getId() { + return entity.getId(); + } + + @Override + public RealmModel getRealm() { + return userSession.getRealm(); + } + + @Override + public ClientModel getClient() { + String client = entity.getClient(); + return getRealm().getClientById(client); + } + + @Override + public int getTimestamp() { + return entity.getTimestamp(); + } + + @Override + public void setTimestamp(int timestamp) { + entity.setTimestamp(timestamp); + update(); + } + + @Override + public String getAction() { + return entity.getAction(); + } + + @Override + public void setAction(String action) { + entity.setAction(action); + update(); + } + + @Override + public String getProtocol() { + return entity.getAuthMethod(); + } + + @Override + public void setProtocol(String method) { + entity.setAuthMethod(method); + update(); + } + + @Override + public Set getRoles() { + return entity.getRoles(); + } + + @Override + public void setRoles(Set roles) { + entity.setRoles(roles); + update(); + } + + @Override + public Set getProtocolMappers() { + return entity.getProtocolMappers(); + } + + @Override + public void setProtocolMappers(Set protocolMappers) { + entity.setProtocolMappers(protocolMappers); + update(); + } + + @Override + public String getNote(String name) { + return entity.getNotes()==null ? null : entity.getNotes().get(name); + } + + @Override + public void setNote(String name, String value) { + if (entity.getNotes() == null) { + entity.setNotes(new HashMap<>()); + } + entity.getNotes().put(name, value); + update(); + } + + @Override + public void removeNote(String name) { + if (entity.getNotes() != null) { + entity.getNotes().remove(name); + update(); + } + } + + @Override + public Map getNotes() { + if (entity.getNotes() == null || entity.getNotes().isEmpty()) return Collections.emptyMap(); + Map copy = new HashMap<>(); + copy.putAll(entity.getNotes()); + return copy; + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java similarity index 75% rename from model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionAdapter.java rename to model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java index e8dda52e63..d2387cc42d 100644 --- a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java @@ -15,7 +15,7 @@ * limitations under the License. */ -package org.keycloak.sessions.infinispan; +package org.keycloak.models.sessions.infinispan; import java.util.Collections; import java.util.HashMap; @@ -28,24 +28,24 @@ import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; -import org.keycloak.models.sessions.infinispan.entities.SessionEntity; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity; +import org.keycloak.sessions.AuthenticationSessionModel; /** * NOTE: Calling setter doesn't automatically enlist for update * * @author Marek Posolda */ -public class LoginSessionAdapter implements LoginSessionModel { +public class AuthenticationSessionAdapter implements AuthenticationSessionModel { private KeycloakSession session; - private InfinispanLoginSessionProvider provider; - private Cache cache; + private InfinispanAuthenticationSessionProvider provider; + private Cache cache; private RealmModel realm; - private LoginSessionEntity entity; + private AuthenticationSessionEntity entity; - public LoginSessionAdapter(KeycloakSession session, InfinispanLoginSessionProvider provider, Cache cache, RealmModel realm, - LoginSessionEntity entity) { + public AuthenticationSessionAdapter(KeycloakSession session, InfinispanAuthenticationSessionProvider provider, Cache cache, RealmModel realm, + AuthenticationSessionEntity entity) { this.session = session; this.provider = provider; this.cache = cache; @@ -53,6 +53,11 @@ public class LoginSessionAdapter implements LoginSessionModel { this.entity = entity; } + void update() { + provider.tx.replace(cache, entity.getId(), entity); + } + + @Override public String getId() { return entity.getId(); @@ -68,34 +73,6 @@ public class LoginSessionAdapter implements LoginSessionModel { return realm.getClientById(entity.getClientUuid()); } -// @Override -// public UserSessionAdapter getUserSession() { -// return entity.getUserSession() != null ? provider.getUserSession(realm, entity.getUserSession(), offline) : null; -// } -// -// @Override -// public void setUserSession(UserSessionModel userSession) { -// if (userSession == null) { -// if (entity.getUserSession() != null) { -// provider.dettachSession(getUserSession(), this); -// } -// entity.setUserSession(null); -// } else { -// UserSessionAdapter userSessionAdapter = (UserSessionAdapter) userSession; -// if (entity.getUserSession() != null) { -// if (entity.getUserSession().equals(userSession.getId())) { -// return; -// } else { -// provider.dettachSession(userSessionAdapter, this); -// } -// } else { -// provider.attachSession(userSessionAdapter, this); -// } -// -// entity.setUserSession(userSession.getId()); -// } -// } - @Override public String getRedirectUri() { return entity.getRedirectUri(); @@ -104,6 +81,7 @@ public class LoginSessionAdapter implements LoginSessionModel { @Override public void setRedirectUri(String uri) { entity.setRedirectUri(uri); + update(); } @Override @@ -114,6 +92,7 @@ public class LoginSessionAdapter implements LoginSessionModel { @Override public void setTimestamp(int timestamp) { entity.setTimestamp(timestamp); + update(); } @Override @@ -124,6 +103,7 @@ public class LoginSessionAdapter implements LoginSessionModel { @Override public void setAction(String action) { entity.setAction(action); + update(); } @Override @@ -135,6 +115,7 @@ public class LoginSessionAdapter implements LoginSessionModel { @Override public void setRoles(Set roles) { entity.setRoles(roles); + update(); } @Override @@ -146,6 +127,7 @@ public class LoginSessionAdapter implements LoginSessionModel { @Override public void setProtocolMappers(Set protocolMappers) { entity.setProtocolMappers(protocolMappers); + update(); } @Override @@ -156,6 +138,7 @@ public class LoginSessionAdapter implements LoginSessionModel { @Override public void setProtocol(String protocol) { entity.setProtocol(protocol); + update(); } @Override @@ -169,6 +152,7 @@ public class LoginSessionAdapter implements LoginSessionModel { entity.setNotes(new HashMap()); } entity.getNotes().put(name, value); + update(); } @Override @@ -176,6 +160,7 @@ public class LoginSessionAdapter implements LoginSessionModel { if (entity.getNotes() != null) { entity.getNotes().remove(name); } + update(); } @Override @@ -186,12 +171,41 @@ public class LoginSessionAdapter implements LoginSessionModel { return copy; } + @Override + public String getAuthNote(String name) { + return entity.getAuthNotes() != null ? entity.getAuthNotes().get(name) : null; + } + + @Override + public void setAuthNote(String name, String value) { + if (entity.getAuthNotes() == null) { + entity.setAuthNotes(new HashMap()); + } + entity.getAuthNotes().put(name, value); + update(); + } + + @Override + public void removeAuthNote(String name) { + if (entity.getAuthNotes() != null) { + entity.getAuthNotes().remove(name); + } + update(); + } + + @Override + public void clearAuthNotes() { + entity.setAuthNotes(new HashMap<>()); + update(); + } + @Override public void setUserSessionNote(String name, String value) { if (entity.getUserSessionNotes() == null) { entity.setUserSessionNotes(new HashMap()); } entity.getUserSessionNotes().put(name, value); + update(); } @@ -208,6 +222,7 @@ public class LoginSessionAdapter implements LoginSessionModel { @Override public void clearUserSessionNotes() { entity.setUserSessionNotes(new HashMap()); + update(); } @@ -221,19 +236,20 @@ public class LoginSessionAdapter implements LoginSessionModel { @Override public void addRequiredAction(String action) { entity.getRequiredActions().add(action); + update(); } @Override public void removeRequiredAction(String action) { entity.getRequiredActions().remove(action); + update(); } @Override public void addRequiredAction(UserModel.RequiredAction action) { addRequiredAction(action.name()); - } @Override @@ -242,19 +258,22 @@ public class LoginSessionAdapter implements LoginSessionModel { } @Override - public Map getExecutionStatus() { + public Map getExecutionStatus() { + return entity.getExecutionStatus(); } @Override - public void setExecutionStatus(String authenticator, LoginSessionModel.ExecutionStatus status) { + public void setExecutionStatus(String authenticator, AuthenticationSessionModel.ExecutionStatus status) { entity.getExecutionStatus().put(authenticator, status); + update(); } @Override public void clearExecutionStatus() { entity.getExecutionStatus().clear(); + update(); } @Override @@ -265,6 +284,6 @@ public class LoginSessionAdapter implements LoginSessionModel { public void setAuthenticatedUser(UserModel user) { if (user == null) entity.setAuthUserId(null); else entity.setAuthUserId(user.getId()); - + update(); } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java new file mode 100644 index 0000000000..9e021dbfcf --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java @@ -0,0 +1,183 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.sessions.infinispan; + +import java.util.Iterator; +import java.util.Map; + +import org.infinispan.Cache; +import org.infinispan.context.Flag; +import org.jboss.logging.Logger; +import org.keycloak.common.util.Time; +import org.keycloak.models.ClientModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity; +import org.keycloak.models.sessions.infinispan.stream.AuthenticationSessionPredicate; +import org.keycloak.models.utils.KeycloakModelUtils; +import org.keycloak.models.utils.RealmInfoUtil; +import org.keycloak.services.util.CookieHelper; +import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.AuthenticationSessionProvider; + +/** + * @author Marek Posolda + */ +public class InfinispanAuthenticationSessionProvider implements AuthenticationSessionProvider { + + private static final Logger log = Logger.getLogger(InfinispanAuthenticationSessionProvider.class); + + private final KeycloakSession session; + private final Cache cache; + protected final InfinispanKeycloakTransaction tx; + + public static final String AUTH_SESSION_ID = "AUTH_SESSION_ID"; + + public InfinispanAuthenticationSessionProvider(KeycloakSession session, Cache cache) { + this.session = session; + this.cache = cache; + + this.tx = new InfinispanKeycloakTransaction(); + session.getTransactionManager().enlistAfterCompletion(tx); + } + + + @Override + public AuthenticationSessionModel createAuthenticationSession(RealmModel realm, ClientModel client, boolean browser) { + String id = KeycloakModelUtils.generateId(); + + AuthenticationSessionEntity entity = new AuthenticationSessionEntity(); + entity.setId(id); + entity.setRealm(realm.getId()); + entity.setTimestamp(Time.currentTime()); + entity.setClientUuid(client.getId()); + + tx.put(cache, id, entity); + + if (browser) { + setBrowserCookie(id, realm); + } + + AuthenticationSessionAdapter wrap = wrap(realm, entity); + return wrap; + } + + private AuthenticationSessionAdapter wrap(RealmModel realm, AuthenticationSessionEntity entity) { + return entity==null ? null : new AuthenticationSessionAdapter(session, this, cache, realm, entity); + } + + @Override + public String getCurrentAuthenticationSessionId(RealmModel realm) { + return getIdFromBrowserCookie(); + } + + @Override + public AuthenticationSessionModel getCurrentAuthenticationSession(RealmModel realm) { + String authSessionId = getIdFromBrowserCookie(); + return authSessionId==null ? null : getAuthenticationSession(realm, authSessionId); + } + + @Override + public AuthenticationSessionModel getAuthenticationSession(RealmModel realm, String authenticationSessionId) { + AuthenticationSessionEntity entity = getAuthenticationSessionEntity(realm, authenticationSessionId); + return wrap(realm, entity); + } + + private AuthenticationSessionEntity getAuthenticationSessionEntity(RealmModel realm, String authSessionId) { + AuthenticationSessionEntity entity = cache.get(authSessionId); + + // Chance created in this transaction TODO:mposolda should it be opposite and rather look locally first? Check performance... + if (entity == null) { + entity = tx.get(cache, authSessionId); + } + + return entity; + } + + @Override + public void removeAuthenticationSession(RealmModel realm, AuthenticationSessionModel authenticationSession) { + tx.remove(cache, authenticationSession.getId()); + } + + @Override + public void removeExpired(RealmModel realm) { + log.debugf("Removing expired sessions"); + + int expired = Time.currentTime() - RealmInfoUtil.getDettachedClientSessionLifespan(realm); + + + // Each cluster node cleanups just local sessions, which are those owned by himself (+ few more taking l1 cache into account) + Iterator> itr = cache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL) + .entrySet().stream().filter(AuthenticationSessionPredicate.create(realm.getId()).expired(expired)).iterator(); + + int counter = 0; + while (itr.hasNext()) { + counter++; + AuthenticationSessionEntity entity = itr.next().getValue(); + tx.remove(cache, entity.getId()); + } + + log.debugf("Removed %d expired user sessions for realm '%s'", counter, realm.getName()); + } + + @Override + public void onRealmRemoved(RealmModel realm) { + Iterator> itr = cache.entrySet().stream().filter(AuthenticationSessionPredicate.create(realm.getId())).iterator(); + while (itr.hasNext()) { + cache.remove(itr.next().getKey()); + } + } + + @Override + public void onClientRemoved(RealmModel realm, ClientModel client) { + Iterator> itr = cache.entrySet().stream().filter(AuthenticationSessionPredicate.create(realm.getId()).client(client.getId())).iterator(); + while (itr.hasNext()) { + cache.remove(itr.next().getKey()); + } + } + + @Override + public void close() { + + } + + // COOKIE STUFF + + protected void setBrowserCookie(String authSessionId, RealmModel realm) { + String cookiePath = CookieHelper.getRealmCookiePath(realm); + boolean sslRequired = realm.getSslRequired().isRequired(session.getContext().getConnection()); + CookieHelper.addCookie(AUTH_SESSION_ID, authSessionId, cookiePath, null, null, -1, sslRequired, true); + + // TODO trace with isTraceEnabled + log.infof("Set AUTH_SESSION_ID cookie with value %s", authSessionId); + } + + protected String getIdFromBrowserCookie() { + String cookieVal = CookieHelper.getCookieValue(AUTH_SESSION_ID); + + if (log.isTraceEnabled()) { + if (cookieVal != null) { + log.tracef("Found AUTH_SESSION_ID cookie with value %s", cookieVal); + } else { + log.tracef("Not found AUTH_SESSION_ID cookie"); + } + } + + return cookieVal; + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java new file mode 100644 index 0000000000..e6da14ef0c --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java @@ -0,0 +1,60 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.sessions.infinispan; + +import org.infinispan.Cache; +import org.keycloak.Config; +import org.keycloak.connections.infinispan.InfinispanConnectionProvider; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.KeycloakSessionFactory; +import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity; +import org.keycloak.sessions.AuthenticationSessionProvider; +import org.keycloak.sessions.AuthenticationSessionProviderFactory; + +/** + * @author Marek Posolda + */ +public class InfinispanAuthenticationSessionProviderFactory implements AuthenticationSessionProviderFactory { + + + @Override + public void init(Config.Scope config) { + + } + + @Override + public AuthenticationSessionProvider create(KeycloakSession session) { + InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class); + Cache authSessionsCache = connections.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME); + + return new InfinispanAuthenticationSessionProvider(session, authSessionsCache); + } + + @Override + public void postInit(KeycloakSessionFactory factory) { + } + + @Override + public void close() { + } + + @Override + public String getId() { + return "infinispan"; + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java index 7fa9f81337..72ea8be57b 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java @@ -23,7 +23,7 @@ import org.infinispan.context.Flag; import org.jboss.logging.Logger; import org.keycloak.common.util.Time; import org.keycloak.models.ClientInitialAccessModel; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -35,6 +35,7 @@ import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionProvider; import org.keycloak.models.session.UserSessionPersisterProvider; import org.keycloak.models.sessions.infinispan.entities.ClientInitialAccessEntity; +import org.keycloak.models.sessions.infinispan.entities.ClientLoginSessionEntity; import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity; import org.keycloak.models.sessions.infinispan.entities.LoginFailureEntity; import org.keycloak.models.sessions.infinispan.entities.LoginFailureKey; @@ -57,7 +58,6 @@ import java.util.Iterator; import java.util.LinkedList; import java.util.List; import java.util.Map; -import java.util.Set; import java.util.function.Consumer; import java.util.function.Predicate; import java.util.stream.Stream; @@ -90,7 +90,8 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { return offline ? offlineSessionCache : sessionCache; } - /* + + // TODO:mposolda remove @Override public ClientSessionModel createClientSession(RealmModel realm, ClientModel client) { String id = KeycloakModelUtils.generateId(); @@ -106,12 +107,16 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { ClientSessionAdapter wrap = wrap(realm, entity, false); return wrap; - }*/ + } - // TODO:mposolda @Override - public ClientLoginSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession) { - return null; + public AuthenticatedClientSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession) { + ClientLoginSessionEntity entity = new ClientLoginSessionEntity(); + entity.setClient(client.getId()); + + AuthenticatedClientSessionAdapter adapter = new AuthenticatedClientSessionAdapter(entity, (UserSessionAdapter) userSession, this, sessionCache); + adapter.setUserSession(userSession); + return adapter; } @Override @@ -629,7 +634,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { }*/ @Override - public ClientLoginSessionModel createOfflineClientSession(ClientLoginSessionModel clientSession) { + public AuthenticatedClientSessionModel createOfflineClientSession(AuthenticatedClientSessionModel clientSession) { return null; } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java index 6c81313c74..245e3e834e 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java @@ -18,12 +18,13 @@ package org.keycloak.models.sessions.infinispan; import org.infinispan.Cache; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; +import org.keycloak.models.sessions.infinispan.entities.ClientLoginSessionEntity; import org.keycloak.models.sessions.infinispan.entities.SessionEntity; import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; @@ -61,10 +62,16 @@ public class UserSessionAdapter implements UserSessionModel { this.offline = offline; } - // TODO;mposolda @Override - public Map getClientLoginSessions() { - return null; + public Map getAuthenticatedClientSessions() { + Map clientSessionEntities = entity.getClientLoginSessions(); + Map result = new HashMap<>(); + + clientSessionEntities.forEach((String key, ClientLoginSessionEntity value) -> { + result.put(key, new AuthenticatedClientSessionAdapter(value, this, provider, cache)); + }); + + return Collections.unmodifiableMap(result); } public String getId() { diff --git a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java similarity index 79% rename from model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionEntity.java rename to model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java index 97ccad4bfc..dad05e08fe 100644 --- a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/LoginSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java @@ -15,18 +15,19 @@ * limitations under the License. */ -package org.keycloak.sessions.infinispan; +package org.keycloak.models.sessions.infinispan.entities; +import java.util.HashMap; +import java.util.HashSet; import java.util.Map; import java.util.Set; -import org.keycloak.models.sessions.infinispan.entities.SessionEntity; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; /** * @author Marek Posolda */ -public class LoginSessionEntity extends SessionEntity { +public class AuthenticationSessionEntity extends SessionEntity { private String clientUuid; private String authUserId; @@ -37,11 +38,12 @@ public class LoginSessionEntity extends SessionEntity { private Set roles; private Set protocolMappers; - private Map executionStatus; + private Map executionStatus = new HashMap<>();; private String protocol; private Map notes; - private Set requiredActions; + private Map authNotes; + private Set requiredActions = new HashSet<>(); private Map userSessionNotes; public String getClientUuid() { @@ -100,11 +102,11 @@ public class LoginSessionEntity extends SessionEntity { this.protocolMappers = protocolMappers; } - public Map getExecutionStatus() { + public Map getExecutionStatus() { return executionStatus; } - public void setExecutionStatus(Map executionStatus) { + public void setExecutionStatus(Map executionStatus) { this.executionStatus = executionStatus; } @@ -139,4 +141,12 @@ public class LoginSessionEntity extends SessionEntity { public void setUserSessionNotes(Map userSessionNotes) { this.userSessionNotes = userSessionNotes; } + + public Map getAuthNotes() { + return authNotes; + } + + public void setAuthNotes(Map authNotes) { + this.authNotes = authNotes; + } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientLoginSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientLoginSessionEntity.java new file mode 100644 index 0000000000..15ed11d455 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientLoginSessionEntity.java @@ -0,0 +1,111 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.sessions.infinispan.entities; + +import java.util.Map; +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class ClientLoginSessionEntity { + + private String id; + private String client; + private String authMethod; + private String redirectUri; + private int timestamp; + private String action; + + private Set roles; + private Set protocolMappers; + private Map notes; + + public String getId() { + return id; + } + + public void setId(String id) { + this.id = id; + } + + public String getClient() { + return client; + } + + public void setClient(String client) { + this.client = client; + } + + public String getAuthMethod() { + return authMethod; + } + + public void setAuthMethod(String authMethod) { + this.authMethod = authMethod; + } + + public String getRedirectUri() { + return redirectUri; + } + + public void setRedirectUri(String redirectUri) { + this.redirectUri = redirectUri; + } + + public int getTimestamp() { + return timestamp; + } + + public void setTimestamp(int timestamp) { + this.timestamp = timestamp; + } + + public String getAction() { + return action; + } + + public void setAction(String action) { + this.action = action; + } + + public Set getRoles() { + return roles; + } + + public void setRoles(Set roles) { + this.roles = roles; + } + + public Set getProtocolMappers() { + return protocolMappers; + } + + public void setProtocolMappers(Set protocolMappers) { + this.protocolMappers = protocolMappers; + } + + public Map getNotes() { + return notes; + } + + public void setNotes(Map notes) { + this.notes = notes; + } + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java index 6bce9e9287..0cbdc79d9b 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java @@ -18,7 +18,6 @@ package org.keycloak.models.sessions.infinispan.entities; import org.keycloak.models.ClientSessionModel; -import org.keycloak.sessions.LoginSessionModel; import java.util.HashMap; import java.util.HashSet; diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java index 538babfa4d..3a5a4eb7f4 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java @@ -52,6 +52,8 @@ public class UserSessionEntity extends SessionEntity { private Map notes = new ConcurrentHashMap<>(); + private Map clientLoginSessions; + public String getUser() { return user; } @@ -120,6 +122,14 @@ public class UserSessionEntity extends SessionEntity { this.notes = notes; } + public Map getClientLoginSessions() { + return clientLoginSessions; + } + + public void setClientLoginSessions(Map clientLoginSessions) { + this.clientLoginSessions = clientLoginSessions; + } + public UserSessionModel.State getState() { return state; } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/AuthenticationSessionPredicate.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/AuthenticationSessionPredicate.java new file mode 100644 index 0000000000..c471793842 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/AuthenticationSessionPredicate.java @@ -0,0 +1,105 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.sessions.infinispan.stream; + +import java.io.Serializable; +import java.util.Map; +import java.util.function.Predicate; + +import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity; + +/** + * @author Marek Posolda + */ +public class AuthenticationSessionPredicate implements Predicate>, Serializable { + + private String realm; + + private String client; + + private String user; + + private Integer expired; + + //private String brokerSessionId; + //private String brokerUserId; + + private AuthenticationSessionPredicate(String realm) { + this.realm = realm; + } + + public static AuthenticationSessionPredicate create(String realm) { + return new AuthenticationSessionPredicate(realm); + } + + public AuthenticationSessionPredicate user(String user) { + this.user = user; + return this; + } + + public AuthenticationSessionPredicate client(String client) { + this.client = client; + return this; + } + + public AuthenticationSessionPredicate expired(Integer expired) { + this.expired = expired; + return this; + } + +// public UserSessionPredicate brokerSessionId(String id) { +// this.brokerSessionId = id; +// return this; +// } + +// public UserSessionPredicate brokerUserId(String id) { +// this.brokerUserId = id; +// return this; +// } + + @Override + public boolean test(Map.Entry entry) { + AuthenticationSessionEntity entity = entry.getValue(); + + if (!realm.equals(entity.getRealm())) { + return false; + } + + if (user != null && !entity.getAuthUserId().equals(user)) { + return false; + } + + if (client != null && !entity.getClientUuid().equals(client)) { + return false; + } + +// if (brokerSessionId != null && !brokerSessionId.equals(entity.getBrokerSessionId())) { +// return false; +// } +// +// if (brokerUserId != null && !brokerUserId.equals(entity.getBrokerUserId())) { +// return false; +// } + + if (expired != null && entity.getTimestamp() > expired) { + return false; + } + + return true; + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/InfinispanLoginSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/InfinispanLoginSessionProvider.java deleted file mode 100644 index 8389424c3c..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/sessions/infinispan/InfinispanLoginSessionProvider.java +++ /dev/null @@ -1,69 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.sessions.infinispan; - -import org.keycloak.models.ClientModel; -import org.keycloak.models.RealmModel; -import org.keycloak.sessions.LoginSessionModel; -import org.keycloak.sessions.LoginSessionProvider; - -/** - * @author Marek Posolda - */ -public class InfinispanLoginSessionProvider implements LoginSessionProvider { - - @Override - public LoginSessionModel createLoginSession(RealmModel realm, ClientModel client, boolean browser) { - return null; - } - - @Override - public LoginSessionModel getCurrentLoginSession(RealmModel realm) { - return null; - } - - @Override - public LoginSessionModel getLoginSession(RealmModel realm, String loginSessionId) { - return null; - } - - @Override - public void removeLoginSession(RealmModel realm, LoginSessionModel loginSession) { - - } - - @Override - public void removeExpired(RealmModel realm) { - - } - - @Override - public void onRealmRemoved(RealmModel realm) { - - } - - @Override - public void onClientRemoved(RealmModel realm, ClientModel client) { - - } - - @Override - public void close() { - - } -} diff --git a/model/infinispan/src/main/resources/META-INF/services/org.keycloak.sessions.AuthenticationSessionProviderFactory b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.sessions.AuthenticationSessionProviderFactory new file mode 100644 index 0000000000..2c7b29898f --- /dev/null +++ b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.sessions.AuthenticationSessionProviderFactory @@ -0,0 +1,18 @@ +# +# Copyright 2016 Red Hat, Inc. and/or its affiliates +# and other contributors as indicated by the @author tags. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +org.keycloak.models.sessions.infinispan.InfinispanAuthenticationSessionProviderFactory \ No newline at end of file diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java index e842948493..170654f7d1 100644 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java @@ -17,7 +17,7 @@ package org.keycloak.models.jpa.session; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -25,7 +25,7 @@ import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; -import org.keycloak.models.session.PersistentClientSessionAdapter; +import org.keycloak.models.session.PersistentAuthenticatedClientSessionAdapter; import org.keycloak.models.session.PersistentClientSessionModel; import org.keycloak.models.session.PersistentUserSessionAdapter; import org.keycloak.models.session.PersistentUserSessionModel; @@ -69,8 +69,8 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv } @Override - public void createClientSession(UserSessionModel userSession, ClientLoginSessionModel clientSession, boolean offline) { - PersistentClientSessionAdapter adapter = new PersistentClientSessionAdapter(clientSession); + public void createClientSession(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, boolean offline) { + PersistentAuthenticatedClientSessionAdapter adapter = new PersistentAuthenticatedClientSessionAdapter(clientSession); PersistentClientSessionModel model = adapter.getUpdatedModel(); PersistentClientSessionEntity entity = new PersistentClientSessionEntity(); @@ -260,7 +260,7 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv return new PersistentUserSessionAdapter(model, realm, user, clientSessions); } - private PersistentClientSessionAdapter toAdapter(RealmModel realm, PersistentUserSessionAdapter userSession, PersistentClientSessionEntity entity) { + private PersistentAuthenticatedClientSessionAdapter toAdapter(RealmModel realm, PersistentUserSessionAdapter userSession, PersistentClientSessionEntity entity) { ClientModel client = realm.getClientById(entity.getClientId()); PersistentClientSessionModel model = new PersistentClientSessionModel(); @@ -270,7 +270,7 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv model.setUserId(userSession.getUser().getId()); model.setTimestamp(entity.getTimestamp()); model.setData(entity.getData()); - return new PersistentClientSessionAdapter(model, realm, client, userSession); + return new PersistentAuthenticatedClientSessionAdapter(model, realm, client, userSession); } @Override diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java index 80c7575c0b..e87256518d 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java @@ -18,11 +18,10 @@ package org.keycloak.authentication; import org.keycloak.forms.login.LoginFormsProvider; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.FormMessage; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import java.net.URI; @@ -63,7 +62,7 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon * * @return */ - LoginSessionModel getLoginSession(); + AuthenticationSessionModel getAuthenticationSession(); /** * Create a Freemarker form builder that presets the user, action URI, and a generated access code @@ -81,11 +80,11 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon URI getActionUrl(String code); /** - * Get the action URL for the required action. This auto-generates the access code. + * Get the refresh URL for the required action. * * @return */ - URI getActionUrl(); + URI getRefreshExecutionUrl(); /** * End the flow and redirect browser based on protocol specific respones. This should only be executed diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java index b131c2021b..2c1255d57a 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/FormContext.java @@ -22,11 +22,10 @@ import org.keycloak.common.ClientConnection; import org.keycloak.events.EventBuilder; import org.keycloak.models.AuthenticationExecutionModel; import org.keycloak.models.AuthenticatorConfigModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.UriInfo; @@ -80,11 +79,11 @@ public interface FormContext { RealmModel getRealm(); /** - * LoginSessionModel attached to this flow + * AuthenticationSessionModel attached to this flow * * @return */ - LoginSessionModel getLoginSession(); + AuthenticationSessionModel getAuthenticationSession(); /** * Information about the IP address from the connecting HTTP client. diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java index df0bc66c03..caaa14e59c 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java @@ -21,12 +21,10 @@ import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.common.ClientConnection; import org.keycloak.events.EventBuilder; import org.keycloak.forms.login.LoginFormsProvider; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; @@ -91,7 +89,7 @@ public interface RequiredActionContext { */ UserModel getUser(); RealmModel getRealm(); - LoginSessionModel getLoginSession(); + AuthenticationSessionModel getAuthenticationSession(); ClientConnection getConnection(); UriInfo getUriInfo(); KeycloakSession getSession(); diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java index bcce1b880f..a2b1dc5624 100755 --- a/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java +++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/BrokeredIdentityContext.java @@ -16,10 +16,9 @@ */ package org.keycloak.broker.provider; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; import org.keycloak.models.IdentityProviderModel; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import java.util.ArrayList; import java.util.HashMap; @@ -47,7 +46,7 @@ public class BrokeredIdentityContext { private IdentityProviderModel idpConfig; private IdentityProvider idp; private Map contextData = new HashMap<>(); - private LoginSessionModel loginSession; + private AuthenticationSessionModel authenticationSession; public BrokeredIdentityContext(String id) { if (id == null) { @@ -191,12 +190,12 @@ public class BrokeredIdentityContext { this.lastName = lastName; } - public LoginSessionModel getLoginSession() { - return loginSession; + public AuthenticationSessionModel getAuthenticationSession() { + return authenticationSession; } - public void setLoginSession(LoginSessionModel loginSession) { - this.loginSession = loginSession; + public void setAuthenticationSession(AuthenticationSessionModel authenticationSession) { + this.authenticationSession = authenticationSession; } public void setName(String name) { diff --git a/server-spi-private/src/main/java/org/keycloak/events/Details.java b/server-spi-private/src/main/java/org/keycloak/events/Details.java index 0ef227dabc..3e72e8e439 100755 --- a/server-spi-private/src/main/java/org/keycloak/events/Details.java +++ b/server-spi-private/src/main/java/org/keycloak/events/Details.java @@ -48,6 +48,7 @@ public interface Details { String CLIENT_SESSION_STATE = "client_session_state"; String CLIENT_SESSION_HOST = "client_session_host"; String RESTART_AFTER_TIMEOUT = "restart_after_timeout"; + String RESTART_REQUESTED = "restart_requested"; String CONSENT = "consent"; String CONSENT_VALUE_NO_CONSENT_REQUIRED = "no_consent_required"; // No consent is required by client diff --git a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java index fcaff7a520..476e3aa8bf 100755 --- a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java +++ b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java @@ -24,6 +24,6 @@ public enum LoginFormsPages { LOGIN, LOGIN_TOTP, LOGIN_CONFIG_TOTP, LOGIN_VERIFY_EMAIL, LOGIN_IDP_LINK_CONFIRM, LOGIN_IDP_LINK_EMAIL, - OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, REGISTER, INFO, ERROR, LOGIN_UPDATE_PROFILE, CODE; + OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, REGISTER, INFO, ERROR, LOGIN_UPDATE_PROFILE, LOGIN_PAGE_EXPIRED, CODE; } diff --git a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java index a379e9df13..f94e5881d8 100755 --- a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java @@ -22,7 +22,7 @@ import org.keycloak.models.RoleModel; import org.keycloak.models.UserModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.provider.Provider; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; @@ -68,6 +68,8 @@ public interface LoginFormsProvider extends Provider { public Response createIdpLinkEmailPage(); + public Response createLoginExpiredPage(); + public Response createErrorPage(); public Response createOAuthGrant(); @@ -76,7 +78,7 @@ public interface LoginFormsProvider extends Provider { public LoginFormsProvider setClientSessionCode(String accessCode); - public LoginFormsProvider setLoginSession(LoginSessionModel loginSession); + public LoginFormsProvider setAuthenticationSession(AuthenticationSessionModel authenticationSession); public LoginFormsProvider setAccessRequest(List realmRolesRequested, MultivaluedMap resourceRolesRequested, List protocolMappers); public LoginFormsProvider setAccessRequest(String message); diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java b/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java index c860ea3090..51efc238ad 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java @@ -18,9 +18,8 @@ package org.keycloak.models.session; import org.keycloak.Config; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.RealmModel; @@ -71,7 +70,7 @@ public class DisabledUserSessionPersisterProvider implements UserSessionPersiste } @Override - public void createClientSession(UserSessionModel userSession, ClientLoginSessionModel clientSession, boolean offline) { + public void createClientSession(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, boolean offline) { } diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java similarity index 94% rename from server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionAdapter.java rename to server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java index 7194382bb8..d410aba2be 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java @@ -18,26 +18,24 @@ package org.keycloak.models.session; import com.fasterxml.jackson.annotation.JsonProperty; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.util.JsonSerialization; import java.io.IOException; import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.Map; import java.util.Set; /** * @author Marek Posolda */ -public class PersistentClientSessionAdapter implements ClientLoginSessionModel { +public class PersistentAuthenticatedClientSessionAdapter implements AuthenticatedClientSessionModel { private final PersistentClientSessionModel model; private final RealmModel realm; @@ -46,7 +44,7 @@ public class PersistentClientSessionAdapter implements ClientLoginSessionModel { private PersistentClientSessionData data; - public PersistentClientSessionAdapter(ClientLoginSessionModel clientSession) { + public PersistentAuthenticatedClientSessionAdapter(AuthenticatedClientSessionModel clientSession) { data = new PersistentClientSessionData(); data.setAction(clientSession.getAction()); data.setAuthMethod(clientSession.getProtocol()); @@ -69,7 +67,7 @@ public class PersistentClientSessionAdapter implements ClientLoginSessionModel { userSession = clientSession.getUserSession(); } - public PersistentClientSessionAdapter(PersistentClientSessionModel model, RealmModel realm, ClientModel client, UserSessionModel userSession) { + public PersistentAuthenticatedClientSessionAdapter(PersistentClientSessionModel model, RealmModel realm, ClientModel client, UserSessionModel userSession) { this.model = model; this.realm = realm; this.client = client; diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java index 882dd539d0..7b14ec1d23 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java @@ -18,7 +18,7 @@ package org.keycloak.models.session; import com.fasterxml.jackson.annotation.JsonProperty; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; @@ -162,7 +162,7 @@ public class PersistentUserSessionAdapter implements UserSessionModel { // TODO:mposolda @Override - public Map getClientLoginSessions() { + public Map getAuthenticatedClientSessions() { return null; } diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java b/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java index cbaf31eb30..c5370edec7 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java @@ -17,7 +17,7 @@ package org.keycloak.models.session; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; @@ -35,7 +35,7 @@ public interface UserSessionPersisterProvider extends Provider { void createUserSession(UserSessionModel userSession, boolean offline); // Assuming that corresponding userSession is already persisted - void createClientSession(UserSessionModel userSession, ClientLoginSessionModel clientSession, boolean offline); + void createClientSession(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, boolean offline); void updateUserSession(UserSessionModel userSession, boolean offline); diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java index 3ebe6d3396..fb2c727433 100755 --- a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java +++ b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java @@ -45,9 +45,8 @@ import org.keycloak.events.admin.AuthDetails; import org.keycloak.models.AuthenticationExecutionModel; import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.AuthenticatorConfigModel; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ClientTemplateModel; import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.GroupModel; @@ -486,7 +485,7 @@ public class ModelToRepresentation { rep.setUsername(session.getUser().getUsername()); rep.setUserId(session.getUser().getId()); rep.setIpAddress(session.getIpAddress()); - for (ClientLoginSessionModel clientSession : session.getClientLoginSessions().values()) { + for (AuthenticatedClientSessionModel clientSession : session.getAuthenticatedClientSessions().values()) { ClientModel client = clientSession.getClient(); rep.getClients().put(client.getId(), client.getClientId()); } diff --git a/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java b/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java index 015ead0fa3..8fc9fd9555 100755 --- a/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java +++ b/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java @@ -18,14 +18,13 @@ package org.keycloak.protocol; import org.keycloak.events.EventBuilder; -import org.keycloak.models.ClientLoginSessionModel; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; import org.keycloak.provider.Provider; import org.keycloak.services.managers.ClientSessionCode; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; @@ -68,19 +67,19 @@ public interface LoginProtocol extends Provider { LoginProtocol setEventBuilder(EventBuilder event); - Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode); + Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode); - Response sendError(LoginSessionModel loginSession, Error error); + Response sendError(AuthenticationSessionModel authSession, Error error); - void backchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession); - Response frontchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession); + void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); + Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); Response finishLogout(UserSessionModel userSession); /** * @param userSession - * @param loginSession + * @param authSession * @return true if SSO cookie authentication can't be used. User will need to "actively" reauthenticate */ - boolean requireReauthentication(UserSessionModel userSession, LoginSessionModel loginSession); + boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession); } diff --git a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java b/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java index 4096924bed..873c614c04 100755 --- a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java +++ b/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java @@ -64,7 +64,7 @@ public class ClientSessionCode public static class ParseResult { ClientSessionCode code; - boolean loginSessionNotFound; + boolean authSessionNotFound; boolean illegalHash; CLIENT_SESSION clientSession; @@ -72,8 +72,8 @@ public class ClientSessionCode return code; } - public boolean isLoginSessionNotFound() { - return loginSessionNotFound; + public boolean isAuthSessionNotFound() { + return authSessionNotFound; } public boolean isIllegalHash() { @@ -94,7 +94,7 @@ public class ClientSessionCode try { result.clientSession = getClientSession(code, session, realm, sessionClass); if (result.clientSession == null) { - result.loginSessionNotFound = true; + result.authSessionNotFound = true; return result; } @@ -111,25 +111,15 @@ public class ClientSessionCode } } - public static ClientSessionCode parse(String code, KeycloakSession session, RealmModel realm, Class sessionClass) { - try { - CLIENT_SESSION clientSession = getClientSession(code, session, realm, sessionClass); - if (clientSession == null) { - return null; - } - - if (!verifyCode(code, clientSession)) { - return null; - } - - return new ClientSessionCode<>(session, realm, clientSession); - } catch (RuntimeException e) { - return null; - } - } - public static CLIENT_SESSION getClientSession(String code, KeycloakSession session, RealmModel realm, Class sessionClass) { - return CodeGenerateUtil.parseSession(code, session, realm, sessionClass); + CLIENT_SESSION clientSession = CodeGenerateUtil.parseSession(code, session, realm, sessionClass); + + // TODO:mposolda Move this to somewhere else? Maybe LoginActionsService.sessionCodeChecks should be somehow even for non-action URLs... + if (clientSession != null) { + session.getContext().setClient(clientSession.getClient()); + } + + return clientSession; } public CLIENT_SESSION getClientSession() { @@ -173,6 +163,10 @@ public class ClientSessionCode return true; } + public void removeExpiredClientSession() { + CodeGenerateUtil.removeExpiredSession(session, commonLoginSession); + } + public Set getRequestedRoles() { Set requestedRoles = new HashSet<>(); @@ -222,18 +216,18 @@ public class ClientSessionCode return nextCode; } - private static String generateCode(CommonClientSessionModel loginSession) { + private static String generateCode(CommonClientSessionModel authSession) { try { String actionId = Base64Url.encode(KeycloakModelUtils.generateSecret()); StringBuilder sb = new StringBuilder(); sb.append(actionId); sb.append('.'); - sb.append(loginSession.getId()); + sb.append(authSession.getId()); // https://tools.ietf.org/html/rfc7636#section-4 - String codeChallenge = loginSession.getNote(OAuth2Constants.CODE_CHALLENGE); - String codeChallengeMethod = loginSession.getNote(OAuth2Constants.CODE_CHALLENGE_METHOD); + String codeChallenge = authSession.getNote(OAuth2Constants.CODE_CHALLENGE); + String codeChallengeMethod = authSession.getNote(OAuth2Constants.CODE_CHALLENGE_METHOD); if (codeChallenge != null) { logger.debugf("PKCE received codeChallenge = %s", codeChallenge); if (codeChallengeMethod == null) { @@ -244,9 +238,9 @@ public class ClientSessionCode } } - String code = CodeGenerateUtil.generateCode(loginSession, actionId); + String code = CodeGenerateUtil.generateCode(authSession, actionId); - loginSession.setNote(ACTIVE_CODE, code); + authSession.setNote(ACTIVE_CODE, code); return code; } catch (Exception e) { @@ -254,15 +248,15 @@ public class ClientSessionCode } } - private static boolean verifyCode(String code, CommonClientSessionModel loginSession) { + public static boolean verifyCode(String code, CommonClientSessionModel authSession) { try { - String activeCode = loginSession.getNote(ACTIVE_CODE); + String activeCode = authSession.getNote(ACTIVE_CODE); if (activeCode == null) { logger.debug("Active code not found in client session"); return false; } - loginSession.removeNote(ACTIVE_CODE); + authSession.removeNote(ACTIVE_CODE); return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes()); } catch (Exception e) { diff --git a/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java b/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java index 9c6a571be2..5313e73626 100644 --- a/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java +++ b/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java @@ -17,58 +17,90 @@ package org.keycloak.services.managers; -import org.keycloak.models.ClientLoginSessionModel; -import org.keycloak.models.ClientModel; +import java.util.HashMap; +import java.util.Map; + +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; import org.keycloak.sessions.CommonClientSessionModel; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; /** - * TODO: More object oriented and rather add parsing/generating logic into the session implementations itself * * @author Marek Posolda */ class CodeGenerateUtil { - static CS parseSession(String code, KeycloakSession session, RealmModel realm, Class expectedClazz) { - CommonClientSessionModel result = null; - if (expectedClazz.equals(ClientSessionModel.class)) { - try { - String[] parts = code.split("\\."); - String id = parts[2]; - result = session.sessions().getClientSession(realm, id); - } catch (ArrayIndexOutOfBoundsException e) { - return null; - } - } else if (expectedClazz.equals(LoginSessionModel.class)) { - result = session.loginSessions().getCurrentLoginSession(realm); - } else if (expectedClazz.equals(ClientLoginSessionModel.class)) { - try { - String[] parts = code.split("\\."); - String userSessionId = parts[1]; - String clientUUID = parts[2]; + private static final Map, ClientSessionParser> PARSERS = new HashMap<>(); - UserSessionModel userSession = session.sessions().getUserSession(realm, userSessionId); - if (userSession == null) { - return null; - } + static { + PARSERS.put(ClientSessionModel.class, new ClientSessionModelParser()); + PARSERS.put(AuthenticationSessionModel.class, new AuthenticationSessionModelParser()); + PARSERS.put(AuthenticatedClientSessionModel.class, new AuthenticatedClientSessionModelParser()); + } - result = userSession.getClientLoginSessions().get(clientUUID); - } catch (ArrayIndexOutOfBoundsException e) { - return null; - } - } else { - throw new IllegalArgumentException("Not known impl: " + expectedClazz.getName()); - } + public static CS parseSession(String code, KeycloakSession session, RealmModel realm, Class expectedClazz) { + ClientSessionParser parser = PARSERS.get(expectedClazz); + + CommonClientSessionModel result = parser.parseSession(code, session, realm); return expectedClazz.cast(result); } - static String generateCode(CommonClientSessionModel clientSession, String actionId) { - if (clientSession instanceof ClientSessionModel) { + public static String generateCode(CommonClientSessionModel clientSession, String actionId) { + ClientSessionParser parser = getParser(clientSession); + return parser.generateCode(clientSession, actionId); + } + + public static void removeExpiredSession(KeycloakSession session, CommonClientSessionModel clientSession) { + ClientSessionParser parser = getParser(clientSession); + parser.removeExpiredSession(session, clientSession); + } + + private static ClientSessionParser getParser(CommonClientSessionModel clientSession) { + for (Class c : PARSERS.keySet()) { + if (c.isAssignableFrom(clientSession.getClass())) { + return PARSERS.get(c); + } + } + return null; + } + + + private interface ClientSessionParser { + + CS parseSession(String code, KeycloakSession session, RealmModel realm); + + String generateCode(CS clientSession, String actionId); + + void removeExpiredSession(KeycloakSession session, CS clientSession); + + } + + + // IMPLEMENTATIONS + + + // TODO: remove + private static class ClientSessionModelParser implements ClientSessionParser { + + + @Override + public ClientSessionModel parseSession(String code, KeycloakSession session, RealmModel realm) { + try { + String[] parts = code.split("\\."); + String id = parts[2]; + return session.sessions().getClientSession(realm, id); + } catch (ArrayIndexOutOfBoundsException e) { + return null; + } + } + + @Override + public String generateCode(ClientSessionModel clientSession, String actionId) { StringBuilder sb = new StringBuilder(); sb.append("cls."); sb.append(actionId); @@ -76,11 +108,58 @@ class CodeGenerateUtil { sb.append(clientSession.getId()); return sb.toString(); - } else if (clientSession instanceof LoginSessionModel) { - // Should be sufficient. LoginSession itself is in the cookie + } + + @Override + public void removeExpiredSession(KeycloakSession session, ClientSessionModel clientSession) { + session.sessions().removeClientSession(clientSession.getRealm(), clientSession); + } + } + + + private static class AuthenticationSessionModelParser implements ClientSessionParser { + + @Override + public AuthenticationSessionModel parseSession(String code, KeycloakSession session, RealmModel realm) { + // Read authSessionID from cookie. Code is ignored for now + return session.authenticationSessions().getCurrentAuthenticationSession(realm); + } + + @Override + public String generateCode(AuthenticationSessionModel clientSession, String actionId) { return actionId; - } else if (clientSession instanceof ClientLoginSessionModel) { - String userSessionId = ((ClientLoginSessionModel) clientSession).getUserSession().getId(); + } + + @Override + public void removeExpiredSession(KeycloakSession session, AuthenticationSessionModel clientSession) { + session.authenticationSessions().removeAuthenticationSession(clientSession.getRealm(), clientSession); + } + } + + + private static class AuthenticatedClientSessionModelParser implements ClientSessionParser { + + @Override + public AuthenticatedClientSessionModel parseSession(String code, KeycloakSession session, RealmModel realm) { + try { + String[] parts = code.split("\\."); + String userSessionId = parts[2]; + String clientUUID = parts[3]; + + UserSessionModel userSession = session.sessions().getUserSession(realm, userSessionId); + if (userSession == null) { + return null; + } + + return userSession.getAuthenticatedClientSessions().get(clientUUID); + } catch (ArrayIndexOutOfBoundsException e) { + return null; + } + } + + @Override + public String generateCode(AuthenticatedClientSessionModel clientSession, String actionId) { + String userSessionId = clientSession.getUserSession().getId(); String clientUUID = clientSession.getClient().getId(); StringBuilder sb = new StringBuilder(); sb.append("uss."); @@ -90,9 +169,13 @@ class CodeGenerateUtil { sb.append('.'); sb.append(clientUUID); return sb.toString(); - } else { - throw new IllegalArgumentException("Not known impl: " + clientSession.getClass().getName()); } + + @Override + public void removeExpiredSession(KeycloakSession session, AuthenticatedClientSessionModel clientSession) { + throw new IllegalStateException("Not yet implemented"); + } + } diff --git a/services/src/main/java/org/keycloak/services/util/CookieHelper.java b/server-spi-private/src/main/java/org/keycloak/services/util/CookieHelper.java similarity index 69% rename from services/src/main/java/org/keycloak/services/util/CookieHelper.java rename to server-spi-private/src/main/java/org/keycloak/services/util/CookieHelper.java index b8d57f978f..45335478d3 100755 --- a/services/src/main/java/org/keycloak/services/util/CookieHelper.java +++ b/server-spi-private/src/main/java/org/keycloak/services/util/CookieHelper.java @@ -17,11 +17,18 @@ package org.keycloak.services.util; +import java.net.URI; + import org.jboss.resteasy.spi.HttpResponse; import org.jboss.resteasy.spi.ResteasyProviderFactory; import org.keycloak.common.util.ServerCookie; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import javax.ws.rs.core.Cookie; import javax.ws.rs.core.HttpHeaders; +import javax.ws.rs.core.UriBuilder; +import javax.ws.rs.core.UriInfo; /** * @author Bill Burke @@ -50,4 +57,19 @@ public class CookieHelper { } + public static String getCookieValue(String name) { + HttpHeaders headers = ResteasyProviderFactory.getContextData(HttpHeaders.class); + Cookie cookie = headers.getCookies().get(name); + return cookie != null ? cookie.getValue() : null; + } + + + public static String getRealmCookiePath(RealmModel realm) { + UriInfo uriInfo = ResteasyProviderFactory.getContextData(UriInfo.class); + UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder(); + URI uri = baseUriBuilder.path("/realms/{realm}").build(realm.getName()); + return uri.getRawPath(); + } + + } diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java similarity index 88% rename from server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionProviderFactory.java rename to server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java index 0dfbf8740f..b182458b5e 100644 --- a/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionProviderFactory.java +++ b/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java @@ -22,5 +22,5 @@ import org.keycloak.provider.ProviderFactory; /** * @author Marek Posolda */ -public interface LoginSessionProviderFactory extends ProviderFactory { +public interface AuthenticationSessionProviderFactory extends ProviderFactory { } diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionSpi.java b/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionSpi.java similarity index 85% rename from server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionSpi.java rename to server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionSpi.java index cffa4c5023..459350e17d 100644 --- a/server-spi-private/src/main/java/org/keycloak/sessions/LoginSessionSpi.java +++ b/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionSpi.java @@ -24,7 +24,7 @@ import org.keycloak.provider.Spi; /** * @author Marek Posolda */ -public class LoginSessionSpi implements Spi { +public class AuthenticationSessionSpi implements Spi { @Override public boolean isInternal() { @@ -33,17 +33,17 @@ public class LoginSessionSpi implements Spi { @Override public String getName() { - return "loginSessions"; + return "authenticationSessions"; } @Override public Class getProviderClass() { - return LoginSessionProvider.class; + return AuthenticationSessionProvider.class; } @Override public Class getProviderFactoryClass() { - return LoginSessionProviderFactory.class; + return AuthenticationSessionProviderFactory.class; } } diff --git a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi index f858ea1ef9..b046e7d5ff 100755 --- a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi +++ b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi @@ -32,7 +32,7 @@ org.keycloak.timer.TimerSpi org.keycloak.scripting.ScriptingSpi org.keycloak.services.managers.BruteForceProtectorSpi org.keycloak.services.resource.RealmResourceSPI -org.keycloak.sessions.LoginSessionSpi +org.keycloak.sessions.AuthenticationSessionSpi org.keycloak.protocol.ClientInstallationSpi org.keycloak.protocol.LoginProtocolSpi org.keycloak.protocol.ProtocolMapperSpi diff --git a/server-spi/src/main/java/org/keycloak/models/ClientLoginSessionModel.java b/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java similarity index 91% rename from server-spi/src/main/java/org/keycloak/models/ClientLoginSessionModel.java rename to server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java index 80d7c8dcfd..d4d2a334cb 100644 --- a/server-spi/src/main/java/org/keycloak/models/ClientLoginSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java @@ -23,7 +23,7 @@ import org.keycloak.sessions.CommonClientSessionModel; /** * @author Marek Posolda */ -public interface ClientLoginSessionModel extends CommonClientSessionModel { +public interface AuthenticatedClientSessionModel extends CommonClientSessionModel { void setUserSession(UserSessionModel userSession); UserSessionModel getUserSession(); diff --git a/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java b/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java index 1494126624..0348b68e6e 100755 --- a/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java +++ b/server-spi/src/main/java/org/keycloak/models/KeycloakSession.java @@ -20,7 +20,7 @@ package org.keycloak.models; import org.keycloak.component.ComponentModel; import org.keycloak.models.cache.UserCache; import org.keycloak.provider.Provider; -import org.keycloak.sessions.LoginSessionProvider; +import org.keycloak.sessions.AuthenticationSessionProvider; import org.keycloak.storage.federated.UserFederatedStorageProvider; import java.util.Set; @@ -103,7 +103,7 @@ public interface KeycloakSession { UserSessionProvider sessions(); - LoginSessionProvider loginSessions(); + AuthenticationSessionProvider authenticationSessions(); diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java b/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java index 99f69f7616..9e1a2b68d2 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java @@ -53,7 +53,7 @@ public interface UserSessionModel { void setLastSessionRefresh(int seconds); - Map getClientLoginSessions(); + Map getAuthenticatedClientSessions(); // TODO: Remove List getClientSessions(); diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java index fbd5761cfb..7925bf7bc4 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java @@ -27,7 +27,8 @@ import java.util.List; */ public interface UserSessionProvider extends Provider { - ClientLoginSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession); + ClientSessionModel createClientSession(RealmModel realm, ClientModel client); + AuthenticatedClientSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession); ClientSessionModel getClientSession(RealmModel realm, String id); ClientSessionModel getClientSession(String id); @@ -64,7 +65,7 @@ public interface UserSessionProvider extends Provider { // Removes the attached clientSessions as well void removeOfflineUserSession(RealmModel realm, UserSessionModel userSession); - ClientLoginSessionModel createOfflineClientSession(ClientLoginSessionModel clientSession); + AuthenticatedClientSessionModel createOfflineClientSession(AuthenticatedClientSessionModel clientSession); ClientSessionModel getOfflineClientSession(RealmModel realm, String clientSessionId); List getOfflineUserSessions(RealmModel realm, UserModel user); diff --git a/server-spi/src/main/java/org/keycloak/sessions/LoginSessionModel.java b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java similarity index 89% rename from server-spi/src/main/java/org/keycloak/sessions/LoginSessionModel.java rename to server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java index e3fd0e726c..e12cf26e24 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/LoginSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java @@ -27,7 +27,7 @@ import org.keycloak.models.UserModel; * * @author Marek Posolda */ -public interface LoginSessionModel extends CommonClientSessionModel { +public interface AuthenticationSessionModel extends CommonClientSessionModel { // // public UserSessionModel getUserSession(); @@ -73,4 +73,9 @@ public interface LoginSessionModel extends CommonClientSessionModel { public void clearUserSessionNotes(); + public String getAuthNote(String name); + public void setAuthNote(String name, String value); + public void removeAuthNote(String name); + public void clearAuthNotes(); + } diff --git a/server-spi/src/main/java/org/keycloak/sessions/LoginSessionProvider.java b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java similarity index 64% rename from server-spi/src/main/java/org/keycloak/sessions/LoginSessionProvider.java rename to server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java index 2b5141a68b..a3b04d3fdb 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/LoginSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java @@ -24,17 +24,19 @@ import org.keycloak.provider.Provider; /** * @author Marek Posolda */ -public interface LoginSessionProvider extends Provider { +public interface AuthenticationSessionProvider extends Provider { - LoginSessionModel createLoginSession(RealmModel realm, ClientModel client, boolean browser); + AuthenticationSessionModel createAuthenticationSession(RealmModel realm, ClientModel client, boolean browser); - LoginSessionModel getCurrentLoginSession(RealmModel realm); + String getCurrentAuthenticationSessionId(RealmModel realm); - LoginSessionModel getLoginSession(RealmModel realm, String loginSessionId); + AuthenticationSessionModel getCurrentAuthenticationSession(RealmModel realm); - void removeLoginSession(RealmModel realm, LoginSessionModel loginSession); + AuthenticationSessionModel getAuthenticationSession(RealmModel realm, String authenticationSessionId); + void removeAuthenticationSession(RealmModel realm, AuthenticationSessionModel authenticationSession); + // TODO: test and add to scheduler void removeExpired(RealmModel realm); void onRealmRemoved(RealmModel realm); void onClientRemoved(RealmModel realm, ClientModel client); diff --git a/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java b/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java index c2e51935a3..e6a9288e0a 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java @@ -24,7 +24,7 @@ import org.keycloak.models.ClientModel; import org.keycloak.models.RealmModel; /** - * Predecesor of LoginSessionModel, ClientLoginSessionModel and ClientSessionModel (then action tickets). Maybe we will remove it later... + * Predecesor of AuthenticationSessionModel, ClientLoginSessionModel and ClientSessionModel (then action tickets). Maybe we will remove it later... * * @author Marek Posolda */ diff --git a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java index 4a5053fddf..70c876f836 100755 --- a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java +++ b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java @@ -31,7 +31,7 @@ import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AuthenticationExecutionModel; import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.AuthenticatorConfigModel; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -51,7 +51,7 @@ import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; @@ -66,10 +66,14 @@ import java.util.Map; */ public class AuthenticationProcessor { public static final String CURRENT_AUTHENTICATION_EXECUTION = "current.authentication.execution"; + public static final String LAST_PROCESSED_EXECUTION = "last.processed.execution"; + public static final String CURRENT_FLOW_PATH = "current.flow.path"; + public static final String FORKED_FROM = "forked.from"; + protected static final Logger logger = Logger.getLogger(AuthenticationProcessor.class); protected RealmModel realm; protected UserSessionModel userSession; - protected LoginSessionModel loginSession; + protected AuthenticationSessionModel authenticationSession; protected ClientConnection connection; protected UriInfo uriInfo; protected KeycloakSession session; @@ -129,8 +133,8 @@ public class AuthenticationProcessor { return clientAuthAttributes; } - public LoginSessionModel getLoginSession() { - return loginSession; + public AuthenticationSessionModel getAuthenticationSession() { + return authenticationSession; } public ClientConnection getConnection() { @@ -154,8 +158,8 @@ public class AuthenticationProcessor { return this; } - public AuthenticationProcessor setLoginSession(LoginSessionModel loginSession) { - this.loginSession = loginSession; + public AuthenticationProcessor setAuthenticationSession(AuthenticationSessionModel authenticationSession) { + this.authenticationSession = authenticationSession; return this; } @@ -210,8 +214,8 @@ public class AuthenticationProcessor { } public String generateCode() { - ClientSessionCode accessCode = new ClientSessionCode(session, getRealm(), getLoginSession()); - loginSession.setTimestamp(Time.currentTime()); + ClientSessionCode accessCode = new ClientSessionCode(session, getRealm(), getAuthenticationSession()); + authenticationSession.setTimestamp(Time.currentTime()); return accessCode.getCode(); } @@ -229,15 +233,15 @@ public class AuthenticationProcessor { } public void setAutheticatedUser(UserModel user) { - UserModel previousUser = getLoginSession().getAuthenticatedUser(); + UserModel previousUser = getAuthenticationSession().getAuthenticatedUser(); if (previousUser != null && !user.getId().equals(previousUser.getId())) throw new AuthenticationFlowException(AuthenticationFlowError.USER_CONFLICT); validateUser(user); - getLoginSession().setAuthenticatedUser(user); + getAuthenticationSession().setAuthenticatedUser(user); } public void clearAuthenticatedUser() { - getLoginSession().setAuthenticatedUser(null); + getAuthenticationSession().setAuthenticatedUser(null); } public class Result implements AuthenticationFlowContext, ClientAuthenticationFlowContext { @@ -360,7 +364,7 @@ public class AuthenticationProcessor { @Override public UserModel getUser() { - return getLoginSession().getAuthenticatedUser(); + return getAuthenticationSession().getAuthenticatedUser(); } @Override @@ -394,8 +398,8 @@ public class AuthenticationProcessor { } @Override - public LoginSessionModel getLoginSession() { - return AuthenticationProcessor.this.getLoginSession(); + public AuthenticationSessionModel getAuthenticationSession() { + return AuthenticationProcessor.this.getAuthenticationSession(); } @Override @@ -480,19 +484,22 @@ public class AuthenticationProcessor { } @Override - public URI getActionUrl() { - return getActionUrl(generateAccessCode()); + public URI getRefreshExecutionUrl() { + return LoginActionsService.loginActionsBaseUrl(getUriInfo()) + .path(AuthenticationProcessor.this.flowPath) + .queryParam("execution", getExecution().getId()) + .build(getRealm().getName()); } @Override public void cancelLogin() { getEvent().error(Errors.REJECTED_BY_USER); - LoginProtocol protocol = getSession().getProvider(LoginProtocol.class, getLoginSession().getProtocol()); + LoginProtocol protocol = getSession().getProvider(LoginProtocol.class, getAuthenticationSession().getProtocol()); protocol.setRealm(getRealm()) .setHttpHeaders(getHttpRequest().getHttpHeaders()) .setUriInfo(getUriInfo()) .setEventBuilder(event); - Response response = protocol.sendError(getLoginSession(), Error.CANCELLED_BY_USER); + Response response = protocol.sendError(getAuthenticationSession(), Error.CANCELLED_BY_USER); forceChallenge(response); } @@ -536,7 +543,7 @@ public class AuthenticationProcessor { public void logFailure() { if (realm.isBruteForceProtected()) { - String username = loginSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); + String username = authenticationSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); // todo need to handle non form failures if (username == null) { @@ -566,7 +573,7 @@ public class AuthenticationProcessor { } public boolean isSuccessful(AuthenticationExecutionModel model) { - ClientSessionModel.ExecutionStatus status = loginSession.getExecutionStatus().get(model.getId()); + ClientSessionModel.ExecutionStatus status = authenticationSession.getExecutionStatus().get(model.getId()); if (status == null) return false; return status == ClientSessionModel.ExecutionStatus.SUCCESS; } @@ -599,10 +606,10 @@ public class AuthenticationProcessor { } else if (e.getError() == AuthenticationFlowError.FORK_FLOW) { ForkFlowException reset = (ForkFlowException)e; - LoginSessionModel clone = clone(session, loginSession); + AuthenticationSessionModel clone = clone(session, authenticationSession); clone.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); AuthenticationProcessor processor = new AuthenticationProcessor(); - processor.setLoginSession(clone) + processor.setAuthenticationSession(clone) .setFlowPath(LoginActionsService.AUTHENTICATE_PATH) .setFlowId(realm.getBrowserFlow().getId()) .setForwardedErrorMessage(reset.getErrorMessage()) @@ -694,22 +701,23 @@ public class AuthenticationProcessor { } - public Response redirectToFlow() { - String code = generateCode(); + public Response redirectToFlow(String execution) { + logger.info("Redirecting to flow with execution: " + execution); + authenticationSession.setAuthNote(LAST_PROCESSED_EXECUTION, execution); URI redirect = LoginActionsService.loginActionsBaseUrl(getUriInfo()) .path(flowPath) - .queryParam(OAuth2Constants.CODE, code).build(getRealm().getName()); + .queryParam("execution", execution).build(getRealm().getName()); return Response.status(302).location(redirect).build(); } - public static Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, LoginSessionModel loginSession, UriInfo uriInfo) { + public static Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, UriInfo uriInfo) { // redirect to non-action url so browser refresh button works without reposting past data - ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, loginSession); + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authSession); accessCode.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name()); - loginSession.setTimestamp(Time.currentTime()); + authSession.setTimestamp(Time.currentTime()); URI redirect = LoginActionsService.loginActionsBaseUrl(uriInfo) .path(LoginActionsService.REQUIRED_ACTION) @@ -718,25 +726,30 @@ public class AuthenticationProcessor { } - public static void resetFlow(LoginSessionModel loginSession) { + public static void resetFlow(AuthenticationSessionModel authSession) { logger.debug("RESET FLOW"); - loginSession.setTimestamp(Time.currentTime()); - loginSession.setAuthenticatedUser(null); - loginSession.clearExecutionStatus(); - loginSession.clearUserSessionNotes(); - loginSession.removeNote(CURRENT_AUTHENTICATION_EXECUTION); + authSession.setTimestamp(Time.currentTime()); + authSession.setAuthenticatedUser(null); + authSession.clearExecutionStatus(); + authSession.clearUserSessionNotes(); + authSession.clearAuthNotes(); } - public static LoginSessionModel clone(KeycloakSession session, LoginSessionModel loginSession) { - // TODO: Doublecheck false... - LoginSessionModel clone = session.loginSessions().createLoginSession(loginSession.getRealm(), loginSession.getClient(), false); - for (Map.Entry entry : loginSession.getNotes().entrySet()) { + public static AuthenticationSessionModel clone(KeycloakSession session, AuthenticationSessionModel authSession) { + AuthenticationSessionModel clone = session.authenticationSessions().createAuthenticationSession(authSession.getRealm(), authSession.getClient(), true); + + // Transfer just the client "notes", but not "authNotes" + for (Map.Entry entry : authSession.getNotes().entrySet()) { clone.setNote(entry.getKey(), entry.getValue()); } - clone.setRedirectUri(loginSession.getRedirectUri()); - clone.setProtocol(loginSession.getProtocol()); + + clone.setRedirectUri(authSession.getRedirectUri()); + clone.setProtocol(authSession.getProtocol()); clone.setTimestamp(Time.currentTime()); - clone.removeNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + + clone.setAuthNote(FORKED_FROM, authSession.getId()); + logger.infof("Forked authSession %s from authSession %s", clone.getId(), authSession.getId()); + return clone; } @@ -744,27 +757,26 @@ public class AuthenticationProcessor { public Response authenticationAction(String execution) { logger.debug("authenticationAction"); - checkClientSession(); - String current = loginSession.getNote(CURRENT_AUTHENTICATION_EXECUTION); + checkClientSession(true); + String current = authenticationSession.getAuthNote(CURRENT_AUTHENTICATION_EXECUTION); if (!execution.equals(current)) { - logger.debug("Current execution does not equal executed execution. Might be a page refresh"); - //logFailure(); - //resetFlow(clientSession); - return authenticate(); + // TODO:mposolda debug + logger.info("Current execution does not equal executed execution. Might be a page refresh"); + return redirectToFlow(current); } - UserModel authUser = loginSession.getAuthenticatedUser(); + UserModel authUser = authenticationSession.getAuthenticatedUser(); validateUser(authUser); AuthenticationExecutionModel model = realm.getAuthenticationExecutionById(execution); if (model == null) { logger.debug("Cannot find execution, reseting flow"); logFailure(); - resetFlow(loginSession); + resetFlow(authenticationSession); return authenticate(); } - event.client(loginSession.getClient().getClientId()) - .detail(Details.REDIRECT_URI, loginSession.getRedirectUri()) - .detail(Details.AUTH_METHOD, loginSession.getProtocol()); - String authType = loginSession.getNote(Details.AUTH_TYPE); + event.client(authenticationSession.getClient().getClientId()) + .detail(Details.REDIRECT_URI, authenticationSession.getRedirectUri()) + .detail(Details.AUTH_METHOD, authenticationSession.getProtocol()); + String authType = authenticationSession.getAuthNote(Details.AUTH_TYPE); if (authType != null) { event.detail(Details.AUTH_TYPE, authType); } @@ -772,40 +784,43 @@ public class AuthenticationProcessor { AuthenticationFlow authenticationFlow = createFlowExecution(this.flowId, model); Response challenge = authenticationFlow.processAction(execution); if (challenge != null) return challenge; - if (loginSession.getAuthenticatedUser() == null) { + if (authenticationSession.getAuthenticatedUser() == null) { throw new AuthenticationFlowException(AuthenticationFlowError.UNKNOWN_USER); } return authenticationComplete(); } - public void checkClientSession() { - ClientSessionCode code = new ClientSessionCode(session, realm, loginSession); - String action = ClientSessionModel.Action.AUTHENTICATE.name(); - if (!code.isValidAction(action)) { - throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CLIENT_SESSION); + private void checkClientSession(boolean checkAction) { + ClientSessionCode code = new ClientSessionCode(session, realm, authenticationSession); + + if (checkAction) { + String action = ClientSessionModel.Action.AUTHENTICATE.name(); + if (!code.isValidAction(action)) { + throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CLIENT_SESSION); + } } if (!code.isActionActive(ClientSessionCode.ActionType.LOGIN)) { throw new AuthenticationFlowException(AuthenticationFlowError.EXPIRED_CODE); } - loginSession.setTimestamp(Time.currentTime()); + authenticationSession.setTimestamp(Time.currentTime()); } public Response authenticateOnly() throws AuthenticationFlowException { logger.debug("AUTHENTICATE ONLY"); - checkClientSession(); - event.client(loginSession.getClient().getClientId()) - .detail(Details.REDIRECT_URI, loginSession.getRedirectUri()) - .detail(Details.AUTH_METHOD, loginSession.getProtocol()); - String authType = loginSession.getNote(Details.AUTH_TYPE); + checkClientSession(false); + event.client(authenticationSession.getClient().getClientId()) + .detail(Details.REDIRECT_URI, authenticationSession.getRedirectUri()) + .detail(Details.AUTH_METHOD, authenticationSession.getProtocol()); + String authType = authenticationSession.getAuthNote(Details.AUTH_TYPE); if (authType != null) { event.detail(Details.AUTH_TYPE, authType); } - UserModel authUser = loginSession.getAuthenticatedUser(); + UserModel authUser = authenticationSession.getAuthenticatedUser(); validateUser(authUser); AuthenticationFlow authenticationFlow = createFlowExecution(this.flowId, null); Response challenge = authenticationFlow.processFlow(); if (challenge != null) return challenge; - if (loginSession.getAuthenticatedUser() == null) { + if (authenticationSession.getAuthenticatedUser() == null) { throw new AuthenticationFlowException(AuthenticationFlowError.UNKNOWN_USER); } return challenge; @@ -834,26 +849,32 @@ public class AuthenticationProcessor { } // May create userSession too - public ClientLoginSessionModel attachSession() { - return attachSession(loginSession, userSession, session, realm, connection, event); + public AuthenticatedClientSessionModel attachSession() { + AuthenticatedClientSessionModel clientSession = attachSession(authenticationSession, userSession, session, realm, connection, event); + + if (userSession == null) { + userSession = clientSession.getUserSession(); + } + + return clientSession; } // May create new userSession too (if userSession argument is null) - public static ClientLoginSessionModel attachSession(LoginSessionModel loginSession, UserSessionModel userSession, KeycloakSession session, RealmModel realm, ClientConnection connection, EventBuilder event) { - String username = loginSession.getAuthenticatedUser().getUsername(); - String attemptedUsername = loginSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); + public static AuthenticatedClientSessionModel attachSession(AuthenticationSessionModel authSession, UserSessionModel userSession, KeycloakSession session, RealmModel realm, ClientConnection connection, EventBuilder event) { + String username = authSession.getAuthenticatedUser().getUsername(); + String attemptedUsername = authSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); if (attemptedUsername != null) username = attemptedUsername; - String rememberMe = loginSession.getNote(Details.REMEMBER_ME); + String rememberMe = authSession.getAuthNote(Details.REMEMBER_ME); boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("true"); if (userSession == null) { // if no authenticator attached a usersession - userSession = session.sessions().createUserSession(realm, loginSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), loginSession.getProtocol(), remember, null, null); + userSession = session.sessions().createUserSession(realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol(), remember, null, null); userSession.setState(UserSessionModel.State.LOGGING_IN); } if (remember) { event.detail(Details.REMEMBER_ME, "true"); } - ClientLoginSessionModel clientSession = TokenManager.attachLoginSession(session, userSession, loginSession); + AuthenticatedClientSessionModel clientSession = TokenManager.attachAuthenticationSession(session, userSession, authSession); event.user(userSession.getUser()) .detail(Details.USERNAME, username) @@ -863,13 +884,13 @@ public class AuthenticationProcessor { } public void evaluateRequiredActionTriggers() { - AuthenticationManager.evaluateRequiredActionTriggers(session, loginSession, connection, request, uriInfo, event, realm, loginSession.getAuthenticatedUser()); + AuthenticationManager.evaluateRequiredActionTriggers(session, authenticationSession, connection, request, uriInfo, event, realm, authenticationSession.getAuthenticatedUser()); } public Response finishAuthentication(LoginProtocol protocol) { event.success(); - RealmModel realm = loginSession.getRealm(); - ClientLoginSessionModel clientSession = attachSession(); + RealmModel realm = authenticationSession.getRealm(); + AuthenticatedClientSessionModel clientSession = attachSession(); return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, userSession,clientSession, request, uriInfo, connection, event, protocol); } @@ -886,20 +907,26 @@ public class AuthenticationProcessor { protected Response authenticationComplete() { // attachSession(); // Session will be attached after requiredActions + consents are finished. + AuthenticationManager.setRolesAndMappersInSession(authenticationSession); + if (isActionRequired()) { - // TODO:mposolda Changed this to avoid additional redirect. Doublecheck consequences... - //return redirectToRequiredActions(session, realm, loginSession, uriInfo); - return AuthenticationManager.nextActionAfterAuthentication(session, loginSession, connection, request, uriInfo, event); + // TODO:mposolda This was changed to avoid additional redirect. Doublecheck consequences... + //return redirectToRequiredActions(session, realm, authenticationSession, uriInfo); + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authenticationSession); + accessCode.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name()); + authenticationSession.setAuthNote(CURRENT_FLOW_PATH, LoginActionsService.REQUIRED_ACTION); + + return AuthenticationManager.nextActionAfterAuthentication(session, authenticationSession, connection, request, uriInfo, event); } else { - event.detail(Details.CODE_ID, loginSession.getId()); // todo This should be set elsewhere. find out why tests fail. Don't know where this is supposed to be set + event.detail(Details.CODE_ID, authenticationSession.getId()); // todo This should be set elsewhere. find out why tests fail. Don't know where this is supposed to be set // the user has successfully logged in and we can clear his/her previous login failure attempts. logSuccess(); - return AuthenticationManager.finishedRequiredActions(session, loginSession, connection, request, uriInfo, event); + return AuthenticationManager.finishedRequiredActions(session, authenticationSession, connection, request, uriInfo, event); } } public boolean isActionRequired() { - return AuthenticationManager.isActionRequired(session, loginSession, connection, request, uriInfo, event); + return AuthenticationManager.isActionRequired(session, authenticationSession, connection, request, uriInfo, event); } public AuthenticationProcessor.Result createAuthenticatorContext(AuthenticationExecutionModel model, Authenticator authenticator, List executions) { diff --git a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java index d87301f81f..c8ec6b2941 100755 --- a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java +++ b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java @@ -51,7 +51,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { protected boolean isProcessed(AuthenticationExecutionModel model) { if (model.isDisabled()) return true; - ClientSessionModel.ExecutionStatus status = processor.getLoginSession().getExecutionStatus().get(model.getId()); + ClientSessionModel.ExecutionStatus status = processor.getAuthenticationSession().getExecutionStatus().get(model.getId()); if (status == null) return false; return status == ClientSessionModel.ExecutionStatus.SUCCESS || status == ClientSessionModel.ExecutionStatus.SKIPPED || status == ClientSessionModel.ExecutionStatus.ATTEMPTED @@ -75,7 +75,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model); Response flowChallenge = authenticationFlow.processAction(actionExecution); if (flowChallenge == null) { - processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); if (model.isAlternative()) alternativeSuccessful = true; return processFlow(); } else { @@ -90,9 +90,9 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { AuthenticationProcessor.Result result = processor.createAuthenticatorContext(model, authenticator, executions); logger.debugv("action: {0}", model.getAuthenticator()); authenticator.action(result); - Response response = processResult(result); + Response response = processResult(result, true); if (response == null) { - processor.getLoginSession().removeNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + processor.getAuthenticationSession().removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); if (result.status == FlowStatus.SUCCESS) { // we do this so that flow can redirect to a non-action URL processor.setActionSuccessful(); @@ -119,7 +119,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { } if (model.isAlternative() && alternativeSuccessful) { logger.debug("Skip alternative execution"); - processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); continue; } if (model.isAuthenticatorFlow()) { @@ -127,7 +127,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model); Response flowChallenge = authenticationFlow.processFlow(); if (flowChallenge == null) { - processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); if (model.isAlternative()) alternativeSuccessful = true; continue; } else { @@ -135,13 +135,13 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { alternativeChallenge = flowChallenge; challengedAlternativeExecution = model; } else if (model.isRequired()) { - processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return flowChallenge; } else if (model.isOptional()) { - processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); continue; } else { - processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); continue; } return flowChallenge; @@ -154,11 +154,11 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { } Authenticator authenticator = factory.create(processor.getSession()); logger.debugv("authenticator: {0}", factory.getId()); - UserModel authUser = processor.getLoginSession().getAuthenticatedUser(); + UserModel authUser = processor.getAuthenticationSession().getAuthenticatedUser(); if (authenticator.requiresUser() && authUser == null) { if (alternativeChallenge != null) { - processor.getLoginSession().setExecutionStatus(challengedAlternativeExecution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(challengedAlternativeExecution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return alternativeChallenge; } throw new AuthenticationFlowException("authenticator: " + factory.getId(), AuthenticationFlowError.UNKNOWN_USER); @@ -170,14 +170,14 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { if (model.isRequired()) { if (factory.isUserSetupAllowed()) { logger.debugv("authenticator SETUP_REQUIRED: {0}", factory.getId()); - processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SETUP_REQUIRED); - authenticator.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getLoginSession().getAuthenticatedUser()); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SETUP_REQUIRED); + authenticator.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getAuthenticationSession().getAuthenticatedUser()); continue; } else { throw new AuthenticationFlowException(AuthenticationFlowError.CREDENTIAL_SETUP_REQUIRED); } } else if (model.isOptional()) { - processor.getLoginSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); continue; } } @@ -189,69 +189,76 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { AuthenticationProcessor.Result context = processor.createAuthenticatorContext(model, authenticator, executions); logger.debug("invoke authenticator.authenticate"); authenticator.authenticate(context); - Response response = processResult(context); + Response response = processResult(context, false); if (response != null) return response; } return null; } - public Response processResult(AuthenticationProcessor.Result result) { + public Response processResult(AuthenticationProcessor.Result result, boolean isAction) { AuthenticationExecutionModel execution = result.getExecution(); FlowStatus status = result.getStatus(); switch (status) { case SUCCESS: logger.debugv("authenticator SUCCESS: {0}", execution.getAuthenticator()); - processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + + // We just do another GET to ensure that page refresh will work + if (isAction) { + processor.getAuthenticationSession().removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + return processor.redirectToFlow(execution.getId()); + } + if (execution.isAlternative()) alternativeSuccessful = true; return null; case FAILED: logger.debugv("authenticator FAILED: {0}", execution.getAuthenticator()); processor.logFailure(); - processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.FAILED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.FAILED); if (result.getChallenge() != null) { return sendChallenge(result, execution); } throw new AuthenticationFlowException(result.getError()); case FORK: logger.debugv("reset browser login from authenticator: {0}", execution.getAuthenticator()); - processor.getLoginSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); + processor.getAuthenticationSession().setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); throw new ForkFlowException(result.getSuccessMessage(), result.getErrorMessage()); case FORCE_CHALLENGE: - processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); case CHALLENGE: logger.debugv("authenticator CHALLENGE: {0}", execution.getAuthenticator()); if (execution.isRequired()) { - processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); } - UserModel authenticatedUser = processor.getLoginSession().getAuthenticatedUser(); + UserModel authenticatedUser = processor.getAuthenticationSession().getAuthenticatedUser(); if (execution.isOptional() && authenticatedUser != null && result.getAuthenticator().configuredFor(processor.getSession(), processor.getRealm(), authenticatedUser)) { - processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); } if (execution.isAlternative()) { alternativeChallenge = result.getChallenge(); challengedAlternativeExecution = execution; } else { - processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); } return null; case FAILURE_CHALLENGE: logger.debugv("authenticator FAILURE_CHALLENGE: {0}", execution.getAuthenticator()); processor.logFailure(); - processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); case ATTEMPTED: logger.debugv("authenticator ATTEMPTED: {0}", execution.getAuthenticator()); if (execution.getRequirement() == AuthenticationExecutionModel.Requirement.REQUIRED) { throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CREDENTIALS); } - processor.getLoginSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.ATTEMPTED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.ATTEMPTED); return null; case FLOW_RESET: - AuthenticationProcessor.resetFlow(processor.getLoginSession()); + AuthenticationProcessor.resetFlow(processor.getAuthenticationSession()); return processor.authenticate(); default: logger.debugv("authenticator INTERNAL_ERROR: {0}", execution.getAuthenticator()); @@ -261,7 +268,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { } public Response sendChallenge(AuthenticationProcessor.Result result, AuthenticationExecutionModel execution) { - processor.getLoginSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); + processor.getAuthenticationSession().setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); return result.getChallenge(); } diff --git a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java index b1d29f18a6..17898f4d16 100755 --- a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java +++ b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java @@ -30,7 +30,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.services.resources.LoginActionsService; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; @@ -94,7 +94,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow { @Override public UserModel getUser() { - return getLoginSession().getAuthenticatedUser(); + return getAuthenticationSession().getAuthenticatedUser(); } @Override @@ -108,8 +108,8 @@ public class FormAuthenticationFlow implements AuthenticationFlow { } @Override - public LoginSessionModel getLoginSession() { - return processor.getLoginSession(); + public AuthenticationSessionModel getAuthenticationSession() { + return processor.getAuthenticationSession(); } @Override @@ -179,7 +179,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow { FormActionFactory factory = (FormActionFactory)processor.getSession().getKeycloakSessionFactory().getProviderFactory(FormAction.class, formActionExecution.getAuthenticator()); FormAction action = factory.create(processor.getSession()); - UserModel authUser = processor.getLoginSession().getAuthenticatedUser(); + UserModel authUser = processor.getAuthenticationSession().getAuthenticatedUser(); if (action.requiresUser() && authUser == null) { throw new AuthenticationFlowException("form action: " + formExecution.getAuthenticator() + " requires user", AuthenticationFlowError.UNKNOWN_USER); } @@ -236,14 +236,14 @@ public class FormAuthenticationFlow implements AuthenticationFlow { } // set status and required actions only if form is fully successful for (Map.Entry entry : executionStatus.entrySet()) { - processor.getLoginSession().setExecutionStatus(entry.getKey(), entry.getValue()); + processor.getAuthenticationSession().setExecutionStatus(entry.getKey(), entry.getValue()); } for (FormAction action : requiredActions) { - action.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getLoginSession().getAuthenticatedUser()); + action.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getAuthenticationSession().getAuthenticatedUser()); } - processor.getLoginSession().setExecutionStatus(actionExecution, ClientSessionModel.ExecutionStatus.SUCCESS); - processor.getLoginSession().removeNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + processor.getAuthenticationSession().setExecutionStatus(actionExecution, ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getAuthenticationSession().removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); processor.setActionSuccessful(); return null; } @@ -263,7 +263,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow { public Response renderForm(MultivaluedMap formData, List errors) { String executionId = formExecution.getId(); - processor.getLoginSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, executionId); + processor.getAuthenticationSession().setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, executionId); String code = processor.generateCode(); URI actionUrl = getActionUrl(executionId, code); LoginFormsProvider form = processor.getSession().getProvider(LoginFormsProvider.class) diff --git a/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java b/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java index fd60a9d10e..87b3403b85 100755 --- a/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java +++ b/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java @@ -28,7 +28,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.resources.LoginActionsService; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; @@ -39,7 +39,7 @@ import java.net.URI; * @version $Revision: 1 $ */ public class RequiredActionContextResult implements RequiredActionContext { - protected LoginSessionModel loginSession; + protected AuthenticationSessionModel authenticationSession; protected RealmModel realm; protected EventBuilder eventBuilder; protected KeycloakSession session; @@ -49,11 +49,11 @@ public class RequiredActionContextResult implements RequiredActionContext { protected UserModel user; protected RequiredActionFactory factory; - public RequiredActionContextResult(LoginSessionModel loginSession, + public RequiredActionContextResult(AuthenticationSessionModel authSession, RealmModel realm, EventBuilder eventBuilder, KeycloakSession session, HttpRequest httpRequest, UserModel user, RequiredActionFactory factory) { - this.loginSession = loginSession; + this.authenticationSession = authSession; this.realm = realm; this.eventBuilder = eventBuilder; this.session = session; @@ -78,8 +78,8 @@ public class RequiredActionContextResult implements RequiredActionContext { } @Override - public LoginSessionModel getLoginSession() { - return loginSession; + public AuthenticationSessionModel getAuthenticationSession() { + return authenticationSession; } @Override @@ -134,14 +134,14 @@ public class RequiredActionContextResult implements RequiredActionContext { public URI getActionUrl(String code) { return LoginActionsService.requiredActionProcessor(getUriInfo()) .queryParam(OAuth2Constants.CODE, code) - .queryParam("action", factory.getId()) + .queryParam("execution", factory.getId()) .build(getRealm().getName()); } @Override public String generateCode() { - ClientSessionCode accessCode = new ClientSessionCode<>(session, getRealm(), getLoginSession()); - loginSession.setTimestamp(Time.currentTime()); + ClientSessionCode accessCode = new ClientSessionCode<>(session, getRealm(), getAuthenticationSession()); + authenticationSession.setTimestamp(Time.currentTime()); return accessCode.getCode(); } diff --git a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java index ef9277090f..40182121ce 100644 --- a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java @@ -23,6 +23,7 @@ import org.keycloak.common.util.Time; import org.keycloak.jose.jws.*; import org.keycloak.models.*; import org.keycloak.services.Urls; +import org.keycloak.sessions.AuthenticationSessionModel; import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonProperty; import java.util.Map; @@ -42,47 +43,47 @@ public class ResetCredentialsActionToken extends DefaultActionToken { private static final Logger LOG = Logger.getLogger(ResetCredentialsActionToken.class); private static final String RESET_CREDENTIALS_ACTION = "reset-credentials"; - public static final String NOTE_CLIENT_SESSION_ID = "clientSessionId"; - private static final String JSON_FIELD_CLIENT_SESSION_ID = "csid"; + public static final String NOTE_AUTHENTICATION_SESSION_ID = "clientSessionId"; + private static final String JSON_FIELD_AUTHENTICATION_SESSION_ID = "asid"; private static final String JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP = "lcpt"; @JsonIgnore - private ClientSessionModel clientSession; + private AuthenticationSessionModel authenticationSession; @JsonProperty(value = JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP) private Long lastChangedPasswordTimestamp; - public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, String clientSessionId) { + public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, String authenticationSessionId) { super(userId, RESET_CREDENTIALS_ACTION, absoluteExpirationInSecs, actionVerificationNonce); - setNote(NOTE_CLIENT_SESSION_ID, clientSessionId); + setNote(NOTE_AUTHENTICATION_SESSION_ID, authenticationSessionId); this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; } - public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, ClientSessionModel clientSession) { - this(userId, absoluteExpirationInSecs, actionVerificationNonce, lastChangedPasswordTimestamp, clientSession == null ? null : clientSession.getId()); - this.clientSession = clientSession; + public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, AuthenticationSessionModel authenticationSession) { + this(userId, absoluteExpirationInSecs, actionVerificationNonce, lastChangedPasswordTimestamp, authenticationSession == null ? null : authenticationSession.getId()); + this.authenticationSession = authenticationSession; } private ResetCredentialsActionToken() { super(null, null, -1, null); } - public ClientSessionModel getClientSession() { - return this.clientSession; + public AuthenticationSessionModel getAuthenticationSession() { + return this.authenticationSession; } - public void setClientSession(ClientSessionModel clientSession) { - this.clientSession = clientSession; - setClientSessionId(clientSession == null ? null : clientSession.getId()); + public void setAuthenticationSession(AuthenticationSessionModel authenticationSession) { + this.authenticationSession = authenticationSession; + setAuthenticationSessionId(authenticationSession == null ? null : authenticationSession.getId()); } - @JsonProperty(value = JSON_FIELD_CLIENT_SESSION_ID) - public String getClientSessionId() { - return getNote(NOTE_CLIENT_SESSION_ID); + @JsonProperty(value = JSON_FIELD_AUTHENTICATION_SESSION_ID) + public String getAuthenticationSessionId() { + return getNote(NOTE_AUTHENTICATION_SESSION_ID); } - public void setClientSessionId(String clientSessionId) { - setNote(NOTE_CLIENT_SESSION_ID, clientSessionId); + public void setAuthenticationSessionId(String authenticationSessionId) { + setNote(NOTE_AUTHENTICATION_SESSION_ID, authenticationSessionId); } public Long getLastChangedPasswordTimestamp() { @@ -97,8 +98,8 @@ public class ResetCredentialsActionToken extends DefaultActionToken { @JsonIgnore public Map getNotes() { Map res = super.getNotes(); - if (this.clientSession != null) { - res.put(NOTE_CLIENT_SESSION_ID, getNote(NOTE_CLIENT_SESSION_ID)); + if (this.authenticationSession != null) { + res.put(NOTE_AUTHENTICATION_SESSION_ID, getNote(NOTE_AUTHENTICATION_SESSION_ID)); } return res; } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java index fd65f61eb9..9ba2053f1b 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java @@ -29,7 +29,7 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.services.messages.Messages; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; @@ -59,13 +59,13 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { @Override public void authenticate(AuthenticationFlowContext context) { - LoginSessionModel loginSession = context.getLoginSession(); + AuthenticationSessionModel authSession = context.getAuthenticationSession(); - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(loginSession, BROKERED_CONTEXT_NOTE); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(authSession, BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); } - BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), loginSession); + BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), authSession); if (!brokerContext.getIdpConfig().isEnabled()) { sendFailureChallenge(context, Errors.IDENTITY_PROVIDER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); @@ -76,7 +76,7 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { @Override public void action(AuthenticationFlowContext context) { - LoginSessionModel clientSession = context.getLoginSession(); + AuthenticationSessionModel clientSession = context.getAuthenticationSession(); SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(clientSession, BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { @@ -112,8 +112,8 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { } - public static UserModel getExistingUser(KeycloakSession session, RealmModel realm, LoginSessionModel loginSession) { - String existingUserId = loginSession.getNote(EXISTING_USER_INFO); + public static UserModel getExistingUser(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession) { + String existingUserId = authSession.getAuthNote(EXISTING_USER_INFO); if (existingUserId == null) { throw new AuthenticationFlowException("Unexpected state. There is no existing duplicated user identified in ClientSession", AuthenticationFlowError.INTERNAL_ERROR); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java index 0b848723df..d4cfcf5570 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java @@ -29,7 +29,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.services.ServicesLogger; import org.keycloak.services.messages.Messages; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; @@ -41,9 +41,9 @@ public class IdpConfirmLinkAuthenticator extends AbstractIdpAuthenticator { @Override protected void authenticateImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { - LoginSessionModel loginSession = context.getLoginSession(); + AuthenticationSessionModel authSession = context.getAuthenticationSession(); - String existingUserInfo = loginSession.getNote(EXISTING_USER_INFO); + String existingUserInfo = authSession.getAuthNote(EXISTING_USER_INFO); if (existingUserInfo == null) { ServicesLogger.LOGGER.noDuplicationDetected(); context.attempted(); @@ -65,8 +65,8 @@ public class IdpConfirmLinkAuthenticator extends AbstractIdpAuthenticator { String action = formData.getFirst("submitAction"); if (action != null && action.equals("updateProfile")) { - context.getLoginSession().setNote(ENFORCE_UPDATE_PROFILE, "true"); - context.getLoginSession().removeNote(EXISTING_USER_INFO); + context.getAuthenticationSession().setAuthNote(ENFORCE_UPDATE_PROFILE, "true"); + context.getAuthenticationSession().removeAuthNote(EXISTING_USER_INFO); context.resetFlow(); } else if (action != null && action.equals("linkAccount")) { context.success(); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java index f905e0cc2a..aacd1e69d3 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpCreateUserIfUniqueAuthenticator.java @@ -53,7 +53,7 @@ public class IdpCreateUserIfUniqueAuthenticator extends AbstractIdpAuthenticator KeycloakSession session = context.getSession(); RealmModel realm = context.getRealm(); - if (context.getLoginSession().getNote(EXISTING_USER_INFO) != null) { + if (context.getAuthenticationSession().getAuthNote(EXISTING_USER_INFO) != null) { context.attempted(); return; } @@ -61,7 +61,7 @@ public class IdpCreateUserIfUniqueAuthenticator extends AbstractIdpAuthenticator String username = getUsername(context, serializedCtx, brokerContext); if (username == null) { ServicesLogger.LOGGER.resetFlow(realm.isRegistrationEmailAsUsername() ? "Email" : "Username"); - context.getLoginSession().setNote(ENFORCE_UPDATE_PROFILE, "true"); + context.getAuthenticationSession().setAuthNote(ENFORCE_UPDATE_PROFILE, "true"); context.resetFlow(); return; } @@ -91,14 +91,14 @@ public class IdpCreateUserIfUniqueAuthenticator extends AbstractIdpAuthenticator userRegisteredSuccess(context, federatedUser, serializedCtx, brokerContext); context.setUser(federatedUser); - context.getLoginSession().setNote(BROKER_REGISTERED_NEW_USER, "true"); + context.getAuthenticationSession().setAuthNote(BROKER_REGISTERED_NEW_USER, "true"); context.success(); } else { logger.debugf("Duplication detected. There is already existing user with %s '%s' .", duplication.getDuplicateAttributeName(), duplication.getDuplicateAttributeValue()); // Set duplicated user, so next authenticators can deal with it - context.getLoginSession().setNote(EXISTING_USER_INFO, duplication.serialize()); + context.getAuthenticationSession().setAuthNote(EXISTING_USER_INFO, duplication.serialize()); Response challengeResponse = context.form() .setError(Messages.FEDERATED_IDENTITY_EXISTS, duplication.getDuplicateAttributeName(), duplication.getDuplicateAttributeValue()) diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java index edd3c62200..245f258a56 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java @@ -73,7 +73,7 @@ public class IdpReviewProfileAuthenticator extends AbstractIdpAuthenticator { } protected boolean requiresUpdateProfilePage(AuthenticationFlowContext context, SerializedBrokeredIdentityContext userCtx, BrokeredIdentityContext brokerContext) { - String enforceUpdateProfile = context.getLoginSession().getNote(ENFORCE_UPDATE_PROFILE); + String enforceUpdateProfile = context.getAuthenticationSession().getAuthNote(ENFORCE_UPDATE_PROFILE); if (Boolean.parseBoolean(enforceUpdateProfile)) { return true; } @@ -122,12 +122,12 @@ public class IdpReviewProfileAuthenticator extends AbstractIdpAuthenticator { } userCtx.setEmail(email); - context.getLoginSession().setNote(UPDATE_PROFILE_EMAIL_CHANGED, "true"); + context.getAuthenticationSession().setAuthNote(UPDATE_PROFILE_EMAIL_CHANGED, "true"); } AttributeFormDataProcessor.process(formData, realm, userCtx); - userCtx.saveToLoginSession(context.getLoginSession(), BROKERED_CONTEXT_NOTE); + userCtx.saveToLoginSession(context.getAuthenticationSession(), BROKERED_CONTEXT_NOTE); logger.debugf("Profile updated successfully after first authentication with identity provider '%s' for broker user '%s'.", brokerContext.getIdpConfig().getAlias(), userCtx.getUsername()); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java index 071a1ec410..edcc030e52 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java @@ -39,7 +39,7 @@ public class IdpUsernamePasswordForm extends UsernamePasswordForm { @Override protected Response challenge(AuthenticationFlowContext context, MultivaluedMap formData) { - UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getLoginSession()); + UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getAuthenticationSession()); return setupForm(context, formData, existingUser) .setStatus(Response.Status.OK) @@ -48,7 +48,7 @@ public class IdpUsernamePasswordForm extends UsernamePasswordForm { @Override protected boolean validateForm(AuthenticationFlowContext context, MultivaluedMap formData) { - UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getLoginSession()); + UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getAuthenticationSession()); context.setUser(existingUser); // Restore formData for the case of error @@ -58,7 +58,7 @@ public class IdpUsernamePasswordForm extends UsernamePasswordForm { } protected LoginFormsProvider setupForm(AuthenticationFlowContext context, MultivaluedMap formData, UserModel existingUser) { - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(context.getLoginSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(context.getAuthenticationSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java index 86bb9795a7..e648242ab2 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java @@ -24,14 +24,13 @@ import org.keycloak.broker.provider.IdentityProvider; import org.keycloak.broker.provider.IdentityProviderDataMarshaller; import org.keycloak.common.util.Base64Url; import org.keycloak.common.util.reflections.Reflections; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; import org.keycloak.models.IdentityProviderModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; import org.keycloak.services.resources.IdentityBrokerService; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.util.JsonSerialization; import java.io.IOException; @@ -247,7 +246,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { } } - public BrokeredIdentityContext deserialize(KeycloakSession session, LoginSessionModel loginSession) { + public BrokeredIdentityContext deserialize(KeycloakSession session, AuthenticationSessionModel authSession) { BrokeredIdentityContext ctx = new BrokeredIdentityContext(getId()); ctx.setUsername(getBrokerUsername()); @@ -259,7 +258,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { ctx.setBrokerUserId(getBrokerUserId()); ctx.setToken(getToken()); - RealmModel realm = loginSession.getRealm(); + RealmModel realm = authSession.getRealm(); IdentityProviderModel idpConfig = realm.getIdentityProviderByAlias(getIdentityProviderId()); if (idpConfig == null) { throw new ModelException("Can't find identity provider with ID " + getIdentityProviderId() + " in realm " + realm.getName()); @@ -283,7 +282,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { } } - ctx.setLoginSession(loginSession); + ctx.setAuthenticationSession(authSession); return ctx; } @@ -300,7 +299,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { ctx.setToken(context.getToken()); ctx.setIdentityProviderId(context.getIdpConfig().getAlias()); - ctx.emailAsUsername = context.getLoginSession().getRealm().isRegistrationEmailAsUsername(); + ctx.emailAsUsername = context.getAuthenticationSession().getRealm().isRegistrationEmailAsUsername(); IdentityProviderDataMarshaller serializer = context.getIdp().getMarshaller(); @@ -315,23 +314,23 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { } // Save this context as note to clientSession - public void saveToLoginSession(LoginSessionModel loginSession, String noteKey) { + public void saveToLoginSession(AuthenticationSessionModel authSession, String noteKey) { try { String asString = JsonSerialization.writeValueAsString(this); - loginSession.setNote(noteKey, asString); + authSession.setAuthNote(noteKey, asString); } catch (IOException ioe) { throw new RuntimeException(ioe); } } - public static SerializedBrokeredIdentityContext readFromLoginSession(LoginSessionModel loginSession, String noteKey) { - String asString = loginSession.getNote(noteKey); + public static SerializedBrokeredIdentityContext readFromLoginSession(AuthenticationSessionModel authSession, String noteKey) { + String asString = authSession.getAuthNote(noteKey); if (asString == null) { return null; } else { try { SerializedBrokeredIdentityContext serializedCtx = JsonSerialization.readValue(asString, SerializedBrokeredIdentityContext.class); - serializedCtx.emailAsUsername = loginSession.getRealm().isRegistrationEmailAsUsername(); + serializedCtx.emailAsUsername = authSession.getRealm().isRegistrationEmailAsUsername(); return serializedCtx; } catch (IOException ioe) { throw new RuntimeException(ioe); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java index fc73e1875a..a0f13bce47 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java @@ -126,7 +126,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth username = username.trim(); context.getEvent().detail(Details.USERNAME, username); - context.getLoginSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); + context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); UserModel user = null; try { @@ -159,10 +159,10 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth String rememberMe = inputData.getFirst("rememberMe"); boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("on"); if (remember) { - context.getLoginSession().setNote(Details.REMEMBER_ME, "true"); + context.getAuthenticationSession().setAuthNote(Details.REMEMBER_ME, "true"); context.getEvent().detail(Details.REMEMBER_ME, "true"); } else { - context.getLoginSession().removeNote(Details.REMEMBER_ME); + context.getAuthenticationSession().removeAuthNote(Details.REMEMBER_ME); } context.setUser(user); return true; diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java index d1c22f543d..73c92cf2ef 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java @@ -19,13 +19,12 @@ package org.keycloak.authentication.authenticators.browser; import org.keycloak.authentication.AuthenticationFlowContext; import org.keycloak.authentication.Authenticator; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.protocol.LoginProtocol; import org.keycloak.services.managers.AuthenticationManager; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; /** * @author Bill Burke @@ -45,7 +44,7 @@ public class CookieAuthenticator implements Authenticator { if (authResult == null) { context.attempted(); } else { - LoginSessionModel clientSession = context.getLoginSession(); + AuthenticationSessionModel clientSession = context.getAuthenticationSession(); LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, clientSession.getProtocol()); // Cookie re-authentication is skipped if re-authentication is required diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java index 8cfd714c65..cb31e8d234 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java @@ -63,7 +63,7 @@ public class IdentityProviderAuthenticator implements Authenticator { List identityProviders = context.getRealm().getIdentityProviders(); for (IdentityProviderModel identityProvider : identityProviders) { if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) { - String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getLoginSession()).getCode(); + String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getCode(); Response response = Response.seeOther( Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode)) .build(); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java index 1a90b59ff5..5e0851a05e 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java @@ -160,7 +160,7 @@ public class ScriptBasedAuthenticator implements Authenticator { bindings.put("user", context.getUser()); bindings.put("session", context.getSession()); bindings.put("httpRequest", context.getHttpRequest()); - bindings.put("clientSession", context.getLoginSession()); + bindings.put("clientSession", context.getAuthenticationSession()); bindings.put("LOG", LOGGER); }); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java index c909921641..6b726867ff 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java @@ -30,7 +30,6 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserModel; -import org.keycloak.services.ServicesLogger; import org.keycloak.services.messages.Messages; import javax.ws.rs.core.HttpHeaders; @@ -98,7 +97,7 @@ public class SpnegoAuthenticator extends AbstractUsernameFormAuthenticator imple context.setUser(output.getAuthenticatedUser()); if (output.getState() != null && !output.getState().isEmpty()) { for (Map.Entry entry : output.getState().entrySet()) { - context.getLoginSession().setUserSessionNote(entry.getKey(), entry.getValue()); + context.getAuthenticationSession().setUserSessionNote(entry.getKey(), entry.getValue()); } } context.success(); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java index cde0cb3ad4..eaa95bbf95 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java @@ -59,7 +59,7 @@ public class UsernamePasswordForm extends AbstractUsernameFormAuthenticator impl @Override public void authenticate(AuthenticationFlowContext context) { MultivaluedMap formData = new MultivaluedMapImpl<>(); - String loginHint = context.getLoginSession().getNote(OIDCLoginProtocol.LOGIN_HINT_PARAM); + String loginHint = context.getAuthenticationSession().getNote(OIDCLoginProtocol.LOGIN_HINT_PARAM); String rememberMeUsername = AuthenticationManager.getRememberMeUsername(context.getRealm(), context.getHttpRequest().getHttpHeaders()); @@ -72,7 +72,7 @@ public class UsernamePasswordForm extends AbstractUsernameFormAuthenticator impl } } Response challengeResponse = challenge(context, formData); - context.getLoginSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, context.getExecution().getId()); + context.getAuthenticationSession().setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, context.getExecution().getId()); context.challenge(challengeResponse); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java b/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java index 409618f318..a1cbbe514f 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java @@ -55,7 +55,7 @@ public class ValidateUsername extends AbstractDirectGrantAuthenticator { return; } context.getEvent().detail(Details.USERNAME, username); - context.getLoginSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); + context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); UserModel user = null; try { diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java index 9604504891..4f022a0f45 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java @@ -34,7 +34,6 @@ import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.provider.ProviderConfigProperty; -import org.keycloak.services.ServicesLogger; import org.keycloak.services.messages.Messages; import javax.ws.rs.core.MultivaluedMap; @@ -53,9 +52,9 @@ public class ResetCredentialChooseUser implements Authenticator, AuthenticatorFa @Override public void authenticate(AuthenticationFlowContext context) { - String existingUserId = context.getLoginSession().getNote(AbstractIdpAuthenticator.EXISTING_USER_INFO); + String existingUserId = context.getAuthenticationSession().getAuthNote(AbstractIdpAuthenticator.EXISTING_USER_INFO); if (existingUserId != null) { - UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getLoginSession()); + UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getAuthenticationSession()); logger.debugf("Forget-password triggered when reauthenticating user after first broker login. Skipping reset-credential-choose-user screen and using user '%s' ", existingUser.getUsername()); context.setUser(existingUser); @@ -89,7 +88,7 @@ public class ResetCredentialChooseUser implements Authenticator, AuthenticatorFa user = context.getSession().users().getUserByEmail(username, realm); } - context.getLoginSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); + context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username); // we don't want people guessing usernames, so if there is a problem, just continue, but don't set the user // a null user will notify further executions, that this was a failure. diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java index 8f21ddf4f6..462b5d2295 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java @@ -36,6 +36,7 @@ import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.services.ServicesLogger; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; +import org.keycloak.sessions.AuthenticationSessionModel; import java.util.*; import javax.ws.rs.core.Response; @@ -52,10 +53,8 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory @Override public void authenticate(AuthenticationFlowContext context) { - /*LoginActionsService.createActionCookie(context.getRealm(), context.getUriInfo(), context.getConnection(), context.getClientSession().getId()); - UserModel user = context.getUser(); - String username = context.getClientSession().getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); + String username = context.getAuthenticationSession().getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); // we don't want people guessing usernames, so if there was a problem obtaining the user, the user will be null. // just reset login for with a success message @@ -84,10 +83,10 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory Long lastCreatedPassword = password == null ? null : password.getCreatedDate(); // We send the secret in the email in a link as a query param. - ResetCredentialsActionToken token = new ResetCredentialsActionToken(user.getId(), absoluteExpirationInSecs, null, lastCreatedPassword, context.getClientSession()); + ResetCredentialsActionToken token = new ResetCredentialsActionToken(user.getId(), absoluteExpirationInSecs, null, lastCreatedPassword, context.getAuthenticationSession()); KeycloakSession keycloakSession = context.getSession(); String link = UriBuilder - .fromUri(context.getActionUrl()) + .fromUri(context.getRefreshExecutionUrl()) .queryParam(Constants.KEY, token.serialize(keycloakSession, context.getRealm(), context.getUriInfo())) .build() .toString(); @@ -98,7 +97,7 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory event.clone().event(EventType.SEND_RESET_PASSWORD) .user(user) .detail(Details.USERNAME, username) - .detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, context.getClientSession().getId()).success(); + .detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, context.getAuthenticationSession().getId()).success(); context.forkWithSuccessMessage(new FormMessage(Messages.EMAIL_SENT)); } catch (EmailException e) { event.clone().event(EventType.SEND_RESET_PASSWORD) @@ -110,12 +109,11 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory .setError(Messages.EMAIL_SENT_ERROR) .createErrorPage(); context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); - }*/ + } } @Override public void action(AuthenticationFlowContext context) { - /* KeycloakSession keycloakSession = context.getSession(); String actionTokenString = context.getUriInfo().getQueryParameters().getFirst(Constants.KEY); ResetCredentialsActionToken tokenFromMail = null; @@ -147,10 +145,10 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory Long lastCreatedPasswordMail = tokenFromMail.getLastChangedPasswordTimestamp(); Long lastCreatedPasswordFromStore = password == null ? null : password.getCreatedDate(); - String clientSessionId = tokenFromMail.getClientSessionId(); - ClientSessionModel clientSession = clientSessionId == null ? null : keycloakSession.sessions().getClientSession(clientSessionId); + String authenticationSessionId = tokenFromMail.getAuthenticationSessionId(); + AuthenticationSessionModel authenticationSession = authenticationSessionId == null ? null : keycloakSession.authenticationSessions().getAuthenticationSession(context.getRealm(), authenticationSessionId); - if (clientSession == null + if (authenticationSession == null || ! Objects.equals(lastCreatedPasswordMail, lastCreatedPasswordFromStore) || ! Objects.equals(userId, context.getUser().getId())) { context.getEvent() @@ -167,7 +165,7 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory // We now know email is valid, so set it to valid. context.getUser().setEmailVerified(true); - context.success();*/ + context.success(); } @Override diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java index 7dcf8293f0..4c1fdadac1 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetOTP.java @@ -33,7 +33,7 @@ public class ResetOTP extends AbstractSetRequiredActionAuthenticator { if (context.getExecution().isRequired() || (context.getExecution().isOptional() && configuredFor(context))) { - context.getLoginSession().addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP); + context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP); } context.success(); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java index 9c0fdab7cd..68b8bfc21e 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetPassword.java @@ -20,8 +20,6 @@ package org.keycloak.authentication.authenticators.resetcred; import org.keycloak.authentication.AuthenticationFlowContext; import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserModel; -import org.keycloak.services.managers.AuthenticationManager; -import org.keycloak.services.resources.LoginActionsService; /** * @author Bill Burke @@ -33,15 +31,10 @@ public class ResetPassword extends AbstractSetRequiredActionAuthenticator { @Override public void authenticate(AuthenticationFlowContext context) { - String actionCookie = LoginActionsService.getActionCookie(context.getSession().getContext().getRequestHeaders(), context.getRealm(), context.getUriInfo(), context.getConnection()); - if (actionCookie == null || !actionCookie.equals(context.getLoginSession().getId())) { - context.getLoginSession().setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); - } - if (context.getExecution().isRequired() || (context.getExecution().isOptional() && configuredFor(context))) { - context.getLoginSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD); + context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD); } context.success(); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java index e0860fa32b..46f800ea28 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java @@ -92,7 +92,7 @@ public class ValidateX509CertificateUsername extends AbstractX509ClientCertifica UserModel user; try { context.getEvent().detail(Details.USERNAME, userIdentity.toString()); - context.getClientSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userIdentity.toString()); + context.getAuthenticationSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userIdentity.toString()); user = getUserIdentityToModelMapper(config).find(context, userIdentity); } catch(ModelDuplicateException e) { diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java index 21e67ecaaf..01345bacf8 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java @@ -111,7 +111,7 @@ public class X509ClientCertificateAuthenticator extends AbstractX509ClientCertif UserModel user; try { context.getEvent().detail(Details.USERNAME, userIdentity.toString()); - context.getClientSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userIdentity.toString()); + context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userIdentity.toString()); user = getUserIdentityToModelMapper(config).find(context, userIdentity); } catch(ModelDuplicateException e) { @@ -166,7 +166,7 @@ public class X509ClientCertificateAuthenticator extends AbstractX509ClientCertif // to call the method "challenge" results in a wrong/unexpected behavior. // The question is whether calling "forceChallenge" here is ok from // the design viewpoint? - context.getClientSession().setNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, context.getExecution().getId()); + context.getAuthenticationSession().setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, context.getExecution().getId()); context.forceChallenge(createSuccessResponse(context, certs[0].getSubjectDN().getName())); // Do not set the flow status yet, we want to display a form to let users // choose whether to accept the identity from certificate or to specify username/password explicitly diff --git a/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java b/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java index ddb42be050..ad13212f14 100755 --- a/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java +++ b/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java @@ -134,16 +134,16 @@ public class RegistrationUserCreation implements FormAction, FormActionFactory { user.setEnabled(true); user.setEmail(email); - context.getLoginSession().setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); + context.getAuthenticationSession().setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); AttributeFormDataProcessor.process(formData, context.getRealm(), user); context.setUser(user); context.getEvent().user(user); context.getEvent().success(); context.newEvent().event(EventType.LOGIN); - context.getEvent().client(context.getLoginSession().getClient().getClientId()) - .detail(Details.REDIRECT_URI, context.getLoginSession().getRedirectUri()) - .detail(Details.AUTH_METHOD, context.getLoginSession().getProtocol()); - String authType = context.getLoginSession().getNote(Details.AUTH_TYPE); + context.getEvent().client(context.getAuthenticationSession().getClient().getClientId()) + .detail(Details.REDIRECT_URI, context.getAuthenticationSession().getRedirectUri()) + .detail(Details.AUTH_METHOD, context.getAuthenticationSession().getProtocol()); + String authType = context.getAuthenticationSession().getAuthNote(Details.AUTH_TYPE); if (authType != null) { context.getEvent().detail(Details.AUTH_TYPE, authType); } diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java index 9984e823ae..5a0e5bf1b5 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java @@ -88,8 +88,8 @@ public class UpdatePassword implements RequiredActionProvider, RequiredActionFac String passwordConfirm = formData.getFirst("password-confirm"); EventBuilder errorEvent = event.clone().event(EventType.UPDATE_PASSWORD_ERROR) - .client(context.getLoginSession().getClient()) - .user(context.getLoginSession().getAuthenticatedUser()); + .client(context.getAuthenticationSession().getClient()) + .user(context.getAuthenticationSession().getAuthenticatedUser()); if (Validation.isBlank(passwordNew)) { Response challenge = context.form() diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java index 88d859420b..8a7ea61114 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java @@ -38,7 +38,7 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.authorization.AuthorizationProvider; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.authorization.util.Permissions; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest; import org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder; @@ -54,7 +54,7 @@ import org.keycloak.authorization.policy.evaluation.EvaluationContext; import org.keycloak.authorization.policy.evaluation.Result; import org.keycloak.authorization.store.ScopeStore; import org.keycloak.authorization.store.StoreFactory; -import org.keycloak.authorization.util.Permissions; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; @@ -67,7 +67,7 @@ import org.keycloak.representations.idm.authorization.ResourceRepresentation; import org.keycloak.representations.idm.authorization.ScopeRepresentation; import org.keycloak.services.Urls; import org.keycloak.services.resources.admin.RealmAuth; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; /** * @author Pedro Igor @@ -215,7 +215,7 @@ public class PolicyEvaluationService { String subject = representation.getUserId(); - ClientLoginSessionModel clientSession = null; + AuthenticatedClientSessionModel clientSession = null; UserSessionModel userSession = null; if (subject != null) { UserModel userModel = keycloakSession.users().getUserById(subject, realm); @@ -229,11 +229,11 @@ public class PolicyEvaluationService { if (clientId != null) { ClientModel clientModel = realm.getClientById(clientId); - LoginSessionModel loginSession = keycloakSession.loginSessions().createLoginSession(realm, clientModel, false); - loginSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + AuthenticationSessionModel authSession = keycloakSession.authenticationSessions().createAuthenticationSession(realm, clientModel, false); + authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); userSession = keycloakSession.sessions().createUserSession(realm, userModel, userModel.getUsername(), "127.0.0.1", "passwd", false, null, null); - new TokenManager().attachLoginSession(keycloakSession, userSession, loginSession); + clientSession = new TokenManager().attachAuthenticationSession(keycloakSession, userSession, authSession); Set requestedRoles = new HashSet<>(); for (String roleId : clientSession.getRoles()) { diff --git a/services/src/main/java/org/keycloak/broker/provider/HardcodedUserSessionAttributeMapper.java b/services/src/main/java/org/keycloak/broker/provider/HardcodedUserSessionAttributeMapper.java index 8409206b04..1b91f56830 100755 --- a/services/src/main/java/org/keycloak/broker/provider/HardcodedUserSessionAttributeMapper.java +++ b/services/src/main/java/org/keycloak/broker/provider/HardcodedUserSessionAttributeMapper.java @@ -87,14 +87,14 @@ public class HardcodedUserSessionAttributeMapper extends AbstractIdentityProvide public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) { String attribute = mapperModel.getConfig().get(ATTRIBUTE); String attributeValue = mapperModel.getConfig().get(ATTRIBUTE_VALUE); - context.getLoginSession().setUserSessionNote(attribute, attributeValue); + context.getAuthenticationSession().setUserSessionNote(attribute, attributeValue); } @Override public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) { String attribute = mapperModel.getConfig().get(ATTRIBUTE); String attributeValue = mapperModel.getConfig().get(ATTRIBUTE_VALUE); - context.getLoginSession().setUserSessionNote(attribute, attributeValue); + context.getAuthenticationSession().setUserSessionNote(attribute, attributeValue); } @Override diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java index b1c087207f..b7e6679978 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java @@ -46,7 +46,7 @@ import org.keycloak.models.UserModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.services.Urls; import org.keycloak.services.messages.Messages; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.theme.BrowserSecurityHeaderSetup; import org.keycloak.theme.FreeMarkerException; import org.keycloak.theme.FreeMarkerUtil; @@ -102,7 +102,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { private UserModel user; - private LoginSessionModel loginSession; + private AuthenticationSessionModel authenticationSession; private final Map attributes = new HashMap(); public FreeMarkerLoginFormsProvider(KeycloakSession session, FreeMarkerUtil freeMarker) { @@ -141,11 +141,11 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { page = LoginFormsPages.LOGIN_UPDATE_PASSWORD; break; case VERIFY_EMAIL: - // TODO:mposolda It should be also clientSession (actionTicket) involved here. Not just loginSession + // TODO:mposolda It should be also clientSession (actionTicket) involved here. Not just authSession /*try { UriBuilder builder = Urls.loginActionEmailVerificationBuilder(uriInfo.getBaseUri()); builder.queryParam(OAuth2Constants.CODE, accessCode); - builder.queryParam(Constants.KEY, loginSession.getNote(Constants.VERIFY_EMAIL_KEY)); + builder.queryParam(Constants.KEY, authSession.getNote(Constants.VERIFY_EMAIL_KEY)); String link = builder.build(realm.getName()).toString(); long expiration = TimeUnit.SECONDS.toMinutes(realm.getAccessCodeLifespanUserAction()); @@ -187,10 +187,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { uriBuilder.replaceQueryParam(k, objects); } - if (accessCode != null) { - uriBuilder.replaceQueryParam(OAuth2Constants.CODE, accessCode); - } - ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending"); Theme theme; try { @@ -463,6 +459,11 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { return createResponse(LoginFormsPages.LOGIN_IDP_LINK_CONFIRM); } + @Override + public Response createLoginExpiredPage() { + return createResponse(LoginFormsPages.LOGIN_PAGE_EXPIRED); + } + @Override public Response createIdpLinkEmailPage() { BrokeredIdentityContext brokerContext = (BrokeredIdentityContext) this.attributes.get(IDENTITY_PROVIDER_BROKER_CONTEXT); @@ -589,8 +590,8 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { } @Override - public LoginFormsProvider setLoginSession(LoginSessionModel loginSession) { - this.loginSession = loginSession; + public LoginFormsProvider setAuthenticationSession(AuthenticationSessionModel authSession) { + this.authenticationSession = authSession; return this; } diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/Templates.java b/services/src/main/java/org/keycloak/forms/login/freemarker/Templates.java index e28c627593..f2a9d756a5 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/Templates.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/Templates.java @@ -54,6 +54,8 @@ public class Templates { return "login-update-profile.ftl"; case CODE: return "code.ftl"; + case LOGIN_PAGE_EXPIRED: + return "login-page-expired.ftl"; default: throw new IllegalArgumentException(); } diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java b/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java index a622c222e0..9b3a9f3c30 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java @@ -50,6 +50,10 @@ public class UrlBean { return Urls.realmLoginPage(baseURI, realm).toString(); } + public String getLoginRestartFlowUrl() { + return Urls.realmLoginRestartPage(baseURI, realm).toString(); + } + public String getRegistrationAction() { if (this.actionuri != null) { return this.actionuri.toString(); diff --git a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java index f0387e8055..e81e9e59e0 100755 --- a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java +++ b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java @@ -23,14 +23,12 @@ import org.keycloak.common.ClientConnection; import org.keycloak.events.Details; import org.keycloak.events.EventBuilder; import org.keycloak.models.AuthenticationFlowModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.protocol.LoginProtocol.Error; -import org.keycloak.services.ServicesLogger; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.resources.LoginActionsService; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; @@ -64,9 +62,9 @@ public abstract class AuthorizationEndpointBase { this.event = event; } - protected AuthenticationProcessor createProcessor(LoginSessionModel loginSession, String flowId, String flowPath) { + protected AuthenticationProcessor createProcessor(AuthenticationSessionModel authSession, String flowId, String flowPath) { AuthenticationProcessor processor = new AuthenticationProcessor(); - processor.setLoginSession(loginSession) + processor.setAuthenticationSession(authSession) .setFlowPath(flowPath) .setFlowId(flowId) .setBrowserFlow(true) @@ -76,23 +74,26 @@ public abstract class AuthorizationEndpointBase { .setSession(session) .setUriInfo(uriInfo) .setRequest(request); + + authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath); + return processor; } /** * Common method to handle browser authentication request in protocols unified way. * - * @param loginSession for current request + * @param authSession for current request * @param protocol handler for protocol used to initiate login * @param isPassive set to true if login should be passive (without login screen shown) * @param redirectToAuthentication if true redirect to flow url. If initial call to protocol is a POST, you probably want to do this. This is so we can disable the back button on browser * @return response to be returned to the browser */ - protected Response handleBrowserAuthenticationRequest(LoginSessionModel loginSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication) { + protected Response handleBrowserAuthenticationRequest(AuthenticationSessionModel authSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication) { AuthenticationFlowModel flow = getAuthenticationFlow(); String flowId = flow.getId(); - AuthenticationProcessor processor = createProcessor(loginSession, flowId, LoginActionsService.AUTHENTICATE_PATH); - event.detail(Details.CODE_ID, loginSession.getId()); + AuthenticationProcessor processor = createProcessor(authSession, flowId, LoginActionsService.AUTHENTICATE_PATH); + event.detail(Details.CODE_ID, authSession.getId()); if (isPassive) { // OIDC prompt == NONE or SAML 2 IsPassive flag // This means that client is just checking if the user is already completely logged in. @@ -101,13 +102,16 @@ public abstract class AuthorizationEndpointBase { if (processor.authenticateOnly() == null) { // processor.attachSession(); } else { - Response response = protocol.sendError(loginSession, Error.PASSIVE_LOGIN_REQUIRED); - session.loginSessions().removeLoginSession(realm, loginSession); + Response response = protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED); + session.authenticationSessions().removeAuthenticationSession(realm, authSession); return response; } + + AuthenticationManager.setRolesAndMappersInSession(authSession); + if (processor.isActionRequired()) { - Response response = protocol.sendError(loginSession, Error.PASSIVE_INTERACTION_REQUIRED); - session.loginSessions().removeLoginSession(realm, loginSession); + Response response = protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED); + session.authenticationSessions().removeAuthenticationSession(realm, authSession); return response; } @@ -119,10 +123,9 @@ public abstract class AuthorizationEndpointBase { return processor.finishAuthentication(protocol); } else { try { - // TODO: Check if this is required... - RestartLoginCookie.setRestartCookie(session, realm, clientConnection, uriInfo, loginSession); + RestartLoginCookie.setRestartCookie(session, realm, clientConnection, uriInfo, authSession); if (redirectToAuthentication) { - return processor.redirectToFlow(); + return processor.redirectToFlow(null); } return processor.authenticate(); } catch (Exception e) { diff --git a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java index 109f2c935f..22d764dc20 100644 --- a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java +++ b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java @@ -23,20 +23,17 @@ import org.keycloak.common.ClientConnection; import org.keycloak.jose.jws.JWSBuilder; import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.crypto.HMACProvider; -import org.keycloak.jose.jws.crypto.RSAProvider; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.util.CookieHelper; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.crypto.SecretKey; import javax.ws.rs.core.Cookie; import javax.ws.rs.core.UriInfo; -import java.security.PublicKey; import java.util.HashMap; import java.util.Map; @@ -51,7 +48,7 @@ public class RestartLoginCookie { private static final Logger logger = Logger.getLogger(RestartLoginCookie.class); public static final String KC_RESTART = "KC_RESTART"; @JsonProperty("cs") - protected String clientSession; + protected String authenticationSession; @JsonProperty("cid") protected String clientId; @@ -68,12 +65,12 @@ public class RestartLoginCookie { @JsonProperty("notes") protected Map notes = new HashMap<>(); - public String getClientSession() { - return clientSession; + public String getAuthenticationSession() { + return authenticationSession; } - public void setClientSession(String clientSession) { - this.clientSession = clientSession; + public void setAuthenticationSession(String authenticationSession) { + this.authenticationSession = authenticationSession; } public Map getNotes() { @@ -126,19 +123,19 @@ public class RestartLoginCookie { public RestartLoginCookie() { } - public RestartLoginCookie(LoginSessionModel clientSession) { + public RestartLoginCookie(AuthenticationSessionModel clientSession) { this.action = clientSession.getAction(); this.clientId = clientSession.getClient().getClientId(); this.authMethod = clientSession.getProtocol(); this.redirectUri = clientSession.getRedirectUri(); - this.clientSession = clientSession.getId(); + this.authenticationSession = clientSession.getId(); for (Map.Entry entry : clientSession.getNotes().entrySet()) { notes.put(entry.getKey(), entry.getValue()); } } - public static void setRestartCookie(KeycloakSession session, RealmModel realm, ClientConnection connection, UriInfo uriInfo, LoginSessionModel loginSession) { - RestartLoginCookie restart = new RestartLoginCookie(loginSession); + public static void setRestartCookie(KeycloakSession session, RealmModel realm, ClientConnection connection, UriInfo uriInfo, AuthenticationSessionModel authSession) { + RestartLoginCookie restart = new RestartLoginCookie(authSession); String encoded = restart.encode(session, realm); String path = AuthenticationManager.getRealmCookiePath(realm, uriInfo); boolean secureOnly = realm.getSslRequired().isRequired(connection); @@ -151,14 +148,12 @@ public class RestartLoginCookie { CookieHelper.addCookie(KC_RESTART, "", path, null, null, 0, secureOnly, true); } - // TODO:mposolda - /* - public static ClientSessionModel restartSession(KeycloakSession session, RealmModel realm, String code) throws Exception { - String[] parts = code.split("\\."); - return restartSessionByClientSession(session, realm, parts[1]); + + public static AuthenticationSessionModel restartSession(KeycloakSession session, RealmModel realm) throws Exception { + return restartSessionByClientSession(session, realm); } - public static ClientSessionModel restartSessionByClientSession(KeycloakSession session, RealmModel realm, String clientSessionId) throws Exception { + private static AuthenticationSessionModel restartSessionByClientSession(KeycloakSession session, RealmModel realm) throws Exception { Cookie cook = session.getContext().getRequestHeaders().getCookies().get(KC_RESTART); if (cook == null) { logger.debug("KC_RESTART cookie doesn't exist"); @@ -172,22 +167,18 @@ public class RestartLoginCookie { return null; } RestartLoginCookie cookie = input.readJsonContent(RestartLoginCookie.class); - if (!clientSessionId.equals(cookie.getClientSession())) { - logger.debug("RestartLoginCookie clientSession does not match code's clientSession"); - return null; - } ClientModel client = realm.getClientByClientId(cookie.getClientId()); if (client == null) return null; - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - clientSession.setAuthMethod(cookie.getAuthMethod()); - clientSession.setRedirectUri(cookie.getRedirectUri()); - clientSession.setAction(cookie.getAction()); + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + authSession.setProtocol(cookie.getAuthMethod()); + authSession.setRedirectUri(cookie.getRedirectUri()); + authSession.setAction(cookie.getAction()); for (Map.Entry entry : cookie.getNotes().entrySet()) { - clientSession.setNote(entry.getKey(), entry.getValue()); + authSession.setNote(entry.getKey(), entry.getValue()); } - return clientSession; - }*/ + return authSession; + } } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java index 5dd0433a9a..59b7835007 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java @@ -23,7 +23,7 @@ import org.keycloak.common.util.Time; import org.keycloak.events.Details; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; @@ -39,7 +39,7 @@ import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ResourceAdminManager; import org.keycloak.sessions.CommonClientSessionModel; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.util.TokenUtil; import javax.ws.rs.core.HttpHeaders; @@ -171,8 +171,8 @@ public class OIDCLoginProtocol implements LoginProtocol { @Override - public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { - ClientLoginSessionModel clientSession = accessCode.getClientSession(); + public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { + AuthenticatedClientSessionModel clientSession = accessCode.getClientSession(); setupResponseTypeAndMode(clientSession); String redirect = clientSession.getRedirectUri(); @@ -229,15 +229,15 @@ public class OIDCLoginProtocol implements LoginProtocol { @Override - public Response sendError(LoginSessionModel loginSession, Error error) { - setupResponseTypeAndMode(loginSession); + public Response sendError(AuthenticationSessionModel authSession, Error error) { + setupResponseTypeAndMode(authSession); - String redirect = loginSession.getRedirectUri(); - String state = loginSession.getNote(OIDCLoginProtocol.STATE_PARAM); + String redirect = authSession.getRedirectUri(); + String state = authSession.getNote(OIDCLoginProtocol.STATE_PARAM); OIDCRedirectUriBuilder redirectUri = OIDCRedirectUriBuilder.fromUri(redirect, responseMode).addParam(OAuth2Constants.ERROR, translateError(error)); if (state != null) redirectUri.addParam(OAuth2Constants.STATE, state); - session.loginSessions().removeLoginSession(realm, loginSession); + session.authenticationSessions().removeAuthenticationSession(realm, authSession); RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); return redirectUri.build(); } @@ -258,13 +258,13 @@ public class OIDCLoginProtocol implements LoginProtocol { } @Override - public void backchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { ClientModel client = clientSession.getClient(); new ResourceAdminManager(session).logoutClientSession(uriInfo.getRequestUri(), realm, client, clientSession); } @Override - public Response frontchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { // todo oidc redirect support throw new RuntimeException("NOT IMPLEMENTED"); } @@ -291,18 +291,18 @@ public class OIDCLoginProtocol implements LoginProtocol { @Override - public boolean requireReauthentication(UserSessionModel userSession, LoginSessionModel loginSession) { - return isPromptLogin(loginSession) || isAuthTimeExpired(userSession, loginSession); + public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) { + return isPromptLogin(authSession) || isAuthTimeExpired(userSession, authSession); } - protected boolean isPromptLogin(LoginSessionModel loginSession) { - String prompt = loginSession.getNote(OIDCLoginProtocol.PROMPT_PARAM); + protected boolean isPromptLogin(AuthenticationSessionModel authSession) { + String prompt = authSession.getNote(OIDCLoginProtocol.PROMPT_PARAM); return TokenUtil.hasPrompt(prompt, OIDCLoginProtocol.PROMPT_VALUE_LOGIN); } - protected boolean isAuthTimeExpired(UserSessionModel userSession, LoginSessionModel loginSession) { + protected boolean isAuthTimeExpired(UserSessionModel userSession, AuthenticationSessionModel authSession) { String authTime = userSession.getNote(AuthenticationManager.AUTH_TIME); - String maxAge = loginSession.getNote(OIDCLoginProtocol.MAX_AGE_PARAM); + String maxAge = authSession.getNote(OIDCLoginProtocol.MAX_AGE_PARAM); if (maxAge == null) { return false; } @@ -312,7 +312,7 @@ public class OIDCLoginProtocol implements LoginProtocol { if (authTimeInt + maxAgeInt < Time.currentTime()) { logger.debugf("Authentication time is expired, needs to reauthenticate. userSession=%s, clientId=%s, maxAge=%d, authTime=%d", userSession.getId(), - loginSession.getClient().getId(), maxAgeInt, authTimeInt); + authSession.getClient().getId(), maxAgeInt, authTimeInt); return true; } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java index 49a47a1c2d..cd7c65cfe5 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java @@ -31,9 +31,8 @@ import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInputException; import org.keycloak.jose.jws.crypto.HashProvider; import org.keycloak.jose.jws.crypto.RSAProvider; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ClientTemplateModel; import org.keycloak.models.GroupModel; import org.keycloak.models.KeyManager; @@ -60,7 +59,7 @@ import org.keycloak.services.ErrorResponseException; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.UserSessionManager; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.util.TokenUtil; import org.keycloak.common.util.Time; @@ -108,10 +107,10 @@ public class TokenManager { public static class TokenValidation { public final UserModel user; public final UserSessionModel userSession; - public final ClientLoginSessionModel clientSession; + public final AuthenticatedClientSessionModel clientSession; public final AccessToken newToken; - public TokenValidation(UserModel user, UserSessionModel userSession, ClientLoginSessionModel clientSession, AccessToken newToken) { + public TokenValidation(UserModel user, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, AccessToken newToken) { this.user = user; this.userSession = userSession; this.clientSession = clientSession; @@ -157,7 +156,7 @@ public class TokenManager { } ClientModel client = session.getContext().getClient(); - ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(client.getId()); + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); if (!client.getClientId().equals(oldToken.getIssuedFor())) { throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Unmatching clients", "Unmatching clients"); @@ -218,7 +217,7 @@ public class TokenManager { return false; } - ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(client.getId()); + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); if (clientSession == null) { return false; >>>>>>> KEYCLOAK-4626 AuthenticationSessions: start @@ -346,7 +345,7 @@ public class TokenManager { } public AccessToken createClientAccessToken(KeycloakSession session, Set requestedRoles, RealmModel realm, ClientModel client, UserModel user, UserSessionModel userSession, - ClientLoginSessionModel clientSession) { + AuthenticatedClientSessionModel clientSession) { AccessToken token = initToken(realm, client, user, userSession, clientSession, session.getContext().getUri()); for (RoleModel role : requestedRoles) { addComposites(token, role); @@ -355,68 +354,45 @@ public class TokenManager { return token; } - public static ClientLoginSessionModel attachLoginSession(KeycloakSession session, UserSessionModel userSession, LoginSessionModel loginSession) { - UserModel user = userSession.getUser(); - ClientModel client = loginSession.getClient(); - ClientLoginSessionModel clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); - Set requestedRoles = new HashSet(); - // todo scope param protocol independent - String scopeParam = loginSession.getNote(OAuth2Constants.SCOPE); - for (RoleModel r : TokenManager.getAccess(scopeParam, true, client, user)) { - requestedRoles.add(r.getId()); - } - clientSession.setRoles(requestedRoles); + public static AuthenticatedClientSessionModel attachAuthenticationSession(KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession) { + ClientModel client = authSession.getClient(); - Set requestedProtocolMappers = new HashSet(); - ClientTemplateModel clientTemplate = client.getClientTemplate(); - if (clientTemplate != null && client.useTemplateMappers()) { - for (ProtocolMapperModel protocolMapper : clientTemplate.getProtocolMappers()) { - if (protocolMapper.getProtocol().equals(loginSession.getProtocol())) { - requestedProtocolMappers.add(protocolMapper.getId()); - } - } + AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); + clientSession.setRedirectUri(authSession.getRedirectUri()); + clientSession.setProtocol(authSession.getProtocol()); - } - for (ProtocolMapperModel protocolMapper : client.getProtocolMappers()) { - if (protocolMapper.getProtocol().equals(loginSession.getProtocol())) { - requestedProtocolMappers.add(protocolMapper.getId()); - } - } - clientSession.setProtocolMappers(requestedProtocolMappers); + clientSession.setRoles(authSession.getRoles()); + clientSession.setProtocolMappers(authSession.getProtocolMappers()); - Map transferredNotes = loginSession.getNotes(); + Map transferredNotes = authSession.getNotes(); for (Map.Entry entry : transferredNotes.entrySet()) { clientSession.setNote(entry.getKey(), entry.getValue()); } - Map transferredUserSessionNotes = loginSession.getUserSessionNotes(); + Map transferredUserSessionNotes = authSession.getUserSessionNotes(); for (Map.Entry entry : transferredUserSessionNotes.entrySet()) { userSession.setNote(entry.getKey(), entry.getValue()); } clientSession.setTimestamp(Time.currentTime()); - userSession.getClientLoginSessions().put(client.getId(), clientSession); - - // Remove login session now - session.loginSessions().removeLoginSession(userSession.getRealm(), loginSession); + // Remove authentication session now + session.authenticationSessions().removeAuthenticationSession(userSession.getRealm(), authSession); return clientSession; } - public static void dettachClientSession(UserSessionProvider sessions, RealmModel realm, ClientLoginSessionModel clientSession) { + public static void dettachClientSession(UserSessionProvider sessions, RealmModel realm, AuthenticatedClientSessionModel clientSession) { UserSessionModel userSession = clientSession.getUserSession(); if (userSession == null) { return; } clientSession.setUserSession(null); - clientSession.setRoles(null); - clientSession.setProtocolMappers(null); - if (userSession.getClientSessions().isEmpty()) { + if (userSession.getAuthenticatedClientSessions().isEmpty()) { sessions.removeUserSession(realm, userSession); } } @@ -550,7 +526,7 @@ public class TokenManager { } public AccessToken transformAccessToken(KeycloakSession session, AccessToken token, RealmModel realm, ClientModel client, UserModel user, - UserSessionModel userSession, ClientLoginSessionModel clientSession) { + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { Set mappings = ClientSessionCode.getRequestedProtocolMappers(clientSession.getProtocolMappers(), client); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); for (ProtocolMapperModel mapping : mappings) { @@ -565,7 +541,7 @@ public class TokenManager { } public AccessToken transformUserInfoAccessToken(KeycloakSession session, AccessToken token, RealmModel realm, ClientModel client, UserModel user, - UserSessionModel userSession, ClientLoginSessionModel clientSession) { + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { Set mappings = ClientSessionCode.getRequestedProtocolMappers(clientSession.getProtocolMappers(), client); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); for (ProtocolMapperModel mapping : mappings) { @@ -580,7 +556,7 @@ public class TokenManager { } public void transformIDToken(KeycloakSession session, IDToken token, RealmModel realm, ClientModel client, UserModel user, - UserSessionModel userSession, ClientLoginSessionModel clientSession) { + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { Set mappings = ClientSessionCode.getRequestedProtocolMappers(clientSession.getProtocolMappers(), client); KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); for (ProtocolMapperModel mapping : mappings) { @@ -592,7 +568,7 @@ public class TokenManager { } } - protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, ClientLoginSessionModel clientSession, UriInfo uriInfo) { + protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, AuthenticatedClientSessionModel clientSession, UriInfo uriInfo) { AccessToken token = new AccessToken(); token.clientSession(clientSession.getId()); token.id(KeycloakModelUtils.generateId()); @@ -628,7 +604,7 @@ public class TokenManager { return token; } - private int getTokenLifespan(RealmModel realm, ClientLoginSessionModel clientSession) { + private int getTokenLifespan(RealmModel realm, AuthenticatedClientSessionModel clientSession) { boolean implicitFlow = false; String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); if (responseType != null) { @@ -670,7 +646,7 @@ public class TokenManager { return new JWSBuilder().type(JWT).kid(activeRsaKey.getKid()).jsonContent(token).sign(jwsAlgorithm, activeRsaKey.getPrivateKey()); } - public AccessTokenResponseBuilder responseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public AccessTokenResponseBuilder responseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { return new AccessTokenResponseBuilder(realm, client, event, session, userSession, clientSession); } @@ -680,7 +656,7 @@ public class TokenManager { EventBuilder event; KeycloakSession session; UserSessionModel userSession; - ClientLoginSessionModel clientSession; + AuthenticatedClientSessionModel clientSession; AccessToken accessToken; RefreshToken refreshToken; @@ -689,7 +665,7 @@ public class TokenManager { boolean generateAccessTokenHash = false; String codeHash; - public AccessTokenResponseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public AccessTokenResponseBuilder(RealmModel realm, ClientModel client, EventBuilder event, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { this.realm = realm; this.client = client; this.event = event; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java index 3a41f92daa..6691712e38 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java @@ -44,7 +44,7 @@ import org.keycloak.services.Urls; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.util.TokenUtil; import javax.ws.rs.GET; @@ -64,10 +64,10 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { public static final String CODE_AUTH_TYPE = "code"; /** - * Prefix used to store additional HTTP GET params from original client request into {@link LoginSessionModel} note to be available later in Authenticators, RequiredActions etc. Prefix is used to + * Prefix used to store additional HTTP GET params from original client request into {@link AuthenticationSessionModel} note to be available later in Authenticators, RequiredActions etc. Prefix is used to * prevent collisions with internally used notes. * - * @see LoginSessionModel#getNote(String) + * @see AuthenticationSessionModel#getNote(String) */ public static final String LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_"; @@ -79,7 +79,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { } private ClientModel client; - private LoginSessionModel loginSession; + private AuthenticationSessionModel authenticationSession; private Action action; private OIDCResponseType parsedResponseType; @@ -359,22 +359,22 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { } private void createLoginSession() { - loginSession = session.loginSessions().createLoginSession(realm, client, true); - loginSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - loginSession.setRedirectUri(redirectUri); - loginSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - loginSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType()); - loginSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam()); - loginSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + authenticationSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + authenticationSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + authenticationSession.setRedirectUri(redirectUri); + authenticationSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + authenticationSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType()); + authenticationSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam()); + authenticationSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - if (request.getState() != null) loginSession.setNote(OIDCLoginProtocol.STATE_PARAM, request.getState()); - if (request.getNonce() != null) loginSession.setNote(OIDCLoginProtocol.NONCE_PARAM, request.getNonce()); - if (request.getMaxAge() != null) loginSession.setNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(request.getMaxAge())); - if (request.getScope() != null) loginSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, request.getScope()); - if (request.getLoginHint() != null) loginSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, request.getLoginHint()); - if (request.getPrompt() != null) loginSession.setNote(OIDCLoginProtocol.PROMPT_PARAM, request.getPrompt()); - if (request.getIdpHint() != null) loginSession.setNote(AdapterConstants.KC_IDP_HINT, request.getIdpHint()); - if (request.getResponseMode() != null) loginSession.setNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, request.getResponseMode()); + if (request.getState() != null) authenticationSession.setNote(OIDCLoginProtocol.STATE_PARAM, request.getState()); + if (request.getNonce() != null) authenticationSession.setNote(OIDCLoginProtocol.NONCE_PARAM, request.getNonce()); + if (request.getMaxAge() != null) authenticationSession.setNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(request.getMaxAge())); + if (request.getScope() != null) authenticationSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, request.getScope()); + if (request.getLoginHint() != null) authenticationSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, request.getLoginHint()); + if (request.getPrompt() != null) authenticationSession.setNote(OIDCLoginProtocol.PROMPT_PARAM, request.getPrompt()); + if (request.getIdpHint() != null) authenticationSession.setNote(AdapterConstants.KC_IDP_HINT, request.getIdpHint()); + if (request.getResponseMode() != null) authenticationSession.setNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, request.getResponseMode()); // https://tools.ietf.org/html/rfc7636#section-4 if (request.getCodeChallenge() != null) loginSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_PARAM, request.getCodeChallenge()); @@ -386,16 +386,16 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { if (request.getAdditionalReqParams() != null) { for (String paramName : request.getAdditionalReqParams().keySet()) { - loginSession.setNote(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + paramName, request.getAdditionalReqParams().get(paramName)); + authenticationSession.setNote(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + paramName, request.getAdditionalReqParams().get(paramName)); } } } private Response buildAuthorizationCodeAuthorizationResponse() { this.event.event(EventType.LOGIN); - loginSession.setNote(Details.AUTH_TYPE, CODE_AUTH_TYPE); + authenticationSession.setAuthNote(Details.AUTH_TYPE, CODE_AUTH_TYPE); - return handleBrowserAuthenticationRequest(loginSession, new OIDCLoginProtocol(session, realm, uriInfo, headers, event), TokenUtil.hasPrompt(request.getPrompt(), OIDCLoginProtocol.PROMPT_VALUE_NONE), false); + return handleBrowserAuthenticationRequest(authenticationSession, new OIDCLoginProtocol(session, realm, uriInfo, headers, event), TokenUtil.hasPrompt(request.getPrompt(), OIDCLoginProtocol.PROMPT_VALUE_NONE), false); } private Response buildRegister() { @@ -404,7 +404,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { AuthenticationFlowModel flow = realm.getRegistrationFlow(); String flowId = flow.getId(); - AuthenticationProcessor processor = createProcessor(loginSession, flowId, LoginActionsService.REGISTRATION_PATH); + AuthenticationProcessor processor = createProcessor(authenticationSession, flowId, LoginActionsService.REGISTRATION_PATH); return processor.authenticate(); } @@ -415,7 +415,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { AuthenticationFlowModel flow = realm.getResetCredentialsFlow(); String flowId = flow.getId(); - AuthenticationProcessor processor = createProcessor(loginSession, flowId, LoginActionsService.RESET_CREDENTIALS_PATH); + AuthenticationProcessor processor = createProcessor(authenticationSession, flowId, LoginActionsService.RESET_CREDENTIALS_PATH); return processor.authenticate(); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java index e308bc9f51..2a6c2dc68f 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java @@ -32,7 +32,7 @@ import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.models.AuthenticationFlowModel; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; @@ -51,7 +51,7 @@ import org.keycloak.services.managers.ClientManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.RealmManager; import org.keycloak.services.resources.Cors; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.OPTIONS; import javax.ws.rs.POST; @@ -174,6 +174,8 @@ public class TokenEndpoint { if (client.isBearerOnly()) { throw new ErrorResponseException(OAuthErrorException.INVALID_CLIENT, "Bearer-only not allowed", Response.Status.BAD_REQUEST); } + + } private void checkGrantType() { @@ -207,8 +209,8 @@ public class TokenEndpoint { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: " + OAuth2Constants.CODE, Response.Status.BAD_REQUEST); } - ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm, ClientLoginSessionModel.class); - if (parseResult.isLoginSessionNotFound() || parseResult.isIllegalHash()) { + ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class); + if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) { String[] parts = code.split("\\."); if (parts.length == 2) { event.detail(Details.CODE_ID, parts[1]); @@ -216,20 +218,18 @@ public class TokenEndpoint { event.error(Errors.INVALID_CODE); // Attempt to use same code twice should invalidate existing clientSession - ClientLoginSessionModel clientSession = parseResult.getClientSession(); + AuthenticatedClientSessionModel clientSession = parseResult.getClientSession(); if (clientSession != null) { - UserSessionModel userSession = clientSession.getUserSession(); - String clientUUID = clientSession.getClient().getId(); - userSession.getClientLoginSessions().remove(clientUUID); + clientSession.setUserSession(null); } throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code not valid", Response.Status.BAD_REQUEST); } - ClientLoginSessionModel clientSession = parseResult.getClientSession(); + AuthenticatedClientSessionModel clientSession = parseResult.getClientSession(); event.detail(Details.CODE_ID, clientSession.getId()); - if (!parseResult.getCode().isValid(ClientLoginSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) { + if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) { event.error(Errors.INVALID_CODE); throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code is expired", Response.Status.BAD_REQUEST); } @@ -362,7 +362,7 @@ public class TokenEndpoint { if (!result.isOfflineToken()) { UserSessionModel userSession = session.sessions().getUserSession(realm, res.getSessionState()); - ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(client.getId()); + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); updateClientSession(clientSession); updateUserSessionFromClientAuth(userSession); } @@ -377,7 +377,7 @@ public class TokenEndpoint { return Cors.add(request, Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).auth().allowedOrigins(uriInfo, client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build(); } - private void updateClientSession(ClientLoginSessionModel clientSession) { + private void updateClientSession(AuthenticatedClientSessionModel clientSession) { if(clientSession == null) { ServicesLogger.LOGGER.clientSessionNull(); @@ -416,16 +416,16 @@ public class TokenEndpoint { } String scope = formParams.getFirst(OAuth2Constants.SCOPE); - LoginSessionModel loginSession = session.loginSessions().createLoginSession(realm, client, false); - loginSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - loginSession.setAction(ClientLoginSessionModel.Action.AUTHENTICATE.name()); - loginSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - loginSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, false); + authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + authSession.setAction(AuthenticatedClientSessionModel.Action.AUTHENTICATE.name()); + authSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + authSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); AuthenticationFlowModel flow = realm.getDirectGrantFlow(); String flowId = flow.getId(); AuthenticationProcessor processor = new AuthenticationProcessor(); - processor.setLoginSession(loginSession) + processor.setAuthenticationSession(authSession) .setFlowId(flowId) .setConnection(clientConnection) .setEventBuilder(event) @@ -436,13 +436,13 @@ public class TokenEndpoint { Response challenge = processor.authenticateOnly(); if (challenge != null) return challenge; processor.evaluateRequiredActionTriggers(); - UserModel user = loginSession.getAuthenticatedUser(); + UserModel user = authSession.getAuthenticatedUser(); if (user.getRequiredActions() != null && user.getRequiredActions().size() > 0) { event.error(Errors.RESOLVE_REQUIRED_ACTIONS); throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Account is not fully set up", Response.Status.BAD_REQUEST); } - ClientLoginSessionModel clientSession = processor.attachSession(); + AuthenticatedClientSessionModel clientSession = processor.attachSession(); UserSessionModel userSession = processor.getUserSession(); updateUserSessionFromClientAuth(userSession); @@ -492,15 +492,15 @@ public class TokenEndpoint { String scope = formParams.getFirst(OAuth2Constants.SCOPE); - LoginSessionModel loginSession = session.loginSessions().createLoginSession(realm, client, false); - loginSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - loginSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - loginSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, false); + authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + authSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + authSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); UserSessionModel userSession = session.sessions().createUserSession(realm, clientUser, clientUsername, clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null); event.session(userSession); - ClientLoginSessionModel clientSession = TokenManager.attachLoginSession(session, userSession, loginSession); + AuthenticatedClientSessionModel clientSession = TokenManager.attachAuthenticationSession(session, userSession, authSession); // Notes about client details userSession.setNote(ServiceAccountConstants.CLIENT_ID, client.getClientId()); diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java index 763da1e38c..f2d6f60d6f 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java @@ -29,7 +29,7 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.jose.jws.Algorithm; import org.keycloak.jose.jws.JWSBuilder; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java index d43934370c..d267f9128d 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.oidc.mappers; import org.keycloak.Config; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.ProtocolMapperModel; @@ -61,7 +61,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper { } public AccessToken transformUserInfoToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession) { + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { if (!OIDCAttributeMapperHelper.includeInUserInfo(mappingModel)) { return token; @@ -72,7 +72,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper { } public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession) { + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { if (!OIDCAttributeMapperHelper.includeInAccessToken(mappingModel)){ return token; @@ -83,7 +83,7 @@ public abstract class AbstractOIDCProtocolMapper implements ProtocolMapper { } public IDToken transformIDToken(IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession) { + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { if (!OIDCAttributeMapperHelper.includeInIDToken(mappingModel)){ return token; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.java index 4b8b1f3a47..09b39c4ae2 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.java @@ -1,6 +1,6 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperContainerModel; @@ -64,19 +64,19 @@ public abstract class AbstractPairwiseSubMapper extends AbstractOIDCProtocolMapp } @Override - public final IDToken transformIDToken(IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public final IDToken transformIDToken(IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { setSubject(token, generateSub(mappingModel, getSectorIdentifier(clientSession.getClient(), mappingModel), userSession.getUser().getId())); return token; } @Override - public final AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public final AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { setSubject(token, generateSub(mappingModel, getSectorIdentifier(clientSession.getClient(), mappingModel), userSession.getUser().getId())); return token; } @Override - public final AccessToken transformUserInfoToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public final AccessToken transformUserInfoToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { setSubject(token, generateSub(mappingModel, getSectorIdentifier(clientSession.getClient(), mappingModel), userSession.getUser().getId())); return token; } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedRole.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedRole.java index 7ebb435695..19ff92559e 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedRole.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/HardcodedRole.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -82,7 +82,7 @@ public class HardcodedRole extends AbstractOIDCProtocolMapper implements OIDCAcc @Override public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession) { + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { String role = mappingModel.getConfig().get(ROLE_CONFIG); String[] scopedRole = KeycloakModelUtils.parseRole(role); diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper.java index 387ef5c79b..e7e0b7b422 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAccessTokenMapper.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.representations.AccessToken; public interface OIDCAccessTokenMapper { AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession); + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCIDTokenMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCIDTokenMapper.java index ca80ed5113..54f380b165 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCIDTokenMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCIDTokenMapper.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.representations.IDToken; public interface OIDCIDTokenMapper { IDToken transformIDToken(IDToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession); + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/RoleNameMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/RoleNameMapper.java index c91040054f..d41063b72e 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/RoleNameMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/RoleNameMapper.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -89,7 +89,7 @@ public class RoleNameMapper extends AbstractOIDCProtocolMapper implements OIDCAc @Override public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession) { + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { String role = mappingModel.getConfig().get(ROLE_CONFIG); String newName = mappingModel.getConfig().get(NEW_ROLE_NAME); diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserInfoTokenMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserInfoTokenMapper.java index af5084c5f6..e1fc17e900 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserInfoTokenMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserInfoTokenMapper.java @@ -17,7 +17,7 @@ package org.keycloak.protocol.oidc.mappers; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -29,5 +29,5 @@ import org.keycloak.representations.AccessToken; public interface UserInfoTokenMapper { AccessToken transformUserInfoToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession); + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/utils/AuthorizeClientUtil.java b/services/src/main/java/org/keycloak/protocol/oidc/utils/AuthorizeClientUtil.java index 6e4498ee50..ffff19c818 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/utils/AuthorizeClientUtil.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/utils/AuthorizeClientUtil.java @@ -53,6 +53,8 @@ public class AuthorizeClientUtil { throw new ErrorResponseException("invalid_client", "Client authentication ended, but client is null", Response.Status.BAD_REQUEST); } + session.getContext().setClient(client); + return new ClientAuthResult(client, processor.getClientAuthAttributes()); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java index 04da54a76e..db43a7506d 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java @@ -30,7 +30,7 @@ import org.keycloak.dom.saml.v2.assertion.AssertionType; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; import org.keycloak.dom.saml.v2.protocol.ResponseType; import org.keycloak.events.EventBuilder; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; @@ -40,6 +40,7 @@ import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.LoginProtocol; import org.keycloak.protocol.ProtocolMapper; +import org.keycloak.protocol.RestartLoginCookie; import org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper; import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper; import org.keycloak.protocol.saml.mappers.SAMLRoleListMapper; @@ -61,7 +62,7 @@ import org.keycloak.services.managers.ResourceAdminManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.RealmsResource; import org.keycloak.sessions.CommonClientSessionModel; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import org.w3c.dom.Document; import javax.ws.rs.core.HttpHeaders; @@ -157,9 +158,9 @@ public class SamlProtocol implements LoginProtocol { } @Override - public Response sendError(LoginSessionModel loginSession, Error error) { + public Response sendError(AuthenticationSessionModel authSession, Error error) { try { - ClientModel client = loginSession.getClient(); + ClientModel client = authSession.getClient(); if ("true".equals(client.getAttribute(SAML_IDP_INITIATED_LOGIN))) { if (error == Error.CANCELLED_BY_USER) { @@ -174,9 +175,9 @@ public class SamlProtocol implements LoginProtocol { return ErrorPage.error(session, translateErrorToIdpInitiatedErrorMessage(error)); } } else { - SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(loginSession.getRedirectUri()).issuer(getResponseIssuer(realm)).status(translateErrorToSAMLStatus(error).get()); + SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(authSession.getRedirectUri()).issuer(getResponseIssuer(realm)).status(translateErrorToSAMLStatus(error).get()); try { - JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder().relayState(loginSession.getNote(GeneralConstants.RELAY_STATE)); + JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder().relayState(authSession.getNote(GeneralConstants.RELAY_STATE)); SamlClient samlClient = new SamlClient(client); KeyManager keyManager = session.keys(); if (samlClient.requiresRealmSignature()) { @@ -199,23 +200,22 @@ public class SamlProtocol implements LoginProtocol { binding.encrypt(publicKey); } Document document = builder.buildDocument(); - return buildErrorResponse(loginSession, binding, document); + return buildErrorResponse(authSession, binding, document); } catch (Exception e) { return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE); } } } finally { - // TODO:mposolda - //RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); - session.loginSessions().removeLoginSession(realm, loginSession); + RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); + session.authenticationSessions().removeAuthenticationSession(realm, authSession); } } - protected Response buildErrorResponse(LoginSessionModel loginSession, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException { - if (isPostBinding(loginSession)) { - return binding.postBinding(document).response(loginSession.getRedirectUri()); + protected Response buildErrorResponse(AuthenticationSessionModel authSession, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException { + if (isPostBinding(authSession)) { + return binding.postBinding(document).response(authSession.getRedirectUri()); } else { - return binding.redirectBinding(document).response(loginSession.getRedirectUri()); + return binding.redirectBinding(document).response(authSession.getRedirectUri()); } } @@ -250,10 +250,10 @@ public class SamlProtocol implements LoginProtocol { return RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString(); } - protected boolean isPostBinding(CommonClientSessionModel loginSession) { - ClientModel client = loginSession.getClient(); + protected boolean isPostBinding(CommonClientSessionModel authSession) { + ClientModel client = authSession.getClient(); SamlClient samlClient = new SamlClient(client); - return SamlProtocol.SAML_POST_BINDING.equals(loginSession.getNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding(); + return SamlProtocol.SAML_POST_BINDING.equals(authSession.getNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding(); } public static boolean isLogoutPostBindingForInitiator(UserSessionModel session) { @@ -261,7 +261,7 @@ public class SamlProtocol implements LoginProtocol { return SamlProtocol.SAML_POST_BINDING.equals(note); } - protected boolean isLogoutPostBindingForClient(ClientLoginSessionModel clientSession) { + protected boolean isLogoutPostBindingForClient(AuthenticatedClientSessionModel clientSession) { ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String logoutPostUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE); @@ -353,8 +353,8 @@ public class SamlProtocol implements LoginProtocol { } @Override - public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { - ClientLoginSessionModel clientSession = accessCode.getClientSession(); + public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { + AuthenticatedClientSessionModel clientSession = accessCode.getClientSession(); ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String requestID = clientSession.getNote(SAML_REQUEST_ID); @@ -462,7 +462,7 @@ public class SamlProtocol implements LoginProtocol { } } - protected Response buildAuthenticatedResponse(ClientLoginSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException { + protected Response buildAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException { if (isPostBinding(clientSession)) { return bindingBuilder.postBinding(samlDocument).response(redirectUri); } else { @@ -481,7 +481,7 @@ public class SamlProtocol implements LoginProtocol { } public AttributeStatementType populateAttributeStatements(List> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, - ClientLoginSessionModel clientSession) { + AuthenticatedClientSessionModel clientSession) { AttributeStatementType attributeStatement = new AttributeStatementType(); for (ProtocolMapperProcessor processor : attributeStatementMappers) { processor.mapper.transformAttributeStatement(attributeStatement, processor.model, session, userSession, clientSession); @@ -490,14 +490,14 @@ public class SamlProtocol implements LoginProtocol { return attributeStatement; } - public ResponseType transformLoginResponse(List> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public ResponseType transformLoginResponse(List> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { for (ProtocolMapperProcessor processor : mappers) { response = processor.mapper.transformLoginResponse(response, processor.model, session, userSession, clientSession); } return response; } - public void populateRoles(ProtocolMapperProcessor roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession, + public void populateRoles(ProtocolMapperProcessor roleListMapper, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, final AttributeStatementType existingAttributeStatement) { if (roleListMapper == null) return; @@ -520,7 +520,7 @@ public class SamlProtocol implements LoginProtocol { } @Override - public Response frontchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); try { @@ -615,7 +615,7 @@ public class SamlProtocol implements LoginProtocol { } @Override - public void backchannelLogout(UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public void backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String logoutUrl = getLogoutServiceUrl(uriInfo, client, SAML_POST_BINDING); @@ -674,7 +674,7 @@ public class SamlProtocol implements LoginProtocol { } - protected SAML2LogoutRequestBuilder createLogoutRequest(String logoutUrl, ClientLoginSessionModel clientSession, ClientModel client) { + protected SAML2LogoutRequestBuilder createLogoutRequest(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client) { // build userPrincipal with subject used at login SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder().assertionExpiration(realm.getAccessCodeLifespan()).issuer(getResponseIssuer(realm)).sessionIndex(clientSession.getId()) .userPrincipal(clientSession.getNote(SAML_NAME_ID), clientSession.getNote(SAML_NAME_ID_FORMAT)).destination(logoutUrl); @@ -682,7 +682,7 @@ public class SamlProtocol implements LoginProtocol { } @Override - public boolean requireReauthentication(UserSessionModel userSession, LoginSessionModel clientSession) { + public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) { // Not yet supported return false; } diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java index 83445a6352..29daf1e5ee 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java @@ -86,7 +86,7 @@ import org.keycloak.rotation.HardcodedKeyLocator; import org.keycloak.rotation.KeyLocator; import org.keycloak.saml.SPMetadataDescriptor; import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; /** * Resource class for the oauth/openid connect token service @@ -271,13 +271,13 @@ public class SamlService extends AuthorizationEndpointBase { return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); } - LoginSessionModel loginSession = session.loginSessions().createLoginSession(realm, client, true); - loginSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); - loginSession.setRedirectUri(redirect); - loginSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - loginSession.setNote(SamlProtocol.SAML_BINDING, bindingType); - loginSession.setNote(GeneralConstants.RELAY_STATE, relayState); - loginSession.setNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID()); + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); + authSession.setRedirectUri(redirect); + authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + authSession.setNote(SamlProtocol.SAML_BINDING, bindingType); + authSession.setNote(GeneralConstants.RELAY_STATE, relayState); + authSession.setNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID()); // Handle NameIDPolicy from SP NameIDPolicyType nameIdPolicy = requestAbstractType.getNameIDPolicy(); @@ -286,7 +286,7 @@ public class SamlService extends AuthorizationEndpointBase { String nameIdFormat = nameIdFormatUri.toString(); // TODO: Handle AllowCreate too, relevant for persistent NameID. if (isSupportedNameIdFormat(nameIdFormat)) { - loginSession.setNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat); + authSession.setNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat); } else { event.detail(Details.REASON, "unsupported_nameid_format"); event.error(Errors.INVALID_SAML_AUTHN_REQUEST); @@ -302,13 +302,13 @@ public class SamlService extends AuthorizationEndpointBase { BaseIDAbstractType baseID = subject.getSubType().getBaseID(); if (baseID != null && baseID instanceof NameIDType) { NameIDType nameID = (NameIDType) baseID; - loginSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, nameID.getValue()); + authSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, nameID.getValue()); } } } - return newBrowserAuthentication(loginSession, requestAbstractType.isIsPassive(), redirectToAuthentication); + return newBrowserAuthentication(authSession, requestAbstractType.isIsPassive(), redirectToAuthentication); } protected String getBindingType(AuthnRequestType requestAbstractType) { @@ -519,13 +519,13 @@ public class SamlService extends AuthorizationEndpointBase { } - protected Response newBrowserAuthentication(LoginSessionModel loginSession, boolean isPassive, boolean redirectToAuthentication) { + protected Response newBrowserAuthentication(AuthenticationSessionModel authSession, boolean isPassive, boolean redirectToAuthentication) { SamlProtocol samlProtocol = new SamlProtocol().setEventBuilder(event).setHttpHeaders(headers).setRealm(realm).setSession(session).setUriInfo(uriInfo); - return newBrowserAuthentication(loginSession, isPassive, redirectToAuthentication, samlProtocol); + return newBrowserAuthentication(authSession, isPassive, redirectToAuthentication, samlProtocol); } - protected Response newBrowserAuthentication(LoginSessionModel loginSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) { - return handleBrowserAuthenticationRequest(loginSession, samlProtocol, isPassive, redirectToAuthentication); + protected Response newBrowserAuthentication(AuthenticationSessionModel authSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) { + return handleBrowserAuthenticationRequest(authSession, samlProtocol, isPassive, redirectToAuthentication); } /** @@ -616,9 +616,9 @@ public class SamlService extends AuthorizationEndpointBase { return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); } - LoginSessionModel loginSession = createLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState); + AuthenticationSessionModel authSession = createLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState); - return newBrowserAuthentication(loginSession, false, false); + return newBrowserAuthentication(authSession, false, false); } /** @@ -632,7 +632,7 @@ public class SamlService extends AuthorizationEndpointBase { * @param relayState Optional relay state - free field as per SAML specification * @return */ - public static LoginSessionModel createLoginSessionForIdpInitiatedSso(KeycloakSession session, RealmModel realm, ClientModel client, String relayState) { + public static AuthenticationSessionModel createLoginSessionForIdpInitiatedSso(KeycloakSession session, RealmModel realm, ClientModel client, String relayState) { String bindingType = SamlProtocol.SAML_POST_BINDING; if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) != null) { bindingType = SamlProtocol.SAML_REDIRECT_BINDING; @@ -648,21 +648,21 @@ public class SamlService extends AuthorizationEndpointBase { redirect = client.getManagementUrl(); } - LoginSessionModel loginSession = session.loginSessions().createLoginSession(realm, client, true); - loginSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); - loginSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - loginSession.setNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING); - loginSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true"); - loginSession.setRedirectUri(redirect); + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); + authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + authSession.setNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING); + authSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true"); + authSession.setRedirectUri(redirect); if (relayState == null) { relayState = client.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE); } if (relayState != null && !relayState.trim().equals("")) { - loginSession.setNote(GeneralConstants.RELAY_STATE, relayState); + authSession.setNote(GeneralConstants.RELAY_STATE, relayState); } - return loginSession; + return authSession; } @POST diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/GroupMembershipMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/GroupMembershipMapper.java index 3ffdec4353..d193ee381b 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/GroupMembershipMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/GroupMembershipMapper.java @@ -19,7 +19,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; import org.keycloak.dom.saml.v2.assertion.AttributeType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.GroupModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; @@ -117,7 +117,7 @@ public class GroupMembershipMapper extends AbstractSAMLProtocolMapper implements @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { String single = mappingModel.getConfig().get(SINGLE_GROUP_ATTRIBUTE); boolean singleAttribute = Boolean.parseBoolean(single); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java index 79092096f3..43c024154e 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -76,7 +76,7 @@ public class HardcodedAttributeMapper extends AbstractSAMLProtocolMapper impleme } @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { String attributeValue = mappingModel.getConfig().get(ATTRIBUTE_VALUE); AttributeStatementHelper.addAttribute(attributeStatement, mappingModel, attributeValue); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java index 169f25ac38..322735071d 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java @@ -19,7 +19,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; import org.keycloak.dom.saml.v2.assertion.AttributeType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.ProtocolMapperModel; @@ -111,7 +111,7 @@ public class RoleListMapper extends AbstractSAMLProtocolMapper implements SAMLRo } @Override - public void mapRoles(AttributeStatementType roleAttributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public void mapRoles(AttributeStatementType roleAttributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { String single = mappingModel.getConfig().get(SINGLE_ROLE_ATTRIBUTE); boolean singleAttribute = Boolean.parseBoolean(single); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java index 8e33f92e55..a26b0e0334 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.models.UserSessionModel; public interface SAMLAttributeStatementMapper { void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession); + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java index 329f1ac60b..1f962feaab 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.protocol.ResponseType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.models.UserSessionModel; public interface SAMLLoginResponseMapper { ResponseType transformLoginResponse(ResponseType response, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession); + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java index e74c79f12f..991c2238e8 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -30,5 +30,5 @@ import org.keycloak.models.UserSessionModel; public interface SAMLRoleListMapper { void mapRoles(AttributeStatementType roleAttributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, - UserSessionModel userSession, ClientLoginSessionModel clientSession); + UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java index 661c9b6e62..2579af1c71 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserModel; @@ -77,7 +77,7 @@ public class UserAttributeStatementMapper extends AbstractSAMLProtocolMapper imp } @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { UserModel user = userSession.getUser(); String attributeName = mappingModel.getConfig().get(ProtocolMapperUtils.USER_ATTRIBUTE); List attributeValues = KeycloakModelUtils.resolveAttribute(user, attributeName); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java index adfc9aac81..1d7d0384f3 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserModel; @@ -76,7 +76,7 @@ public class UserPropertyAttributeStatementMapper extends AbstractSAMLProtocolMa } @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { UserModel user = userSession.getUser(); String propertyName = mappingModel.getConfig().get(ProtocolMapperUtils.USER_ATTRIBUTE); String propertyValue = ProtocolMapperUtils.getUserModelValue(user, propertyName); diff --git a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserSessionNoteStatementMapper.java b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserSessionNoteStatementMapper.java index d633e2c70f..b4b24b5fec 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/mappers/UserSessionNoteStatementMapper.java +++ b/services/src/main/java/org/keycloak/protocol/saml/mappers/UserSessionNoteStatementMapper.java @@ -18,7 +18,7 @@ package org.keycloak.protocol.saml.mappers; import org.keycloak.dom.saml.v2.assertion.AttributeStatementType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel; @@ -74,7 +74,7 @@ public class UserSessionNoteStatementMapper extends AbstractSAMLProtocolMapper i } @Override - public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientLoginSessionModel clientSession) { + public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { String note = mappingModel.getConfig().get("note"); String value = userSession.getNote(note); if (value == null) return; diff --git a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.java b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.java index f578f3d872..b90a165004 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.java +++ b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/SamlEcpProfileService.java @@ -20,7 +20,7 @@ package org.keycloak.protocol.saml.profile.ecp; import org.keycloak.dom.saml.v2.protocol.AuthnRequestType; import org.keycloak.events.EventBuilder; import org.keycloak.models.AuthenticationFlowModel; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; @@ -35,7 +35,7 @@ import org.keycloak.saml.common.constants.JBossSAMLConstants; import org.keycloak.saml.common.constants.JBossSAMLURIConstants; import org.keycloak.saml.common.exceptions.ConfigurationException; import org.keycloak.saml.common.exceptions.ProcessingException; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import org.w3c.dom.Document; import javax.ws.rs.core.Response; @@ -86,15 +86,15 @@ public class SamlEcpProfileService extends SamlService { } @Override - protected Response newBrowserAuthentication(LoginSessionModel loginSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) { - return super.newBrowserAuthentication(loginSession, isPassive, redirectToAuthentication, createEcpSamlProtocol()); + protected Response newBrowserAuthentication(AuthenticationSessionModel authSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol) { + return super.newBrowserAuthentication(authSession, isPassive, redirectToAuthentication, createEcpSamlProtocol()); } private SamlProtocol createEcpSamlProtocol() { return new SamlProtocol() { // method created to send a SOAP Binding response instead of a HTTP POST response @Override - protected Response buildAuthenticatedResponse(ClientLoginSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException { + protected Response buildAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException { Document document = bindingBuilder.postBinding(samlDocument).getDocument(); try { @@ -114,7 +114,7 @@ public class SamlEcpProfileService extends SamlService { } } - private void createRequestAuthenticatedHeader(ClientLoginSessionModel clientSession, Soap.SoapMessageBuilder messageBuilder) { + private void createRequestAuthenticatedHeader(AuthenticatedClientSessionModel clientSession, Soap.SoapMessageBuilder messageBuilder) { ClientModel client = clientSession.getClient(); if ("true".equals(client.getAttribute(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE))) { @@ -134,7 +134,7 @@ public class SamlEcpProfileService extends SamlService { } @Override - protected Response buildErrorResponse(LoginSessionModel clientSession, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException { + protected Response buildErrorResponse(AuthenticationSessionModel authSession, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException { return Soap.createMessage().addToBody(document).build(); } diff --git a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java index 81496fcb09..f21eff3bf0 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java +++ b/services/src/main/java/org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.java @@ -104,7 +104,7 @@ public class HttpBasicAuthenticator implements AuthenticatorFactory { boolean valid = context.getSession().userCredentialManager().isValid(realm, user, UserCredentialModel.password(password)); if (valid) { - context.getLoginSession().setAuthenticatedUser(user); + context.getAuthenticationSession().setAuthenticatedUser(user); context.success(); } else { context.getEvent().user(user); diff --git a/services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java b/services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java index 7d45f15a3a..67cce1ff61 100644 --- a/services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java +++ b/services/src/main/java/org/keycloak/services/DefaultKeycloakSession.java @@ -33,7 +33,7 @@ import org.keycloak.models.cache.CacheRealmProvider; import org.keycloak.models.cache.UserCache; import org.keycloak.provider.Provider; import org.keycloak.provider.ProviderFactory; -import org.keycloak.sessions.LoginSessionProvider; +import org.keycloak.sessions.AuthenticationSessionProvider; import org.keycloak.storage.UserStorageManager; import org.keycloak.storage.federated.UserFederatedStorageProvider; @@ -58,7 +58,7 @@ public class DefaultKeycloakSession implements KeycloakSession { private UserStorageManager userStorageManager; private UserCredentialStoreManager userCredentialStorageManager; private UserSessionProvider sessionProvider; - private LoginSessionProvider loginSessionProvider; + private AuthenticationSessionProvider authenticationSessionProvider; private UserFederatedStorageProvider userFederatedStorageProvider; private KeycloakContext context; private KeyManager keyManager; @@ -238,11 +238,11 @@ public class DefaultKeycloakSession implements KeycloakSession { } @Override - public LoginSessionProvider loginSessions() { - if (loginSessionProvider == null) { - loginSessionProvider = getProvider(LoginSessionProvider.class); + public AuthenticationSessionProvider authenticationSessions() { + if (authenticationSessionProvider == null) { + authenticationSessionProvider = getProvider(AuthenticationSessionProvider.class); } - return loginSessionProvider; + return authenticationSessionProvider; } @Override diff --git a/services/src/main/java/org/keycloak/services/Urls.java b/services/src/main/java/org/keycloak/services/Urls.java index 21eb047159..8735cc8900 100755 --- a/services/src/main/java/org/keycloak/services/Urls.java +++ b/services/src/main/java/org/keycloak/services/Urls.java @@ -206,6 +206,12 @@ public class Urls { return loginActionsBase(baseUri).path(LoginActionsService.class, "authenticate").build(realmName); } + public static URI realmLoginRestartPage(URI baseUri, String realmId) { + return loginActionsBase(baseUri).path(LoginActionsService.class, "authenticate") + .queryParam("restart", "true") + .build(realmId); + } + private static UriBuilder realmLogout(URI baseUri) { return tokenBase(baseUri).path(OIDCLoginProtocolService.class, "logout"); } diff --git a/services/src/main/java/org/keycloak/services/managers/Auth.java b/services/src/main/java/org/keycloak/services/managers/Auth.java index 2ac758442d..8b6086e04b 100755 --- a/services/src/main/java/org/keycloak/services/managers/Auth.java +++ b/services/src/main/java/org/keycloak/services/managers/Auth.java @@ -17,9 +17,8 @@ package org.keycloak.services.managers; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; @@ -36,7 +35,7 @@ public class Auth { private final UserModel user; private final ClientModel client; private final UserSessionModel session; - private ClientLoginSessionModel clientSession; + private AuthenticatedClientSessionModel clientSession; public Auth(RealmModel realm, AccessToken token, UserModel user, ClientModel client, UserSessionModel session, boolean cookie) { this.cookie = cookie; @@ -72,11 +71,11 @@ public class Auth { return session; } - public ClientLoginSessionModel getClientSession() { + public AuthenticatedClientSessionModel getClientSession() { return clientSession; } - public void setClientSession(ClientLoginSessionModel clientSession) { + public void setClientSession(AuthenticatedClientSessionModel clientSession) { this.clientSession = clientSession; } diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index e460a1dbcd..3c68370e6c 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -19,6 +19,7 @@ package org.keycloak.services.managers; import org.jboss.logging.Logger; import org.jboss.resteasy.specimpl.MultivaluedMapImpl; import org.jboss.resteasy.spi.HttpRequest; +import org.keycloak.OAuth2Constants; import org.keycloak.TokenVerifier; import org.keycloak.authentication.AuthenticationProcessor; import org.keycloak.authentication.RequiredActionContext; @@ -36,8 +37,9 @@ import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.jose.jws.AlgorithmType; import org.keycloak.jose.jws.JWSBuilder; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; +import org.keycloak.models.ClientTemplateModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ProtocolMapperModel; @@ -59,7 +61,7 @@ import org.keycloak.services.resources.IdentityBrokerService; import org.keycloak.services.resources.RealmsResource; import org.keycloak.services.util.CookieHelper; import org.keycloak.services.util.P3PHelper; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.crypto.SecretKey; import javax.ws.rs.core.Cookie; @@ -71,6 +73,7 @@ import javax.ws.rs.core.UriInfo; import java.net.URI; import java.security.PublicKey; import java.util.Collection; +import java.util.HashSet; import java.util.LinkedList; import java.util.List; import java.util.Set; @@ -165,7 +168,7 @@ public class AuthenticationManager { logger.debugv("Logging out: {0} ({1})", user.getUsername(), userSession.getId()); expireUserSessionCookie(session, userSession, realm, uriInfo, headers, connection); - for (ClientLoginSessionModel clientSession : userSession.getClientLoginSessions().values()) { + for (AuthenticatedClientSessionModel clientSession : userSession.getAuthenticatedClientSessions().values()) { backchannelLogoutClientSession(session, realm, clientSession, userSession, uriInfo, headers); } if (logoutBroker) { @@ -183,9 +186,9 @@ public class AuthenticationManager { session.sessions().removeUserSession(realm, userSession); } - public static void backchannelLogoutClientSession(KeycloakSession session, RealmModel realm, ClientLoginSessionModel clientSession, UserSessionModel userSession, UriInfo uriInfo, HttpHeaders headers) { + public static void backchannelLogoutClientSession(KeycloakSession session, RealmModel realm, AuthenticatedClientSessionModel clientSession, UserSessionModel userSession, UriInfo uriInfo, HttpHeaders headers) { ClientModel client = clientSession.getClient(); - if (!client.isFrontchannelLogout() && !ClientLoginSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) { + if (!client.isFrontchannelLogout() && !AuthenticatedClientSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) { String authMethod = clientSession.getProtocol(); if (authMethod == null) return; // must be a keycloak service like account LoginProtocol protocol = session.getProvider(LoginProtocol.class, authMethod); @@ -193,7 +196,7 @@ public class AuthenticationManager { .setHttpHeaders(headers) .setUriInfo(uriInfo); protocol.backchannelLogout(userSession, clientSession); - clientSession.setAction(ClientLoginSessionModel.Action.LOGGED_OUT.name()); + clientSession.setAction(AuthenticatedClientSessionModel.Action.LOGGED_OUT.name()); } } @@ -204,8 +207,8 @@ public class AuthenticationManager { List userSessions = session.sessions().getUserSessions(realm, user); for (UserSessionModel userSession : userSessions) { - Collection clientSessions = userSession.getClientLoginSessions().values(); - for (ClientLoginSessionModel clientSession : clientSessions) { + Collection clientSessions = userSession.getAuthenticatedClientSessions().values(); + for (AuthenticatedClientSessionModel clientSession : clientSessions) { if (clientSession.getClient().getId().equals(clientId)) { AuthenticationManager.backchannelLogoutClientSession(session, realm, clientSession, userSession, uriInfo, headers); TokenManager.dettachClientSession(session.sessions(), realm, clientSession); @@ -222,10 +225,10 @@ public class AuthenticationManager { if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) { userSession.setState(UserSessionModel.State.LOGGING_OUT); } - List redirectClients = new LinkedList<>(); - for (ClientLoginSessionModel clientSession : userSession.getClientLoginSessions().values()) { + List redirectClients = new LinkedList<>(); + for (AuthenticatedClientSessionModel clientSession : userSession.getAuthenticatedClientSessions().values()) { ClientModel client = clientSession.getClient(); - if (ClientLoginSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) continue; + if (AuthenticatedClientSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) continue; if (client.isFrontchannelLogout()) { String authMethod = clientSession.getProtocol(); if (authMethod == null) continue; // must be a keycloak service like account @@ -240,21 +243,21 @@ public class AuthenticationManager { try { logger.debugv("backchannel logout to: {0}", client.getClientId()); protocol.backchannelLogout(userSession, clientSession); - clientSession.setAction(ClientLoginSessionModel.Action.LOGGED_OUT.name()); + clientSession.setAction(AuthenticatedClientSessionModel.Action.LOGGED_OUT.name()); } catch (Exception e) { ServicesLogger.LOGGER.failedToLogoutClient(e); } } } - for (ClientLoginSessionModel nextRedirectClient : redirectClients) { + for (AuthenticatedClientSessionModel nextRedirectClient : redirectClients) { String authMethod = nextRedirectClient.getProtocol(); LoginProtocol protocol = session.getProvider(LoginProtocol.class, authMethod); protocol.setRealm(realm) .setHttpHeaders(headers) .setUriInfo(uriInfo); // setting this to logged out cuz I"m not sure protocols can always verify that the client was logged out or not - nextRedirectClient.setAction(ClientLoginSessionModel.Action.LOGGED_OUT.name()); + nextRedirectClient.setAction(AuthenticatedClientSessionModel.Action.LOGGED_OUT.name()); try { logger.debugv("frontchannel logout to: {0}", nextRedirectClient.getClient().getClientId()); Response response = protocol.frontchannelLogout(userSession, nextRedirectClient); @@ -417,7 +420,7 @@ public class AuthenticationManager { public static Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, - ClientLoginSessionModel clientSession, + AuthenticatedClientSessionModel clientSession, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, String protocol) { LoginProtocol protocolImpl = session.getProvider(LoginProtocol.class, protocol); @@ -425,12 +428,12 @@ public class AuthenticationManager { .setHttpHeaders(request.getHttpHeaders()) .setUriInfo(uriInfo) .setEventBuilder(event); - return redirectAfterSuccessfulFlow(session, realm, userSession, clientSession, request, uriInfo, clientConnection, event, protocol); + return redirectAfterSuccessfulFlow(session, realm, userSession, clientSession, request, uriInfo, clientConnection, event, protocolImpl); } public static Response redirectAfterSuccessfulFlow(KeycloakSession session, RealmModel realm, UserSessionModel userSession, - ClientLoginSessionModel clientSession, + AuthenticatedClientSessionModel clientSession, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder event, LoginProtocol protocol) { Cookie sessionCookie = request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE); @@ -471,29 +474,29 @@ public class AuthenticationManager { } - public static boolean isSSOAuthentication(ClientLoginSessionModel clientSession) { + public static boolean isSSOAuthentication(AuthenticatedClientSessionModel clientSession) { String ssoAuth = clientSession.getNote(SSO_AUTH); return Boolean.parseBoolean(ssoAuth); } - public static Response nextActionAfterAuthentication(KeycloakSession session, LoginSessionModel loginSession, + public static Response nextActionAfterAuthentication(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event) { - Response requiredAction = actionRequired(session, loginSession, clientConnection, request, uriInfo, event); + Response requiredAction = actionRequired(session, authSession, clientConnection, request, uriInfo, event); if (requiredAction != null) return requiredAction; - return finishedRequiredActions(session, loginSession, clientConnection, request, uriInfo, event); + return finishedRequiredActions(session, authSession, clientConnection, request, uriInfo, event); } - public static Response finishedRequiredActions(KeycloakSession session, LoginSessionModel loginSession, + public static Response finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event) { - if (loginSession.getNote(END_AFTER_REQUIRED_ACTIONS) != null) { + if (authSession.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null) { LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class) .setSuccess(Messages.ACCOUNT_UPDATED); - if (loginSession.getNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) { - if (loginSession.getRedirectUri() != null) { - infoPage.setAttribute("pageRedirectUri", loginSession.getRedirectUri()); + if (authSession.getAuthNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) { + if (authSession.getRedirectUri() != null) { + infoPage.setAttribute("pageRedirectUri", authSession.getRedirectUri()); } } else { @@ -504,29 +507,32 @@ public class AuthenticationManager { return response; } - event.success(); - RealmModel realm = loginSession.getRealm(); + RealmModel realm = authSession.getRealm(); - ClientLoginSessionModel clientSession = AuthenticationProcessor.attachSession(loginSession, null, session, realm, clientConnection, event); - return redirectAfterSuccessfulFlow(session, realm , clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, loginSession.getProtocol()); + AuthenticatedClientSessionModel clientSession = AuthenticationProcessor.attachSession(authSession, null, session, realm, clientConnection, event); + + event.event(EventType.LOGIN); + event.session(clientSession.getUserSession()); + event.success(); + return redirectAfterSuccessfulFlow(session, realm, clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, authSession.getProtocol()); } - public static boolean isActionRequired(final KeycloakSession session, final LoginSessionModel loginSession, + public static boolean isActionRequired(final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event) { - final RealmModel realm = loginSession.getRealm(); - final UserModel user = loginSession.getAuthenticatedUser(); - final ClientModel client = loginSession.getClient(); + final RealmModel realm = authSession.getRealm(); + final UserModel user = authSession.getAuthenticatedUser(); + final ClientModel client = authSession.getClient(); - evaluateRequiredActionTriggers(session, loginSession, clientConnection, request, uriInfo, event, realm, user); + evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user); - if (!user.getRequiredActions().isEmpty() || !loginSession.getRequiredActions().isEmpty()) return true; + if (!user.getRequiredActions().isEmpty() || !authSession.getRequiredActions().isEmpty()) return true; if (client.isConsentRequired()) { UserConsentModel grantedConsent = session.users().getConsentByClient(realm, user.getId(), client.getId()); - ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, loginSession); + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authSession); for (RoleModel r : accessCode.getRequestedRoles()) { // Consent already granted by user @@ -553,27 +559,27 @@ public class AuthenticationManager { } - public static Response actionRequired(final KeycloakSession session, final LoginSessionModel loginSession, + public static Response actionRequired(final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event) { - final RealmModel realm = loginSession.getRealm(); - final UserModel user = loginSession.getAuthenticatedUser(); - final ClientModel client = loginSession.getClient(); + final RealmModel realm = authSession.getRealm(); + final UserModel user = authSession.getAuthenticatedUser(); + final ClientModel client = authSession.getClient(); - evaluateRequiredActionTriggers(session, loginSession, clientConnection, request, uriInfo, event, realm, user); + evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user); logger.debugv("processAccessCode: go to oauth page?: {0}", client.isConsentRequired()); - event.detail(Details.CODE_ID, loginSession.getId()); + event.detail(Details.CODE_ID, authSession.getId()); Set requiredActions = user.getRequiredActions(); - Response action = executionActions(session, loginSession, request, event, realm, user, requiredActions); + Response action = executionActions(session, authSession, request, event, realm, user, requiredActions); if (action != null) return action; // executionActions() method should remove any duplicate actions that might be in the clientSession - requiredActions = loginSession.getRequiredActions(); - action = executionActions(session, loginSession, request, event, realm, user, requiredActions); + requiredActions = authSession.getRequiredActions(); + action = executionActions(session, authSession, request, event, realm, user, requiredActions); if (action != null) return action; if (client.isConsentRequired()) { @@ -582,7 +588,7 @@ public class AuthenticationManager { List realmRoles = new LinkedList<>(); MultivaluedMap resourceRoles = new MultivaluedMapImpl<>(); - ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, loginSession); + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authSession); for (RoleModel r : accessCode.getRequestedRoles()) { // Consent already granted by user @@ -610,8 +616,8 @@ public class AuthenticationManager { if (realmRoles.size() > 0 || resourceRoles.size() > 0 || protocolMappers.size() > 0) { accessCode. - setAction(ClientLoginSessionModel.Action.REQUIRED_ACTIONS.name()); - loginSession.setNote(CURRENT_REQUIRED_ACTION, ClientLoginSessionModel.Action.OAUTH_GRANT.name()); + setAction(AuthenticatedClientSessionModel.Action.REQUIRED_ACTIONS.name()); + authSession.setAuthNote(CURRENT_REQUIRED_ACTION, AuthenticatedClientSessionModel.Action.OAUTH_GRANT.name()); return session.getProvider(LoginFormsProvider.class) .setClientSessionCode(accessCode.getCode()) @@ -628,7 +634,38 @@ public class AuthenticationManager { } - protected static Response executionActions(KeycloakSession session, LoginSessionModel loginSession, + + public static void setRolesAndMappersInSession(AuthenticationSessionModel authSession) { + ClientModel client = authSession.getClient(); + UserModel user = authSession.getAuthenticatedUser(); + + Set requestedRoles = new HashSet(); + // todo scope param protocol independent + String scopeParam = authSession.getNote(OAuth2Constants.SCOPE); + for (RoleModel r : TokenManager.getAccess(scopeParam, true, client, user)) { + requestedRoles.add(r.getId()); + } + authSession.setRoles(requestedRoles); + + Set requestedProtocolMappers = new HashSet(); + ClientTemplateModel clientTemplate = client.getClientTemplate(); + if (clientTemplate != null && client.useTemplateMappers()) { + for (ProtocolMapperModel protocolMapper : clientTemplate.getProtocolMappers()) { + if (protocolMapper.getProtocol().equals(authSession.getProtocol())) { + requestedProtocolMappers.add(protocolMapper.getId()); + } + } + + } + for (ProtocolMapperModel protocolMapper : client.getProtocolMappers()) { + if (protocolMapper.getProtocol().equals(authSession.getProtocol())) { + requestedProtocolMappers.add(protocolMapper.getId()); + } + } + authSession.setProtocolMappers(requestedProtocolMappers); + } + + protected static Response executionActions(KeycloakSession session, AuthenticationSessionModel authSession, HttpRequest request, EventBuilder event, RealmModel realm, UserModel user, Set requiredActions) { for (String action : requiredActions) { @@ -646,34 +683,34 @@ public class AuthenticationManager { throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?"); } RequiredActionProvider actionProvider = factory.create(session); - RequiredActionContextResult context = new RequiredActionContextResult(loginSession, realm, event, session, request, user, factory); + RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory); actionProvider.requiredActionChallenge(context); if (context.getStatus() == RequiredActionContext.Status.FAILURE) { - LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getLoginSession().getProtocol()); + LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getAuthenticationSession().getProtocol()); protocol.setRealm(context.getRealm()) .setHttpHeaders(context.getHttpRequest().getHttpHeaders()) .setUriInfo(context.getUriInfo()) .setEventBuilder(event); - Response response = protocol.sendError(context.getLoginSession(), Error.CONSENT_DENIED); + Response response = protocol.sendError(context.getAuthenticationSession(), Error.CONSENT_DENIED); event.error(Errors.REJECTED_BY_USER); return response; } else if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) { - loginSession.setNote(CURRENT_REQUIRED_ACTION, model.getProviderId()); + authSession.setAuthNote(CURRENT_REQUIRED_ACTION, model.getProviderId()); return context.getChallenge(); } else if (context.getStatus() == RequiredActionContext.Status.SUCCESS) { event.clone().event(EventType.CUSTOM_REQUIRED_ACTION).detail(Details.CUSTOM_REQUIRED_ACTION, factory.getId()).success(); // don't have to perform the same action twice, so remove it from both the user and session required actions - loginSession.getAuthenticatedUser().removeRequiredAction(factory.getId()); - loginSession.removeRequiredAction(factory.getId()); + authSession.getAuthenticatedUser().removeRequiredAction(factory.getId()); + authSession.removeRequiredAction(factory.getId()); } } return null; } - public static void evaluateRequiredActionTriggers(final KeycloakSession session, final LoginSessionModel loginSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event, final RealmModel realm, final UserModel user) { + public static void evaluateRequiredActionTriggers(final KeycloakSession session, final AuthenticationSessionModel authSession, final ClientConnection clientConnection, final HttpRequest request, final UriInfo uriInfo, final EventBuilder event, final RealmModel realm, final UserModel user) { // see if any required actions need triggering, i.e. an expired password for (RequiredActionProviderModel model : realm.getRequiredActionProviders()) { @@ -683,7 +720,7 @@ public class AuthenticationManager { throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId() + " did you forget to declare it in a META-INF/services file?"); } RequiredActionProvider provider = factory.create(session); - RequiredActionContextResult result = new RequiredActionContextResult(loginSession, realm, event, session, request, user, factory) { + RequiredActionContextResult result = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory) { @Override public void challenge(Response response) { throw new RuntimeException("Not allowed to call challenge() within evaluateTriggers()"); diff --git a/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java b/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java index baf7eaddfc..9aa4b69293 100755 --- a/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java +++ b/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java @@ -24,7 +24,7 @@ import org.keycloak.common.util.StringPropertyReplacer; import org.keycloak.common.util.Time; import org.keycloak.connections.httpclient.HttpClientProvider; import org.keycloak.constants.AdapterConstants; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; @@ -113,7 +113,7 @@ public class ResourceAdminManager { protected void logoutUserSessions(URI requestUri, RealmModel realm, List userSessions) { // Map from "app" to clientSessions for this app - MultivaluedHashMap clientSessions = new MultivaluedHashMap<>(); + MultivaluedHashMap clientSessions = new MultivaluedHashMap<>(); for (UserSessionModel userSession : userSessions) { putClientSessions(clientSessions, userSession); } @@ -121,7 +121,7 @@ public class ResourceAdminManager { logger.debugv("logging out {0} resources ", clientSessions.size()); //logger.infov("logging out resources: {0}", clientSessions); - for (Map.Entry> entry : clientSessions.entrySet()) { + for (Map.Entry> entry : clientSessions.entrySet()) { if (entry.getValue().size() == 0) { continue; } @@ -129,18 +129,18 @@ public class ResourceAdminManager { } } - private void putClientSessions(MultivaluedHashMap clientSessions, UserSessionModel userSession) { - for (Map.Entry entry : userSession.getClientLoginSessions().entrySet()) { + private void putClientSessions(MultivaluedHashMap clientSessions, UserSessionModel userSession) { + for (Map.Entry entry : userSession.getAuthenticatedClientSessions().entrySet()) { clientSessions.add(entry.getKey(), entry.getValue()); } } public void logoutUserFromClient(URI requestUri, RealmModel realm, ClientModel resource, UserModel user) { List userSessions = session.sessions().getUserSessions(realm, user); - List ourAppClientSessions = new LinkedList<>(); + List ourAppClientSessions = new LinkedList<>(); if (userSessions != null) { for (UserSessionModel userSession : userSessions) { - ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(resource.getId()); + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(resource.getId()); if (clientSession != null) { ourAppClientSessions.add(clientSession); } @@ -150,11 +150,11 @@ public class ResourceAdminManager { logoutClientSessions(requestUri, realm, resource, ourAppClientSessions); } - public boolean logoutClientSession(URI requestUri, RealmModel realm, ClientModel resource, ClientLoginSessionModel clientSession) { + public boolean logoutClientSession(URI requestUri, RealmModel realm, ClientModel resource, AuthenticatedClientSessionModel clientSession) { return logoutClientSessions(requestUri, realm, resource, Arrays.asList(clientSession)); } - protected boolean logoutClientSessions(URI requestUri, RealmModel realm, ClientModel resource, List clientSessions) { + protected boolean logoutClientSessions(URI requestUri, RealmModel realm, ClientModel resource, List clientSessions) { String managementUrl = getManagementUrl(requestUri, resource); if (managementUrl != null) { @@ -163,7 +163,7 @@ public class ResourceAdminManager { List userSessions = new LinkedList<>(); if (clientSessions != null && clientSessions.size() > 0) { adapterSessionIds = new MultivaluedHashMap(); - for (ClientLoginSessionModel clientSession : clientSessions) { + for (AuthenticatedClientSessionModel clientSession : clientSessions) { String adapterSessionId = clientSession.getNote(AdapterConstants.CLIENT_SESSION_STATE); if (adapterSessionId != null) { String host = clientSession.getNote(AdapterConstants.CLIENT_SESSION_HOST); diff --git a/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java b/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java index a70c6f63f1..4528575d4e 100644 --- a/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java +++ b/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java @@ -18,7 +18,7 @@ package org.keycloak.services.managers; import org.jboss.logging.Logger; import org.keycloak.common.util.Time; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.Constants; import org.keycloak.models.KeycloakSession; @@ -50,7 +50,7 @@ public class UserSessionManager { this.persister = session.getProvider(UserSessionPersisterProvider.class); } - public void createOrUpdateOfflineSession(ClientLoginSessionModel clientSession, UserSessionModel userSession) { + public void createOrUpdateOfflineSession(AuthenticatedClientSessionModel clientSession, UserSessionModel userSession) { UserModel user = userSession.getUser(); // Create and persist offline userSession if we don't have one @@ -63,7 +63,7 @@ public class UserSessionManager { } // Create and persist clientSession - ClientLoginSessionModel offlineClientSession = offlineUserSession.getClientLoginSessions().get(clientSession.getClient().getId()); + AuthenticatedClientSessionModel offlineClientSession = offlineUserSession.getAuthenticatedClientSessions().get(clientSession.getClient().getId()); if (offlineClientSession == null) { createOfflineClientSession(user, clientSession, offlineUserSession); } @@ -78,7 +78,7 @@ public class UserSessionManager { List userSessions = kcSession.sessions().getOfflineUserSessions(realm, user); Set clients = new HashSet<>(); for (UserSessionModel userSession : userSessions) { - Set clientIds = userSession.getClientLoginSessions().keySet(); + Set clientIds = userSession.getAuthenticatedClientSessions().keySet(); for (String clientUUID : clientIds) { ClientModel client = realm.getClientById(clientUUID); clients.add(client); @@ -97,14 +97,14 @@ public class UserSessionManager { List userSessions = kcSession.sessions().getOfflineUserSessions(realm, user); boolean anyRemoved = false; for (UserSessionModel userSession : userSessions) { - ClientLoginSessionModel clientSession = userSession.getClientLoginSessions().get(client.getId()); + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); if (clientSession != null) { if (logger.isTraceEnabled()) { logger.tracef("Removing existing offline token for user '%s' and client '%s' .", user.getUsername(), client.getClientId()); } - userSession.getClientLoginSessions().remove(client.getClientId()); + userSession.getAuthenticatedClientSessions().remove(client.getClientId()); persister.removeClientSession(clientSession.getId(), true); checkOfflineUserSessionHasClientSessions(realm, user, userSession); anyRemoved = true; @@ -122,7 +122,7 @@ public class UserSessionManager { persister.removeUserSession(userSession.getId(), true); } - public boolean isOfflineTokenAllowed(ClientLoginSessionModel clientSession) { + public boolean isOfflineTokenAllowed(AuthenticatedClientSessionModel clientSession) { RoleModel offlineAccessRole = clientSession.getRealm().getRole(Constants.OFFLINE_ACCESS_ROLE); if (offlineAccessRole == null) { ServicesLogger.LOGGER.roleNotInRealm(Constants.OFFLINE_ACCESS_ROLE); @@ -142,20 +142,20 @@ public class UserSessionManager { return offlineUserSession; } - private void createOfflineClientSession(UserModel user, ClientLoginSessionModel clientSession, UserSessionModel offlineUserSession) { + private void createOfflineClientSession(UserModel user, AuthenticatedClientSessionModel clientSession, UserSessionModel offlineUserSession) { if (logger.isTraceEnabled()) { logger.tracef("Creating new offline token client session. ClientSessionId: '%s', UserSessionID: '%s' , Username: '%s', Client: '%s'" , clientSession.getId(), offlineUserSession.getId(), user.getUsername(), clientSession.getClient().getClientId()); } - ClientLoginSessionModel offlineClientSession = kcSession.sessions().createOfflineClientSession(clientSession); - offlineUserSession.getClientLoginSessions().put(clientSession.getClient().getId(), offlineClientSession); + AuthenticatedClientSessionModel offlineClientSession = kcSession.sessions().createOfflineClientSession(clientSession); + offlineUserSession.getAuthenticatedClientSessions().put(clientSession.getClient().getId(), offlineClientSession); persister.createClientSession(offlineUserSession, clientSession, true); } // Check if userSession has any offline clientSessions attached to it. Remove userSession if not private void checkOfflineUserSessionHasClientSessions(RealmModel realm, UserModel user, UserSessionModel userSession) { - if (userSession.getClientLoginSessions().size() > 0) { + if (userSession.getAuthenticatedClientSessions().size() > 0) { return; } diff --git a/services/src/main/java/org/keycloak/services/resources/AccountService.java b/services/src/main/java/org/keycloak/services/resources/AccountService.java index f4737ad0b6..1894686285 100755 --- a/services/src/main/java/org/keycloak/services/resources/AccountService.java +++ b/services/src/main/java/org/keycloak/services/resources/AccountService.java @@ -30,9 +30,8 @@ import org.keycloak.forms.account.AccountPages; import org.keycloak.forms.account.AccountProvider; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AccountRoles; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.IdentityProviderModel; import org.keycloak.models.KeycloakSession; @@ -45,7 +44,6 @@ import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.CredentialValidation; import org.keycloak.models.utils.FormMessage; import org.keycloak.models.utils.ModelToRepresentation; -import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.utils.RedirectUtils; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.services.ForbiddenException; @@ -54,7 +52,6 @@ import org.keycloak.services.Urls; import org.keycloak.services.managers.AppAuthManager; import org.keycloak.services.managers.Auth; import org.keycloak.services.managers.AuthenticationManager; -import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.UserSessionManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.ResolveRelative; @@ -68,13 +65,12 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; -import javax.ws.rs.core.Variant; + import java.io.IOException; import java.lang.reflect.Method; import java.net.URI; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; import java.util.HashSet; import java.util.Iterator; import java.util.List; @@ -165,12 +161,11 @@ public class AccountService extends AbstractSecuredLocalService { if (authResult != null) { UserSessionModel userSession = authResult.getSession(); if (userSession != null) { - boolean associated = userSession.getClientLoginSessions().get(client.getId()) != null; - if (!associated) { - ClientLoginSessionModel clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); - clientSession.setUserSession(userSession); - auth.setClientSession(clientSession); + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); + if (clientSession == null) { + clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); } + auth.setClientSession(clientSession); } account.setUser(auth.getUser()); diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java index 9dd9f9561c..749228594e 100755 --- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java +++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java @@ -16,101 +16,19 @@ */ package org.keycloak.services.resources; -import org.jboss.logging.Logger; -import org.jboss.resteasy.annotations.cache.NoCache; -import org.jboss.resteasy.spi.HttpRequest; -import org.jboss.resteasy.spi.ResteasyProviderFactory; - -import org.keycloak.OAuth2Constants; -import org.keycloak.authentication.AuthenticationProcessor; -import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; -import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants; -import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; -import org.keycloak.broker.provider.AuthenticationRequest; -import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.broker.provider.IdentityBrokerException; import org.keycloak.broker.provider.IdentityProvider; import org.keycloak.broker.provider.IdentityProviderFactory; -import org.keycloak.broker.provider.IdentityProviderMapper; -import org.keycloak.broker.saml.SAMLEndpoint; import org.keycloak.broker.social.SocialIdentityProvider; -import org.keycloak.common.ClientConnection; -import org.keycloak.common.util.Base64Url; -import org.keycloak.common.util.ObjectUtil; -import org.keycloak.common.util.Time; -import org.keycloak.common.util.UriUtils; -import org.keycloak.events.Details; -import org.keycloak.events.Errors; -import org.keycloak.events.EventBuilder; -import org.keycloak.events.EventType; -import org.keycloak.forms.login.LoginFormsProvider; -import org.keycloak.models.AuthenticationFlowModel; -import org.keycloak.models.ClientLoginSessionModel; -import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.Constants; -import org.keycloak.models.FederatedIdentityModel; -import org.keycloak.models.IdentityProviderMapperModel; import org.keycloak.models.IdentityProviderModel; import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.RealmModel; -import org.keycloak.models.RoleModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; -import org.keycloak.models.utils.FormMessage; -import org.keycloak.protocol.oidc.OIDCLoginProtocol; -import org.keycloak.protocol.oidc.TokenManager; -import org.keycloak.protocol.oidc.utils.RedirectUtils; -import org.keycloak.protocol.saml.SamlProtocol; -import org.keycloak.protocol.saml.SamlService; import org.keycloak.provider.ProviderFactory; -import org.keycloak.representations.AccessToken; -import org.keycloak.services.ErrorPage; -import org.keycloak.services.ErrorPageException; -import org.keycloak.services.ErrorResponse; -import org.keycloak.services.ServicesLogger; -import org.keycloak.services.Urls; -import org.keycloak.services.managers.AppAuthManager; -import org.keycloak.services.managers.AuthenticationManager; -import org.keycloak.services.managers.AuthenticationManager.AuthResult; -import org.keycloak.services.managers.BruteForceProtector; -import org.keycloak.services.managers.ClientSessionCode; -import org.keycloak.services.messages.Messages; -import org.keycloak.services.util.CacheControlUtil; -import org.keycloak.services.validation.Validation; -import org.keycloak.sessions.LoginSessionModel; -import org.keycloak.util.JsonSerialization; -import javax.ws.rs.GET; -import javax.ws.rs.OPTIONS; -import javax.ws.rs.POST; -import javax.ws.rs.Path; -import javax.ws.rs.PathParam; -import javax.ws.rs.QueryParam; -import javax.ws.rs.core.Context; -import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.Response; -import javax.ws.rs.core.Response.Status; -import javax.ws.rs.core.UriBuilder; -import javax.ws.rs.core.UriInfo; -import java.io.IOException; -import java.net.URI; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -import java.util.Objects; -import java.util.Optional; -import java.util.Set; -import java.util.UUID; - -import static org.keycloak.models.AccountRoles.MANAGE_ACCOUNT; -import static org.keycloak.models.AccountRoles.MANAGE_ACCOUNT_LINKS; -import static org.keycloak.models.Constants.ACCOUNT_MANAGEMENT_CLIENT_ID; /** *

@@ -246,7 +164,7 @@ public class IdentityBrokerService { // // // ClientLoginSessionModel clientSession = null; -// for (ClientLoginSessionModel cs : cookieResult.getSession().getClientLoginSessions().values()) { +// for (ClientLoginSessionModel cs : cookieResult.getSession().getAuthenticatedClientSessions().values()) { // if (cs.getClient().getClientId().equals(clientId)) { // byte[] decoded = Base64Url.decode(hash); // MessageDigest md = null; @@ -298,7 +216,7 @@ public class IdentityBrokerService { // } // // -// // TODO: Create LoginSessionModel and Login cookie and set the state inside. See my notes document +// // TODO: Create AuthenticationSessionModel and Login cookie and set the state inside. See my notes document // ClientSessionCode clientSessionCode = new ClientSessionCode(session, realmModel, clientSession); // clientSessionCode.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); // clientSessionCode.getCode(); @@ -487,10 +405,10 @@ public class IdentityBrokerService { // context.setToken(null); // } // -// LoginSessionModel loginSession = clientCode.getClientSession(); -// context.setLoginSession(loginSession); +// AuthenticationSessionModel authSession = clientCode.getClientSession(); +// context.setAuthenticationSession(authenticationSession); // -// session.getContext().setClient(loginSession.getClient()); +// session.getContext().setClient(authenticationSession.getClient()); // // context.getIdp().preprocessFederatedIdentity(session, realmModel, context); // Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); @@ -506,13 +424,13 @@ public class IdentityBrokerService { // context.getUsername(), context.getToken()); // // this.event.event(EventType.IDENTITY_PROVIDER_LOGIN) -// .detail(Details.REDIRECT_URI, loginSession.getRedirectUri()) +// .detail(Details.REDIRECT_URI, authenticationSession.getRedirectUri()) // .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); // // UserModel federatedUser = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel); // // // Check if federatedUser is already authenticated (this means linking social into existing federatedUser account) -// if (loginSession.getUserSession() != null) { +// if (authenticationSession.getUserSession() != null) { // return performAccountLinking(clientSession, context, federatedIdentityModel, federatedUser); // } // @@ -701,30 +619,30 @@ public class IdentityBrokerService { // if (parsedCode.response != null) { // return parsedCode.response; // } -// LoginSessionModel loginSession = parsedCode.clientSessionCode.getClientSession(); +// AuthenticationSessionModel authenticationSession = parsedCode.clientSessionCode.getClientSession(); // // try { -// SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(loginSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); +// SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(authenticationSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); // if (serializedCtx == null) { // throw new IdentityBrokerException("Not found serialized context in clientSession. Note " + PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT + " was null"); // } -// BrokeredIdentityContext context = serializedCtx.deserialize(session, loginSession); +// BrokeredIdentityContext context = serializedCtx.deserialize(session, authenticationSession); // -// String wasFirstBrokerLoginNote = loginSession.getNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); +// String wasFirstBrokerLoginNote = authenticationSession.getNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); // boolean wasFirstBrokerLogin = Boolean.parseBoolean(wasFirstBrokerLoginNote); // // // Ensure the post-broker-login flow was successfully finished // String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + context.getIdpConfig().getAlias(); -// String authState = loginSession.getNote(authStateNoteKey); +// String authState = authenticationSession.getNote(authStateNoteKey); // if (!Boolean.parseBoolean(authState)) { // throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished"); // } // // // remove notes -// loginSession.removeNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); -// loginSession.removeNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); +// authenticationSession.removeNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); +// authenticationSession.removeNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); // -// return afterPostBrokerLoginFlowSuccess(loginSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode); +// return afterPostBrokerLoginFlowSuccess(authenticationSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode); // } catch (IdentityBrokerException e) { // return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); // } @@ -903,12 +821,12 @@ public class IdentityBrokerService { // } // // private ParsedCodeContext parseClientSessionCode(String code) { -// ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel, LoginSessionModel.class); +// ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel, AuthenticationSessionModel.class); // // if (clientCode != null) { -// LoginSessionModel loginSession = clientCode.getClientSession(); +// AuthenticationSessionModel authenticationSession = clientCode.getClientSession(); // -// ClientModel client = loginSession.getClient(); +// ClientModel client = authenticationSession.getClient(); // // if (client != null) { // @@ -917,7 +835,7 @@ public class IdentityBrokerService { // this.session.getContext().setClient(client); // // if (!clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { -// logger.debugf("Authorization code is not valid. Client session ID: %s, Client session's action: %s", loginSession.getId(), loginSession.getAction()); +// logger.debugf("Authorization code is not valid. Client session ID: %s, Client session's action: %s", authenticationSession.getId(), authenticationSession.getAction()); // // // Check if error happened during login or during linking from account management // Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.STALE_CODE_ACCOUNT); @@ -966,7 +884,7 @@ public class IdentityBrokerService { // return ParsedCodeContext.clientSessionCode(new ClientSessionCode(session, this.realmModel, clientSession)); // } // -// private Response checkAccountManagementFailedLinking(LoginSessionModel loginSession, String error, Object... parameters) { +// private Response checkAccountManagementFailedLinking(LoginSessionModel authenticationSession, String error, Object... parameters) { // if (clientSession.getUserSession() != null && clientSession.getClient() != null && clientSession.getClient().getClientId().equals(ACCOUNT_MANAGEMENT_CLIENT_ID)) { // // this.event.event(EventType.FEDERATED_IDENTITY_LINK); @@ -981,11 +899,11 @@ public class IdentityBrokerService { // } // // private AuthenticationRequest createAuthenticationRequest(String providerId, ClientSessionCode clientSessionCode) { -// LoginSessionModel loginSession = null; +// AuthenticationSessionModel authenticationSession = null; // String relayState = null; // // if (clientSessionCode != null) { -// loginSession = clientSessionCode.getClientSession(); +// authenticationSession = clientSessionCode.getClientSession(); // relayState = clientSessionCode.getCode(); // } // diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 9633212828..50333954de 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -31,6 +31,7 @@ import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticato import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; import org.keycloak.common.ClientConnection; import org.keycloak.common.VerificationException; +import org.keycloak.common.util.ObjectUtil; import org.keycloak.common.util.Time; import org.keycloak.events.Details; import org.keycloak.events.Errors; @@ -38,7 +39,7 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AuthenticationFlowModel; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; @@ -48,7 +49,6 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.UserConsentModel; import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.protocol.LoginProtocol; import org.keycloak.protocol.LoginProtocol.Error; @@ -63,12 +63,10 @@ import org.keycloak.services.Urls; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ClientSessionCode.ActionType; -import org.keycloak.services.managers.ClientSessionCode.ParseResult; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.util.CookieHelper; -import org.keycloak.sessions.CommonClientSessionModel; -import org.keycloak.sessions.LoginSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.Consumes; import javax.ws.rs.GET; @@ -102,7 +100,6 @@ public class LoginActionsService { public static final String REQUIRED_ACTION = "required-action"; public static final String FIRST_BROKER_LOGIN_PATH = "first-broker-login"; public static final String POST_BROKER_LOGIN_PATH = "post-broker-login"; - public static final String LAST_PROCESSED_CODE = "last_processed_code"; private RealmModel realm; @@ -169,28 +166,33 @@ public class LoginActionsService { } } - private SessionCodeChecks checksForCode(String code, Class expectedClazz) { - SessionCodeChecks res = new SessionCodeChecks<>(code, expectedClazz); + private SessionCodeChecks checksForCode(String code, String execution, String flowPath, boolean wantsRestartSession) { + SessionCodeChecks res = new SessionCodeChecks(code, execution, flowPath, wantsRestartSession); res.initialVerifyCode(); return res; } - private class SessionCodeChecks { - ClientSessionCode clientCode; + private class SessionCodeChecks { + ClientSessionCode clientCode; Response response; - ClientSessionCode.ParseResult result; - Class expectedClazz; + ClientSessionCode.ParseResult result; + private boolean actionRequest; private final String code; + private final String execution; + private final String flowPath; + private final boolean wantsRestartSession; - public SessionCodeChecks(String code, Class expectedClazz) { + public SessionCodeChecks(String code, String execution, String flowPath, boolean wantsRestartSession) { this.code = code; - this.expectedClazz = expectedClazz; + this.execution = execution; + this.flowPath = flowPath; + this.wantsRestartSession = wantsRestartSession; } - public C getClientSession() { + public AuthenticationSessionModel getAuthenticationSession() { return clientCode == null ? null : clientCode.getClientSession(); } @@ -209,9 +211,11 @@ public class LoginActionsService { } if (!clientCode.isValidAction(requiredAction)) { - C clientSession = getClientSession(); - if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(clientSession.getAction())) { - response = redirectToRequiredActions(code); + AuthenticationSessionModel authSession = getAuthenticationSession(); + if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) { + // TODO:mposolda debug or trace + logger.info("Incorrect flow '%s' . User authenticated already. Trying requiredActions now."); + response = AuthenticationManager.nextActionAfterAuthentication(session, authSession, clientConnection, request, uriInfo, event); return false; } // TODO:mposolda /*else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { @@ -234,19 +238,19 @@ public class LoginActionsService { } private void invalidAction() { - event.client(getClientSession().getClient()); + event.client(getAuthenticationSession().getClient()); event.error(Errors.INVALID_CODE); response = ErrorPage.error(session, Messages.INVALID_CODE); } private boolean isActionActive(ClientSessionCode.ActionType actionType) { if (!clientCode.isActionActive(actionType)) { - event.client(getClientSession().getClient()); + event.client(getAuthenticationSession().getClient()); event.clone().error(Errors.EXPIRED_CODE); - if (getClientSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { - LoginSessionModel loginSession = (LoginSessionModel) getClientSession(); - AuthenticationProcessor.resetFlow(loginSession); - response = processAuthentication(null, loginSession, Messages.LOGIN_TIMEOUT); + if (getAuthenticationSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { + AuthenticationSessionModel authSession = getAuthenticationSession(); + AuthenticationProcessor.resetFlow(authSession); + response = processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT); return false; } response = ErrorPage.error(session, Messages.EXPIRED_CODE); @@ -256,6 +260,7 @@ public class LoginActionsService { } private boolean initialVerifyCode() { + // Basic realm checks if (!checkSsl()) { event.error(Errors.SSL_REQUIRED); response = ErrorPage.error(session, Messages.HTTPS_REQUIRED); @@ -266,52 +271,100 @@ public class LoginActionsService { response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); return false; } - result = ClientSessionCode.parseResult(code, session, realm, expectedClazz); - clientCode = result.getCode(); - if (clientCode == null) { - if (result.isLoginSessionNotFound()) { // timeout or loginSession already logged - // TODO:mposolda - /* - try { - ClientSessionModel clientSession = RestartLoginCookie.restartSession(session, realm, code); - if (clientSession != null) { - event.clone().detail(Details.RESTART_AFTER_TIMEOUT, "true").error(Errors.EXPIRED_CODE); - response = processFlow(null, clientSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT, new AuthenticationProcessor()); - return false; - } - } catch (Exception e) { - ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e); - }*/ - } - event.error(Errors.INVALID_CODE); - response = ErrorPage.error(session, Messages.INVALID_CODE); + + // authenticationSession retrieve and check if we need session restart + AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(code, session, realm, AuthenticationSessionModel.class); + if (authSession == null) { + response = restartAuthenticationSession(false); + return false; + } + if (wantsRestartSession) { + response = restartAuthenticationSession(true); return false; } - C clientSession = getClientSession(); - if (clientSession == null) { - event.error(Errors.INVALID_CODE); - response = ErrorPage.error(session, Messages.INVALID_CODE); - return false; - } - event.detail(Details.CODE_ID, clientSession.getId()); - ClientModel client = clientSession.getClient(); + // Client checks + event.detail(Details.CODE_ID, authSession.getId()); + ClientModel client = authSession.getClient(); if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); response = ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); - // TODO:mposolda - //session.sessions().removeClientSession(realm, clientSession); + clientCode.removeExpiredClientSession(); return false; } if (!client.isEnabled()) { - event.error(Errors.CLIENT_NOT_FOUND); + event.error(Errors.CLIENT_DISABLED); response = ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); - // TODO:mposolda - //session.sessions().removeClientSession(realm, clientSession); + clientCode.removeExpiredClientSession(); return false; } session.getContext().setClient(client); - return true; + + + // Check if it's action or not + if (code == null) { + String lastExecFromSession = authSession.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION); + String lastFlow = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); + + // Check if we transitted between flows (eg. clicking "register" on login screen) + if (execution==null && !flowPath.equals(lastFlow)) { + logger.infof("Transition between flows! Current flow: %s, Previous flow: %s", flowPath, lastFlow); + + if (lastFlow == null || isFlowTransitionAllowed(lastFlow)) { + authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath); + authSession.removeAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION); + lastExecFromSession = null; + } + } + + if (ObjectUtil.isEqualOrBothNull(execution, lastExecFromSession)) { + // Allow refresh of previous page + clientCode = new ClientSessionCode<>(session, realm, authSession); + actionRequest = false; + return true; + } else { + logger.info("Redirecting to page expired page."); + response = showPageExpired(flowPath, authSession); + return false; + } + } else { + result = ClientSessionCode.parseResult(code, session, realm, AuthenticationSessionModel.class); + clientCode = result.getCode(); + if (clientCode == null) { + + // In case that is replayed action, but sent to the same FORM like actual FORM, we just re-render the page + if (ObjectUtil.isEqualOrBothNull(execution, authSession.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION))) { + String latestFlowPath = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); + URI redirectUri = getLastExecutionUrl(latestFlowPath, execution); + logger.infof("Invalid action code, but execution matches. So just redirecting to %s", redirectUri); + response = Response.status(Response.Status.FOUND).location(redirectUri).build(); + } else { + response = showPageExpired(flowPath, authSession); + } + return false; + } + + + actionRequest = true; + authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, execution); + return true; + } + } + + private boolean isFlowTransitionAllowed(String lastFlow) { + if (flowPath.equals(AUTHENTICATE_PATH) && (lastFlow.equals(REGISTRATION_PATH) || lastFlow.equals(RESET_CREDENTIALS_PATH))) { + return true; + } + + if (flowPath.equals(REGISTRATION_PATH) && (lastFlow.equals(AUTHENTICATE_PATH))) { + return true; + } + + if (flowPath.equals(RESET_CREDENTIALS_PATH) && (lastFlow.equals(AUTHENTICATE_PATH))) { + return true; + } + + return false; } public boolean verifyRequiredAction(String executedAction) { @@ -322,25 +375,75 @@ public class LoginActionsService { if (!isValidAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name())) return false; if (!isActionActive(ClientSessionCode.ActionType.USER)) return false; - final LoginSessionModel loginSession = (LoginSessionModel) getClientSession(); + final AuthenticationSessionModel authSession = getAuthenticationSession(); - if (executedAction == null) { // do next required action only if user is already authenticated - initLoginEvent(loginSession); - event.event(EventType.LOGIN); - response = AuthenticationManager.nextActionAfterAuthentication(session, loginSession, clientConnection, request, uriInfo, event); - return false; - } - - if (!executedAction.equals(loginSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) { - logger.debug("required action doesn't match current required action"); - loginSession.removeNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); - response = redirectToRequiredActions(code); - return false; + if (actionRequest) { + String currentRequiredAction = authSession.getAuthNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); + if (executedAction == null || !executedAction.equals(currentRequiredAction)) { + logger.debug("required action doesn't match current required action"); + authSession.removeAuthNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); + response = redirectToRequiredActions(currentRequiredAction, authSession); + return false; + } } return true; } } + + protected Response restartAuthenticationSession(boolean managedRestart) { + logger.infof("Login restart requested or authentication session not found. Trying to restart from cookie. Managed restart: %s", managedRestart); + AuthenticationSessionModel authSession = null; + try { + authSession = RestartLoginCookie.restartSession(session, realm); + } catch (Exception e) { + ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e); + } + + if (authSession != null) { + + event.clone(); + + String warningMessage = null; + if (managedRestart) { + event.detail(Details.RESTART_REQUESTED, "true"); + } else { + event.detail(Details.RESTART_AFTER_TIMEOUT, "true"); + warningMessage = Messages.LOGIN_TIMEOUT; + } + + event.error(Errors.EXPIRED_CODE); + return processFlow(false, null, authSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), warningMessage, new AuthenticationProcessor()); + } else { + event.error(Errors.INVALID_CODE); + return ErrorPage.error(session, Messages.INVALID_CODE); + } + } + + + protected Response showPageExpired(String flowPath, AuthenticationSessionModel authSession) { + String executionId = authSession==null ? null : authSession.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION); + String latestFlowPath = authSession==null ? flowPath : authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); + URI lastStepUrl = getLastExecutionUrl(latestFlowPath, executionId); + + logger.infof("Redirecting to 'page expired' now. Will use URL: %s", lastStepUrl); + + return session.getProvider(LoginFormsProvider.class) + .setActionUri(lastStepUrl) + .createLoginExpiredPage(); + } + + + protected URI getLastExecutionUrl(String flowPath, String executionId) { + UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo) + .path(flowPath); + + if (executionId != null) { + uriBuilder.queryParam("execution", executionId); + } + return uriBuilder.build(realm.getName()); + } + /** * protocol independent login page entry point * @@ -350,33 +453,29 @@ public class LoginActionsService { @Path(AUTHENTICATE_PATH) @GET public Response authenticate(@QueryParam("code") String code, - @QueryParam("execution") String execution) { + @QueryParam("execution") String execution, + @QueryParam("restart") String restart) { event.event(EventType.LOGIN); - LoginSessionModel loginSession = ClientSessionCode.getClientSession(code, session, realm, LoginSessionModel.class); - if (loginSession != null && code.equals(loginSession.getNote(LAST_PROCESSED_CODE))) { - // Allow refresh of previous page - } else { - SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); - if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { - return checks.response; - } + boolean wantsSessionRestart = Boolean.parseBoolean(restart); - ClientSessionCode clientSessionCode = checks.clientCode; - loginSession = clientSessionCode.getClientSession(); + SessionCodeChecks checks = checksForCode(code, execution, AUTHENTICATE_PATH, wantsSessionRestart); + if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + return checks.response; } - event.detail(Details.CODE_ID, code); - loginSession.setNote(LAST_PROCESSED_CODE, code); - return processAuthentication(execution, loginSession, null); + AuthenticationSessionModel authSession = checks.getAuthenticationSession(); + boolean actionRequest = checks.actionRequest; + + return processAuthentication(actionRequest, execution, authSession, null); } - protected Response processAuthentication(String execution, LoginSessionModel loginSession, String errorMessage) { - return processFlow(execution, loginSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), errorMessage, new AuthenticationProcessor()); + protected Response processAuthentication(boolean action, String execution, AuthenticationSessionModel authSession, String errorMessage) { + return processFlow(action, execution, authSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), errorMessage, new AuthenticationProcessor()); } - protected Response processFlow(String execution, LoginSessionModel loginSession, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor) { - processor.setLoginSession(loginSession) + protected Response processFlow(boolean action, String execution, AuthenticationSessionModel authSession, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor) { + processor.setAuthenticationSession(authSession) .setFlowPath(flowPath) .setBrowserFlow(true) .setFlowId(flow.getId()) @@ -389,7 +488,7 @@ public class LoginActionsService { if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage)); try { - if (execution != null) { + if (action) { return processor.authenticationAction(execution); } else { return processor.authenticate(); @@ -409,33 +508,14 @@ public class LoginActionsService { @POST public Response authenticateForm(@QueryParam("code") String code, @QueryParam("execution") String execution) { - event.event(EventType.LOGIN); - - LoginSessionModel loginSession = ClientSessionCode.getClientSession(code, session, realm, LoginSessionModel.class); - if (loginSession != null && code.equals(loginSession.getNote(LAST_PROCESSED_CODE))) { - // Post already processed (refresh) - ignore form post and return next form - request.getFormParameters().clear(); - return authenticate(code, null); - } - - SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); - if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { - return checks.response; - } - final ClientSessionCode clientCode = checks.clientCode; - loginSession = clientCode.getClientSession(); - loginSession.setNote(LAST_PROCESSED_CODE, code); - - return processAuthentication(execution, loginSession, null); + return authenticate(code, execution, null); } @Path(RESET_CREDENTIALS_PATH) @POST public Response resetCredentialsPOST(@QueryParam("code") String code, @QueryParam("execution") String execution) { - // TODO:mposolda - //return resetCredentials(code, execution); - return null; + return resetCredentials(code, execution); } private boolean isSslUsed(JsonWebToken t) throws VerificationException { @@ -456,7 +536,7 @@ public class LoginActionsService { private boolean isResetCredentialsAllowed(ResetCredentialsActionToken t) throws VerificationException { if (!realm.isResetPasswordAllowed()) { - event.client(t.getClientSession().getClient()); + event.client(t.getAuthenticationSession().getClient()); event.error(Errors.NOT_ALLOWED); throw new LoginActionsServiceException(ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED)); } @@ -464,52 +544,59 @@ public class LoginActionsService { } private boolean canResolveClientSession(ResetCredentialsActionToken t) throws VerificationException { - // TODO:mposolda - /* - String clientSessionId = t == null ? null : t.getNote(ResetCredentialsActionToken.NOTE_CLIENT_SESSION_ID); + String authSessionId = t == null ? null : t.getAuthenticationSessionId(); - if (t == null || clientSessionId == null) { + if (t == null || authSessionId == null) { event.error(Errors.INVALID_CODE); throw new LoginActionsServiceException(ErrorPage.error(session, Messages.INVALID_CODE)); } - ClientSessionModel clientSession = session.sessions().getClientSession(clientSessionId); - t.setClientSession(clientSession); + AuthenticationSessionModel authSession = session.authenticationSessions().getAuthenticationSession(realm, authSessionId); + t.setAuthenticationSession(authSession); - if (clientSession == null) { // timeout + if (authSession == null) { // timeout or logged-already try { - clientSession = RestartLoginCookie.restartSessionByClientSession(session, realm, clientSessionId); + // Check if we are logged-already (it means userSession with same ID already exists). If yes, just showing the INFO or ERROR that user is already authenticated + // TODO:mposolda + + // If not, try to restart authSession from the cookie + AuthenticationSessionModel restartedAuthSession = RestartLoginCookie.restartSession(session, realm); + + // IDs must match with the ID from cookie + if (restartedAuthSession!=null && restartedAuthSession.getId().equals(authSessionId)) { + authSession = restartedAuthSession; + } } catch (Exception e) { ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e); } - if (clientSession != null) { + if (authSession != null) { event.clone().detail(Details.RESTART_AFTER_TIMEOUT, "true").error(Errors.EXPIRED_CODE); - throw new LoginActionsServiceException(processFlow(null, clientSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT, new AuthenticationProcessor())); + throw new LoginActionsServiceException(processFlow(false, null, authSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT, new AuthenticationProcessor())); } } - if (clientSession == null) { + if (authSession == null) { event.error(Errors.INVALID_CODE); throw new LoginActionsServiceException(ErrorPage.error(session, Messages.INVALID_CODE)); } - event.detail(Details.CODE_ID, clientSession.getId());*/ + event.detail(Details.CODE_ID, authSession.getId()); return true; } private boolean canResolveClient(ResetCredentialsActionToken t) throws VerificationException { - ClientModel client = t.getClientSession().getClient(); + ClientModel client = t.getAuthenticationSession().getClient(); if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); - session.sessions().removeClientSession(realm, t.getClientSession()); + session.authenticationSessions().removeAuthenticationSession(realm, t.getAuthenticationSession()); throw new LoginActionsServiceException(ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER)); } if (! client.isEnabled()) { event.error(Errors.CLIENT_NOT_FOUND); - session.sessions().removeClientSession(realm, t.getClientSession()); + session.authenticationSessions().removeAuthenticationSession(realm, t.getAuthenticationSession()); throw new LoginActionsServiceException(ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED)); } session.getContext().setClient(client); @@ -527,20 +614,22 @@ public class LoginActionsService { @Override public boolean test(ResetCredentialsActionToken t) throws VerificationException { - ClientSessionModel clientSession = t.getClientSession(); - if (! Objects.equals(clientSession.getAction(), this.requiredAction)) { + AuthenticationSessionModel authSession = t.getAuthenticationSession(); + if (! Objects.equals(authSession.getAction(), this.requiredAction)) { - if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(clientSession.getAction())) { + if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) { // TODO: Once login tokens would be implemented, this would have to be rewritten // String code = clientSession.getNote(ClientSessionCode.ACTIVE_CODE) + "." + clientSession.getId(); - String code = clientSession.getNote("active_code") + "." + clientSession.getId(); - throw new LoginActionsServiceException(redirectToRequiredActions(code)); - } else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { + //String code = clientSession.getNote("active_code") + "." + clientSession.getId(); + throw new LoginActionsServiceException(redirectToRequiredActions(null, authSession)); + } + // TODO:mposolda Similar stuff is in SessionCodeChecks as well. The case when authSession is already logged should be handled similarly + /*else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { throw new LoginActionsServiceException( session.getProvider(LoginFormsProvider.class) .setSuccess(Messages.ALREADY_LOGGED_IN) .createInfoPage()); - } + }*/ } return true; @@ -556,17 +645,16 @@ public class LoginActionsService { @Override public boolean test(ResetCredentialsActionToken t) throws VerificationException { - int timestamp = t.getClientSession().getTimestamp(); + int timestamp = t.getAuthenticationSession().getTimestamp(); if (! isActionActive(actionType, timestamp)) { - event.client(t.getClientSession().getClient()); + event.client(t.getAuthenticationSession().getClient()); event.clone().error(Errors.EXPIRED_CODE); - if (t.getClientSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { - // TODO:mposolda incompatible types - LoginSessionModel loginSession = (LoginSessionModel) t.getClientSession(); + if (t.getAuthenticationSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { + AuthenticationSessionModel authSession = t.getAuthenticationSession(); - AuthenticationProcessor.resetFlow(loginSession); - throw new LoginActionsServiceException(processAuthentication(null, loginSession, Messages.LOGIN_TIMEOUT)); + AuthenticationProcessor.resetFlow(authSession); + throw new LoginActionsServiceException(processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT)); } throw new LoginActionsServiceException(ErrorPage.error(session, Messages.EXPIRED_CODE)); @@ -608,8 +696,15 @@ public class LoginActionsService { public Response resetCredentialsGET(@QueryParam("code") String code, @QueryParam("execution") String execution, @QueryParam("key") String key) { + if (code != null && key != null) { + // TODO:mposolda better handling of error + throw new IllegalStateException("Illegal state"); + } + + AuthenticationSessionModel authSession = session.authenticationSessions().getCurrentAuthenticationSession(realm); + // we allow applications to link to reset credentials without going through OAuth or SAML handshakes - if (code == null && key == null) { + if (authSession == null && key == null) { if (!realm.isResetPasswordAllowed()) { event.event(EventType.RESET_PASSWORD); event.error(Errors.NOT_ALLOWED); @@ -618,24 +713,25 @@ public class LoginActionsService { } // set up the account service as the endpoint to call. ClientModel client = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - //clientSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); - clientSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + //authSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); + authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); - clientSession.setRedirectUri(redirectUri); - clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - clientSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); - clientSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); - clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - return processResetCredentials(null, clientSession, null); + authSession.setRedirectUri(redirectUri); + authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + authSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); + authSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); + authSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + return processResetCredentials(false, null, authSession, null); } if (key != null) { try { ResetCredentialsActionToken token = ResetCredentialsActionToken.deserialize( session, realm, session.getContext().getUri(), key); - return resetCredentials(code, token, execution); + + return resetCredentials(token, execution); } catch (VerificationException ex) { event.event(EventType.RESET_PASSWORD) .detail(Details.REASON, ex.getMessage()) @@ -649,32 +745,30 @@ public class LoginActionsService { /** - * @deprecated In favor of {@link #resetCredentials(String, org.keycloak.authentication.ResetCredentialsActionToken, java.lang.String)} + * @deprecated In favor of {@link #resetCredentials(org.keycloak.authentication.ResetCredentialsActionToken, java.lang.String)} * @param code * @param execution * @return */ protected Response resetCredentials(String code, String execution) { event.event(EventType.RESET_PASSWORD); - SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + SessionCodeChecks checks = checksForCode(code, execution, RESET_CREDENTIALS_PATH, false); if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) { return checks.response; } - final LoginSessionModel clientSession = checks.getClientSession(); + final AuthenticationSessionModel authSession = checks.getAuthenticationSession(); if (!realm.isResetPasswordAllowed()) { - event.client(clientSession.getClient()); + event.client(authSession.getClient()); event.error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } - // TODO:mposolda - //return processResetCredentials(execution, clientSession, null); - return null; + return processResetCredentials(checks.actionRequest, execution, authSession, null); } - protected Response resetCredentials(String code, ResetCredentialsActionToken token, String execution) { + protected Response resetCredentials(ResetCredentialsActionToken token, String execution) { event.event(EventType.RESET_PASSWORD); if (token == null) { @@ -712,43 +806,100 @@ public class LoginActionsService { return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } - final ClientSessionModel clientSession = token.getClientSession(); + final AuthenticationSessionModel authSession = token.getAuthenticationSession(); - return processResetCredentials(execution, clientSession, null); + // Verify if action is processed in same browser. + if (!isSameBrowser(authSession)) { + logger.infof("Action request processed in different browser!"); + + // TODO:mposolda improve this. The code should be merged with the InfinispanLoginSessionProvider code and rather extracted from the infinispan provider + setAuthSessionCookie(authSession.getId()); + + authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); + } + + return processResetCredentials(true, execution, authSession, null); } - protected Response processResetCredentials(String execution, ClientSessionModel clientSession, String errorMessage) { - // TODO:mposolda - /* + + // Verify if action is processed in same browser. + private boolean isSameBrowser(AuthenticationSessionModel actionTokenSession) { + String cookieSessionId = session.authenticationSessions().getCurrentAuthenticationSessionId(realm); + + if (cookieSessionId == null) { + return false; + } + + if (actionTokenSession.getId().equals(cookieSessionId)) { + return true; + } + + // Chance that cookie session was "forked" in browser from some other session + AuthenticationSessionModel forkedSession = session.authenticationSessions().getAuthenticationSession(realm, cookieSessionId); + if (forkedSession == null) { + return false; + } + + String parentSessionId = forkedSession.getAuthNote(AuthenticationProcessor.FORKED_FROM); + if (parentSessionId == null) { + return false; + } + + if (actionTokenSession.getId().equals(parentSessionId)) { + // It's the the correct browser. Let's remove forked session as we won't continue from the login form (browser flow) but from the resetCredentials flow + session.authenticationSessions().removeAuthenticationSession(realm, forkedSession); + logger.infof("Removed forked session: %s", forkedSession.getId()); + + // Refresh browser cookie + setAuthSessionCookie(parentSessionId); + + return true; + } else { + return false; + } + } + + // TODO:mposolda improve this. The code should be merged with the InfinispanLoginSessionProvider code and rather extracted from the infinispan provider + private void setAuthSessionCookie(String authSessionId) { + logger.infof("Set browser cookie to %s", authSessionId); + + String cookiePath = CookieHelper.getRealmCookiePath(realm); + boolean sslRequired = realm.getSslRequired().isRequired(session.getContext().getConnection()); + CookieHelper.addCookie("AUTH_SESSION_ID", authSessionId, cookiePath, null, null, -1, sslRequired, true); + } + + + + protected Response processResetCredentials(boolean actionRequest, String execution, AuthenticationSessionModel authSession, String errorMessage) { AuthenticationProcessor authProcessor = new AuthenticationProcessor() { @Override protected Response authenticationComplete() { - boolean firstBrokerLoginInProgress = (clientSession.getNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); + boolean firstBrokerLoginInProgress = (authenticationSession.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); if (firstBrokerLoginInProgress) { - UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realm, clientSession); - if (!linkingUser.getId().equals(clientSession.getAuthenticatedUser().getId())) { - return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, clientSession.getAuthenticatedUser().getUsername(), linkingUser.getUsername()); + UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realm, authenticationSession); + if (!linkingUser.getId().equals(authenticationSession.getAuthenticatedUser().getId())) { + return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, authenticationSession.getAuthenticatedUser().getUsername(), linkingUser.getUsername()); } logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login.", linkingUser.getUsername()); - return redirectToAfterBrokerLoginEndpoint(clientSession, true); + // TODO:mposolda Isn't this a bug that we redirect to 'afterBrokerLoginEndpoint' without rather continue with firstBrokerLogin and other authenticators like OTP? + //return redirectToAfterBrokerLoginEndpoint(authSession, true); + return null; } else { return super.authenticationComplete(); } } }; - return processFlow(execution, clientSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), errorMessage, authProcessor); - */ - return null; + return processFlow(actionRequest, execution, authSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), errorMessage, authProcessor); } - protected Response processRegistration(String execution, LoginSessionModel loginSession, String errorMessage) { - return processFlow(execution, loginSession, REGISTRATION_PATH, realm.getRegistrationFlow(), errorMessage, new AuthenticationProcessor()); + protected Response processRegistration(boolean action, String execution, AuthenticationSessionModel authSession, String errorMessage) { + return processFlow(action, execution, authSession, REGISTRATION_PATH, realm.getRegistrationFlow(), errorMessage, new AuthenticationProcessor()); } @@ -762,24 +913,7 @@ public class LoginActionsService { @GET public Response registerPage(@QueryParam("code") String code, @QueryParam("execution") String execution) { - event.event(EventType.REGISTER); - if (!realm.isRegistrationAllowed()) { - event.error(Errors.REGISTRATION_DISABLED); - return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED); - } - - SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); - if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { - return checks.response; - } - event.detail(Details.CODE_ID, code); - ClientSessionCode clientSessionCode = checks.clientCode; - LoginSessionModel clientSession = clientSessionCode.getClientSession(); - - - AuthenticationManager.expireIdentityCookie(realm, uriInfo, clientConnection); - - return processRegistration(execution, clientSession, null); + return registerRequest(code, execution, false); } @@ -793,20 +927,31 @@ public class LoginActionsService { @POST public Response processRegister(@QueryParam("code") String code, @QueryParam("execution") String execution) { + return registerRequest(code, execution, true); + } + + + private Response registerRequest(String code, String execution, boolean isPostRequest) { event.event(EventType.REGISTER); if (!realm.isRegistrationAllowed()) { event.error(Errors.REGISTRATION_DISABLED); return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED); } - SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + + SessionCodeChecks checks = checksForCode(code, execution, REGISTRATION_PATH, false); if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } + ClientSessionCode clientSessionCode = checks.clientCode; + AuthenticationSessionModel clientSession = clientSessionCode.getClientSession(); - ClientSessionCode clientCode = checks.clientCode; - LoginSessionModel loginSession = clientCode.getClientSession(); - return processRegistration(execution, loginSession, null); + // TODO:mposolda any consequences to do this for POST request too? + if (!isPostRequest) { + AuthenticationManager.expireIdentityCookie(realm, uriInfo, clientConnection); + } + + return processRegistration(checks.actionRequest, execution, clientSession, null); } // TODO:mposolda broker login @@ -917,27 +1062,27 @@ public class LoginActionsService { public Response processConsent(final MultivaluedMap formData) { event.event(EventType.LOGIN); String code = formData.getFirst("code"); - SessionCodeChecks checks = checksForCode(code, LoginSessionModel.class); + SessionCodeChecks checks = checksForCode(code, null, REQUIRED_ACTION, false); if (!checks.verifyRequiredAction(ClientSessionModel.Action.OAUTH_GRANT.name())) { return checks.response; } - ClientSessionCode accessCode = checks.clientCode; - LoginSessionModel loginSession = accessCode.getClientSession(); + ClientSessionCode accessCode = checks.clientCode; + AuthenticationSessionModel authSession = accessCode.getClientSession(); - initLoginEvent(loginSession); + initLoginEvent(authSession); - UserModel user = loginSession.getAuthenticatedUser(); - ClientModel client = loginSession.getClient(); + UserModel user = authSession.getAuthenticatedUser(); + ClientModel client = authSession.getClient(); if (formData.containsKey("cancel")) { - LoginProtocol protocol = session.getProvider(LoginProtocol.class, loginSession.getProtocol()); + LoginProtocol protocol = session.getProvider(LoginProtocol.class, authSession.getProtocol()); protocol.setRealm(realm) .setHttpHeaders(headers) .setUriInfo(uriInfo) .setEventBuilder(event); - Response response = protocol.sendError(loginSession, Error.CONSENT_DENIED); + Response response = protocol.sendError(authSession, Error.CONSENT_DENIED); event.error(Errors.REJECTED_BY_USER); return response; } @@ -961,8 +1106,8 @@ public class LoginActionsService { event.success(); // TODO:mposolda So assume that requiredActions were already done in this stage. Doublecheck... - ClientLoginSessionModel clientSession = AuthenticationProcessor.attachSession(loginSession, null, session, realm, clientConnection, event); - return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, loginSession.getProtocol()); + AuthenticatedClientSessionModel clientSession = AuthenticationProcessor.attachSession(authSession, null, session, realm, clientConnection, event); + return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, authSession.getProtocol()); } @Path("email-verification") @@ -1040,7 +1185,7 @@ public class LoginActionsService { return session.getProvider(LoginFormsProvider.class) .setClientSessionCode(accessCode.getCode()) - .setClientSession(clientSession) + .setAuthenticationSession(clientSession) .setUser(userSession.getUser()) .createResponse(RequiredAction.VERIFY_EMAIL); }*/ @@ -1092,57 +1237,38 @@ public class LoginActionsService { CookieHelper.addCookie(ACTION_COOKIE, sessionId, AuthenticationManager.getRealmCookiePath(realm, uriInfo), null, null, -1, realm.getSslRequired().isRequired(clientConnection), true); } - private void initEvent(ClientSessionModel clientSession) { - UserSessionModel userSession = clientSession.getUserSession(); - - String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); + private void initLoginEvent(AuthenticationSessionModel authSession) { + String responseType = authSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); if (responseType == null) { responseType = "code"; } - String respMode = clientSession.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); + String respMode = authSession.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); OIDCResponseMode responseMode = OIDCResponseMode.parse(respMode, OIDCResponseType.parse(responseType)); - event.event(EventType.LOGIN).client(clientSession.getClient()) - .user(userSession.getUser()) - .session(userSession.getId()) - .detail(Details.CODE_ID, clientSession.getId()) - .detail(Details.REDIRECT_URI, clientSession.getRedirectUri()) - .detail(Details.USERNAME, clientSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME)) - .detail(Details.AUTH_METHOD, userSession.getAuthMethod()) - .detail(Details.USERNAME, userSession.getLoginUsername()) - .detail(Details.RESPONSE_TYPE, responseType) - .detail(Details.RESPONSE_MODE, responseMode.toString().toLowerCase()) - .detail(Details.IDENTITY_PROVIDER, userSession.getNote(Details.IDENTITY_PROVIDER)) - .detail(Details.IDENTITY_PROVIDER_USERNAME, userSession.getNote(Details.IDENTITY_PROVIDER_USERNAME)); - - if (userSession.isRememberMe()) { - event.detail(Details.REMEMBER_ME, "true"); - } - } - - private void initLoginEvent(LoginSessionModel loginSession) { - String responseType = loginSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); - if (responseType == null) { - responseType = "code"; - } - String respMode = loginSession.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); - OIDCResponseMode responseMode = OIDCResponseMode.parse(respMode, OIDCResponseType.parse(responseType)); - - event.event(EventType.LOGIN).client(loginSession.getClient()) - .detail(Details.CODE_ID, loginSession.getId()) - .detail(Details.REDIRECT_URI, loginSession.getRedirectUri()) - .detail(Details.AUTH_METHOD, loginSession.getProtocol()) + event.event(EventType.LOGIN).client(authSession.getClient()) + .detail(Details.CODE_ID, authSession.getId()) + .detail(Details.REDIRECT_URI, authSession.getRedirectUri()) + .detail(Details.AUTH_METHOD, authSession.getProtocol()) .detail(Details.RESPONSE_TYPE, responseType) .detail(Details.RESPONSE_MODE, responseMode.toString().toLowerCase()); - UserModel authenticatedUser = loginSession.getAuthenticatedUser(); + UserModel authenticatedUser = authSession.getAuthenticatedUser(); if (authenticatedUser != null) { event.user(authenticatedUser) .detail(Details.USERNAME, authenticatedUser.getUsername()); - } else { - event.detail(Details.USERNAME, loginSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME)); } + String attemptedUsername = authSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); + if (attemptedUsername != null) { + event.detail(Details.USERNAME, attemptedUsername); + } + + String rememberMe = authSession.getAuthNote(Details.REMEMBER_ME); + if (rememberMe==null || !rememberMe.equalsIgnoreCase("true")) { + rememberMe = "false"; + } + event.detail(Details.REMEMBER_ME, rememberMe); + // TODO:mposolda Fix if this is called at firstBroker or postBroker login /* .detail(Details.IDENTITY_PROVIDER, userSession.getNote(Details.IDENTITY_PROVIDER)) @@ -1153,32 +1279,33 @@ public class LoginActionsService { @Path(REQUIRED_ACTION) @POST public Response requiredActionPOST(@QueryParam("code") final String code, - @QueryParam("action") String action) { + @QueryParam("execution") String action) { return processRequireAction(code, action); - - - } @Path(REQUIRED_ACTION) @GET public Response requiredActionGET(@QueryParam("code") final String code, - @QueryParam("action") String action) { + @QueryParam("execution") String action) { return processRequireAction(code, action); } private Response processRequireAction(final String code, String action) { - // TODO:mposolda - /* - event.event(EventType.CUSTOM_REQUIRED_ACTION); - event.detail(Details.CUSTOM_REQUIRED_ACTION, action); - SessionCodeChecks checks = checksForCode(code); + SessionCodeChecks checks = checksForCode(code, action, REQUIRED_ACTION, false); if (!checks.verifyRequiredAction(action)) { return checks.response; } - final ClientSessionModel clientSession = checks.getClientSession(); - final UserSessionModel userSession = clientSession.getUserSession(); + AuthenticationSessionModel authSession = checks.getAuthenticationSession(); + if (!checks.actionRequest) { + initLoginEvent(authSession); + event.event(EventType.CUSTOM_REQUIRED_ACTION); + return AuthenticationManager.nextActionAfterAuthentication(session, authSession, clientConnection, request, uriInfo, event); + } + + initLoginEvent(authSession); + event.event(EventType.CUSTOM_REQUIRED_ACTION); + event.detail(Details.CUSTOM_REQUIRED_ACTION, action); RequiredActionFactory factory = (RequiredActionFactory)session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, action); if (factory == null) { @@ -1188,11 +1315,7 @@ public class LoginActionsService { } RequiredActionProvider provider = factory.create(session); - initEvent(clientSession); - event.event(EventType.CUSTOM_REQUIRED_ACTION); - - - RequiredActionContextResult context = new RequiredActionContextResult(userSession, clientSession, realm, event, session, request, userSession.getUser(), factory) { + RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session, request, authSession.getAuthenticatedUser(), factory) { @Override public void ignore() { throw new RuntimeException("Cannot call ignore within processAction()"); @@ -1201,46 +1324,44 @@ public class LoginActionsService { provider.processAction(context); if (context.getStatus() == RequiredActionContext.Status.SUCCESS) { event.clone().success(); - initEvent(clientSession); + initLoginEvent(authSession); event.event(EventType.LOGIN); - clientSession.removeRequiredAction(factory.getId()); - userSession.getUser().removeRequiredAction(factory.getId()); - clientSession.removeNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); + authSession.removeRequiredAction(factory.getId()); + authSession.getAuthenticatedUser().removeRequiredAction(factory.getId()); + authSession.removeAuthNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); - if (AuthenticationManager.isActionRequired(session, userSession, clientSession, clientConnection, request, uriInfo, event)) { - // redirect to a generic code URI so that browser refresh will work - return redirectToRequiredActions(checks.clientCode.getCode()); - } else { - return AuthenticationManager.finishedRequiredActions(session, userSession, clientSession, clientConnection, request, uriInfo, event); - - } + return redirectToRequiredActions(action, authSession); } if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) { return context.getChallenge(); } if (context.getStatus() == RequiredActionContext.Status.FAILURE) { - LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getClientSession().getAuthMethod()); + LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, authSession.getProtocol()); protocol.setRealm(context.getRealm()) .setHttpHeaders(context.getHttpRequest().getHttpHeaders()) .setUriInfo(context.getUriInfo()) .setEventBuilder(event); event.detail(Details.CUSTOM_REQUIRED_ACTION, action); - Response response = protocol.sendError(context.getClientSession(), Error.CONSENT_DENIED); + Response response = protocol.sendError(authSession, Error.CONSENT_DENIED); event.error(Errors.REJECTED_BY_USER); return response; } throw new RuntimeException("Unreachable"); - */ - return null; } - private Response redirectToRequiredActions(String code) { - URI redirect = LoginActionsService.loginActionsBaseUrl(uriInfo) - .path(LoginActionsService.REQUIRED_ACTION) - .queryParam(OAuth2Constants.CODE, code).build(realm.getName()); + private Response redirectToRequiredActions(String action, AuthenticationSessionModel authSession) { + authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, action); + + UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo) + .path(LoginActionsService.REQUIRED_ACTION); + + if (action != null) { + uriBuilder.queryParam("execution", action); + } + URI redirect = uriBuilder.build(realm.getName()); return Response.status(302).location(redirect).build(); } diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java index d74521370f..c04b99e959 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java @@ -24,18 +24,14 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory; import org.keycloak.authentication.RequiredActionProvider; import org.keycloak.common.ClientConnection; import org.keycloak.common.Profile; -import org.keycloak.common.util.Time; import org.keycloak.credential.CredentialModel; -import org.keycloak.email.EmailException; -import org.keycloak.email.EmailTemplateProvider; import org.keycloak.events.Details; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.events.admin.OperationType; import org.keycloak.events.admin.ResourceType; -import org.keycloak.models.ClientLoginSessionModel; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.GroupModel; @@ -49,11 +45,8 @@ import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserLoginFailureModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; -import org.keycloak.models.credential.PasswordUserCredentialModel; import org.keycloak.models.utils.ModelToRepresentation; -import org.keycloak.models.utils.RepresentationToModel; import org.keycloak.protocol.oidc.OIDCLoginProtocol; -import org.keycloak.protocol.oidc.utils.RedirectUtils; import org.keycloak.provider.ProviderFactory; import org.keycloak.representations.idm.CredentialRepresentation; import org.keycloak.representations.idm.FederatedIdentityRepresentation; @@ -63,11 +56,8 @@ import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserSessionRepresentation; import org.keycloak.services.ErrorResponse; import org.keycloak.services.ErrorResponseException; -import org.keycloak.services.ServicesLogger; -import org.keycloak.services.Urls; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.BruteForceProtector; -import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.models.UserManager; import org.keycloak.services.managers.UserSessionManager; import org.keycloak.services.resources.AccountService; @@ -84,13 +74,11 @@ import javax.ws.rs.Path; import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.QueryParam; -import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; import javax.ws.rs.core.Response.Status; -import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import java.net.URI; import java.text.MessageFormat; @@ -103,7 +91,6 @@ import java.util.List; import java.util.Map; import java.util.Properties; import java.util.Set; -import java.util.concurrent.TimeUnit; /** * Base resource for managing users @@ -414,7 +401,7 @@ public class UsersResource { UserSessionRepresentation rep = ModelToRepresentation.toRepresentation(session); // Update lastSessionRefresh with the timestamp from clientSession - ClientLoginSessionModel clientSession = session.getClientLoginSessions().get(clientId); + AuthenticatedClientSessionModel clientSession = session.getAuthenticatedClientSessions().get(clientId); // Skip if userSession is not for this client if (clientSession == null) { diff --git a/testsuite/integration-arquillian/HOW-TO-RUN.md b/testsuite/integration-arquillian/HOW-TO-RUN.md index 1c519b1e13..35e4be8cb6 100644 --- a/testsuite/integration-arquillian/HOW-TO-RUN.md +++ b/testsuite/integration-arquillian/HOW-TO-RUN.md @@ -22,7 +22,7 @@ Adding this system property when running any test: -Darquillian.debug=true will add lots of info to the log. Especially about: -* The test method names, which will be executed for each test class, will be written at the proper running order to the log at the beginning of each test (done by KcArquillian class). +* The test method names, which will be executed for each test class, will be written at the proper running order to the log at the beginning of each test class(done by KcArquillian class). * All the triggered arquillian lifecycle events and executed observers listening to those events will be written to the log * The bootstrap of WebDriver will be unlimited. By default there is just 1 minute timeout and test is cancelled when WebDriver is not bootstrapped within it. diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/forms/PassThroughRegistration.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/forms/PassThroughRegistration.java index b600c140e5..74906bde2a 100755 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/forms/PassThroughRegistration.java +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/forms/PassThroughRegistration.java @@ -52,15 +52,15 @@ public class PassThroughRegistration implements Authenticator, AuthenticatorFact user.setEnabled(true); user.setEmail(email); - context.getLoginSession().setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); + context.getAuthenticationSession().setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); context.setUser(user); context.getEvent().user(user); context.getEvent().success(); context.newEvent().event(EventType.LOGIN); - context.getEvent().client(context.getLoginSession().getClient().getClientId()) - .detail(Details.REDIRECT_URI, context.getLoginSession().getRedirectUri()) - .detail(Details.AUTH_METHOD, context.getLoginSession().getProtocol()); - String authType = context.getLoginSession().getNote(Details.AUTH_TYPE); + context.getEvent().client(context.getAuthenticationSession().getClient().getClientId()) + .detail(Details.REDIRECT_URI, context.getAuthenticationSession().getRedirectUri()) + .detail(Details.AUTH_METHOD, context.getAuthenticationSession().getProtocol()); + String authType = context.getAuthenticationSession().getAuthNote(Details.AUTH_TYPE); if (authType != null) { context.getEvent().detail(Details.AUTH_TYPE, authType); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java index 4445de9647..eaf5ab597b 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java @@ -20,6 +20,7 @@ package org.keycloak.testsuite; import org.hamcrest.CoreMatchers; import org.hamcrest.Description; import org.hamcrest.Matcher; +import org.hamcrest.Matchers; import org.hamcrest.TypeSafeMatcher; import org.junit.Assert; import org.junit.rules.TestRule; @@ -88,7 +89,7 @@ public class AssertEvents implements TestRule { } public ExpectedEvent expectRequiredAction(EventType event) { - return expectLogin().event(event).removeDetail(Details.CONSENT).session(isUUID()); + return expectLogin().event(event).removeDetail(Details.CONSENT).session(Matchers.isEmptyOrNullString()); } public ExpectedEvent expectLogin() { @@ -120,9 +121,9 @@ public class AssertEvents implements TestRule { .session(isUUID()); } + // TODO:mposolda codeId is not needed anymore public ExpectedEvent expectCodeToToken(String codeId, String sessionId) { return expect(EventType.CODE_TO_TOKEN) - .detail(Details.CODE_ID, codeId) .detail(Details.TOKEN_ID, isUUID()) .detail(Details.REFRESH_TOKEN_ID, isUUID()) .detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_REFRESH) diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java index 201a625ac4..787db5b2dd 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java @@ -142,15 +142,15 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { updatePasswordPage.changePassword("resetPassword", "resetPassword"); - String sessionId = events.expectRequiredAction(EventType.UPDATE_PASSWORD) - .detail(Details.REDIRECT_URI, oauth.AUTH_SERVER_ROOT + "/realms/test/account/") + events.expectRequiredAction(EventType.UPDATE_PASSWORD) + .detail(Details.REDIRECT_URI, oauth.AUTH_SERVER_ROOT + "/realms/test/account/") .client("account") - .user(userId).detail(Details.USERNAME, username).assertEvent().getSessionId(); + .user(userId).detail(Details.USERNAME, username).assertEvent(); - events.expectLogin().user(userId).detail(Details.USERNAME, username) + String sessionId = events.expectLogin().user(userId).detail(Details.USERNAME, username) .detail(Details.REDIRECT_URI, oauth.AUTH_SERVER_ROOT + "/realms/test/account/") .client("account") - .session(sessionId).assertEvent(); + .assertEvent().getSessionId(); oauth.openLogout(); @@ -246,11 +246,11 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { updatePasswordPage.changePassword(password, password); - String sessionId = events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).detail(Details.USERNAME, username.trim()).assertEvent().getSessionId(); + events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).detail(Details.USERNAME, username.trim()).assertEvent(); assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectLogin().user(userId).detail(Details.USERNAME, username.trim()).session(sessionId).assertEvent(); + String sessionId = events.expectLogin().user(userId).detail(Details.USERNAME, username.trim()).assertEvent().getSessionId(); oauth.openLogout(); @@ -513,11 +513,11 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { updatePasswordPage.changePassword("resetPasswordWithPasswordPolicy", "resetPasswordWithPasswordPolicy"); - String sessionId = events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).detail(Details.USERNAME, "login-test").assertEvent().getSessionId(); + events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).detail(Details.USERNAME, "login-test").assertEvent().getSessionId(); assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").session(sessionId).assertEvent(); + String sessionId = events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent().getSessionId(); oauth.openLogout(); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java new file mode 100644 index 0000000000..e747683399 --- /dev/null +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java @@ -0,0 +1,122 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.model; + +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.ClassRule; +import org.junit.Test; +import org.keycloak.models.ClientModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserManager; +import org.keycloak.models.UserModel; +import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.testsuite.rule.KeycloakRule; + +/** + * @author Marek Posolda + */ +public class AuthenticationSessionProviderTest { + + @ClassRule + public static KeycloakRule kc = new KeycloakRule(); + + private KeycloakSession session; + private RealmModel realm; + + @Before + public void before() { + session = kc.startSession(); + realm = session.realms().getRealm("test"); + session.users().addUser(realm, "user1").setEmail("user1@localhost"); + session.users().addUser(realm, "user2").setEmail("user2@localhost"); + } + + @After + public void after() { + resetSession(); + session.sessions().removeUserSessions(realm); + UserModel user1 = session.users().getUserByUsername("user1", realm); + UserModel user2 = session.users().getUserByUsername("user2", realm); + + UserManager um = new UserManager(session); + if (user1 != null) { + um.removeUser(realm, user1); + } + if (user2 != null) { + um.removeUser(realm, user2); + } + kc.stopSession(session, true); + } + + private void resetSession() { + kc.stopSession(session, true); + session = kc.startSession(); + realm = session.realms().getRealm("test"); + } + + @Test + public void testLoginSessionsCRUD() { + ClientModel client1 = realm.getClientByClientId("test-app"); + UserModel user1 = session.users().getUserByUsername("user1", realm); + + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client1, false); + + authSession.setAction("foo"); + authSession.setTimestamp(100); + + resetSession(); + + // Ensure session is here + authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); + testLoginSession(authSession, client1.getId(), null, "foo", 100); + + // Update and commit + authSession.setAction("foo-updated"); + authSession.setTimestamp(200); + authSession.setAuthenticatedUser(session.users().getUserByUsername("user1", realm)); + + resetSession(); + + // Ensure session was updated + authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); + testLoginSession(authSession, client1.getId(), user1.getId(), "foo-updated", 200); + + // Remove and commit + session.authenticationSessions().removeAuthenticationSession(realm, authSession); + + resetSession(); + + // Ensure session was removed + Assert.assertNull(session.authenticationSessions().getAuthenticationSession(realm, authSession.getId())); + + } + + private void testLoginSession(AuthenticationSessionModel authSession, String expectedClientId, String expectedUserId, String expectedAction, int expectedTimestamp) { + Assert.assertEquals(expectedClientId, authSession.getClient().getId()); + if (expectedUserId == null) { + Assert.assertNull(authSession.getAuthenticatedUser()); + } else { + Assert.assertEquals(expectedUserId, authSession.getAuthenticatedUser().getId()); + } + Assert.assertEquals(expectedAction, authSession.getAction()); + Assert.assertEquals(expectedTimestamp, authSession.getTimestamp()); + } +} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java index 534bff342b..4e13b30061 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java @@ -23,6 +23,7 @@ import org.junit.Before; import org.junit.ClassRule; import org.junit.Test; import org.keycloak.common.util.Time; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -38,6 +39,7 @@ import java.util.Arrays; import java.util.HashSet; import java.util.LinkedList; import java.util.List; +import java.util.Map; import java.util.Set; import static org.junit.Assert.assertArrayEquals; @@ -52,577 +54,648 @@ import static org.junit.Assert.assertTrue; */ public class UserSessionProviderTest { - // TODO:mposolda -// -// @ClassRule -// public static KeycloakRule kc = new KeycloakRule(); -// -// private KeycloakSession session; -// private RealmModel realm; -// -// @Before -// public void before() { -// session = kc.startSession(); -// realm = session.realms().getRealm("test"); -// session.users().addUser(realm, "user1").setEmail("user1@localhost"); -// session.users().addUser(realm, "user2").setEmail("user2@localhost"); -// } -// -// @After -// public void after() { -// resetSession(); -// session.sessions().removeUserSessions(realm); -// UserModel user1 = session.users().getUserByUsername("user1", realm); -// UserModel user2 = session.users().getUserByUsername("user2", realm); -// -// UserManager um = new UserManager(session); -// if (user1 != null) { -// um.removeUser(realm, user1); -// } -// if (user2 != null) { -// um.removeUser(realm, user2); -// } -// kc.stopSession(session, true); -// } -// -// @Test -// public void testCreateSessions() { -// int started = Time.currentTime(); -// UserSessionModel[] sessions = createSessions(); -// -// assertSession(session.sessions().getUserSession(realm, sessions[0].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); -// assertSession(session.sessions().getUserSession(realm, sessions[1].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); -// assertSession(session.sessions().getUserSession(realm, sessions[2].getId()), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); -// } -// -// @Test -// public void testUpdateSession() { -// UserSessionModel[] sessions = createSessions(); -// session.sessions().getUserSession(realm, sessions[0].getId()).setLastSessionRefresh(1000); -// -// resetSession(); -// -// assertEquals(1000, session.sessions().getUserSession(realm, sessions[0].getId()).getLastSessionRefresh()); -// } -// -// @Test -// public void testCreateClientSession() { -// UserSessionModel[] sessions = createSessions(); -// -// List clientSessions = session.sessions().getUserSession(realm, sessions[0].getId()).getClientSessions(); -// assertEquals(2, clientSessions.size()); -// -// String client1 = realm.getClientByClientId("test-app").getId(); -// -// ClientSessionModel session1; -// -// if (clientSessions.get(0).getClient().getId().equals(client1)) { -// session1 = clientSessions.get(0); -// } else { -// session1 = clientSessions.get(1); -// } -// -// assertEquals(null, session1.getAction()); -// assertEquals(realm.getClientByClientId("test-app").getClientId(), session1.getClient().getClientId()); -// assertEquals(sessions[0].getId(), session1.getUserSession().getId()); -// assertEquals("http://redirect", session1.getRedirectUri()); -// assertEquals("state", session1.getNote(OIDCLoginProtocol.STATE_PARAM)); -// assertEquals(2, session1.getRoles().size()); -// assertTrue(session1.getRoles().contains("one")); -// assertTrue(session1.getRoles().contains("two")); -// assertEquals(2, session1.getProtocolMappers().size()); -// assertTrue(session1.getProtocolMappers().contains("mapper-one")); -// assertTrue(session1.getProtocolMappers().contains("mapper-two")); -// } -// -// @Test -// public void testUpdateClientSession() { -// UserSessionModel[] sessions = createSessions(); -// -// String id = sessions[0].getClientSessions().get(0).getId(); -// -// ClientSessionModel clientSession = session.sessions().getClientSession(realm, id); -// -// int time = clientSession.getTimestamp(); -// assertEquals(null, clientSession.getAction()); -// -// clientSession.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name()); -// clientSession.setTimestamp(time + 10); -// -// kc.stopSession(session, true); -// session = kc.startSession(); -// -// ClientSessionModel updated = session.sessions().getClientSession(realm, id); -// assertEquals(ClientSessionModel.Action.CODE_TO_TOKEN.name(), updated.getAction()); -// assertEquals(time + 10, updated.getTimestamp()); -// } -// -// @Test -// public void testGetUserSessions() { -// UserSessionModel[] sessions = createSessions(); -// -// assertSessions(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)), sessions[0], sessions[1]); -// assertSessions(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)), sessions[2]); -// } -// -// @Test -// public void testRemoveUserSessionsByUser() { -// UserSessionModel[] sessions = createSessions(); -// -// List clientSessionsRemoved = new LinkedList(); -// List clientSessionsKept = new LinkedList(); -// for (UserSessionModel s : sessions) { -// s = session.sessions().getUserSession(realm, s.getId()); -// -// for (ClientSessionModel c : s.getClientSessions()) { -// if (c.getUserSession().getUser().getUsername().equals("user1")) { -// clientSessionsRemoved.add(c.getId()); -// } else { -// clientSessionsKept.add(c.getId()); -// } -// } -// } -// -// session.sessions().removeUserSessions(realm, session.users().getUserByUsername("user1", realm)); -// resetSession(); -// -// assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); -// assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); -// -// for (String c : clientSessionsRemoved) { -// assertNull(session.sessions().getClientSession(realm, c)); -// } -// for (String c : clientSessionsKept) { -// assertNotNull(session.sessions().getClientSession(realm, c)); -// } -// } -// -// @Test -// public void testRemoveUserSession() { -// UserSessionModel userSession = createSessions()[0]; -// -// List clientSessionsRemoved = new LinkedList(); -// for (ClientSessionModel c : userSession.getClientSessions()) { -// clientSessionsRemoved.add(c.getId()); -// } -// -// session.sessions().removeUserSession(realm, userSession); -// resetSession(); -// -// assertNull(session.sessions().getUserSession(realm, userSession.getId())); -// for (String c : clientSessionsRemoved) { -// assertNull(session.sessions().getClientSession(realm, c)); -// } -// } -// -// @Test -// public void testRemoveUserSessionsByRealm() { -// UserSessionModel[] sessions = createSessions(); -// -// List clientSessions = new LinkedList(); -// for (UserSessionModel s : sessions) { -// clientSessions.addAll(s.getClientSessions()); -// } -// -// session.sessions().removeUserSessions(realm); -// resetSession(); -// -// assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); -// assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); -// -// for (ClientSessionModel c : clientSessions) { -// assertNull(session.sessions().getClientSession(realm, c.getId())); -// } -// } -// -// @Test -// public void testOnClientRemoved() { -// UserSessionModel[] sessions = createSessions(); -// -// List clientSessionsRemoved = new LinkedList(); -// List clientSessionsKept = new LinkedList(); -// for (UserSessionModel s : sessions) { -// s = session.sessions().getUserSession(realm, s.getId()); -// for (ClientSessionModel c : s.getClientSessions()) { -// if (c.getClient().getClientId().equals("third-party")) { -// clientSessionsRemoved.add(c.getId()); -// } else { -// clientSessionsKept.add(c.getId()); -// } -// } -// } -// -// session.sessions().onClientRemoved(realm, realm.getClientByClientId("third-party")); -// resetSession(); -// -// for (String c : clientSessionsRemoved) { -// assertNull(session.sessions().getClientSession(realm, c)); -// } -// for (String c : clientSessionsKept) { -// assertNotNull(session.sessions().getClientSession(realm, c)); -// } -// -// session.sessions().onClientRemoved(realm, realm.getClientByClientId("test-app")); -// resetSession(); -// -// for (String c : clientSessionsRemoved) { -// assertNull(session.sessions().getClientSession(realm, c)); -// } -// for (String c : clientSessionsKept) { -// assertNull(session.sessions().getClientSession(realm, c)); -// } -// } -// -// @Test -// public void testRemoveUserSessionsByExpired() { -// session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)); -// ClientModel client = realm.getClientByClientId("test-app"); -// -// try { -// Set expired = new HashSet(); -// Set expiredClientSessions = new HashSet(); -// -// Time.setOffset(-(realm.getSsoSessionMaxLifespan() + 1)); -// expired.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); -// expiredClientSessions.add(session.sessions().createClientSession(realm, client).getId()); -// -// Time.setOffset(0); -// UserSessionModel s = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.1", "form", true, null, null); -// //s.setLastSessionRefresh(Time.currentTime() - (realm.getSsoSessionIdleTimeout() + 1)); -// s.setLastSessionRefresh(0); -// expired.add(s.getId()); -// -// ClientSessionModel clSession = session.sessions().createClientSession(realm, client); -// clSession.setUserSession(s); -// expiredClientSessions.add(clSession.getId()); -// -// Set valid = new HashSet(); -// Set validClientSessions = new HashSet(); -// -// valid.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); -// validClientSessions.add(session.sessions().createClientSession(realm, client).getId()); -// -// resetSession(); -// -// session.sessions().removeExpired(realm); -// resetSession(); -// -// for (String e : expired) { -// assertNull(session.sessions().getUserSession(realm, e)); -// } -// for (String e : expiredClientSessions) { -// assertNull(session.sessions().getClientSession(realm, e)); -// } -// -// for (String v : valid) { -// assertNotNull(session.sessions().getUserSession(realm, v)); -// } -// for (String e : validClientSessions) { -// assertNotNull(session.sessions().getClientSession(realm, e)); -// } -// } finally { -// Time.setOffset(0); -// } -// } -// -// @Test -// public void testExpireDetachedClientSessions() { -// try { -// realm.setAccessCodeLifespan(10); -// realm.setAccessCodeLifespanUserAction(10); -// realm.setAccessCodeLifespanLogin(30); -// -// // Login lifespan is largest -// String clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); -// resetSession(); -// -// Time.setOffset(25); -// session.sessions().removeExpired(realm); -// resetSession(); -// -// assertNotNull(session.sessions().getClientSession(clientSessionId)); -// -// Time.setOffset(35); -// session.sessions().removeExpired(realm); -// resetSession(); -// -// assertNull(session.sessions().getClientSession(clientSessionId)); -// -// // User action is largest -// realm.setAccessCodeLifespanUserAction(40); -// -// Time.setOffset(0); -// clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); -// resetSession(); -// -// Time.setOffset(35); -// session.sessions().removeExpired(realm); -// resetSession(); -// -// assertNotNull(session.sessions().getClientSession(clientSessionId)); -// -// Time.setOffset(45); -// session.sessions().removeExpired(realm); -// resetSession(); -// -// assertNull(session.sessions().getClientSession(clientSessionId)); -// -// // Access code is largest -// realm.setAccessCodeLifespan(50); -// -// Time.setOffset(0); -// clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); -// resetSession(); -// -// Time.setOffset(45); -// session.sessions().removeExpired(realm); -// resetSession(); -// -// assertNotNull(session.sessions().getClientSession(clientSessionId)); -// -// Time.setOffset(55); -// session.sessions().removeExpired(realm); -// resetSession(); -// -// assertNull(session.sessions().getClientSession(clientSessionId)); -// } finally { -// Time.setOffset(0); -// -// realm.setAccessCodeLifespan(60); -// realm.setAccessCodeLifespanUserAction(300); -// realm.setAccessCodeLifespanLogin(1800); -// -// } -// } -// -// // KEYCLOAK-2508 -// @Test -// public void testRemovingExpiredSession() { -// UserSessionModel[] sessions = createSessions(); -// try { -// Time.setOffset(3600000); -// UserSessionModel userSession = sessions[0]; -// RealmModel realm = userSession.getRealm(); -// session.sessions().removeExpired(realm); -// -// resetSession(); -// -// // Assert no exception is thrown here -// session.sessions().removeUserSession(realm, userSession); -// } finally { -// Time.setOffset(0); -// } -// } -// -// @Test -// public void testGetByClient() { -// UserSessionModel[] sessions = createSessions(); -// -// assertSessions(session.sessions().getUserSessions(realm, realm.getClientByClientId("test-app")), sessions[0], sessions[1], sessions[2]); -// assertSessions(session.sessions().getUserSessions(realm, realm.getClientByClientId("third-party")), sessions[0]); -// } -// -// @Test -// public void testGetByClientPaginated() { -// try { -// for (int i = 0; i < 25; i++) { -// Time.setOffset(i); -// UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0." + i, "form", false, null, null); -// ClientSessionModel clientSession = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")); -// clientSession.setUserSession(userSession); -// clientSession.setRedirectUri("http://redirect"); -// clientSession.setRoles(new HashSet()); -// clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, "state"); -// clientSession.setTimestamp(userSession.getStarted()); -// } -// } finally { -// Time.setOffset(0); -// } -// -// resetSession(); -// -// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 0, 1, 1); -// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 0, 10, 10); -// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 10, 10, 10); -// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 20, 10, 5); -// assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 30, 10, 0); -// } -// -// @Test -// public void testCreateAndGetInSameTransaction() { -// UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); -// ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("test-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); -// -// Assert.assertNotNull(session.sessions().getUserSession(realm, userSession.getId())); -// Assert.assertNotNull(session.sessions().getClientSession(realm, clientSession.getId())); -// -// Assert.assertEquals(userSession.getId(), clientSession.getUserSession().getId()); -// Assert.assertEquals(1, userSession.getClientSessions().size()); -// Assert.assertEquals(clientSession.getId(), userSession.getClientSessions().get(0).getId()); -// } -// -// private void assertPaginatedSession(RealmModel realm, ClientModel client, int start, int max, int expectedSize) { -// List sessions = session.sessions().getUserSessions(realm, client, start, max); -// String[] actualIps = new String[sessions.size()]; -// for (int i = 0; i < actualIps.length; i++) { -// actualIps[i] = sessions.get(i).getIpAddress(); -// } -// -// String[] expectedIps = new String[expectedSize]; -// for (int i = 0; i < expectedSize; i++) { -// expectedIps[i] = "127.0.0." + (i + start); -// } -// -// assertArrayEquals(expectedIps, actualIps); -// } -// -// @Test -// public void testGetCountByClient() { -// createSessions(); -// -// assertEquals(3, session.sessions().getActiveUserSessions(realm, realm.getClientByClientId("test-app"))); -// assertEquals(1, session.sessions().getActiveUserSessions(realm, realm.getClientByClientId("third-party"))); -// } -// -// @Test -// public void loginFailures() { -// UserLoginFailureModel failure1 = session.sessions().addUserLoginFailure(realm, "user1"); -// failure1.incrementFailures(); -// -// UserLoginFailureModel failure2 = session.sessions().addUserLoginFailure(realm, "user2"); -// failure2.incrementFailures(); -// failure2.incrementFailures(); -// -// resetSession(); -// -// failure1 = session.sessions().getUserLoginFailure(realm, "user1"); -// assertEquals(1, failure1.getNumFailures()); -// -// failure2 = session.sessions().getUserLoginFailure(realm, "user2"); -// assertEquals(2, failure2.getNumFailures()); -// -// resetSession(); -// -// failure1 = session.sessions().getUserLoginFailure(realm, "user1"); -// failure1.clearFailures(); -// -// resetSession(); -// -// failure1 = session.sessions().getUserLoginFailure(realm, "user1"); -// assertEquals(0, failure1.getNumFailures()); -// -// session.sessions().removeUserLoginFailure(realm, "user1"); -// -// resetSession(); -// -// assertNull(session.sessions().getUserLoginFailure(realm, "user1")); -// -// session.sessions().removeAllUserLoginFailures(realm); -// -// resetSession(); -// -// assertNull(session.sessions().getUserLoginFailure(realm, "user2")); -// } -// -// @Test -// public void testOnUserRemoved() { -// createSessions(); -// -// session.sessions().addUserLoginFailure(realm, "user1"); -// session.sessions().addUserLoginFailure(realm, "user1@localhost"); -// session.sessions().addUserLoginFailure(realm, "user2"); -// -// resetSession(); -// -// UserModel user1 = session.users().getUserByUsername("user1", realm); -// new UserManager(session).removeUser(realm, user1); -// -// resetSession(); -// -// assertTrue(session.sessions().getUserSessions(realm, user1).isEmpty()); -// assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); -// -// assertNull(session.sessions().getUserLoginFailure(realm, "user1")); -// assertNull(session.sessions().getUserLoginFailure(realm, "user1@localhost")); -// assertNotNull(session.sessions().getUserLoginFailure(realm, "user2")); -// } -// -// private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { -// ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); -// if (userSession != null) clientSession.setUserSession(userSession); -// clientSession.setRedirectUri(redirect); -// if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); -// if (roles != null) clientSession.setRoles(roles); -// if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); -// return clientSession; -// } -// -// private UserSessionModel[] createSessions() { -// UserSessionModel[] sessions = new UserSessionModel[3]; -// sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); -// -// Set roles = new HashSet(); -// roles.add("one"); -// roles.add("two"); -// -// Set protocolMappers = new HashSet(); -// protocolMappers.add("mapper-one"); -// protocolMappers.add("mapper-two"); -// -// createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); -// createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); -// -// sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); -// createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); -// -// sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); -// createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); -// -// resetSession(); -// -// return sessions; -// } -// -// private void resetSession() { -// kc.stopSession(session, true); -// session = kc.startSession(); -// realm = session.realms().getRealm("test"); -// } -// -// public static void assertSessions(List actualSessions, UserSessionModel... expectedSessions) { -// String[] expected = new String[expectedSessions.length]; -// for (int i = 0; i < expected.length; i++) { -// expected[i] = expectedSessions[i].getId(); -// } -// -// String[] actual = new String[actualSessions.size()]; -// for (int i = 0; i < actual.length; i++) { -// actual[i] = actualSessions.get(i).getId(); -// } -// -// Arrays.sort(expected); -// Arrays.sort(actual); -// -// assertArrayEquals(expected, actual); -// } -// -// public static void assertSession(UserSessionModel session, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { -// assertEquals(user.getId(), session.getUser().getId()); -// assertEquals(ipAddress, session.getIpAddress()); -// assertEquals(user.getUsername(), session.getLoginUsername()); -// assertEquals("form", session.getAuthMethod()); -// assertEquals(true, session.isRememberMe()); -// assertTrue(session.getStarted() >= started - 1 && session.getStarted() <= started + 1); -// assertTrue(session.getLastSessionRefresh() >= lastRefresh - 1 && session.getLastSessionRefresh() <= lastRefresh + 1); -// -// String[] actualClients = new String[session.getClientSessions().size()]; -// for (int i = 0; i < actualClients.length; i++) { -// actualClients[i] = session.getClientSessions().get(i).getClient().getClientId(); -// } -// -// Arrays.sort(clients); -// Arrays.sort(actualClients); -// -// assertArrayEquals(clients, actualClients); -// } + @ClassRule + public static KeycloakRule kc = new KeycloakRule(); + + private KeycloakSession session; + private RealmModel realm; + + @Before + public void before() { + session = kc.startSession(); + realm = session.realms().getRealm("test"); + session.users().addUser(realm, "user1").setEmail("user1@localhost"); + session.users().addUser(realm, "user2").setEmail("user2@localhost"); + } + + @After + public void after() { + resetSession(); + session.sessions().removeUserSessions(realm); + UserModel user1 = session.users().getUserByUsername("user1", realm); + UserModel user2 = session.users().getUserByUsername("user2", realm); + + UserManager um = new UserManager(session); + if (user1 != null) { + um.removeUser(realm, user1); + } + if (user2 != null) { + um.removeUser(realm, user2); + } + kc.stopSession(session, true); + } + + @Test + public void testCreateSessions() { + int started = Time.currentTime(); + UserSessionModel[] sessions = createSessions(); + + assertSession(session.sessions().getUserSession(realm, sessions[0].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); + assertSession(session.sessions().getUserSession(realm, sessions[1].getId()), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); + assertSession(session.sessions().getUserSession(realm, sessions[2].getId()), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); + } + + @Test + public void testUpdateSession() { + UserSessionModel[] sessions = createSessions(); + session.sessions().getUserSession(realm, sessions[0].getId()).setLastSessionRefresh(1000); + + resetSession(); + + assertEquals(1000, session.sessions().getUserSession(realm, sessions[0].getId()).getLastSessionRefresh()); + } + + @Test + public void testCreateClientSession() { + UserSessionModel[] sessions = createSessions(); + + List clientSessions = session.sessions().getUserSession(realm, sessions[0].getId()).getClientSessions(); + assertEquals(2, clientSessions.size()); + + String client1 = realm.getClientByClientId("test-app").getId(); + + ClientSessionModel session1; + + if (clientSessions.get(0).getClient().getId().equals(client1)) { + session1 = clientSessions.get(0); + } else { + session1 = clientSessions.get(1); + } + + assertEquals(null, session1.getAction()); + assertEquals(realm.getClientByClientId("test-app").getClientId(), session1.getClient().getClientId()); + assertEquals(sessions[0].getId(), session1.getUserSession().getId()); + assertEquals("http://redirect", session1.getRedirectUri()); + assertEquals("state", session1.getNote(OIDCLoginProtocol.STATE_PARAM)); + assertEquals(2, session1.getRoles().size()); + assertTrue(session1.getRoles().contains("one")); + assertTrue(session1.getRoles().contains("two")); + assertEquals(2, session1.getProtocolMappers().size()); + assertTrue(session1.getProtocolMappers().contains("mapper-one")); + assertTrue(session1.getProtocolMappers().contains("mapper-two")); + } + + @Test + public void testUpdateClientSession() { + UserSessionModel[] sessions = createSessions(); + + String id = sessions[0].getClientSessions().get(0).getId(); + + ClientSessionModel clientSession = session.sessions().getClientSession(realm, id); + + int time = clientSession.getTimestamp(); + assertEquals(null, clientSession.getAction()); + + clientSession.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name()); + clientSession.setTimestamp(time + 10); + + kc.stopSession(session, true); + session = kc.startSession(); + + ClientSessionModel updated = session.sessions().getClientSession(realm, id); + assertEquals(ClientSessionModel.Action.CODE_TO_TOKEN.name(), updated.getAction()); + assertEquals(time + 10, updated.getTimestamp()); + } + + @Test + public void testGetUserSessions() { + UserSessionModel[] sessions = createSessions(); + + assertSessions(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)), sessions[0], sessions[1]); + assertSessions(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)), sessions[2]); + } + + @Test + public void testRemoveUserSessionsByUser() { + UserSessionModel[] sessions = createSessions(); + + List clientSessionsRemoved = new LinkedList(); + List clientSessionsKept = new LinkedList(); + for (UserSessionModel s : sessions) { + s = session.sessions().getUserSession(realm, s.getId()); + + for (ClientSessionModel c : s.getClientSessions()) { + if (c.getUserSession().getUser().getUsername().equals("user1")) { + clientSessionsRemoved.add(c.getId()); + } else { + clientSessionsKept.add(c.getId()); + } + } + } + + session.sessions().removeUserSessions(realm, session.users().getUserByUsername("user1", realm)); + resetSession(); + + assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); + assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); + + for (String c : clientSessionsRemoved) { + assertNull(session.sessions().getClientSession(realm, c)); + } + for (String c : clientSessionsKept) { + assertNotNull(session.sessions().getClientSession(realm, c)); + } + } + + @Test + public void testRemoveUserSession() { + UserSessionModel userSession = createSessions()[0]; + + List clientSessionsRemoved = new LinkedList(); + for (ClientSessionModel c : userSession.getClientSessions()) { + clientSessionsRemoved.add(c.getId()); + } + + session.sessions().removeUserSession(realm, userSession); + resetSession(); + + assertNull(session.sessions().getUserSession(realm, userSession.getId())); + for (String c : clientSessionsRemoved) { + assertNull(session.sessions().getClientSession(realm, c)); + } + } + + @Test + public void testRemoveUserSessionsByRealm() { + UserSessionModel[] sessions = createSessions(); + + List clientSessions = new LinkedList(); + for (UserSessionModel s : sessions) { + clientSessions.addAll(s.getClientSessions()); + } + + session.sessions().removeUserSessions(realm); + resetSession(); + + assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); + assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); + + for (ClientSessionModel c : clientSessions) { + assertNull(session.sessions().getClientSession(realm, c.getId())); + } + } + + @Test + public void testOnClientRemoved() { + UserSessionModel[] sessions = createSessions(); + + List clientSessionsRemoved = new LinkedList(); + List clientSessionsKept = new LinkedList(); + for (UserSessionModel s : sessions) { + s = session.sessions().getUserSession(realm, s.getId()); + for (ClientSessionModel c : s.getClientSessions()) { + if (c.getClient().getClientId().equals("third-party")) { + clientSessionsRemoved.add(c.getId()); + } else { + clientSessionsKept.add(c.getId()); + } + } + } + + session.sessions().onClientRemoved(realm, realm.getClientByClientId("third-party")); + resetSession(); + + for (String c : clientSessionsRemoved) { + assertNull(session.sessions().getClientSession(realm, c)); + } + for (String c : clientSessionsKept) { + assertNotNull(session.sessions().getClientSession(realm, c)); + } + + session.sessions().onClientRemoved(realm, realm.getClientByClientId("test-app")); + resetSession(); + + for (String c : clientSessionsRemoved) { + assertNull(session.sessions().getClientSession(realm, c)); + } + for (String c : clientSessionsKept) { + assertNull(session.sessions().getClientSession(realm, c)); + } + } + + @Test + public void testRemoveUserSessionsByExpired() { + session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)); + ClientModel client = realm.getClientByClientId("test-app"); + + try { + Set expired = new HashSet(); + Set expiredClientSessions = new HashSet(); + + Time.setOffset(-(realm.getSsoSessionMaxLifespan() + 1)); + expired.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); + expiredClientSessions.add(session.sessions().createClientSession(realm, client).getId()); + + Time.setOffset(0); + UserSessionModel s = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.1", "form", true, null, null); + //s.setLastSessionRefresh(Time.currentTime() - (realm.getSsoSessionIdleTimeout() + 1)); + s.setLastSessionRefresh(0); + expired.add(s.getId()); + + ClientSessionModel clSession = session.sessions().createClientSession(realm, client); + clSession.setUserSession(s); + expiredClientSessions.add(clSession.getId()); + + Set valid = new HashSet(); + Set validClientSessions = new HashSet(); + + valid.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); + validClientSessions.add(session.sessions().createClientSession(realm, client).getId()); + + resetSession(); + + session.sessions().removeExpired(realm); + resetSession(); + + for (String e : expired) { + assertNull(session.sessions().getUserSession(realm, e)); + } + for (String e : expiredClientSessions) { + assertNull(session.sessions().getClientSession(realm, e)); + } + + for (String v : valid) { + assertNotNull(session.sessions().getUserSession(realm, v)); + } + for (String e : validClientSessions) { + assertNotNull(session.sessions().getClientSession(realm, e)); + } + } finally { + Time.setOffset(0); + } + } + + @Test + public void testExpireDetachedClientSessions() { + try { + realm.setAccessCodeLifespan(10); + realm.setAccessCodeLifespanUserAction(10); + realm.setAccessCodeLifespanLogin(30); + + // Login lifespan is largest + String clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); + resetSession(); + + Time.setOffset(25); + session.sessions().removeExpired(realm); + resetSession(); + + assertNotNull(session.sessions().getClientSession(clientSessionId)); + + Time.setOffset(35); + session.sessions().removeExpired(realm); + resetSession(); + + assertNull(session.sessions().getClientSession(clientSessionId)); + + // User action is largest + realm.setAccessCodeLifespanUserAction(40); + + Time.setOffset(0); + clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); + resetSession(); + + Time.setOffset(35); + session.sessions().removeExpired(realm); + resetSession(); + + assertNotNull(session.sessions().getClientSession(clientSessionId)); + + Time.setOffset(45); + session.sessions().removeExpired(realm); + resetSession(); + + assertNull(session.sessions().getClientSession(clientSessionId)); + + // Access code is largest + realm.setAccessCodeLifespan(50); + + Time.setOffset(0); + clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); + resetSession(); + + Time.setOffset(45); + session.sessions().removeExpired(realm); + resetSession(); + + assertNotNull(session.sessions().getClientSession(clientSessionId)); + + Time.setOffset(55); + session.sessions().removeExpired(realm); + resetSession(); + + assertNull(session.sessions().getClientSession(clientSessionId)); + } finally { + Time.setOffset(0); + + realm.setAccessCodeLifespan(60); + realm.setAccessCodeLifespanUserAction(300); + realm.setAccessCodeLifespanLogin(1800); + + } + } + + // KEYCLOAK-2508 + @Test + public void testRemovingExpiredSession() { + UserSessionModel[] sessions = createSessions(); + try { + Time.setOffset(3600000); + UserSessionModel userSession = sessions[0]; + RealmModel realm = userSession.getRealm(); + session.sessions().removeExpired(realm); + + resetSession(); + + // Assert no exception is thrown here + session.sessions().removeUserSession(realm, userSession); + } finally { + Time.setOffset(0); + } + } + + @Test + public void testGetByClient() { + UserSessionModel[] sessions = createSessions(); + + assertSessions(session.sessions().getUserSessions(realm, realm.getClientByClientId("test-app")), sessions[0], sessions[1], sessions[2]); + assertSessions(session.sessions().getUserSessions(realm, realm.getClientByClientId("third-party")), sessions[0]); + } + + @Test + public void testGetByClientPaginated() { + try { + for (int i = 0; i < 25; i++) { + Time.setOffset(i); + UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0." + i, "form", false, null, null); + ClientSessionModel clientSession = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")); + clientSession.setUserSession(userSession); + clientSession.setRedirectUri("http://redirect"); + clientSession.setRoles(new HashSet()); + clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, "state"); + clientSession.setTimestamp(userSession.getStarted()); + } + } finally { + Time.setOffset(0); + } + + resetSession(); + + assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 0, 1, 1); + assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 0, 10, 10); + assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 10, 10, 10); + assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 20, 10, 5); + assertPaginatedSession(realm, realm.getClientByClientId("test-app"), 30, 10, 0); + } + + @Test + public void testCreateAndGetInSameTransaction() { + UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("test-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + + Assert.assertNotNull(session.sessions().getUserSession(realm, userSession.getId())); + Assert.assertNotNull(session.sessions().getClientSession(realm, clientSession.getId())); + + Assert.assertEquals(userSession.getId(), clientSession.getUserSession().getId()); + Assert.assertEquals(1, userSession.getClientSessions().size()); + Assert.assertEquals(clientSession.getId(), userSession.getClientSessions().get(0).getId()); + } + + @Test + public void testClientLoginSessions() { + UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + + ClientModel client1 = realm.getClientByClientId("test-app"); + ClientModel client2 = realm.getClientByClientId("third-party"); + + // Create client1 session + AuthenticatedClientSessionModel clientSession1 = session.sessions().createClientSession(realm, client1, userSession); + clientSession1.setAction("foo1"); + clientSession1.setTimestamp(100); + + // Create client2 session + AuthenticatedClientSessionModel clientSession2 = session.sessions().createClientSession(realm, client2, userSession); + clientSession2.setAction("foo2"); + clientSession2.setTimestamp(200); + + // commit + resetSession(); + + // Ensure sessions are here + userSession = session.sessions().getUserSession(realm, userSession.getId()); + Map clientSessions = userSession.getAuthenticatedClientSessions(); + Assert.assertEquals(2, clientSessions.size()); + testClientLoginSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1", 100); + testClientLoginSession(clientSessions.get(client2.getId()), "third-party", userSession.getId(), "foo2", 200); + + // Update session1 + clientSessions.get(client1.getId()).setAction("foo1-updated"); + + // commit + resetSession(); + + // Ensure updated + userSession = session.sessions().getUserSession(realm, userSession.getId()); + clientSessions = userSession.getAuthenticatedClientSessions(); + testClientLoginSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1-updated", 100); + + // Rewrite session2 + clientSession2 = session.sessions().createClientSession(realm, client2, userSession); + clientSession2.setAction("foo2-rewrited"); + clientSession2.setTimestamp(300); + + // commit + resetSession(); + + // Ensure updated + userSession = session.sessions().getUserSession(realm, userSession.getId()); + clientSessions = userSession.getAuthenticatedClientSessions(); + Assert.assertEquals(2, clientSessions.size()); + testClientLoginSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1-updated", 100); + testClientLoginSession(clientSessions.get(client2.getId()), "third-party", userSession.getId(), "foo2-rewrited", 300); + + // remove session + clientSession1 = userSession.getAuthenticatedClientSessions().get(client1.getId()); + clientSession1.setUserSession(null); + + // Commit and ensure removed + resetSession(); + + userSession = session.sessions().getUserSession(realm, userSession.getId()); + clientSessions = userSession.getAuthenticatedClientSessions(); + Assert.assertEquals(1, clientSessions.size()); + Assert.assertNull(clientSessions.get(client1.getId())); + } + + private void testClientLoginSession(AuthenticatedClientSessionModel clientLoginSession, String expectedClientId, String expectedUserSessionId, String expectedAction, int expectedTimestamp) { + Assert.assertEquals(expectedClientId, clientLoginSession.getClient().getClientId()); + Assert.assertEquals(expectedUserSessionId, clientLoginSession.getUserSession().getId()); + Assert.assertEquals(expectedAction, clientLoginSession.getAction()); + Assert.assertEquals(expectedTimestamp, clientLoginSession.getTimestamp()); + } + + private void assertPaginatedSession(RealmModel realm, ClientModel client, int start, int max, int expectedSize) { + List sessions = session.sessions().getUserSessions(realm, client, start, max); + String[] actualIps = new String[sessions.size()]; + for (int i = 0; i < actualIps.length; i++) { + actualIps[i] = sessions.get(i).getIpAddress(); + } + + String[] expectedIps = new String[expectedSize]; + for (int i = 0; i < expectedSize; i++) { + expectedIps[i] = "127.0.0." + (i + start); + } + + assertArrayEquals(expectedIps, actualIps); + } + + @Test + public void testGetCountByClient() { + createSessions(); + + assertEquals(3, session.sessions().getActiveUserSessions(realm, realm.getClientByClientId("test-app"))); + assertEquals(1, session.sessions().getActiveUserSessions(realm, realm.getClientByClientId("third-party"))); + } + + @Test + public void loginFailures() { + UserLoginFailureModel failure1 = session.sessions().addUserLoginFailure(realm, "user1"); + failure1.incrementFailures(); + + UserLoginFailureModel failure2 = session.sessions().addUserLoginFailure(realm, "user2"); + failure2.incrementFailures(); + failure2.incrementFailures(); + + resetSession(); + + failure1 = session.sessions().getUserLoginFailure(realm, "user1"); + assertEquals(1, failure1.getNumFailures()); + + failure2 = session.sessions().getUserLoginFailure(realm, "user2"); + assertEquals(2, failure2.getNumFailures()); + + resetSession(); + + failure1 = session.sessions().getUserLoginFailure(realm, "user1"); + failure1.clearFailures(); + + resetSession(); + + failure1 = session.sessions().getUserLoginFailure(realm, "user1"); + assertEquals(0, failure1.getNumFailures()); + + session.sessions().removeUserLoginFailure(realm, "user1"); + + resetSession(); + + assertNull(session.sessions().getUserLoginFailure(realm, "user1")); + + session.sessions().removeAllUserLoginFailures(realm); + + resetSession(); + + assertNull(session.sessions().getUserLoginFailure(realm, "user2")); + } + + @Test + public void testOnUserRemoved() { + createSessions(); + + session.sessions().addUserLoginFailure(realm, "user1"); + session.sessions().addUserLoginFailure(realm, "user1@localhost"); + session.sessions().addUserLoginFailure(realm, "user2"); + + resetSession(); + + UserModel user1 = session.users().getUserByUsername("user1", realm); + new UserManager(session).removeUser(realm, user1); + + resetSession(); + + assertTrue(session.sessions().getUserSessions(realm, user1).isEmpty()); + assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); + + assertNull(session.sessions().getUserLoginFailure(realm, "user1")); + assertNull(session.sessions().getUserLoginFailure(realm, "user1@localhost")); + assertNotNull(session.sessions().getUserLoginFailure(realm, "user2")); + } + + private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { + ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); + if (userSession != null) clientSession.setUserSession(userSession); + clientSession.setRedirectUri(redirect); + if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); + if (roles != null) clientSession.setRoles(roles); + if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); + return clientSession; + } + + private UserSessionModel[] createSessions() { + UserSessionModel[] sessions = new UserSessionModel[3]; + sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); + + Set roles = new HashSet(); + roles.add("one"); + roles.add("two"); + + Set protocolMappers = new HashSet(); + protocolMappers.add("mapper-one"); + protocolMappers.add("mapper-two"); + + createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); + createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); + + sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); + + sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); + createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); + + resetSession(); + + return sessions; + } + + private void resetSession() { + kc.stopSession(session, true); + session = kc.startSession(); + realm = session.realms().getRealm("test"); + } + + public static void assertSessions(List actualSessions, UserSessionModel... expectedSessions) { + String[] expected = new String[expectedSessions.length]; + for (int i = 0; i < expected.length; i++) { + expected[i] = expectedSessions[i].getId(); + } + + String[] actual = new String[actualSessions.size()]; + for (int i = 0; i < actual.length; i++) { + actual[i] = actualSessions.get(i).getId(); + } + + Arrays.sort(expected); + Arrays.sort(actual); + + assertArrayEquals(expected, actual); + } + + public static void assertSession(UserSessionModel session, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { + assertEquals(user.getId(), session.getUser().getId()); + assertEquals(ipAddress, session.getIpAddress()); + assertEquals(user.getUsername(), session.getLoginUsername()); + assertEquals("form", session.getAuthMethod()); + assertEquals(true, session.isRememberMe()); + assertTrue(session.getStarted() >= started - 1 && session.getStarted() <= started + 1); + assertTrue(session.getLastSessionRefresh() >= lastRefresh - 1 && session.getLastSessionRefresh() <= lastRefresh + 1); + + String[] actualClients = new String[session.getClientSessions().size()]; + for (int i = 0; i < actualClients.length; i++) { + actualClients[i] = session.getClientSessions().get(i).getClient().getClientId(); + } + + Arrays.sort(clients); + Arrays.sort(actualClients); + + assertArrayEquals(clients, actualClients); + } } diff --git a/themes/src/main/resources/theme/base/login/bypass_kerberos.ftl b/themes/src/main/resources/theme/base/login/bypass_kerberos.ftl deleted file mode 100755 index d87163c1a1..0000000000 --- a/themes/src/main/resources/theme/base/login/bypass_kerberos.ftl +++ /dev/null @@ -1,25 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.registrationLayout displayMessage=false; section> - <#if section = "title"> - ${msg("kerberosNotConfiguredTitle")} - <#elseif section = "header"> - ${msg("kerberosNotConfigured")} - <#elseif section = "form"> -
- -

${msg("bypassKerberosDetail")}

-
-
-
-
- -
-
- <#if client?? && client.baseUrl?has_content> -

${msg("backToApplication")}

- -
-
-
- - \ No newline at end of file diff --git a/themes/src/main/resources/theme/base/login/login-page-expired.ftl b/themes/src/main/resources/theme/base/login/login-page-expired.ftl new file mode 100644 index 0000000000..5812f316cb --- /dev/null +++ b/themes/src/main/resources/theme/base/login/login-page-expired.ftl @@ -0,0 +1,12 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout; section> + <#if section = "title"> + ${msg("pageExpiredTitle")} + <#elseif section = "header"> + ${msg("pageExpiredTitle")} + <#elseif section = "form"> +

+ ${msg("pageExpiredMsg1")} ${msg("doClickHere")} . ${msg("pageExpiredMsg2")} ${msg("doClickHere")} . +

+ + \ No newline at end of file diff --git a/themes/src/main/resources/theme/base/login/messages/messages_en.properties b/themes/src/main/resources/theme/base/login/messages/messages_en.properties index 6c168aeff8..994caa7e68 100755 --- a/themes/src/main/resources/theme/base/login/messages/messages_en.properties +++ b/themes/src/main/resources/theme/base/login/messages/messages_en.properties @@ -90,6 +90,10 @@ emailInstruction=Enter your username or email address and we will send you instr copyCodeInstruction=Please copy this code and paste it into your application: +pageExpiredTitle=Page has expired +pageExpiredMsg1=To restart the login process +pageExpiredMsg2=To continue the login process + personalInfo=Personal Info: role_admin=Admin role_realm-admin=Realm Admin From b55b08935542ded3388cb7fb20982027e86b04db Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Thu, 30 Mar 2017 14:05:41 +0200 Subject: [PATCH 05/30] KEYCLOAK-4627 Changes in TokenVerifier to include token in exceptions. Reset credentials uses checks to validate individual token aspects --- .../java/org/keycloak/RSATokenVerifier.java | 2 +- .../main/java/org/keycloak/TokenVerifier.java | 162 +++++-- .../exceptions/TokenNotActiveException.java | 19 +- .../TokenSignatureInvalidException.java | 19 +- .../TokenVerificationException.java | 54 +++ .../ResetCredentialsActionToken.java | 20 +- .../ResetCredentialsActionTokenChecks.java | 74 +++ .../resetcred/ResetCredentialEmail.java | 45 +- .../managers/AuthenticationManager.java | 6 +- .../resources/LoginActionsService.java | 436 ++++++++++-------- .../org/keycloak/testsuite/AssertEvents.java | 19 +- .../testsuite/forms/ResetPasswordTest.java | 53 ++- 12 files changed, 599 insertions(+), 310 deletions(-) create mode 100644 core/src/main/java/org/keycloak/exceptions/TokenVerificationException.java create mode 100644 services/src/main/java/org/keycloak/authentication/ResetCredentialsActionTokenChecks.java diff --git a/core/src/main/java/org/keycloak/RSATokenVerifier.java b/core/src/main/java/org/keycloak/RSATokenVerifier.java index 653f205d33..0e3c08bbca 100755 --- a/core/src/main/java/org/keycloak/RSATokenVerifier.java +++ b/core/src/main/java/org/keycloak/RSATokenVerifier.java @@ -32,7 +32,7 @@ public class RSATokenVerifier { private final TokenVerifier tokenVerifier; private RSATokenVerifier(String tokenString) { - this.tokenVerifier = TokenVerifier.create(tokenString, AccessToken.class); + this.tokenVerifier = TokenVerifier.create(tokenString, AccessToken.class).withDefaultChecks(); } public static RSATokenVerifier create(String tokenString) { diff --git a/core/src/main/java/org/keycloak/TokenVerifier.java b/core/src/main/java/org/keycloak/TokenVerifier.java index 6bfcb3bf32..0c6e2db1a8 100755 --- a/core/src/main/java/org/keycloak/TokenVerifier.java +++ b/core/src/main/java/org/keycloak/TokenVerifier.java @@ -33,6 +33,8 @@ import org.keycloak.util.TokenUtil; import javax.crypto.SecretKey; import java.security.PublicKey; import java.util.*; +import java.util.logging.Level; +import java.util.logging.Logger; /** * @author Bill Burke @@ -40,9 +42,15 @@ import java.util.*; */ public class TokenVerifier { + private static final Logger LOG = Logger.getLogger(TokenVerifier.class.getName()); + // This interface is here as JDK 7 is a requirement for this project. // Once JDK 8 would become mandatory, java.util.function.Predicate would be used instead. + /** + * Functional interface of checks that verify some part of a JWT. + * @param Type of the token handled by this predicate. + */ // @FunctionalInterface public static interface Predicate { /** @@ -66,11 +74,15 @@ public class TokenVerifier { } }; + /** + * Check for token being neither expired nor used before it gets valid. + * @see JsonWebToken#isActive() + */ public static final Predicate IS_ACTIVE = new Predicate() { @Override public boolean test(JsonWebToken t) throws VerificationException { if (! t.isActive()) { - throw new TokenNotActiveException("Token is not active"); + throw new TokenNotActiveException(t, "Token is not active"); } return true; @@ -143,29 +155,45 @@ public class TokenVerifier { } /** - * Creates a {@code TokenVerifier instance. The method is here for backwards compatibility. - * @param tokenString + * Creates an instance of {@code TokenVerifier} from the given string on a JWT of the given class. + * The token verifier has no checks defined. Note that the checks are only tested when + * {@link #verify()} method is invoked. + * @param Type of the token + * @param tokenString String representation of JWT + * @param clazz Class of the token * @return - * @deprecated use {@link #create(java.lang.String, java.lang.Class) } instead */ - public static TokenVerifier create(String tokenString) { - return create(tokenString, AccessToken.class); - } - public static TokenVerifier create(String tokenString, Class clazz) { - return new TokenVerifier(tokenString, clazz) - .check(RealmUrlCheck.NULL_INSTANCE) - .check(SUBJECT_EXISTS_CHECK) - .check(TokenTypeCheck.INSTANCE_BEARER) - .check(IS_ACTIVE); + return new TokenVerifier(tokenString, clazz); } - public static TokenVerifier from(T token) { - return new TokenVerifier(token) - .check(RealmUrlCheck.NULL_INSTANCE) - .check(SUBJECT_EXISTS_CHECK) - .check(TokenTypeCheck.INSTANCE_BEARER) - .check(IS_ACTIVE); + /** + * Creates an instance of {@code TokenVerifier} from the given string on a JWT of the given class. + * The token verifier has no checks defined. Note that the checks are only tested when + * {@link #verify()} method is invoked. + * @return + */ + public static TokenVerifier create(T token) { + return new TokenVerifier(token); + } + + /** + * Adds default checks to the token verification: + *
    + *
  • Realm URL (JWT issuer field: {@code iss}) has to be defined and match realm set via {@link #realmUrl(java.lang.String)} method
    • + *
  • Subject (JWT subject field: {@code sub}) has to be defined
    • + *
  • Token type (JWT type field: {@code typ}) has to be {@code Bearer}. The type can be set via {@link #tokenType(java.lang.String)} method
    • + *
  • Token has to be active, ie. both not expired and not used before its validity (JWT issuer fields: {@code exp} and {@code nbf})
    • + *
+ * @return This token verifier. + */ + public TokenVerifier withDefaultChecks() { + return withChecks( + RealmUrlCheck.NULL_INSTANCE, + SUBJECT_EXISTS_CHECK, + TokenTypeCheck.INSTANCE_BEARER, + IS_ACTIVE + ); } private void removeCheck(Class> checkClass) { @@ -197,12 +225,11 @@ public class TokenVerifier { } /** - * Resets all preset checks and will test the given checks in {@link #verify()} method. + * Will test the given checks in {@link #verify()} method in addition to already set checks. * @param checks * @return */ - public TokenVerifier checkOnly(Predicate... checks) { - this.checks.clear(); + public TokenVerifier withChecks(Predicate... checks) { if (checks != null) { this.checks.addAll(Arrays.asList(checks)); } @@ -210,46 +237,64 @@ public class TokenVerifier { } /** - * Will test the given checks in {@link #verify()} method in addition to already set checks. - * @param checks + * Sets the key for verification of RSA-based signature. + * @param publicKey * @return */ - public TokenVerifier check(Predicate... checks) { - if (checks != null) { - this.checks.addAll(Arrays.asList(checks)); - } - return this; - } - public TokenVerifier publicKey(PublicKey publicKey) { this.publicKey = publicKey; return this; } + /** + * Sets the key for verification of HMAC-based signature. + * @param secretKey + * @return + */ public TokenVerifier secretKey(SecretKey secretKey) { this.secretKey = secretKey; return this; } + /** + * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}. + * @return This token verifier + */ public TokenVerifier realmUrl(String realmUrl) { this.realmUrl = realmUrl; return replaceCheck(RealmUrlCheck.class, checkRealmUrl, new RealmUrlCheck(realmUrl)); } + /** + * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}. + * @return This token verifier + */ public TokenVerifier checkTokenType(boolean checkTokenType) { this.checkTokenType = checkTokenType; return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(expectedTokenType)); } + /** + * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}. + * @return This token verifier + */ public TokenVerifier tokenType(String tokenType) { this.expectedTokenType = tokenType; return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(expectedTokenType)); } + /** + * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}. + * @return This token verifier + */ public TokenVerifier checkActive(boolean checkActive) { return replaceCheck(IS_ACTIVE, checkActive, IS_ACTIVE); } + /** + * @deprecated This method is here only for backward compatibility with previous version of {@code TokenVerifier}. + * @return This token verifier + */ public TokenVerifier checkRealmUrl(boolean checkRealmUrl) { this.checkRealmUrl = checkRealmUrl; return replaceCheck(RealmUrlCheck.class, this.checkRealmUrl, new RealmUrlCheck(realmUrl)); @@ -300,14 +345,14 @@ public class TokenVerifier { throw new VerificationException("Public key not set"); } if (!RSAProvider.verify(jws, publicKey)) { - throw new TokenSignatureInvalidException("Invalid token signature"); + throw new TokenSignatureInvalidException(token, "Invalid token signature"); } break; case HMAC: if (secretKey == null) { throw new VerificationException("Secret key not set"); } if (!HMACProvider.verify(jws, secretKey)) { - throw new TokenSignatureInvalidException("Invalid token signature"); + throw new TokenSignatureInvalidException(token, "Invalid token signature"); } break; default: throw new VerificationException("Unknown or unsupported token algorithm"); @@ -331,4 +376,55 @@ public class TokenVerifier { return this; } + /** + * Creates an optional predicate from a predicate that will proceed with check but always pass. + * @param + * @param mandatoryPredicate + * @return + */ + public static Predicate optional(final Predicate mandatoryPredicate) { + return new Predicate() { + @Override + public boolean test(T t) throws VerificationException { + try { + if (! mandatoryPredicate.test(t)) { + LOG.finer("[optional] predicate failed: " + mandatoryPredicate); + } + + return true; + } catch (VerificationException ex) { + LOG.log(Level.FINER, "[optional] predicate " + mandatoryPredicate + " failed.", ex); + return true; + } + } + }; + } + + /** + * Creates a predicate that will proceed with checks of the given predicates + * and will pass if and only if at least one of the given predicates passes. + * @param + * @param predicates + * @return + */ + public static Predicate alternative(final Predicate... predicates) { + return new Predicate() { + @Override + public boolean test(T t) throws VerificationException { + for (Predicate predicate : predicates) { + try { + if (predicate.test(t)) { + return true; + } + + LOG.finer("[alternative] predicate failed: " + predicate); + } catch (VerificationException ex) { + LOG.log(Level.FINER, "[alternative] predicate " + predicate + " failed.", ex); + } + } + + return false; + } + }; + } } diff --git a/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java b/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java index 2253f5ed7d..4740567539 100644 --- a/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java +++ b/core/src/main/java/org/keycloak/exceptions/TokenNotActiveException.java @@ -16,28 +16,29 @@ */ package org.keycloak.exceptions; -import org.keycloak.common.VerificationException; +import org.keycloak.representations.JsonWebToken; /** * Exception thrown for cases when token is invalid due to time constraints (expired, or not yet valid). * Cf. {@link JsonWebToken#isActive()}. * @author hmlnarik */ -public class TokenNotActiveException extends VerificationException { +public class TokenNotActiveException extends TokenVerificationException { - public TokenNotActiveException() { + public TokenNotActiveException(JsonWebToken token) { + super(token); } - public TokenNotActiveException(String message) { - super(message); + public TokenNotActiveException(JsonWebToken token, String message) { + super(token, message); } - public TokenNotActiveException(String message, Throwable cause) { - super(message, cause); + public TokenNotActiveException(JsonWebToken token, String message, Throwable cause) { + super(token, message, cause); } - public TokenNotActiveException(Throwable cause) { - super(cause); + public TokenNotActiveException(JsonWebToken token, Throwable cause) { + super(token, cause); } } diff --git a/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java b/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java index 13225fa9cd..4d389eb8d7 100644 --- a/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java +++ b/core/src/main/java/org/keycloak/exceptions/TokenSignatureInvalidException.java @@ -16,27 +16,28 @@ */ package org.keycloak.exceptions; -import org.keycloak.common.VerificationException; +import org.keycloak.representations.JsonWebToken; /** * Thrown when token signature is invalid. * @author hmlnarik */ -public class TokenSignatureInvalidException extends VerificationException { +public class TokenSignatureInvalidException extends TokenVerificationException { - public TokenSignatureInvalidException() { + public TokenSignatureInvalidException(JsonWebToken token) { + super(token); } - public TokenSignatureInvalidException(String message) { - super(message); + public TokenSignatureInvalidException(JsonWebToken token, String message) { + super(token, message); } - public TokenSignatureInvalidException(String message, Throwable cause) { - super(message, cause); + public TokenSignatureInvalidException(JsonWebToken token, String message, Throwable cause) { + super(token, message, cause); } - public TokenSignatureInvalidException(Throwable cause) { - super(cause); + public TokenSignatureInvalidException(JsonWebToken token, Throwable cause) { + super(token, cause); } } diff --git a/core/src/main/java/org/keycloak/exceptions/TokenVerificationException.java b/core/src/main/java/org/keycloak/exceptions/TokenVerificationException.java new file mode 100644 index 0000000000..4d6b7d0177 --- /dev/null +++ b/core/src/main/java/org/keycloak/exceptions/TokenVerificationException.java @@ -0,0 +1,54 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.exceptions; + +import org.keycloak.common.VerificationException; +import org.keycloak.representations.JsonWebToken; + +/** + * Exception thrown on failed verification of a token. + * + * @author hmlnarik + */ +public class TokenVerificationException extends VerificationException { + + private final JsonWebToken token; + + public TokenVerificationException(JsonWebToken token) { + this.token = token; + } + + public TokenVerificationException(JsonWebToken token, String message) { + super(message); + this.token = token; + } + + public TokenVerificationException(JsonWebToken token, String message, Throwable cause) { + super(message, cause); + this.token = token; + } + + public TokenVerificationException(JsonWebToken token, Throwable cause) { + super(cause); + this.token = token; + } + + public JsonWebToken getToken() { + return token; + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java index 40182121ce..5612a35172 100644 --- a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java @@ -42,7 +42,7 @@ public class ResetCredentialsActionToken extends DefaultActionToken { private static final Logger LOG = Logger.getLogger(ResetCredentialsActionToken.class); - private static final String RESET_CREDENTIALS_ACTION = "reset-credentials"; + public static final String RESET_CREDENTIALS_TYPE = "reset-credentials"; public static final String NOTE_AUTHENTICATION_SESSION_ID = "clientSessionId"; private static final String JSON_FIELD_AUTHENTICATION_SESSION_ID = "asid"; private static final String JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP = "lcpt"; @@ -54,7 +54,7 @@ public class ResetCredentialsActionToken extends DefaultActionToken { private Long lastChangedPasswordTimestamp; public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, String authenticationSessionId) { - super(userId, RESET_CREDENTIALS_ACTION, absoluteExpirationInSecs, actionVerificationNonce); + super(userId, RESET_CREDENTIALS_TYPE, absoluteExpirationInSecs, actionVerificationNonce); setNote(NOTE_AUTHENTICATION_SESSION_ID, authenticationSessionId); this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; } @@ -131,19 +131,7 @@ public class ResetCredentialsActionToken extends DefaultActionToken { * @param actionTokenString * @return */ - public static ResetCredentialsActionToken deserialize(KeycloakSession session, RealmModel realm, UriInfo uri, String token, - Predicate... checks) throws VerificationException { - return TokenVerifier.create(token, ResetCredentialsActionToken.class) - .secretKey(session.keys().getActiveHmacKey(realm).getSecretKey()) - .realmUrl(getIssuer(realm, uri)) - .tokenType(RESET_CREDENTIALS_ACTION) - - .checkActive(false) // TODO: If this line is omitted, the following tests in ResetPasswordTest fail: resetPasswordExpiredCodeShort, resetPasswordExpiredCode - - .check(ACTION_TOKEN_BASIC_CHECKS) - .check(checks) - .verify() - .getToken() - ; + public static ResetCredentialsActionToken deserialize(String token) throws VerificationException { + return TokenVerifier.create(token, ResetCredentialsActionToken.class).getToken(); } } diff --git a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionTokenChecks.java b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionTokenChecks.java new file mode 100644 index 0000000000..9afc25c3cb --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionTokenChecks.java @@ -0,0 +1,74 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication; + +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail; +import org.keycloak.common.VerificationException; +import org.keycloak.events.Details; +import org.keycloak.events.Errors; +import org.keycloak.events.EventBuilder; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserModel; +import org.keycloak.services.ErrorPage; +import org.keycloak.services.messages.Messages; +import org.keycloak.services.resources.LoginActionsServiceException; +import java.util.Objects; + +/** + * Additional checks for {@link ResetCredentialsActionToken}. + * + * @author hmlnarik + */ +public class ResetCredentialsActionTokenChecks implements Predicate { + + private final KeycloakSession session; + + private final RealmModel realm; + + private final EventBuilder event; + + public ResetCredentialsActionTokenChecks(KeycloakSession session, RealmModel realm, EventBuilder event) { + this.session = session; + this.realm = realm; + this.event = event; + } + + public boolean lastChangedTimestampMatches(ResetCredentialsActionToken t) throws VerificationException { + // TODO:hmlnarik Update to use single-use cache + UserModel m = session.users().getUserById(t.getSubject(), realm); + Long lastChanged = m == null ? null : ResetCredentialEmail.getLastChangedTimestamp(session, realm, m); + + if (! Objects.equals(lastChanged, t.getLastChangedPasswordTimestamp())) { + if (m != null) { + event.detail(Details.USERNAME, m.getUsername()); + } + event.user(t.getSubject()).error(Errors.EXPIRED_CODE); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.INVALID_CODE)); + } + + return true; + } + + @Override + public boolean test(ResetCredentialsActionToken t) throws VerificationException { + return lastChangedTimestampMatches(t); + + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java index 462b5d2295..05ed9485f0 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java @@ -17,7 +17,6 @@ package org.keycloak.authentication.authenticators.resetcred; -import org.jboss.logging.Logger; import org.keycloak.Config; import org.keycloak.authentication.*; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; @@ -35,7 +34,6 @@ import org.keycloak.models.utils.FormMessage; import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.services.ServicesLogger; import org.keycloak.services.messages.Messages; -import org.keycloak.services.resources.LoginActionsService; import org.keycloak.sessions.AuthenticationSessionModel; import java.util.*; @@ -78,13 +76,11 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory int validityInSecs = context.getRealm().getAccessCodeLifespanUserAction(); int absoluteExpirationInSecs = Time.currentTime() + validityInSecs; - PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider) context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID); - CredentialModel password = passwordProvider.getPassword(context.getRealm(), user); - Long lastCreatedPassword = password == null ? null : password.getCreatedDate(); + KeycloakSession keycloakSession = context.getSession(); + Long lastCreatedPassword = getLastChangedTimestamp(keycloakSession, context.getRealm(), user); // We send the secret in the email in a link as a query param. ResetCredentialsActionToken token = new ResetCredentialsActionToken(user.getId(), absoluteExpirationInSecs, null, lastCreatedPassword, context.getAuthenticationSession()); - KeycloakSession keycloakSession = context.getSession(); String link = UriBuilder .fromUri(context.getRefreshExecutionUrl()) .queryParam(Constants.KEY, token.serialize(keycloakSession, context.getRealm(), context.getUriInfo())) @@ -112,22 +108,26 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory } } + public static Long getLastChangedTimestamp(KeycloakSession session, RealmModel realm, UserModel user) { + // TODO(hmlnarik): Make this more generic to support non-password credential types + PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider) session.getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID); + CredentialModel password = passwordProvider.getPassword(realm, user); + + return password == null ? null : password.getCreatedDate(); + } + @Override public void action(AuthenticationFlowContext context) { KeycloakSession keycloakSession = context.getSession(); - String actionTokenString = context.getUriInfo().getQueryParameters().getFirst(Constants.KEY); + String actionTokenString = context.getAuthenticationSession().getAuthNote(ResetCredentialsActionToken.class.getName()); ResetCredentialsActionToken tokenFromMail = null; - try { - tokenFromMail = ResetCredentialsActionToken.deserialize(keycloakSession, context.getRealm(), context.getUriInfo(), actionTokenString); - } catch (VerificationException ex) { - context.getEvent().detail(Details.REASON, ex.getMessage()).error(Errors.INVALID_CODE); - Response challenge = context.form() - .setError(Messages.INVALID_CODE) - .createErrorPage(); - context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); - } - String userId = tokenFromMail == null ? null : tokenFromMail.getUserId(); + try { + tokenFromMail = ResetCredentialsActionToken.deserialize(actionTokenString); + } catch (VerificationException ex) { + context.getEvent().detail(Details.REASON, ex.getMessage()); + // flow returns in the next condition so no "return" statmenent here + } if (tokenFromMail == null) { context.getEvent() @@ -139,14 +139,15 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory return; } - PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider) context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID); - CredentialModel password = passwordProvider.getPassword(context.getRealm(), context.getUser()); + String userId = tokenFromMail.getUserId(); Long lastCreatedPasswordMail = tokenFromMail.getLastChangedPasswordTimestamp(); - Long lastCreatedPasswordFromStore = password == null ? null : password.getCreatedDate(); + Long lastCreatedPasswordFromStore = getLastChangedTimestamp(keycloakSession, context.getRealm(), context.getUser()); String authenticationSessionId = tokenFromMail.getAuthenticationSessionId(); - AuthenticationSessionModel authenticationSession = authenticationSessionId == null ? null : keycloakSession.authenticationSessions().getAuthenticationSession(context.getRealm(), authenticationSessionId); + AuthenticationSessionModel authenticationSession = authenticationSessionId == null + ? null + : keycloakSession.authenticationSessions().getAuthenticationSession(context.getRealm(), authenticationSessionId); if (authenticationSession == null || ! Objects.equals(lastCreatedPasswordMail, lastCreatedPasswordFromStore) @@ -157,7 +158,7 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory .detail(Details.TOKEN_ID, tokenFromMail.getId()) .error(Errors.EXPIRED_CODE); Response challenge = context.form() - .setError(Messages.INVALID_CODE) + .setError(Messages.EXPIRED_CODE) .createErrorPage(); context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); return; diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index 3c68370e6c..10b5e3d1c8 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -750,7 +750,11 @@ public class AuthenticationManager { public static AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType, boolean isCookie, String tokenString, HttpHeaders headers) { try { - TokenVerifier verifier = TokenVerifier.create(tokenString).realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())).checkActive(checkActive).checkTokenType(checkTokenType); + TokenVerifier verifier = TokenVerifier.create(tokenString, AccessToken.class) + .withDefaultChecks() + .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())) + .checkActive(checkActive) + .checkTokenType(checkTokenType); String kid = verifier.getHeader().getKeyId(); AlgorithmType algorithmType = verifier.getHeader().getAlgorithm().getType(); diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 50333954de..6792964c74 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -26,17 +26,18 @@ import org.keycloak.authentication.RequiredActionFactory; import org.keycloak.authentication.RequiredActionProvider; import org.keycloak.TokenVerifier; import org.keycloak.TokenVerifier.Predicate; -import org.keycloak.authentication.ResetCredentialsActionToken; +import org.keycloak.TokenVerifier.TokenTypeCheck; +import org.keycloak.authentication.*; import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; import org.keycloak.common.ClientConnection; import org.keycloak.common.VerificationException; import org.keycloak.common.util.ObjectUtil; -import org.keycloak.common.util.Time; import org.keycloak.events.Details; import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; +import org.keycloak.exceptions.TokenNotActiveException; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.AuthenticatedClientSessionModel; @@ -62,12 +63,12 @@ import org.keycloak.services.ServicesLogger; import org.keycloak.services.Urls; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.ClientSessionCode; -import org.keycloak.services.managers.ClientSessionCode.ActionType; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.util.CookieHelper; import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.CommonClientSessionModel.Action; import javax.ws.rs.Consumes; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -85,6 +86,11 @@ import javax.ws.rs.core.UriInfo; import javax.ws.rs.ext.Providers; import java.net.URI; import java.util.Objects; +import java.util.function.*; +import javax.ws.rs.core.*; +import static org.keycloak.TokenVerifier.optional; +import static org.keycloak.authentication.DefaultActionToken.ACTION_TOKEN_BASIC_CHECKS; +import static org.keycloak.authentication.ResetCredentialsActionToken.RESET_CREDENTIALS_TYPE; /** * @author Stian Thorgersen @@ -518,171 +524,192 @@ public class LoginActionsService { return resetCredentials(code, execution); } - private boolean isSslUsed(JsonWebToken t) throws VerificationException { - if (! checkSsl()) { - event.error(Errors.SSL_REQUIRED); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.HTTPS_REQUIRED)); - } - return true; - } - - private boolean isRealmEnabled(JsonWebToken t) throws VerificationException { - if (! realm.isEnabled()) { - event.error(Errors.REALM_DISABLED); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.REALM_NOT_ENABLED)); - } - return true; - } - - private boolean isResetCredentialsAllowed(ResetCredentialsActionToken t) throws VerificationException { - if (!realm.isResetPasswordAllowed()) { - event.client(t.getAuthenticationSession().getClient()); - event.error(Errors.NOT_ALLOWED); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED)); - } - return true; - } - - private boolean canResolveClientSession(ResetCredentialsActionToken t) throws VerificationException { - String authSessionId = t == null ? null : t.getAuthenticationSessionId(); - - if (t == null || authSessionId == null) { - event.error(Errors.INVALID_CODE); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.INVALID_CODE)); - } - - AuthenticationSessionModel authSession = session.authenticationSessions().getAuthenticationSession(realm, authSessionId); - t.setAuthenticationSession(authSession); - - if (authSession == null) { // timeout or logged-already - try { - // Check if we are logged-already (it means userSession with same ID already exists). If yes, just showing the INFO or ERROR that user is already authenticated - // TODO:mposolda - - // If not, try to restart authSession from the cookie - AuthenticationSessionModel restartedAuthSession = RestartLoginCookie.restartSession(session, realm); - - // IDs must match with the ID from cookie - if (restartedAuthSession!=null && restartedAuthSession.getId().equals(authSessionId)) { - authSession = restartedAuthSession; - } - } catch (Exception e) { - ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e); + private Predicate checkThat(BooleanSupplier function, String errorEvent, String errorMessage) { + return t -> { + if (! function.getAsBoolean()) { + event.error(errorEvent); + throw new LoginActionsServiceException(ErrorPage.error(session, errorMessage)); } - if (authSession != null) { - event.clone().detail(Details.RESTART_AFTER_TIMEOUT, "true").error(Errors.EXPIRED_CODE); - throw new LoginActionsServiceException(processFlow(false, null, authSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT, new AuthenticationProcessor())); + return true; + }; + } + + /** + * Verifies that the authentication session has not yet been converted to user session, in other words + * that the user has not yet completed authentication and logged in. + * @param t token + */ + private class IsAuthenticationSessionNotConvertedToUserSession implements Predicate { + + private final Function getAuthenticationSessionIdFromToken; + + public IsAuthenticationSessionNotConvertedToUserSession(Function getAuthenticationSessionIdFromToken) { + this.getAuthenticationSessionIdFromToken = getAuthenticationSessionIdFromToken; + } + + @Override + public boolean test(T t) throws VerificationException { + String authSessionId = t == null ? null : getAuthenticationSessionIdFromToken.apply(t); + if (authSessionId == null) { + return false; } + + if (session.sessions().getUserSession(realm, authSessionId) != null) { + throw new LoginActionsServiceException( + session.getProvider(LoginFormsProvider.class) + .setSuccess(Messages.ALREADY_LOGGED_IN) + .createInfoPage()); + } + + return true; } - - if (authSession == null) { - event.error(Errors.INVALID_CODE); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.INVALID_CODE)); - } - - event.detail(Details.CODE_ID, authSession.getId()); - - return true; } - private boolean canResolveClient(ResetCredentialsActionToken t) throws VerificationException { - ClientModel client = t.getAuthenticationSession().getClient(); - if (client == null) { - event.error(Errors.CLIENT_NOT_FOUND); - session.authenticationSessions().removeAuthenticationSession(realm, t.getAuthenticationSession()); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER)); + /** + * Verifies whether client stored in the authentication session both exists and is enabled. If yes, it also sets the client + * into session context. + * @param + */ + private class IsClientValid implements Predicate { + + private final Function getAuthenticationSessionFromToken; + + public IsClientValid(Function getAuthenticationSessionFromToken) { + this.getAuthenticationSessionFromToken = getAuthenticationSessionFromToken; } - if (! client.isEnabled()) { - event.error(Errors.CLIENT_NOT_FOUND); - session.authenticationSessions().removeAuthenticationSession(realm, t.getAuthenticationSession()); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED)); - } - session.getContext().setClient(client); + @Override + public boolean test(T t) throws VerificationException { + AuthenticationSessionModel authenticationSession = getAuthenticationSessionFromToken.apply(t); - return true; + ClientModel client = authenticationSession == null ? null : authenticationSession.getClient(); + + if (client == null) { + event.error(Errors.CLIENT_NOT_FOUND); + session.authenticationSessions().removeAuthenticationSession(realm, authenticationSession); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER)); + } + + if (! client.isEnabled()) { + event.error(Errors.CLIENT_NOT_FOUND); + session.authenticationSessions().removeAuthenticationSession(realm, authenticationSession); + throw new LoginActionsServiceException(ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED)); + } + + session.getContext().setClient(client); + + return true; + } } - private class IsValidAction implements Predicate { + /** + * This check verifies that: + *
    + *
  • If authentication session ID is not set in the token, passes.
    • + *
  • If auth session ID is set in the token, then the corresponding authentication session exists. + * Then it is set into the token.
    • + *
+ * + * @param + */ + private class CanResolveAuthenticationSession implements Predicate { - private final String requiredAction; + private final Function getAuthenticationSessionIdFromToken; - public IsValidAction(String requiredAction) { - this.requiredAction = requiredAction; + private final BiConsumer setAuthenticationSessionToToken; + + public CanResolveAuthenticationSession(Function getAuthenticationSessionIdFromToken, + BiConsumer setAuthenticationSessionToToken) { + this.getAuthenticationSessionIdFromToken = getAuthenticationSessionIdFromToken; + this.setAuthenticationSessionToToken = setAuthenticationSessionToToken; } - + + @Override + public boolean test(T t) throws VerificationException { + String authSessionId = t == null ? null : getAuthenticationSessionIdFromToken.apply(t); + + AuthenticationSessionModel authSession; + if (authSessionId == null) { + return true; + } else { + authSession = session.authenticationSessions().getAuthenticationSession(realm, authSessionId); + } + + if (authSession == null) { // timeout or logged-already (NOPE - this is handled by IsAuthenticationSessionNotConvertedToUserSession) + throw new LoginActionsServiceException(restartAuthenticationSession(false)); + } + + event + .detail(Details.CODE_ID, authSession.getId()) + .client(authSession.getClient()); + + setAuthenticationSessionToToken.accept(t, authSession); + + return true; + } + } + + /** + * This check verifies that if the token has not authentication session set, a new authentication session is introduced + * for the given client and reset-credentials flow is started with this new session. + * @param + */ + private class ResetCredsIntroduceAuthenticationSessionIfNotSet implements Predicate { + + private final String defaultClientId; + + public ResetCredsIntroduceAuthenticationSessionIfNotSet(String defaultClientId) { + this.defaultClientId = defaultClientId; + } + @Override public boolean test(ResetCredentialsActionToken t) throws VerificationException { AuthenticationSessionModel authSession = t.getAuthenticationSession(); - if (! Objects.equals(authSession.getAction(), this.requiredAction)) { + if (authSession == null) { + authSession = createAuthenticationSessionForClient(this.defaultClientId); + throw new LoginActionsServiceException(processResetCredentials(false, null, authSession, null)); + } + + return true; + } + } + + /** + * Verifies that if authentication session exists and any action is required according to it, then it is + * the expected one. + * + * If there is an action required in the session, furthermore it is not the expected one, and the required + * action is redirection to "required actions", it throws with response performing the redirect to required + * actions. + * @param + */ + private class IsActionRequired implements Predicate { + + private final ClientSessionModel.Action expectedAction; + + private final Function getAuthenticationSessionFromToken; + + public IsActionRequired(Action expectedAction, Function getAuthenticationSessionFromToken) { + this.expectedAction = expectedAction; + this.getAuthenticationSessionFromToken = getAuthenticationSessionFromToken; + } + + @Override + public boolean test(T t) throws VerificationException { + AuthenticationSessionModel authSession = getAuthenticationSessionFromToken.apply(t); + + if (authSession != null && ! Objects.equals(authSession.getAction(), this.expectedAction.name())) { if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) { -// TODO: Once login tokens would be implemented, this would have to be rewritten -// String code = clientSession.getNote(ClientSessionCode.ACTIVE_CODE) + "." + clientSession.getId(); - //String code = clientSession.getNote("active_code") + "." + clientSession.getId(); throw new LoginActionsServiceException(redirectToRequiredActions(null, authSession)); } - // TODO:mposolda Similar stuff is in SessionCodeChecks as well. The case when authSession is already logged should be handled similarly - /*else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { - throw new LoginActionsServiceException( - session.getProvider(LoginFormsProvider.class) - .setSuccess(Messages.ALREADY_LOGGED_IN) - .createInfoPage()); - }*/ } return true; } } - private class IsActiveAction implements Predicate { - private final ClientSessionCode.ActionType actionType; - - public IsActiveAction(ActionType actionType) { - this.actionType = actionType; - } - - @Override - public boolean test(ResetCredentialsActionToken t) throws VerificationException { - int timestamp = t.getAuthenticationSession().getTimestamp(); - if (! isActionActive(actionType, timestamp)) { - event.client(t.getAuthenticationSession().getClient()); - event.clone().error(Errors.EXPIRED_CODE); - - if (t.getAuthenticationSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { - AuthenticationSessionModel authSession = t.getAuthenticationSession(); - - AuthenticationProcessor.resetFlow(authSession); - throw new LoginActionsServiceException(processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT)); - } - - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.EXPIRED_CODE)); - } - return true; - } - - public boolean isActionActive(ActionType actionType, int timestamp) { - int lifespan; - switch (actionType) { - case CLIENT: - lifespan = realm.getAccessCodeLifespan(); - break; - case LOGIN: - lifespan = realm.getAccessCodeLifespanLogin() > 0 ? realm.getAccessCodeLifespanLogin() : realm.getAccessCodeLifespanUserAction(); - break; - case USER: - lifespan = realm.getAccessCodeLifespanUserAction(); - break; - default: - throw new IllegalArgumentException(); - } - - return timestamp + lifespan > Time.currentTime(); - } - - } - /** * Endpoint for executing reset credentials flow. If code is null, a client session is created with the account * service as the client. Successful reset sends you to the account page. Note, account service must be enabled. @@ -695,7 +722,7 @@ public class LoginActionsService { @GET public Response resetCredentialsGET(@QueryParam("code") String code, @QueryParam("execution") String execution, - @QueryParam("key") String key) { + @QueryParam(Constants.KEY) String key) { if (code != null && key != null) { // TODO:mposolda better handling of error throw new IllegalStateException("Illegal state"); @@ -704,48 +731,45 @@ public class LoginActionsService { AuthenticationSessionModel authSession = session.authenticationSessions().getCurrentAuthenticationSession(realm); // we allow applications to link to reset credentials without going through OAuth or SAML handshakes - if (authSession == null && key == null) { + if (authSession == null && key == null && code == null) { if (!realm.isResetPasswordAllowed()) { event.event(EventType.RESET_PASSWORD); event.error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } - // set up the account service as the endpoint to call. - ClientModel client = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); - authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); - authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - //authSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); - authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); - authSession.setRedirectUri(redirectUri); - authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - authSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); - authSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); - authSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + authSession = createAuthenticationSessionForClient(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); return processResetCredentials(false, null, authSession, null); } if (key != null) { - try { - ResetCredentialsActionToken token = ResetCredentialsActionToken.deserialize( - session, realm, session.getContext().getUri(), key); - - return resetCredentials(token, execution); - } catch (VerificationException ex) { - event.event(EventType.RESET_PASSWORD) - .detail(Details.REASON, ex.getMessage()) - .error(Errors.NOT_ALLOWED); - return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); - } + return resetCredentialsByToken(key, execution); } return resetCredentials(code, execution); } + private AuthenticationSessionModel createAuthenticationSessionForClient(String clientId) + throws UriBuilderException, IllegalArgumentException { + AuthenticationSessionModel authSession; + + // set up the account service as the endpoint to call. + ClientModel client = realm.getClientByClientId(clientId); + authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + //authSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); + authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); + authSession.setRedirectUri(redirectUri); + authSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); + authSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); + authSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + + return authSession; + } /** - * @deprecated In favor of {@link #resetCredentials(org.keycloak.authentication.ResetCredentialsActionToken, java.lang.String)} + * @deprecated In favor of {@link #resetCredentialsByToken(String, String)} * @param code * @param execution * @return @@ -768,49 +792,79 @@ public class LoginActionsService { return processResetCredentials(checks.actionRequest, execution, authSession, null); } - protected Response resetCredentials(ResetCredentialsActionToken token, String execution) { + protected Response resetCredentialsByToken(String tokenString, String execution) { event.event(EventType.RESET_PASSWORD); - if (token == null) { - // TODO: Use more appropriate code - event.error(Errors.NOT_ALLOWED); - return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); - } - + ResetCredentialsActionToken token; + ResetCredentialsActionTokenChecks singleUseCheck = new ResetCredentialsActionTokenChecks(session, realm, event); try { - TokenVerifier.from(token).checkOnly( - // Start basic checks - this::isRealmEnabled, - this::isSslUsed, - this::isResetCredentialsAllowed, - this::canResolveClientSession, - this::canResolveClient, - // End basic checks - - new IsValidAction(ClientSessionModel.Action.AUTHENTICATE.name()), - new IsActiveAction(ActionType.USER) - ).verify(); + token = TokenVerifier.createHollow(tokenString, ResetCredentialsActionToken.class) + .secretKey(session.keys().getActiveHmacKey(realm).getSecretKey()) + + .withChecks( + new TokenTypeCheck(RESET_CREDENTIALS_TYPE), + + checkThat(realm::isEnabled, Errors.REALM_DISABLED, Messages.REALM_NOT_ENABLED), + checkThat(realm::isResetPasswordAllowed, Errors.NOT_ALLOWED, Messages.RESET_CREDENTIAL_NOT_ALLOWED), + checkThat(this::checkSsl, Errors.SSL_REQUIRED, Messages.HTTPS_REQUIRED), + + new IsAuthenticationSessionNotConvertedToUserSession<>(ResetCredentialsActionToken::getAuthenticationSessionId), + + // Authentication session might not be part of the token, hence the following check is optional + optional(new CanResolveAuthenticationSession<>(ResetCredentialsActionToken::getAuthenticationSessionId, ResetCredentialsActionToken::setAuthenticationSession)), + + // Check for being active has to be after authentication session is resolved so that it can be used in error handling + TokenVerifier.IS_ACTIVE, + + singleUseCheck, // TODO:hmlnarik make it use a check via generic single-use cache + + new ResetCredsIntroduceAuthenticationSessionIfNotSet(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID), + + new IsActionRequired<>(Action.AUTHENTICATE, ResetCredentialsActionToken::getAuthenticationSession), + new IsClientValid<>(ResetCredentialsActionToken::getAuthenticationSession) + ) + .withChecks(ACTION_TOKEN_BASIC_CHECKS) + + .verify() + .getToken(); + } catch (TokenNotActiveException ex) { + token = (ResetCredentialsActionToken) ex.getToken(); + + if (token != null && token.getAuthenticationSession() != null) { + event.clone() + .client(token.getAuthenticationSession().getClient()) + .error(Errors.EXPIRED_CODE); + AuthenticationSessionModel authSession = token.getAuthenticationSession(); + AuthenticationProcessor.resetFlow(authSession); + return processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT); + } + + event + .detail(Details.REASON, ex.getMessage()) + .error(Errors.NOT_ALLOWED); + return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } catch (LoginActionsServiceException ex) { if (ex.getResponse() == null) { - event.event(EventType.RESET_PASSWORD) + event .detail(Details.REASON, ex.getMessage()) - .error(Errors.INVALID_REQUEST); + .error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } else { return ex.getResponse(); } } catch (VerificationException ex) { - event.event(EventType.RESET_PASSWORD) + event .detail(Details.REASON, ex.getMessage()) .error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } final AuthenticationSessionModel authSession = token.getAuthenticationSession(); + authSession.setAuthNote(ResetCredentialsActionToken.class.getName(), tokenString); // Verify if action is processed in same browser. if (!isSameBrowser(authSession)) { - logger.infof("Action request processed in different browser!"); + logger.debug("Action request processed in different browser."); // TODO:mposolda improve this. The code should be merged with the InfinispanLoginSessionProvider code and rather extracted from the infinispan provider setAuthSessionCookie(authSession.getId()); @@ -846,7 +900,7 @@ public class LoginActionsService { } if (actionTokenSession.getId().equals(parentSessionId)) { - // It's the the correct browser. Let's remove forked session as we won't continue from the login form (browser flow) but from the resetCredentials flow + // It's the correct browser. Let's remove forked session as we won't continue from the login form (browser flow) but from the resetCredentialsByToken flow session.authenticationSessions().removeAuthenticationSession(realm, forkedSession); logger.infof("Removed forked session: %s", forkedSession.getId()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java index eaf5ab597b..454d205758 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java @@ -40,6 +40,7 @@ import javax.ws.rs.core.Response; import java.util.HashMap; import java.util.List; import java.util.Map; +import static org.hamcrest.Matchers.is; /** * @author Stian Thorgersen @@ -271,16 +272,16 @@ public class AssertEvents implements TestRule { } public EventRepresentation assertEvent(EventRepresentation actual) { - if (expected.getError() != null && !expected.getType().toString().endsWith("_ERROR")) { + if (expected.getError() != null && ! expected.getType().toString().endsWith("_ERROR")) { expected.setType(expected.getType() + "_ERROR"); } - Assert.assertEquals(expected.getType(), actual.getType()); - Assert.assertThat(actual.getRealmId(), realmId); - Assert.assertEquals(expected.getClientId(), actual.getClientId()); - Assert.assertEquals(expected.getError(), actual.getError()); - Assert.assertEquals(expected.getIpAddress(), actual.getIpAddress()); - Assert.assertThat(actual.getUserId(), userId); - Assert.assertThat(actual.getSessionId(), sessionId); + Assert.assertThat("type", actual.getType(), is(expected.getType())); + Assert.assertThat("realm ID", actual.getRealmId(), is(realmId)); + Assert.assertThat("client ID", actual.getClientId(), is(expected.getClientId())); + Assert.assertThat("error", actual.getError(), is(expected.getError())); + Assert.assertThat("ip address", actual.getIpAddress(), is(expected.getIpAddress())); + Assert.assertThat("user ID", actual.getUserId(), is(userId)); + Assert.assertThat("session ID", actual.getSessionId(), is(sessionId)); if (details == null || details.isEmpty()) { // Assert.assertNull(actual.getDetails()); @@ -292,7 +293,7 @@ public class AssertEvents implements TestRule { Assert.fail(d.getKey() + " missing"); } - Assert.assertThat("Unexpected value for " + d.getKey(), actualValue, d.getValue()); + Assert.assertThat("Unexpected value for " + d.getKey(), actualValue, is(d.getValue())); } /* for (String k : actual.getDetails().keySet()) { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java index 787db5b2dd..9afade5378 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java @@ -17,9 +17,6 @@ package org.keycloak.testsuite.forms; import org.jboss.arquillian.graphene.page.Page; -import org.junit.Before; -import org.junit.Rule; -import org.junit.Test; import org.keycloak.events.Details; import org.keycloak.events.Errors; import org.keycloak.events.EventType; @@ -51,8 +48,7 @@ import java.util.Map; import java.util.concurrent.atomic.AtomicInteger; import org.junit.*; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; /** * @author Stian Thorgersen @@ -172,16 +168,34 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { } @Test - @Ignore public void resetPasswordTwice() throws IOException, MessagingException { String changePasswordUrl = resetPassword("login-test"); + events.clear(); + + // TODO:hmlnarik is this correct?? + assertSecondPasswordResetFails(changePasswordUrl, "test-app"); // KC_RESTART exists, hence client-ID is taken from it. + } + + @Test + public void resetPasswordTwiceInNewBrowser() throws IOException, MessagingException { + String changePasswordUrl = resetPassword("login-test"); + events.clear(); + + String resetUri = oauth.AUTH_SERVER_ROOT + "/realms/test/login-actions/reset-credentials"; + driver.navigate().to(resetUri); // This is necessary to delete KC_RESTART cookie that is restricted to /auth/realms/test path + driver.manage().deleteAllCookies(); + + assertSecondPasswordResetFails(changePasswordUrl, null); + } + + public void assertSecondPasswordResetFails(String changePasswordUrl, String clientId) { driver.navigate().to(changePasswordUrl.trim()); errorPage.assertCurrent(); assertEquals("An error occurred, please login again through your application.", errorPage.getError()); events.expect(EventType.RESET_PASSWORD) - .client((String) null) + .client(clientId) .session((String) null) .user(userId) .detail(Details.USERNAME, "login-test") @@ -337,19 +351,19 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { @Test public void resetPasswordExpiredCode() throws IOException, MessagingException, InterruptedException { + initiateResetPasswordFromResetPasswordPage("login-test"); + + events.expectRequiredAction(EventType.SEND_RESET_PASSWORD) + .session((String)null) + .user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent(); + + assertEquals(1, greenMail.getReceivedMessages().length); + + MimeMessage message = greenMail.getReceivedMessages()[0]; + + String changePasswordUrl = getPasswordResetEmailLink(message); + try { - initiateResetPasswordFromResetPasswordPage("login-test"); - - events.expectRequiredAction(EventType.SEND_RESET_PASSWORD) - .session((String)null) - .user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent(); - - assertEquals(1, greenMail.getReceivedMessages().length); - - MimeMessage message = greenMail.getReceivedMessages()[0]; - - String changePasswordUrl = getPasswordResetEmailLink(message); - setTimeOffset(1800 + 23); driver.navigate().to(changePasswordUrl.trim()); @@ -590,6 +604,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { String changePasswordUrl = getPasswordResetEmailLink(message); + driver.navigate().to(resetUri); // This is necessary to delete KC_RESTART cookie that is restricted to /auth/realms/test path driver.manage().deleteAllCookies(); driver.navigate().to(changePasswordUrl.trim()); From e7272dc05af9922f7621af273feab4d651d10fc3 Mon Sep 17 00:00:00 2001 From: mposolda Date: Mon, 27 Mar 2017 22:41:36 +0200 Subject: [PATCH 06/30] KEYCLOAK-4626 AuthenticationSessions - brokering works. Few other fixes and tests added --- .../AuthenticationSessionAdapter.java | 48 +- ...finispanAuthenticationSessionProvider.java | 57 +- .../InfinispanKeycloakTransaction.java | 46 +- .../InfinispanUserSessionProvider.java | 27 +- .../infinispan/UserSessionAdapter.java | 13 +- .../entities/AuthenticationSessionEntity.java | 10 +- .../AuthenticationFlowContext.java | 6 + .../provider/AbstractIdentityProvider.java | 3 +- .../provider/AuthenticationRequest.java | 11 +- .../broker/provider/IdentityProvider.java | 4 +- .../java/org/keycloak/events/Details.java | 3 +- .../main/java/org/keycloak/events/Errors.java | 1 + .../java/org/keycloak/events/EventType.java | 3 + .../session/PersistentUserSessionAdapter.java | 5 + .../org/keycloak/protocol/LoginProtocol.java | 3 +- .../AuthenticatedClientSessionModel.java | 7 + .../keycloak/models/ClientSessionModel.java | 5 + .../org/keycloak/models/UserSessionModel.java | 4 +- .../keycloak/models/UserSessionProvider.java | 2 +- .../sessions/AuthenticationSessionModel.java | 48 +- .../AuthenticationSessionProvider.java | 7 +- .../sessions/CommonClientSessionModel.java | 15 +- .../AuthenticationProcessor.java | 119 +- .../DefaultAuthenticationFlow.java | 17 +- .../FormAuthenticationFlow.java | 1 - .../broker/AbstractIdpAuthenticator.java | 9 +- .../broker/IdpConfirmLinkAuthenticator.java | 10 +- .../IdpEmailVerificationAuthenticator.java | 12 +- .../broker/IdpReviewProfileAuthenticator.java | 2 +- .../broker/IdpUsernamePasswordForm.java | 2 +- .../SerializedBrokeredIdentityContext.java | 6 +- .../browser/CookieAuthenticator.java | 2 +- .../browser/UsernamePasswordForm.java | 3 +- .../x509/ValidateX509CertificateUsername.java | 2 +- .../X509ClientCertificateAuthenticator.java | 1 - .../forms/RegistrationUserCreation.java | 2 +- .../admin/PolicyEvaluationService.java | 15 +- .../oidc/AbstractOAuth2IdentityProvider.java | 3 + .../broker/oidc/OIDCIdentityProvider.java | 11 +- .../keycloak/broker/saml/SAMLEndpoint.java | 4 +- .../broker/saml/SAMLIdentityProvider.java | 9 +- .../FreeMarkerLoginFormsProvider.java | 25 +- .../model/IdentityProviderBean.java | 2 +- .../protocol/AuthorizationEndpointBase.java | 129 +- .../keycloak/protocol/RestartLoginCookie.java | 24 +- .../protocol/oidc/OIDCLoginProtocol.java | 27 +- .../keycloak/protocol/oidc/TokenManager.java | 11 +- .../oidc/endpoints/AuthorizationEndpoint.java | 66 +- .../oidc/endpoints/TokenEndpoint.java | 20 +- .../keycloak/protocol/saml/SamlProtocol.java | 22 +- .../keycloak/protocol/saml/SamlService.java | 91 +- .../main/java/org/keycloak/services/Urls.java | 3 +- .../managers/AuthenticationManager.java | 67 +- .../AuthenticationSessionManager.java | 115 + .../services/managers/ClientSessionCode.java | 39 +- .../services/managers/CodeGenerateUtil.java | 97 +- .../keycloak/services/messages/Messages.java | 7 + .../services/resources/AccountService.java | 23 +- .../resources/IdentityBrokerService.java | 2062 +++++++++-------- .../resources/LoginActionsService.java | 473 ++-- .../services/resources/RealmsResource.java | 4 - .../resources/admin/UsersResource.java | 4 +- .../services/util/BrowserHistoryHelper.java | 191 ++ .../keycloak/services/util/CookieHelper.java | 10 +- .../services/util/PageExpiredRedirect.java | 90 + .../twitter/TwitterIdentityProvider.java | 25 +- .../forms/PassThroughRegistration.java | 2 +- .../rest/TestingResourceProvider.java | 1 + .../ClientInitiatedAccountLinkServlet.java | 4 +- .../keycloak/testsuite/pages/InfoPage.java | 7 + .../testsuite/pages/LoginExpiredPage.java | 51 + .../testsuite/pages/RegisterPage.java | 7 + .../keycloak/testsuite/util/OAuthClient.java | 29 +- .../testsuite/account/AccountTest.java | 2 - .../RequiredActionEmailVerificationTest.java | 3 - .../RequiredActionResetPasswordTest.java | 5 - ...bstractClientInitiatedAccountLinkTest.java | 98 +- .../testsuite/forms/BrowserButtonsTest.java | 376 +++ .../keycloak/testsuite/forms/LoginTest.java | 98 +- .../keycloak/testsuite/forms/LogoutTest.java | 2 +- .../forms/MultipleTabsLoginTest.java | 248 ++ .../testsuite/forms/ResetPasswordTest.java | 16 +- .../org/keycloak/testsuite/forms/SSOTest.java | 43 +- .../oauth/AuthorizationCodeTest.java | 12 +- ...urceOwnerPasswordCredentialsGrantTest.java | 3 + .../oidc/OIDCAdvancedRequestParamsTest.java | 12 +- .../AbstractKeycloakIdentityProviderTest.java | 6 +- .../OIDCKeyCloakServerBrokerBasicTest.java | 4 +- ...DCKeycloakServerBrokerWithConsentTest.java | 1 + .../SAMLKeyCloakServerBrokerBasicTest.java | 2 +- .../AuthenticationSessionProviderTest.java | 53 +- .../keycloak/testsuite/model/CacheTest.java | 2 +- .../model/ClusterSessionCleanerTest.java | 4 +- .../model/UserSessionProviderTest.java | 40 +- .../keycloak/testsuite/rule/KeycloakRule.java | 1 - .../src/test/resources/log4j.properties | 7 +- .../theme/base/login/login-page-expired.ftl | 3 +- .../login/messages/messages_en.properties | 4 + 98 files changed, 3628 insertions(+), 1703 deletions(-) create mode 100644 services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java rename {server-spi-private => services}/src/main/java/org/keycloak/services/managers/ClientSessionCode.java (84%) rename {server-spi-private => services}/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java (61%) create mode 100644 services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java rename {server-spi-private => services}/src/main/java/org/keycloak/services/util/CookieHelper.java (87%) create mode 100644 services/src/main/java/org/keycloak/services/util/PageExpiredRedirect.java create mode 100644 testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginExpiredPage.java create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java index d2387cc42d..202fe5c99a 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java @@ -24,6 +24,7 @@ import java.util.Map; import java.util.Set; import org.infinispan.Cache; +import org.keycloak.common.util.Time; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; @@ -142,35 +143,41 @@ public class AuthenticationSessionAdapter implements AuthenticationSessionModel } @Override - public String getNote(String name) { - return entity.getNotes() != null ? entity.getNotes().get(name) : null; + public String getClientNote(String name) { + return entity.getClientNotes() != null ? entity.getClientNotes().get(name) : null; } @Override - public void setNote(String name, String value) { - if (entity.getNotes() == null) { - entity.setNotes(new HashMap()); + public void setClientNote(String name, String value) { + if (entity.getClientNotes() == null) { + entity.setClientNotes(new HashMap<>()); } - entity.getNotes().put(name, value); + entity.getClientNotes().put(name, value); update(); } @Override - public void removeNote(String name) { - if (entity.getNotes() != null) { - entity.getNotes().remove(name); + public void removeClientNote(String name) { + if (entity.getClientNotes() != null) { + entity.getClientNotes().remove(name); } update(); } @Override - public Map getNotes() { - if (entity.getNotes() == null || entity.getNotes().isEmpty()) return Collections.emptyMap(); + public Map getClientNotes() { + if (entity.getClientNotes() == null || entity.getClientNotes().isEmpty()) return Collections.emptyMap(); Map copy = new HashMap<>(); - copy.putAll(entity.getNotes()); + copy.putAll(entity.getClientNotes()); return copy; } + @Override + public void clearClientNotes() { + entity.setClientNotes(new HashMap<>()); + update(); + } + @Override public String getAuthNote(String name) { return entity.getAuthNotes() != null ? entity.getAuthNotes().get(name) : null; @@ -286,4 +293,21 @@ public class AuthenticationSessionAdapter implements AuthenticationSessionModel else entity.setAuthUserId(user.getId()); update(); } + + @Override + public void updateClient(ClientModel client) { + entity.setClientUuid(client.getId()); + update(); + } + + @Override + public void restartSession(RealmModel realm, ClientModel client) { + String id = entity.getId(); + entity = new AuthenticationSessionEntity(); + entity.setId(id); + entity.setRealm(realm.getId()); + entity.setClientUuid(client.getId()); + entity.setTimestamp(Time.currentTime()); + update(); + } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java index 9e021dbfcf..1e23524fdc 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java @@ -31,7 +31,6 @@ import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEnt import org.keycloak.models.sessions.infinispan.stream.AuthenticationSessionPredicate; import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.RealmInfoUtil; -import org.keycloak.services.util.CookieHelper; import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.sessions.AuthenticationSessionProvider; @@ -46,8 +45,6 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe private final Cache cache; protected final InfinispanKeycloakTransaction tx; - public static final String AUTH_SESSION_ID = "AUTH_SESSION_ID"; - public InfinispanAuthenticationSessionProvider(KeycloakSession session, Cache cache) { this.session = session; this.cache = cache; @@ -56,11 +53,14 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe session.getTransactionManager().enlistAfterCompletion(tx); } + @Override + public AuthenticationSessionModel createAuthenticationSession(RealmModel realm, ClientModel client) { + String id = KeycloakModelUtils.generateId(); + return createAuthenticationSession(id, realm, client); + } @Override - public AuthenticationSessionModel createAuthenticationSession(RealmModel realm, ClientModel client, boolean browser) { - String id = KeycloakModelUtils.generateId(); - + public AuthenticationSessionModel createAuthenticationSession(String id, RealmModel realm, ClientModel client) { AuthenticationSessionEntity entity = new AuthenticationSessionEntity(); entity.setId(id); entity.setRealm(realm.getId()); @@ -69,10 +69,6 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe tx.put(cache, id, entity); - if (browser) { - setBrowserCookie(id, realm); - } - AuthenticationSessionAdapter wrap = wrap(realm, entity); return wrap; } @@ -81,17 +77,6 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe return entity==null ? null : new AuthenticationSessionAdapter(session, this, cache, realm, entity); } - @Override - public String getCurrentAuthenticationSessionId(RealmModel realm) { - return getIdFromBrowserCookie(); - } - - @Override - public AuthenticationSessionModel getCurrentAuthenticationSession(RealmModel realm) { - String authSessionId = getIdFromBrowserCookie(); - return authSessionId==null ? null : getAuthenticationSession(realm, authSessionId); - } - @Override public AuthenticationSessionModel getAuthenticationSession(RealmModel realm, String authenticationSessionId) { AuthenticationSessionEntity entity = getAuthenticationSessionEntity(realm, authenticationSessionId); @@ -99,11 +84,11 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe } private AuthenticationSessionEntity getAuthenticationSessionEntity(RealmModel realm, String authSessionId) { - AuthenticationSessionEntity entity = cache.get(authSessionId); + // Chance created in this transaction + AuthenticationSessionEntity entity = tx.get(cache, authSessionId); - // Chance created in this transaction TODO:mposolda should it be opposite and rather look locally first? Check performance... if (entity == null) { - entity = tx.get(cache, authSessionId); + entity = cache.get(authSessionId); } return entity; @@ -156,28 +141,4 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe } - // COOKIE STUFF - - protected void setBrowserCookie(String authSessionId, RealmModel realm) { - String cookiePath = CookieHelper.getRealmCookiePath(realm); - boolean sslRequired = realm.getSslRequired().isRequired(session.getContext().getConnection()); - CookieHelper.addCookie(AUTH_SESSION_ID, authSessionId, cookiePath, null, null, -1, sslRequired, true); - - // TODO trace with isTraceEnabled - log.infof("Set AUTH_SESSION_ID cookie with value %s", authSessionId); - } - - protected String getIdFromBrowserCookie() { - String cookieVal = CookieHelper.getCookieValue(AUTH_SESSION_ID); - - if (log.isTraceEnabled()) { - if (cookieVal != null) { - log.tracef("Found AUTH_SESSION_ID cookie with value %s", cookieVal); - } else { - log.tracef("Not found AUTH_SESSION_ID cookie"); - } - } - - return cookieVal; - } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java index c6b30f41cf..4ac40af7a9 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java @@ -16,6 +16,7 @@ */ package org.keycloak.models.sessions.infinispan; +import org.infinispan.context.Flag; import org.keycloak.models.KeycloakTransaction; import java.util.HashMap; @@ -31,7 +32,7 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { private final static Logger log = Logger.getLogger(InfinispanKeycloakTransaction.class); public enum CacheOperation { - ADD, REMOVE, REPLACE + ADD, REMOVE, REPLACE, ADD_IF_ABSENT // ADD_IF_ABSENT throws an exception if there is existing value } private boolean active; @@ -79,7 +80,18 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { if (tasks.containsKey(taskKey)) { throw new IllegalStateException("Can't add session: task in progress for session"); } else { - tasks.put(taskKey, new CacheTask(cache, CacheOperation.ADD, key, value)); + tasks.put(taskKey, new CacheTask<>(cache, CacheOperation.ADD, key, value)); + } + } + + public void putIfAbsent(Cache cache, K key, V value) { + log.tracev("Adding cache operation: {0} on {1}", CacheOperation.ADD_IF_ABSENT, key); + + Object taskKey = getTaskKey(cache, key); + if (tasks.containsKey(taskKey)) { + throw new IllegalStateException("Can't add session: task in progress for session"); + } else { + tasks.put(taskKey, new CacheTask<>(cache, CacheOperation.ADD_IF_ABSENT, key, value)); } } @@ -91,6 +103,7 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { if (current != null) { switch (current.operation) { case ADD: + case ADD_IF_ABSENT: case REPLACE: current.value = value; return; @@ -98,7 +111,7 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { return; } } else { - tasks.put(taskKey, new CacheTask(cache, CacheOperation.REPLACE, key, value)); + tasks.put(taskKey, new CacheTask<>(cache, CacheOperation.REPLACE, key, value)); } } @@ -106,7 +119,7 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REMOVE, key); Object taskKey = getTaskKey(cache, key); - tasks.put(taskKey, new CacheTask(cache, CacheOperation.REMOVE, key, null)); + tasks.put(taskKey, new CacheTask<>(cache, CacheOperation.REMOVE, key, null)); } // This is for possibility to lookup for session by id, which was created in this transaction @@ -116,12 +129,16 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { if (current != null) { switch (current.operation) { case ADD: + case ADD_IF_ABSENT: case REPLACE: return current.value; + case REMOVE: + return null; } } - return null; + // Should we have per-transaction cache for lookups? + return cache.get(key); } private static Object getTaskKey(Cache cache, K key) { @@ -152,15 +169,28 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { switch (operation) { case ADD: - cache.put(key, value); + decorateCache().put(key, value); break; case REMOVE: - cache.remove(key); + decorateCache().remove(key); break; case REPLACE: - cache.replace(key, value); + decorateCache().replace(key, value); + break; + case ADD_IF_ABSENT: + V existing = cache.putIfAbsent(key, value); + if (existing != null) { + throw new IllegalStateException("IllegalState. There is already existing value in cache for key " + key); + } break; } } + + + // Ignore return values. Should have better performance within cluster / cross-dc env + private Cache decorateCache() { + return cache.getAdvancedCache() + .withFlags(Flag.IGNORE_RETURN_VALUES, Flag.SKIP_REMOTE_LOOKUP); + } } } \ No newline at end of file diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java index 72ea8be57b..e87347e213 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java @@ -120,9 +120,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { } @Override - public UserSessionModel createUserSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) { - String id = KeycloakModelUtils.generateId(); - + public UserSessionModel createUserSession(String id, RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) { UserSessionEntity entity = new UserSessionEntity(); entity.setId(id); entity.setRealm(realm.getId()); @@ -139,7 +137,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { entity.setStarted(currentTime); entity.setLastSessionRefresh(currentTime); - tx.put(sessionCache, id, entity); + tx.putIfAbsent(sessionCache, id, entity); return wrap(realm, entity, false); } @@ -151,11 +149,10 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { protected ClientSessionModel getClientSession(RealmModel realm, String id, boolean offline) { Cache cache = getCache(offline); - ClientSessionEntity entity = (ClientSessionEntity) cache.get(id); + ClientSessionEntity entity = (ClientSessionEntity) tx.get(cache, id); // Chance created in this transaction - // Chance created in this transaction if (entity == null) { - entity = (ClientSessionEntity) tx.get(cache, id); + entity = (ClientSessionEntity) cache.get(id); } return wrap(realm, entity, offline); @@ -163,11 +160,11 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { @Override public ClientSessionModel getClientSession(String id) { - ClientSessionEntity entity = (ClientSessionEntity) sessionCache.get(id); - // Chance created in this transaction + ClientSessionEntity entity = (ClientSessionEntity) tx.get(sessionCache, id); + if (entity == null) { - entity = (ClientSessionEntity) tx.get(sessionCache, id); + entity = (ClientSessionEntity) sessionCache.get(id); } if (entity != null) { @@ -184,11 +181,10 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { protected UserSessionAdapter getUserSession(RealmModel realm, String id, boolean offline) { Cache cache = getCache(offline); - UserSessionEntity entity = (UserSessionEntity) cache.get(id); + UserSessionEntity entity = (UserSessionEntity) tx.get(cache, id); // Chance created in this transaction - // Chance created in this transaction if (entity == null) { - entity = (UserSessionEntity) tx.get(cache, id); + entity = (UserSessionEntity) cache.get(id); } return wrap(realm, entity, offline); @@ -742,11 +738,10 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { @Override public ClientInitialAccessModel getClientInitialAccessModel(RealmModel realm, String id) { Cache cache = getCache(false); - ClientInitialAccessEntity entity = (ClientInitialAccessEntity) cache.get(id); + ClientInitialAccessEntity entity = (ClientInitialAccessEntity) tx.get(cache, id); // Chance created in this transaction - // If created in this transaction if (entity == null) { - entity = (ClientInitialAccessEntity) tx.get(cache, id); + entity = (ClientInitialAccessEntity) cache.get(id); } return wrap(realm, entity); diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java index 245e3e834e..d87612acdf 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java @@ -67,9 +67,11 @@ public class UserSessionAdapter implements UserSessionModel { Map clientSessionEntities = entity.getClientLoginSessions(); Map result = new HashMap<>(); - clientSessionEntities.forEach((String key, ClientLoginSessionEntity value) -> { - result.put(key, new AuthenticatedClientSessionAdapter(value, this, provider, cache)); - }); + if (clientSessionEntities != null) { + clientSessionEntities.forEach((String key, ClientLoginSessionEntity value) -> { + result.put(key, new AuthenticatedClientSessionAdapter(value, this, provider, cache)); + }); + } return Collections.unmodifiableMap(result); } @@ -96,6 +98,11 @@ public class UserSessionAdapter implements UserSessionModel { return session.users().getUserById(entity.getUser(), realm); } + @Override + public void setUser(UserModel user) { + entity.setUser(user.getId()); + } + @Override public String getLoginUsername() { return entity.getLoginUsername(); diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java index dad05e08fe..0b992254b2 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticationSessionEntity.java @@ -41,7 +41,7 @@ public class AuthenticationSessionEntity extends SessionEntity { private Map executionStatus = new HashMap<>();; private String protocol; - private Map notes; + private Map clientNotes; private Map authNotes; private Set requiredActions = new HashSet<>(); private Map userSessionNotes; @@ -118,12 +118,12 @@ public class AuthenticationSessionEntity extends SessionEntity { this.protocol = protocol; } - public Map getNotes() { - return notes; + public Map getClientNotes() { + return clientNotes; } - public void setNotes(Map notes) { - this.notes = notes; + public void setClientNotes(Map clientNotes) { + this.clientNotes = clientNotes; } public Set getRequiredActions() { diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java index e87256518d..2159f0912f 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java @@ -99,6 +99,12 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon */ void resetFlow(); + /** + * Reset the current flow to the beginning and restarts it. Allows to add additional listener, which is triggered after flow restarted + * + */ + void resetFlow(Runnable afterResetListener); + /** * Fork the current flow. The client session will be cloned and set to point at the realm's browser login flow. The Response will be the result * of this fork. The previous flow will still be set at the current execution. This is used by reset password when it sends an email. diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java index 8f571331a9..9d71b78202 100755 --- a/server-spi-private/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java @@ -23,6 +23,7 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; @@ -75,7 +76,7 @@ public abstract class AbstractIdentityProvider } @Override - public void attachUserSession(UserSessionModel userSession, ClientSessionModel clientSession, BrokeredIdentityContext context) { + public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context) { } diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java index 863decb984..7affd99944 100644 --- a/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java +++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java @@ -20,6 +20,7 @@ import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.UriInfo; @@ -34,16 +35,16 @@ public class AuthenticationRequest { private final HttpRequest httpRequest; private final RealmModel realm; private final String redirectUri; - private final ClientSessionModel clientSession; + private final AuthenticationSessionModel authSession; - public AuthenticationRequest(KeycloakSession session, RealmModel realm, ClientSessionModel clientSession, HttpRequest httpRequest, UriInfo uriInfo, String state, String redirectUri) { + public AuthenticationRequest(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, HttpRequest httpRequest, UriInfo uriInfo, String state, String redirectUri) { this.session = session; this.realm = realm; this.httpRequest = httpRequest; this.uriInfo = uriInfo; this.state = state; this.redirectUri = redirectUri; - this.clientSession = clientSession; + this.authSession = authSession; } public KeycloakSession getSession() { @@ -76,7 +77,7 @@ public class AuthenticationRequest { return this.redirectUri; } - public ClientSessionModel getClientSession() { - return this.clientSession; + public AuthenticationSessionModel getAuthenticationSession() { + return this.authSession; } } diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java index b14572ee5d..c4f1c5c3b6 100755 --- a/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java @@ -17,7 +17,6 @@ package org.keycloak.broker.provider; import org.keycloak.events.EventBuilder; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.IdentityProviderModel; import org.keycloak.models.KeycloakSession; @@ -25,6 +24,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.provider.Provider; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; @@ -51,7 +51,7 @@ public interface IdentityProvider extends Provi void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context); - void attachUserSession(UserSessionModel userSession, ClientSessionModel clientSession, BrokeredIdentityContext context); + void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context); void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context); void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context); diff --git a/server-spi-private/src/main/java/org/keycloak/events/Details.java b/server-spi-private/src/main/java/org/keycloak/events/Details.java index 3e72e8e439..2483a9b5e3 100755 --- a/server-spi-private/src/main/java/org/keycloak/events/Details.java +++ b/server-spi-private/src/main/java/org/keycloak/events/Details.java @@ -48,7 +48,6 @@ public interface Details { String CLIENT_SESSION_STATE = "client_session_state"; String CLIENT_SESSION_HOST = "client_session_host"; String RESTART_AFTER_TIMEOUT = "restart_after_timeout"; - String RESTART_REQUESTED = "restart_requested"; String CONSENT = "consent"; String CONSENT_VALUE_NO_CONSENT_REQUIRED = "no_consent_required"; // No consent is required by client @@ -64,4 +63,6 @@ public interface Details { String CLIENT_REGISTRATION_POLICY = "client_registration_policy"; + String EXISTING_USER = "previous_user"; + } diff --git a/server-spi-private/src/main/java/org/keycloak/events/Errors.java b/server-spi-private/src/main/java/org/keycloak/events/Errors.java index e82421f079..ab954bc40a 100755 --- a/server-spi-private/src/main/java/org/keycloak/events/Errors.java +++ b/server-spi-private/src/main/java/org/keycloak/events/Errors.java @@ -37,6 +37,7 @@ public interface Errors { String USER_DISABLED = "user_disabled"; String USER_TEMPORARILY_DISABLED = "user_temporarily_disabled"; String INVALID_USER_CREDENTIALS = "invalid_user_credentials"; + String DIFFERENT_USER_AUTHENTICATED = "different_user_authenticated"; String USERNAME_MISSING = "username_missing"; String USERNAME_IN_USE = "username_in_use"; diff --git a/server-spi-private/src/main/java/org/keycloak/events/EventType.java b/server-spi-private/src/main/java/org/keycloak/events/EventType.java index f77137fc0a..ea4b1fb9be 100755 --- a/server-spi-private/src/main/java/org/keycloak/events/EventType.java +++ b/server-spi-private/src/main/java/org/keycloak/events/EventType.java @@ -79,6 +79,9 @@ public enum EventType { RESET_PASSWORD(true), RESET_PASSWORD_ERROR(true), + RESTART_AUTHENTICATION(true), + RESTART_AUTHENTICATION_ERROR(true), + INVALID_SIGNATURE(false), INVALID_SIGNATURE_ERROR(false), REGISTER_NODE(false), diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java index 7b14ec1d23..7ba4bc49d1 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java @@ -115,6 +115,11 @@ public class PersistentUserSessionAdapter implements UserSessionModel { return user; } + @Override + public void setUser(UserModel user) { + throw new IllegalStateException("Not supported"); + } + @Override public RealmModel getRealm() { return realm; diff --git a/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java b/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java index 8fc9fd9555..569a2c0dcd 100755 --- a/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java +++ b/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java @@ -23,7 +23,6 @@ import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; import org.keycloak.provider.Provider; -import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.HttpHeaders; @@ -67,7 +66,7 @@ public interface LoginProtocol extends Provider { LoginProtocol setEventBuilder(EventBuilder event); - Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode); + Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession); Response sendError(AuthenticationSessionModel authSession, Error error); diff --git a/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java b/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java index d4d2a334cb..15dc57f89e 100644 --- a/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java @@ -18,6 +18,8 @@ package org.keycloak.models; +import java.util.Map; + import org.keycloak.sessions.CommonClientSessionModel; /** @@ -27,4 +29,9 @@ public interface AuthenticatedClientSessionModel extends CommonClientSessionMode void setUserSession(UserSessionModel userSession); UserSessionModel getUserSession(); + + public String getNote(String name); + public void setNote(String name, String value); + public void removeNote(String name); + public Map getNotes(); } diff --git a/server-spi/src/main/java/org/keycloak/models/ClientSessionModel.java b/server-spi/src/main/java/org/keycloak/models/ClientSessionModel.java index 109709fa58..12abb10903 100755 --- a/server-spi/src/main/java/org/keycloak/models/ClientSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/ClientSessionModel.java @@ -72,5 +72,10 @@ public interface ClientSessionModel extends CommonClientSessionModel { public void clearUserSessionNotes(); + public String getNote(String name); + public void setNote(String name, String value); + public void removeNote(String name); + public Map getNotes(); + } diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java b/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java index 9e1a2b68d2..0dc2f5c3c7 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java @@ -66,8 +66,10 @@ public interface UserSessionModel { State getState(); void setState(State state); + void setUser(UserModel user); + public static enum State { - LOGGING_IN, // TODO: Maybe state "LOGGING_IN" is useless now once userSession is attached after requiredActions + LOGGING_IN, // TODO:mposolda Maybe state "LOGGING_IN" is useless now once userSession is attached after requiredActions LOGGED_IN, LOGGING_OUT, LOGGED_OUT diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java index 7925bf7bc4..1afbcbaad3 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java @@ -32,7 +32,7 @@ public interface UserSessionProvider extends Provider { ClientSessionModel getClientSession(RealmModel realm, String id); ClientSessionModel getClientSession(String id); - UserSessionModel createUserSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId); + UserSessionModel createUserSession(String id, RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId); UserSessionModel getUserSession(RealmModel realm, String id); List getUserSessions(RealmModel realm, UserModel user); List getUserSessions(RealmModel realm, ClientModel client); diff --git a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java index e12cf26e24..9602db0db9 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java @@ -20,6 +20,8 @@ package org.keycloak.sessions; import java.util.Map; import java.util.Set; +import org.keycloak.models.ClientModel; +import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; /** @@ -34,11 +36,11 @@ public interface AuthenticationSessionModel extends CommonClientSessionModel { // public void setUserSession(UserSessionModel userSession); - public Map getExecutionStatus(); - public void setExecutionStatus(String authenticator, ExecutionStatus status); - public void clearExecutionStatus(); - public UserModel getAuthenticatedUser(); - public void setAuthenticatedUser(UserModel user); + Map getExecutionStatus(); + void setExecutionStatus(String authenticator, ExecutionStatus status); + void clearExecutionStatus(); + UserModel getAuthenticatedUser(); + void setAuthenticatedUser(UserModel user); /** * Required actions that are attached to this client session. @@ -56,26 +58,26 @@ public interface AuthenticationSessionModel extends CommonClientSessionModel { void removeRequiredAction(UserModel.RequiredAction action); - /** - * These are notes you want applied to the UserSessionModel when the client session is attached to it. - * - * @param name - * @param value - */ - public void setUserSessionNote(String name, String value); + // These are notes you want applied to the UserSessionModel when the client session is attached to it. + void setUserSessionNote(String name, String value); + Map getUserSessionNotes(); + void clearUserSessionNotes(); - /** - * These are notes you want applied to the UserSessionModel when the client session is attached to it. - * - * @return - */ - public Map getUserSessionNotes(); + // These are notes used typically by authenticators and authentication flows. They are cleared when authentication session is restarted + String getAuthNote(String name); + void setAuthNote(String name, String value); + void removeAuthNote(String name); + void clearAuthNotes(); - public void clearUserSessionNotes(); + // These are notes specific to client protocol. They are NOT cleared when authentication session is restarted + String getClientNote(String name); + void setClientNote(String name, String value); + void removeClientNote(String name); + Map getClientNotes(); + void clearClientNotes(); - public String getAuthNote(String name); - public void setAuthNote(String name, String value); - public void removeAuthNote(String name); - public void clearAuthNotes(); + void updateClient(ClientModel client); + // Will completely restart whole state of authentication session. It will just keep same ID. It will setup it with provided realm and client. + void restartSession(RealmModel realm, ClientModel client); } diff --git a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java index a3b04d3fdb..42884cc5e2 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java @@ -26,11 +26,10 @@ import org.keycloak.provider.Provider; */ public interface AuthenticationSessionProvider extends Provider { - AuthenticationSessionModel createAuthenticationSession(RealmModel realm, ClientModel client, boolean browser); + // Generates random ID + AuthenticationSessionModel createAuthenticationSession(RealmModel realm, ClientModel client); - String getCurrentAuthenticationSessionId(RealmModel realm); - - AuthenticationSessionModel getCurrentAuthenticationSession(RealmModel realm); + AuthenticationSessionModel createAuthenticationSession(String id, RealmModel realm, ClientModel client); AuthenticationSessionModel getAuthenticationSession(RealmModel realm, String authenticationSessionId); diff --git a/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java b/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java index e6a9288e0a..c47a6a5ea2 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/sessions/CommonClientSessionModel.java @@ -53,25 +53,12 @@ public interface CommonClientSessionModel { // TODO: Not needed here...? public Set getProtocolMappers(); public void setProtocolMappers(Set protocolMappers); - - public String getNote(String name); - public void setNote(String name, String value); - public void removeNote(String name); - public Map getNotes(); - + public static enum Action { OAUTH_GRANT, CODE_TO_TOKEN, - VERIFY_EMAIL, - UPDATE_PROFILE, - CONFIGURE_TOTP, - UPDATE_PASSWORD, - RECOVER_PASSWORD, // deprecated AUTHENTICATE, - SOCIAL_CALLBACK, LOGGED_OUT, - RESET_CREDENTIALS, - EXECUTE_ACTIONS, REQUIRED_ACTIONS } diff --git a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java index 70c876f836..e633c70730 100755 --- a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java +++ b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java @@ -44,16 +44,20 @@ import org.keycloak.protocol.LoginProtocol; import org.keycloak.protocol.LoginProtocol.Error; import org.keycloak.protocol.oidc.TokenManager; import org.keycloak.services.ErrorPage; +import org.keycloak.services.ErrorPageException; import org.keycloak.services.ServicesLogger; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.BruteForceProtector; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; +import org.keycloak.services.util.PageExpiredRedirect; import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import java.net.URI; import java.util.HashMap; @@ -69,6 +73,10 @@ public class AuthenticationProcessor { public static final String LAST_PROCESSED_EXECUTION = "last.processed.execution"; public static final String CURRENT_FLOW_PATH = "current.flow.path"; public static final String FORKED_FROM = "forked.from"; + public static final String FORWARDED_ERROR_MESSAGE_NOTE = "forwardedErrorMessage"; + + public static final String BROKER_SESSION_ID = "broker.session.id"; + public static final String BROKER_USER_ID = "broker.user.id"; protected static final Logger logger = Logger.getLogger(AuthenticationProcessor.class); protected RealmModel realm; @@ -83,7 +91,7 @@ public class AuthenticationProcessor { protected String flowPath; protected boolean browserFlow; protected BruteForceProtector protector; - protected boolean oneActionWasSuccessful; + protected Runnable afterResetListener; /** * This could be an error message forwarded from another authenticator */ @@ -508,6 +516,12 @@ public class AuthenticationProcessor { this.status = FlowStatus.FLOW_RESET; } + @Override + public void resetFlow(Runnable afterResetListener) { + this.status = FlowStatus.FLOW_RESET; + AuthenticationProcessor.this.afterResetListener = afterResetListener; + } + @Override public void fork() { this.status = FlowStatus.FORK; @@ -558,7 +572,7 @@ public class AuthenticationProcessor { protected void logSuccess() { if (realm.isBruteForceProtected()) { - String username = clientSession.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); + String username = authenticationSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); // TODO: as above, need to handle non form success if(username == null) { @@ -608,6 +622,8 @@ public class AuthenticationProcessor { ForkFlowException reset = (ForkFlowException)e; AuthenticationSessionModel clone = clone(session, authenticationSession); clone.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + setAuthenticationSession(clone); + AuthenticationProcessor processor = new AuthenticationProcessor(); processor.setAuthenticationSession(clone) .setFlowPath(LoginActionsService.AUTHENTICATE_PATH) @@ -701,46 +717,40 @@ public class AuthenticationProcessor { } - public Response redirectToFlow(String execution) { - logger.info("Redirecting to flow with execution: " + execution); - authenticationSession.setAuthNote(LAST_PROCESSED_EXECUTION, execution); + public Response redirectToFlow() { + URI redirect = new PageExpiredRedirect(session, realm, uriInfo).getLastExecutionUrl(authenticationSession); + + logger.info("Redirecting to URL: " + redirect.toString()); - URI redirect = LoginActionsService.loginActionsBaseUrl(getUriInfo()) - .path(flowPath) - .queryParam("execution", execution).build(getRealm().getName()); return Response.status(302).location(redirect).build(); } - public static Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, UriInfo uriInfo) { - - // redirect to non-action url so browser refresh button works without reposting past data - ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authSession); - accessCode.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name()); - authSession.setTimestamp(Time.currentTime()); - - URI redirect = LoginActionsService.loginActionsBaseUrl(uriInfo) - .path(LoginActionsService.REQUIRED_ACTION) - .queryParam(OAuth2Constants.CODE, accessCode.getCode()).build(realm.getName()); - return Response.status(302).location(redirect).build(); + public void resetFlow() { + resetFlow(authenticationSession, flowPath); + if (afterResetListener != null) { + afterResetListener.run(); + } } - public static void resetFlow(AuthenticationSessionModel authSession) { + public static void resetFlow(AuthenticationSessionModel authSession, String flowPath) { logger.debug("RESET FLOW"); authSession.setTimestamp(Time.currentTime()); authSession.setAuthenticatedUser(null); authSession.clearExecutionStatus(); authSession.clearUserSessionNotes(); authSession.clearAuthNotes(); + + authSession.setAuthNote(CURRENT_FLOW_PATH, flowPath); } public static AuthenticationSessionModel clone(KeycloakSession session, AuthenticationSessionModel authSession) { - AuthenticationSessionModel clone = session.authenticationSessions().createAuthenticationSession(authSession.getRealm(), authSession.getClient(), true); + AuthenticationSessionModel clone = new AuthenticationSessionManager(session).createAuthenticationSession(authSession.getRealm(), authSession.getClient(), true); // Transfer just the client "notes", but not "authNotes" - for (Map.Entry entry : authSession.getNotes().entrySet()) { - clone.setNote(entry.getKey(), entry.getValue()); + for (Map.Entry entry : authSession.getClientNotes().entrySet()) { + clone.setClientNote(entry.getKey(), entry.getValue()); } clone.setRedirectUri(authSession.getRedirectUri()); @@ -762,7 +772,7 @@ public class AuthenticationProcessor { if (!execution.equals(current)) { // TODO:mposolda debug logger.info("Current execution does not equal executed execution. Might be a page refresh"); - return redirectToFlow(current); + return new PageExpiredRedirect(session, realm, uriInfo).showPageExpired(authenticationSession); } UserModel authUser = authenticationSession.getAuthenticatedUser(); validateUser(authUser); @@ -770,7 +780,7 @@ public class AuthenticationProcessor { if (model == null) { logger.debug("Cannot find execution, reseting flow"); logFailure(); - resetFlow(authenticationSession); + resetFlow(); return authenticate(); } event.client(authenticationSession.getClient().getClientId()) @@ -826,28 +836,6 @@ public class AuthenticationProcessor { return challenge; } - /** - * Marks that at least one action was successful - * - */ - public void setActionSuccessful() { -// oneActionWasSuccessful = true; - } - - public Response checkWasSuccessfulBrowserAction() { - if (oneActionWasSuccessful && isBrowserFlow()) { - // redirect to non-action url so browser refresh button works without reposting past data - String code = generateCode(); - - URI redirect = LoginActionsService.loginActionsBaseUrl(getUriInfo()) - .path(flowPath) - .queryParam(OAuth2Constants.CODE, code).build(getRealm().getName()); - return Response.status(302).location(redirect).build(); - } else { - return null; - } - } - // May create userSession too public AuthenticatedClientSessionModel attachSession() { AuthenticatedClientSessionModel clientSession = attachSession(authenticationSession, userSession, session, realm, connection, event); @@ -866,10 +854,28 @@ public class AuthenticationProcessor { if (attemptedUsername != null) username = attemptedUsername; String rememberMe = authSession.getAuthNote(Details.REMEMBER_ME); boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("true"); + if (userSession == null) { // if no authenticator attached a usersession - userSession = session.sessions().createUserSession(realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol(), remember, null, null); + + userSession = session.sessions().getUserSession(realm, authSession.getId()); + if (userSession == null) { + String brokerSessionId = authSession.getAuthNote(BROKER_SESSION_ID); + String brokerUserId = authSession.getAuthNote(BROKER_USER_ID); + userSession = session.sessions().createUserSession(authSession.getId(), realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol() + , remember, brokerSessionId, brokerUserId); + } else { + // We have existing userSession even if it wasn't attached to authenticator. Could happen if SSO authentication was ignored (eg. prompt=login) and in some other cases. + // We need to handle case when different user was used and update that (TODO:mposolda evaluate this again and corner cases like token refresh etc. AND ROLES!!! LIKELY ERROR SHOULD BE SHOWN IF ATTEMPT TO AUTHENTICATE AS DIFFERENT USER) + logger.info("No SSO login, but found existing userSession with ID '%s' after finished authentication."); + if (!authSession.getAuthenticatedUser().equals(userSession.getUser())) { + event.detail(Details.EXISTING_USER, userSession.getUser().getId()); + event.error(Errors.DIFFERENT_USER_AUTHENTICATED); + throw new ErrorPageException(session, Messages.DIFFERENT_USER_AUTHENTICATED, userSession.getUser().getUsername()); + } + } userSession.setState(UserSessionModel.State.LOGGING_IN); } + if (remember) { event.detail(Details.REMEMBER_ME, "true"); } @@ -909,24 +915,19 @@ public class AuthenticationProcessor { // attachSession(); // Session will be attached after requiredActions + consents are finished. AuthenticationManager.setRolesAndMappersInSession(authenticationSession); - if (isActionRequired()) { - // TODO:mposolda This was changed to avoid additional redirect. Doublecheck consequences... - //return redirectToRequiredActions(session, realm, authenticationSession, uriInfo); - ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authenticationSession); - accessCode.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name()); - authenticationSession.setAuthNote(CURRENT_FLOW_PATH, LoginActionsService.REQUIRED_ACTION); - - return AuthenticationManager.nextActionAfterAuthentication(session, authenticationSession, connection, request, uriInfo, event); + String nextRequiredAction = nextRequiredAction(); + if (nextRequiredAction != null) { + return AuthenticationManager.redirectToRequiredActions(session, realm, authenticationSession, uriInfo, nextRequiredAction); } else { event.detail(Details.CODE_ID, authenticationSession.getId()); // todo This should be set elsewhere. find out why tests fail. Don't know where this is supposed to be set // the user has successfully logged in and we can clear his/her previous login failure attempts. logSuccess(); - return AuthenticationManager.finishedRequiredActions(session, authenticationSession, connection, request, uriInfo, event); + return AuthenticationManager.finishedRequiredActions(session, authenticationSession, userSession, connection, request, uriInfo, event); } } - public boolean isActionRequired() { - return AuthenticationManager.isActionRequired(session, authenticationSession, connection, request, uriInfo, event); + public String nextRequiredAction() { + return AuthenticationManager.nextRequiredAction(session, authenticationSession, connection, request, uriInfo, event); } public AuthenticationProcessor.Result createAuthenticatorContext(AuthenticationExecutionModel model, Authenticator authenticator, List executions) { diff --git a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java index c8ec6b2941..dfa1afa6e9 100755 --- a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java +++ b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java @@ -93,10 +93,6 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { Response response = processResult(result, true); if (response == null) { processor.getAuthenticationSession().removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); - if (result.status == FlowStatus.SUCCESS) { - // we do this so that flow can redirect to a non-action URL - processor.setActionSuccessful(); - } return processFlow(); } else return response; } @@ -183,8 +179,8 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { } } // skip if action as successful already - Response redirect = processor.checkWasSuccessfulBrowserAction(); - if (redirect != null) return redirect; +// Response redirect = processor.checkWasSuccessfulBrowserAction(); +// if (redirect != null) return redirect; AuthenticationProcessor.Result context = processor.createAuthenticatorContext(model, authenticator, executions); logger.debug("invoke authenticator.authenticate"); @@ -203,13 +199,6 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { case SUCCESS: logger.debugv("authenticator SUCCESS: {0}", execution.getAuthenticator()); processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); - - // We just do another GET to ensure that page refresh will work - if (isAction) { - processor.getAuthenticationSession().removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); - return processor.redirectToFlow(execution.getId()); - } - if (execution.isAlternative()) alternativeSuccessful = true; return null; case FAILED: @@ -258,7 +247,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.ATTEMPTED); return null; case FLOW_RESET: - AuthenticationProcessor.resetFlow(processor.getAuthenticationSession()); + processor.resetFlow(); return processor.authenticate(); default: logger.debugv("authenticator INTERNAL_ERROR: {0}", execution.getAuthenticator()); diff --git a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java index 17898f4d16..0e121dd5b5 100755 --- a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java +++ b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java @@ -244,7 +244,6 @@ public class FormAuthenticationFlow implements AuthenticationFlow { } processor.getAuthenticationSession().setExecutionStatus(actionExecution, ClientSessionModel.ExecutionStatus.SUCCESS); processor.getAuthenticationSession().removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); - processor.setActionSuccessful(); return null; } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java index 9ba2053f1b..fc7b9417f6 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java @@ -48,7 +48,7 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { public static final String UPDATE_PROFILE_EMAIL_CHANGED = "UPDATE_PROFILE_EMAIL_CHANGED"; // The clientSession note flag to indicate if re-authentication after first broker login happened in different browser window. This can happen for example during email verification - public static final String IS_DIFFERENT_BROWSER = "IS_DIFFERENT_BROWSER"; + public static final String IS_DIFFERENT_BROWSER = "IS_DIFFERENT_BROWSER"; // TODO:mposolda can reuse the END_AFTER_REQUIRED_ACTIONS instead? // The clientSession note flag to indicate that updateProfile page will be always displayed even if "updateProfileOnFirstLogin" is off public static final String ENFORCE_UPDATE_PROFILE = "ENFORCE_UPDATE_PROFILE"; @@ -56,12 +56,15 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { // clientSession.note flag specifies if we imported new user to keycloak (true) or we just linked to an existing keycloak user (false) public static final String BROKER_REGISTERED_NEW_USER = "BROKER_REGISTERED_NEW_USER"; + // Set after firstBrokerLogin is successfully finished and contains the providerId of the provider, whose 'first-broker-login' flow was just finished + public static final String FIRST_BROKER_LOGIN_SUCCESS = "FIRST_BROKER_LOGIN_SUCCESS"; + @Override public void authenticate(AuthenticationFlowContext context) { AuthenticationSessionModel authSession = context.getAuthenticationSession(); - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(authSession, BROKERED_CONTEXT_NOTE); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); } @@ -78,7 +81,7 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { public void action(AuthenticationFlowContext context) { AuthenticationSessionModel clientSession = context.getAuthenticationSession(); - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(clientSession, BROKERED_CONTEXT_NOTE); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(clientSession, BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java index d4cfcf5570..3ed3dd7f90 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpConfirmLinkAuthenticator.java @@ -20,6 +20,7 @@ package org.keycloak.authentication.authenticators.broker; import org.keycloak.authentication.AuthenticationFlowContext; import org.keycloak.authentication.AuthenticationFlowError; import org.keycloak.authentication.AuthenticationFlowException; +import org.keycloak.authentication.AuthenticationProcessor; import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo; import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; import org.keycloak.broker.provider.BrokeredIdentityContext; @@ -65,9 +66,12 @@ public class IdpConfirmLinkAuthenticator extends AbstractIdpAuthenticator { String action = formData.getFirst("submitAction"); if (action != null && action.equals("updateProfile")) { - context.getAuthenticationSession().setAuthNote(ENFORCE_UPDATE_PROFILE, "true"); - context.getAuthenticationSession().removeAuthNote(EXISTING_USER_INFO); - context.resetFlow(); + context.resetFlow(() -> { + AuthenticationSessionModel authSession = context.getAuthenticationSession(); + + serializedCtx.saveToAuthenticationSession(authSession, BROKERED_CONTEXT_NOTE); + authSession.setAuthNote(ENFORCE_UPDATE_PROFILE, "true"); + }); } else if (action != null && action.equals("linkAccount")) { context.success(); } else { diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java index 27a30e8647..72064a0f04 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java @@ -38,6 +38,7 @@ import org.keycloak.models.UserModel; import org.keycloak.services.ServicesLogger; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; @@ -53,16 +54,17 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator @Override protected void authenticateImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { - /*KeycloakSession session = context.getSession(); + KeycloakSession session = context.getSession(); RealmModel realm = context.getRealm(); - ClientSessionModel clientSession = context.getClientSession(); + AuthenticationSessionModel authSession = context.getAuthenticationSession(); - if (realm.getSmtpConfig().size() == 0) { + // TODO:mposolda (or hmlnarik :) - uncomment and have this working and have AbstractFirstBrokerLoginTest.testLinkAccountByEmailVerification tp PASS +// if (realm.getSmtpConfig().size() == 0) { ServicesLogger.LOGGER.smtpNotConfigured(); context.attempted(); return; - } - +// } +/* VerifyEmail.setupKey(clientSession); UserModel existingUser = getExistingUser(session, realm, clientSession); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java index 245f258a56..c430fef78b 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java @@ -127,7 +127,7 @@ public class IdpReviewProfileAuthenticator extends AbstractIdpAuthenticator { AttributeFormDataProcessor.process(formData, realm, userCtx); - userCtx.saveToLoginSession(context.getAuthenticationSession(), BROKERED_CONTEXT_NOTE); + userCtx.saveToAuthenticationSession(context.getAuthenticationSession(), BROKERED_CONTEXT_NOTE); logger.debugf("Profile updated successfully after first authentication with identity provider '%s' for broker user '%s'.", brokerContext.getIdpConfig().getAlias(), userCtx.getUsername()); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java index edcc030e52..0ea8157d6b 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpUsernamePasswordForm.java @@ -58,7 +58,7 @@ public class IdpUsernamePasswordForm extends UsernamePasswordForm { } protected LoginFormsProvider setupForm(AuthenticationFlowContext context, MultivaluedMap formData, UserModel existingUser) { - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(context.getAuthenticationSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(context.getAuthenticationSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); if (serializedCtx == null) { throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java index e648242ab2..a9c6d1e893 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/util/SerializedBrokeredIdentityContext.java @@ -313,8 +313,8 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { return ctx; } - // Save this context as note to clientSession - public void saveToLoginSession(AuthenticationSessionModel authSession, String noteKey) { + // Save this context as note to authSession + public void saveToAuthenticationSession(AuthenticationSessionModel authSession, String noteKey) { try { String asString = JsonSerialization.writeValueAsString(this); authSession.setAuthNote(noteKey, asString); @@ -323,7 +323,7 @@ public class SerializedBrokeredIdentityContext implements UpdateProfileContext { } } - public static SerializedBrokeredIdentityContext readFromLoginSession(AuthenticationSessionModel authSession, String noteKey) { + public static SerializedBrokeredIdentityContext readFromAuthenticationSession(AuthenticationSessionModel authSession, String noteKey) { String asString = authSession.getAuthNote(noteKey); if (asString == null) { return null; diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java index 73c92cf2ef..cf7e1a0ba2 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java @@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator { if (protocol.requireReauthentication(authResult.getSession(), clientSession)) { context.attempted(); } else { - clientSession.setNote(AuthenticationManager.SSO_AUTH, "true"); + clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true"); context.setUser(authResult.getUser()); context.attachUserSession(authResult.getSession()); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java index eaa95bbf95..bd81263109 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java @@ -59,7 +59,7 @@ public class UsernamePasswordForm extends AbstractUsernameFormAuthenticator impl @Override public void authenticate(AuthenticationFlowContext context) { MultivaluedMap formData = new MultivaluedMapImpl<>(); - String loginHint = context.getAuthenticationSession().getNote(OIDCLoginProtocol.LOGIN_HINT_PARAM); + String loginHint = context.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM); String rememberMeUsername = AuthenticationManager.getRememberMeUsername(context.getRealm(), context.getHttpRequest().getHttpHeaders()); @@ -72,7 +72,6 @@ public class UsernamePasswordForm extends AbstractUsernameFormAuthenticator impl } } Response challengeResponse = challenge(context, formData); - context.getAuthenticationSession().setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, context.getExecution().getId()); context.challenge(challengeResponse); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java index 46f800ea28..89048acd5e 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java @@ -92,7 +92,7 @@ public class ValidateX509CertificateUsername extends AbstractX509ClientCertifica UserModel user; try { context.getEvent().detail(Details.USERNAME, userIdentity.toString()); - context.getAuthenticationSession().setNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userIdentity.toString()); + context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userIdentity.toString()); user = getUserIdentityToModelMapper(config).find(context, userIdentity); } catch(ModelDuplicateException e) { diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java index 01345bacf8..2aa5a63140 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java @@ -166,7 +166,6 @@ public class X509ClientCertificateAuthenticator extends AbstractX509ClientCertif // to call the method "challenge" results in a wrong/unexpected behavior. // The question is whether calling "forceChallenge" here is ok from // the design viewpoint? - context.getAuthenticationSession().setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, context.getExecution().getId()); context.forceChallenge(createSuccessResponse(context, certs[0].getSubjectDN().getName())); // Do not set the flow status yet, we want to display a form to let users // choose whether to accept the identity from certificate or to specify username/password explicitly diff --git a/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java b/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java index ad13212f14..6567aef923 100755 --- a/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java +++ b/services/src/main/java/org/keycloak/authentication/forms/RegistrationUserCreation.java @@ -134,7 +134,7 @@ public class RegistrationUserCreation implements FormAction, FormActionFactory { user.setEnabled(true); user.setEmail(email); - context.getAuthenticationSession().setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); + context.getAuthenticationSession().setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username); AttributeFormDataProcessor.process(formData, context.getRealm(), user); context.setUser(user); context.getEvent().user(user); diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java index 8a7ea61114..82cbddfcb3 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java @@ -62,10 +62,14 @@ import org.keycloak.models.RoleModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.oidc.TokenManager; +import org.keycloak.models.utils.KeycloakModelUtils; +import org.keycloak.protocol.ProtocolMapper; +import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper; import org.keycloak.representations.AccessToken; import org.keycloak.representations.idm.authorization.ResourceRepresentation; import org.keycloak.representations.idm.authorization.ScopeRepresentation; import org.keycloak.services.Urls; +import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.resources.admin.RealmAuth; import org.keycloak.sessions.AuthenticationSessionModel; @@ -229,11 +233,14 @@ public class PolicyEvaluationService { if (clientId != null) { ClientModel clientModel = realm.getClientById(clientId); - AuthenticationSessionModel authSession = keycloakSession.authenticationSessions().createAuthenticationSession(realm, clientModel, false); - authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - userSession = keycloakSession.sessions().createUserSession(realm, userModel, userModel.getUsername(), "127.0.0.1", "passwd", false, null, null); + String id = KeycloakModelUtils.generateId(); - clientSession = new TokenManager().attachAuthenticationSession(keycloakSession, userSession, authSession); + AuthenticationSessionModel authSession = keycloakSession.authenticationSessions().createAuthenticationSession(id, realm, clientModel); + authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + userSession = keycloakSession.sessions().createUserSession(id, realm, userModel, userModel.getUsername(), "127.0.0.1", "passwd", false, null, null); + + AuthenticationManager.setRolesAndMappersInSession(authSession); + clientSession = TokenManager.attachAuthenticationSession(keycloakSession, userSession, authSession); Set requestedRoles = new HashSet<>(); for (String roleId : clientSession.getRoles()) { diff --git a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java index 7f02e43632..339747a560 100755 --- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java +++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java @@ -37,6 +37,7 @@ import org.keycloak.services.messages.Messages; import javax.ws.rs.GET; import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; @@ -240,6 +241,8 @@ public abstract class AbstractOAuth2IdentityProvider 0 ? tokenResponse.getExpiresIn() + currentTime : 0; - userSession.setNote(FEDERATED_TOKEN_EXPIRATION, Long.toString(expiration)); - userSession.setNote(FEDERATED_REFRESH_TOKEN, tokenResponse.getRefreshToken()); - userSession.setNote(FEDERATED_ACCESS_TOKEN, tokenResponse.getToken()); - userSession.setNote(FEDERATED_ID_TOKEN, tokenResponse.getIdToken()); + authSession.setUserSessionNote(FEDERATED_TOKEN_EXPIRATION, Long.toString(expiration)); + authSession.setUserSessionNote(FEDERATED_REFRESH_TOKEN, tokenResponse.getRefreshToken()); + authSession.setUserSessionNote(FEDERATED_ACCESS_TOKEN, tokenResponse.getToken()); + authSession.setUserSessionNote(FEDERATED_ID_TOKEN, tokenResponse.getIdToken()); } @Override diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java b/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java index 5825f60554..dc38d59ab9 100755 --- a/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java +++ b/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java @@ -71,6 +71,7 @@ import javax.ws.rs.POST; import javax.ws.rs.Path; import javax.ws.rs.QueryParam; import javax.ws.rs.PathParam; +import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.MediaType; @@ -436,7 +437,8 @@ public class SAMLEndpoint { return callback.authenticated(identity); - + } catch (WebApplicationException e) { + return e.getResponse(); } catch (Exception e) { throw new IdentityBrokerException("Could not process response from SAML identity provider.", e); } diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java index c28cda8936..5f02b8e413 100755 --- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java +++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java @@ -56,6 +56,7 @@ import java.util.TreeSet; import org.keycloak.dom.saml.v2.metadata.KeyTypes; import org.keycloak.keys.KeyMetadata; import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator; +import org.keycloak.sessions.AuthenticationSessionModel; /** * @author Pedro Igor @@ -132,17 +133,17 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider identityProviders = realm.getIdentityProviders(); identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData); - attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUri, uriInfo)); + attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCode)); attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri)); @@ -340,6 +346,11 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { } URI baseUri = uriBuilder.build(); + if (accessCode != null) { + uriBuilder.queryParam(OAuth2Constants.CODE, accessCode); + } + URI baseUriWithCode = uriBuilder.build(); + ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending"); Theme theme; try { @@ -391,7 +402,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { List identityProviders = realm.getIdentityProviders(); identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData); - attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUri, uriInfo)); + attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCode)); attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri)); attributes.put("requiredActionUrl", new RequiredActionUrlFormatterMethod(realm, baseUri)); diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/model/IdentityProviderBean.java b/services/src/main/java/org/keycloak/forms/login/freemarker/model/IdentityProviderBean.java index 696e19b5fc..986d0efc21 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/IdentityProviderBean.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/IdentityProviderBean.java @@ -42,7 +42,7 @@ public class IdentityProviderBean { private RealmModel realm; private final KeycloakSession session; - public IdentityProviderBean(RealmModel realm, KeycloakSession session, List identityProviders, URI baseURI, UriInfo uriInfo) { + public IdentityProviderBean(RealmModel realm, KeycloakSession session, List identityProviders, URI baseURI) { this.realm = realm; this.session = session; diff --git a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java index e81e9e59e0..89680bb890 100755 --- a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java +++ b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java @@ -17,17 +17,25 @@ package org.keycloak.protocol; +import org.jboss.logging.Logger; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.authentication.AuthenticationProcessor; import org.keycloak.common.ClientConnection; +import org.keycloak.common.util.ObjectUtil; import org.keycloak.events.Details; import org.keycloak.events.EventBuilder; import org.keycloak.models.AuthenticationFlowModel; +import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; +import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.LoginProtocol.Error; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.resources.LoginActionsService; +import org.keycloak.services.util.CacheControlUtil; +import org.keycloak.services.util.PageExpiredRedirect; import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Context; @@ -42,6 +50,10 @@ import javax.ws.rs.core.UriInfo; */ public abstract class AuthorizationEndpointBase { + private static final Logger logger = Logger.getLogger(AuthorizationEndpointBase.class); + + public static final String APP_INITIATED_FLOW = "APP_INITIATED_FLOW"; + protected RealmModel realm; protected EventBuilder event; protected AuthenticationManager authManager; @@ -103,15 +115,13 @@ public abstract class AuthorizationEndpointBase { // processor.attachSession(); } else { Response response = protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED); - session.authenticationSessions().removeAuthenticationSession(realm, authSession); return response; } AuthenticationManager.setRolesAndMappersInSession(authSession); - if (processor.isActionRequired()) { + if (processor.nextRequiredAction() != null) { Response response = protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED); - session.authenticationSessions().removeAuthenticationSession(realm, authSession); return response; } @@ -125,7 +135,7 @@ public abstract class AuthorizationEndpointBase { try { RestartLoginCookie.setRestartCookie(session, realm, clientConnection, uriInfo, authSession); if (redirectToAuthentication) { - return processor.redirectToFlow(null); + return processor.redirectToFlow(); } return processor.authenticate(); } catch (Exception e) { @@ -138,4 +148,115 @@ public abstract class AuthorizationEndpointBase { return realm.getBrowserFlow(); } + + protected AuthorizationEndpointChecks getOrCreateAuthenticationSession(ClientModel client, String requestState) { + AuthenticationSessionManager manager = new AuthenticationSessionManager(session); + String authSessionId = manager.getCurrentAuthenticationSessionId(realm); + AuthenticationSessionModel authSession = authSessionId==null ? null : session.authenticationSessions().getAuthenticationSession(realm, authSessionId); + + if (authSession != null) { + + ClientSessionCode check = new ClientSessionCode<>(session, realm, authSession); + if (!check.isActionActive(ClientSessionCode.ActionType.LOGIN)) { + + logger.infof("Authentication session '%s' exists, but is expired. Restart existing authentication session", authSession.getId()); + authSession.restartSession(realm, client); + return new AuthorizationEndpointChecks(authSession); + + } else if (isNewRequest(authSession, client, requestState)) { + // Check if we have lastProcessedExecution and restart the session just if yes. Otherwise update just client information from the AuthorizationEndpoint request. + // This difference is needed, because of logout from JS applications in multiple browser tabs. + if (hasProcessedExecution(authSession)) { + logger.info("New request from application received, but authentication session already exists. Restart existing authentication session"); + authSession.restartSession(realm, client); + } else { + logger.info("New request from application received, but authentication session already exists. Update client information in existing authentication session"); + authSession.clearClientNotes(); // update client data + authSession.updateClient(client); + } + + return new AuthorizationEndpointChecks(authSession); + + } else { + logger.info("Re-sent some previous request to Authorization endpoint. Likely browser 'back' or 'refresh' button."); + + // See if we have lastProcessedExecution note. If yes, we are expired. Also if we are in different flow than initial one. Otherwise it is browser refresh of initial username/password form + if (!shouldShowExpirePage(authSession)) { + return new AuthorizationEndpointChecks(authSession); + } else { + CacheControlUtil.noBackButtonCacheControlHeader(); + + Response response = new PageExpiredRedirect(session, realm, uriInfo) + .showPageExpired(authSession); + return new AuthorizationEndpointChecks(response); + } + } + } + + UserSessionModel userSession = authSessionId==null ? null : session.sessions().getUserSession(realm, authSessionId); + + if (userSession != null) { + logger.infof("Sent request to authz endpoint. We don't have authentication session with ID '%s' but we have userSession. Will re-create authentication session with same ID", authSessionId); + authSession = session.authenticationSessions().createAuthenticationSession(authSessionId, realm, client); + } else { + authSession = manager.createAuthenticationSession(realm, client, true); + logger.infof("Sent request to authz endpoint. Created new authentication session with ID '%s'", authSession.getId()); + } + + return new AuthorizationEndpointChecks(authSession); + + } + + private boolean hasProcessedExecution(AuthenticationSessionModel authSession) { + String lastProcessedExecution = authSession.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION); + return (lastProcessedExecution != null); + } + + // See if we have lastProcessedExecution note. If yes, we are expired. Also if we are in different flow than initial one. Otherwise it is browser refresh of initial username/password form + private boolean shouldShowExpirePage(AuthenticationSessionModel authSession) { + if (hasProcessedExecution(authSession)) { + return true; + } + + String initialFlow = authSession.getClientNote(APP_INITIATED_FLOW); + if (initialFlow == null) { + initialFlow = LoginActionsService.AUTHENTICATE_PATH; + } + + String lastFlow = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); + // Check if we transitted between flows (eg. clicking "register" on login screen) + if (!initialFlow.equals(lastFlow)) { + logger.infof("Transition between flows! Current flow: %s, Previous flow: %s", initialFlow, lastFlow); + + if (lastFlow == null || LoginActionsService.isFlowTransitionAllowed(initialFlow, lastFlow)) { + authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, initialFlow); + authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + return false; + } else { + return true; + } + } + + return false; + } + + // Try to see if it is new request from the application, or refresh of some previous request + protected abstract boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestState); + + + protected static class AuthorizationEndpointChecks { + public final AuthenticationSessionModel authSession; + public final Response response; + + private AuthorizationEndpointChecks(Response response) { + this.authSession = null; + this.response = response; + } + + private AuthorizationEndpointChecks(AuthenticationSessionModel authSession) { + this.authSession = authSession; + this.response = null; + } + } + } \ No newline at end of file diff --git a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java index 22d764dc20..0e488e18d7 100644 --- a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java +++ b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java @@ -28,6 +28,7 @@ import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.util.CookieHelper; import org.keycloak.sessions.AuthenticationSessionModel; @@ -38,7 +39,7 @@ import java.util.HashMap; import java.util.Map; /** - * This is an an encoded token that is stored as a cookie so that if there is a client timeout, then the client session + * This is an an encoded token that is stored as a cookie so that if there is a client timeout, then the authentication session * can be restarted. * * @author Bill Burke @@ -47,8 +48,6 @@ import java.util.Map; public class RestartLoginCookie { private static final Logger logger = Logger.getLogger(RestartLoginCookie.class); public static final String KC_RESTART = "KC_RESTART"; - @JsonProperty("cs") - protected String authenticationSession; @JsonProperty("cid") protected String clientId; @@ -65,14 +64,6 @@ public class RestartLoginCookie { @JsonProperty("notes") protected Map notes = new HashMap<>(); - public String getAuthenticationSession() { - return authenticationSession; - } - - public void setAuthenticationSession(String authenticationSession) { - this.authenticationSession = authenticationSession; - } - public Map getNotes() { return notes; } @@ -128,8 +119,7 @@ public class RestartLoginCookie { this.clientId = clientSession.getClient().getClientId(); this.authMethod = clientSession.getProtocol(); this.redirectUri = clientSession.getRedirectUri(); - this.authenticationSession = clientSession.getId(); - for (Map.Entry entry : clientSession.getNotes().entrySet()) { + for (Map.Entry entry : clientSession.getClientNotes().entrySet()) { notes.put(entry.getKey(), entry.getValue()); } } @@ -150,10 +140,6 @@ public class RestartLoginCookie { public static AuthenticationSessionModel restartSession(KeycloakSession session, RealmModel realm) throws Exception { - return restartSessionByClientSession(session, realm); - } - - private static AuthenticationSessionModel restartSessionByClientSession(KeycloakSession session, RealmModel realm) throws Exception { Cookie cook = session.getContext().getRequestHeaders().getCookies().get(KC_RESTART); if (cook == null) { logger.debug("KC_RESTART cookie doesn't exist"); @@ -171,12 +157,12 @@ public class RestartLoginCookie { ClientModel client = realm.getClientByClientId(cookie.getClientId()); if (client == null) return null; - AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, true); authSession.setProtocol(cookie.getAuthMethod()); authSession.setRedirectUri(cookie.getRedirectUri()); authSession.setAction(cookie.getAction()); for (Map.Entry entry : cookie.getNotes().entrySet()) { - authSession.setNote(entry.getKey(), entry.getValue()); + authSession.setClientNote(entry.getKey(), entry.getValue()); } return authSession; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java index 59b7835007..13d24a7926 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java @@ -36,6 +36,7 @@ import org.keycloak.protocol.oidc.utils.OIDCResponseType; import org.keycloak.representations.AccessTokenResponse; import org.keycloak.services.ServicesLogger; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ResourceAdminManager; import org.keycloak.sessions.CommonClientSessionModel; @@ -130,9 +131,7 @@ public class OIDCLoginProtocol implements LoginProtocol { } - private void setupResponseTypeAndMode(CommonClientSessionModel clientSession) { - String responseType = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); - String responseMode = clientSession.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); + private void setupResponseTypeAndMode(String responseType, String responseMode) { this.responseType = OIDCResponseType.parse(responseType); this.responseMode = OIDCResponseMode.parse(responseMode, this.responseType); this.event.detail(Details.RESPONSE_TYPE, responseType); @@ -171,9 +170,12 @@ public class OIDCLoginProtocol implements LoginProtocol { @Override - public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { - AuthenticatedClientSessionModel clientSession = accessCode.getClientSession(); - setupResponseTypeAndMode(clientSession); + public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, clientSession); + + String responseTypeParam = clientSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); + String responseModeParam = clientSession.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); + setupResponseTypeAndMode(responseTypeParam, responseModeParam); String redirect = clientSession.getRedirectUri(); OIDCRedirectUriBuilder redirectUri = OIDCRedirectUriBuilder.fromUri(redirect, responseMode); @@ -230,15 +232,16 @@ public class OIDCLoginProtocol implements LoginProtocol { @Override public Response sendError(AuthenticationSessionModel authSession, Error error) { - setupResponseTypeAndMode(authSession); + String responseTypeParam = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); + String responseModeParam = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); + setupResponseTypeAndMode(responseTypeParam, responseModeParam); String redirect = authSession.getRedirectUri(); - String state = authSession.getNote(OIDCLoginProtocol.STATE_PARAM); + String state = authSession.getClientNote(OIDCLoginProtocol.STATE_PARAM); OIDCRedirectUriBuilder redirectUri = OIDCRedirectUriBuilder.fromUri(redirect, responseMode).addParam(OAuth2Constants.ERROR, translateError(error)); if (state != null) redirectUri.addParam(OAuth2Constants.STATE, state); - session.authenticationSessions().removeAuthenticationSession(realm, authSession); - RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); + new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, true); return redirectUri.build(); } @@ -296,13 +299,13 @@ public class OIDCLoginProtocol implements LoginProtocol { } protected boolean isPromptLogin(AuthenticationSessionModel authSession) { - String prompt = authSession.getNote(OIDCLoginProtocol.PROMPT_PARAM); + String prompt = authSession.getClientNote(OIDCLoginProtocol.PROMPT_PARAM); return TokenUtil.hasPrompt(prompt, OIDCLoginProtocol.PROMPT_VALUE_LOGIN); } protected boolean isAuthTimeExpired(UserSessionModel userSession, AuthenticationSessionModel authSession) { String authTime = userSession.getNote(AuthenticationManager.AUTH_TIME); - String maxAge = authSession.getNote(OIDCLoginProtocol.MAX_AGE_PARAM); + String maxAge = authSession.getClientNote(OIDCLoginProtocol.MAX_AGE_PARAM); if (maxAge == null) { return false; } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java index cd7c65cfe5..93df9b0d69 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java @@ -57,6 +57,7 @@ import org.keycloak.representations.IDToken; import org.keycloak.representations.RefreshToken; import org.keycloak.services.ErrorResponseException; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.UserSessionManager; import org.keycloak.sessions.AuthenticationSessionModel; @@ -358,14 +359,18 @@ public class TokenManager { public static AuthenticatedClientSessionModel attachAuthenticationSession(KeycloakSession session, UserSessionModel userSession, AuthenticationSessionModel authSession) { ClientModel client = authSession.getClient(); - AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); + if (clientSession == null) { + clientSession = session.sessions().createClientSession(userSession.getRealm(), client, userSession); + } + clientSession.setRedirectUri(authSession.getRedirectUri()); clientSession.setProtocol(authSession.getProtocol()); clientSession.setRoles(authSession.getRoles()); clientSession.setProtocolMappers(authSession.getProtocolMappers()); - Map transferredNotes = authSession.getNotes(); + Map transferredNotes = authSession.getClientNotes(); for (Map.Entry entry : transferredNotes.entrySet()) { clientSession.setNote(entry.getKey(), entry.getValue()); } @@ -378,7 +383,7 @@ public class TokenManager { clientSession.setTimestamp(Time.currentTime()); // Remove authentication session now - session.authenticationSessions().removeAuthenticationSession(userSession.getRealm(), authSession); + new AuthenticationSessionManager(session).removeAuthenticationSession(userSession.getRealm(), authSession, true); return clientSession; } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java index 6691712e38..0cd0219a00 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java @@ -41,6 +41,7 @@ import org.keycloak.protocol.oidc.utils.RedirectUtils; import org.keycloak.services.ErrorPageException; import org.keycloak.services.ServicesLogger; import org.keycloak.services.Urls; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; @@ -67,7 +68,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { * Prefix used to store additional HTTP GET params from original client request into {@link AuthenticationSessionModel} note to be available later in Authenticators, RequiredActions etc. Prefix is used to * prevent collisions with internally used notes. * - * @see AuthenticationSessionModel#getNote(String) + * @see AuthenticationSessionModel#getClientNote(String) */ public static final String LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_"; @@ -126,7 +127,13 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { return errorResponse; } - createLoginSession(); + AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, request.getState()); + if (checks.response != null) { + return checks.response; + } + + authenticationSession = checks.authSession; + updateAuthenticationSession(); // So back button doesn't work CacheControlUtil.noBackButtonCacheControlHeader(); @@ -164,6 +171,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { return this; } + private void checkSsl() { if (!uriInfo.getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) { event.error(Errors.SSL_REQUIRED); @@ -358,39 +366,57 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { } } - private void createLoginSession() { - authenticationSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + + @Override + protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String stateFromRequest) { + if (stateFromRequest==null) { + return true; + } + + // Check if it's different client + if (!clientFromRequest.equals(authSession.getClient())) { + return true; + } + + // If state is same, we likely have the refresh of some previous request + String stateFromSession = authSession.getClientNote(OIDCLoginProtocol.STATE_PARAM); + return !stateFromRequest.equals(stateFromSession); + } + + + private void updateAuthenticationSession() { authenticationSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); authenticationSession.setRedirectUri(redirectUri); authenticationSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - authenticationSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType()); - authenticationSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam()); - authenticationSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + authenticationSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType()); + authenticationSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam()); + authenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - if (request.getState() != null) authenticationSession.setNote(OIDCLoginProtocol.STATE_PARAM, request.getState()); - if (request.getNonce() != null) authenticationSession.setNote(OIDCLoginProtocol.NONCE_PARAM, request.getNonce()); - if (request.getMaxAge() != null) authenticationSession.setNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(request.getMaxAge())); - if (request.getScope() != null) authenticationSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, request.getScope()); - if (request.getLoginHint() != null) authenticationSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, request.getLoginHint()); - if (request.getPrompt() != null) authenticationSession.setNote(OIDCLoginProtocol.PROMPT_PARAM, request.getPrompt()); - if (request.getIdpHint() != null) authenticationSession.setNote(AdapterConstants.KC_IDP_HINT, request.getIdpHint()); - if (request.getResponseMode() != null) authenticationSession.setNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, request.getResponseMode()); + if (request.getState() != null) authenticationSession.setClientNote(OIDCLoginProtocol.STATE_PARAM, request.getState()); + if (request.getNonce() != null) authenticationSession.setClientNote(OIDCLoginProtocol.NONCE_PARAM, request.getNonce()); + if (request.getMaxAge() != null) authenticationSession.setClientNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(request.getMaxAge())); + if (request.getScope() != null) authenticationSession.setClientNote(OIDCLoginProtocol.SCOPE_PARAM, request.getScope()); + if (request.getLoginHint() != null) authenticationSession.setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, request.getLoginHint()); + if (request.getPrompt() != null) authenticationSession.setClientNote(OIDCLoginProtocol.PROMPT_PARAM, request.getPrompt()); + if (request.getIdpHint() != null) authenticationSession.setClientNote(AdapterConstants.KC_IDP_HINT, request.getIdpHint()); + if (request.getResponseMode() != null) authenticationSession.setClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, request.getResponseMode()); // https://tools.ietf.org/html/rfc7636#section-4 - if (request.getCodeChallenge() != null) loginSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_PARAM, request.getCodeChallenge()); + if (request.getCodeChallenge() != null) authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_PARAM, request.getCodeChallenge()); if (request.getCodeChallengeMethod() != null) { - loginSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, request.getCodeChallengeMethod()); + authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, request.getCodeChallengeMethod()); } else { - loginSession.setNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, OIDCLoginProtocol.PKCE_METHOD_PLAIN); + authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, OIDCLoginProtocol.PKCE_METHOD_PLAIN); } if (request.getAdditionalReqParams() != null) { for (String paramName : request.getAdditionalReqParams().keySet()) { - authenticationSession.setNote(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + paramName, request.getAdditionalReqParams().get(paramName)); + authenticationSession.setClientNote(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + paramName, request.getAdditionalReqParams().get(paramName)); } } } + private Response buildAuthorizationCodeAuthorizationResponse() { this.event.event(EventType.LOGIN); authenticationSession.setAuthNote(Details.AUTH_TYPE, CODE_AUTH_TYPE); @@ -405,6 +431,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { String flowId = flow.getId(); AuthenticationProcessor processor = createProcessor(authenticationSession, flowId, LoginActionsService.REGISTRATION_PATH); + authenticationSession.setClientNote(APP_INITIATED_FLOW, LoginActionsService.REGISTRATION_PATH); return processor.authenticate(); } @@ -416,6 +443,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { String flowId = flow.getId(); AuthenticationProcessor processor = createProcessor(authenticationSession, flowId, LoginActionsService.RESET_CREDENTIALS_PATH); + authenticationSession.setClientNote(APP_INITIATED_FLOW, LoginActionsService.REGISTRATION_PATH); return processor.authenticate(); } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java index 2a6c2dc68f..d564840dce 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java @@ -47,6 +47,7 @@ import org.keycloak.services.ErrorResponseException; import org.keycloak.services.ServicesLogger; import org.keycloak.services.Urls; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.ClientManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.RealmManager; @@ -416,11 +417,11 @@ public class TokenEndpoint { } String scope = formParams.getFirst(OAuth2Constants.SCOPE); - AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, false); + AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, false); authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); authSession.setAction(AuthenticatedClientSessionModel.Action.AUTHENTICATE.name()); - authSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - authSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); + authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + authSession.setClientNote(OIDCLoginProtocol.SCOPE_PARAM, scope); AuthenticationFlowModel flow = realm.getDirectGrantFlow(); String flowId = flow.getId(); @@ -442,6 +443,9 @@ public class TokenEndpoint { throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Account is not fully set up", Response.Status.BAD_REQUEST); } + + AuthenticationManager.setRolesAndMappersInSession(authSession); + AuthenticatedClientSessionModel clientSession = processor.attachSession(); UserSessionModel userSession = processor.getUserSession(); updateUserSessionFromClientAuth(userSession); @@ -492,14 +496,16 @@ public class TokenEndpoint { String scope = formParams.getFirst(OAuth2Constants.SCOPE); - AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, false); + AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, false); + authSession.setAuthenticatedUser(clientUser); authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - authSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); - authSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope); + authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + authSession.setClientNote(OIDCLoginProtocol.SCOPE_PARAM, scope); - UserSessionModel userSession = session.sessions().createUserSession(realm, clientUser, clientUsername, clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null); + UserSessionModel userSession = session.sessions().createUserSession(authSession.getId(), realm, clientUser, clientUsername, clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null); event.session(userSession); + AuthenticationManager.setRolesAndMappersInSession(authSession); AuthenticatedClientSessionModel clientSession = TokenManager.attachAuthenticationSession(session, userSession, authSession); // Notes about client details diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java index db43a7506d..10e45a23fd 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java @@ -57,6 +57,7 @@ import org.keycloak.saml.common.exceptions.ProcessingException; import org.keycloak.saml.common.util.XmlKeyInfoKeyNameTransformer; import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator; import org.keycloak.services.ErrorPage; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ResourceAdminManager; import org.keycloak.services.messages.Messages; @@ -177,7 +178,7 @@ public class SamlProtocol implements LoginProtocol { } else { SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(authSession.getRedirectUri()).issuer(getResponseIssuer(realm)).status(translateErrorToSAMLStatus(error).get()); try { - JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder().relayState(authSession.getNote(GeneralConstants.RELAY_STATE)); + JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder().relayState(authSession.getClientNote(GeneralConstants.RELAY_STATE)); SamlClient samlClient = new SamlClient(client); KeyManager keyManager = session.keys(); if (samlClient.requiresRealmSignature()) { @@ -206,8 +207,7 @@ public class SamlProtocol implements LoginProtocol { } } } finally { - RestartLoginCookie.expireRestartCookie(realm, session.getContext().getConnection(), uriInfo); - session.authenticationSessions().removeAuthenticationSession(realm, authSession); + new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, true); } } @@ -250,10 +250,16 @@ public class SamlProtocol implements LoginProtocol { return RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString(); } - protected boolean isPostBinding(CommonClientSessionModel authSession) { + protected boolean isPostBinding(AuthenticationSessionModel authSession) { ClientModel client = authSession.getClient(); SamlClient samlClient = new SamlClient(client); - return SamlProtocol.SAML_POST_BINDING.equals(authSession.getNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding(); + return SamlProtocol.SAML_POST_BINDING.equals(authSession.getClientNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding(); + } + + protected boolean isPostBinding(AuthenticatedClientSessionModel clientSession) { + ClientModel client = clientSession.getClient(); + SamlClient samlClient = new SamlClient(client); + return SamlProtocol.SAML_POST_BINDING.equals(clientSession.getNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding(); } public static boolean isLogoutPostBindingForInitiator(UserSessionModel session) { @@ -286,7 +292,7 @@ public class SamlProtocol implements LoginProtocol { return (logoutRedirectUrl == null || logoutRedirectUrl.trim().isEmpty()); } - protected String getNameIdFormat(SamlClient samlClient, CommonClientSessionModel clientSession) { + protected String getNameIdFormat(SamlClient samlClient, AuthenticatedClientSessionModel clientSession) { String nameIdFormat = clientSession.getNote(GeneralConstants.NAMEID_FORMAT); boolean forceFormat = samlClient.forceNameIDFormat(); @@ -353,8 +359,8 @@ public class SamlProtocol implements LoginProtocol { } @Override - public Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode) { - AuthenticatedClientSessionModel clientSession = accessCode.getClientSession(); + public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) { + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, clientSession); ClientModel client = clientSession.getClient(); SamlClient samlClient = new SamlClient(client); String requestID = clientSession.getNote(SAML_REQUEST_ID); diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java index 29daf1e5ee..f81d25dad6 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java @@ -55,6 +55,7 @@ import org.keycloak.saml.common.constants.JBossSAMLURIConstants; import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder; import org.keycloak.services.ErrorPage; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.RealmsResource; import org.keycloak.services.util.CacheControlUtil; @@ -89,7 +90,7 @@ import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator; import org.keycloak.sessions.AuthenticationSessionModel; /** - * Resource class for the oauth/openid connect token service + * Resource class for the saml connect token service * * @author Bill Burke * @version $Revision: 1 $ @@ -101,6 +102,8 @@ public class SamlService extends AuthorizationEndpointBase { @Context protected KeycloakSession session; + private String requestRelayState; + public SamlService(RealmModel realm, EventBuilder event) { super(realm, event); } @@ -271,13 +274,19 @@ public class SamlService extends AuthorizationEndpointBase { return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); } - AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, relayState); + if (checks.response != null) { + return checks.response; + } + + AuthenticationSessionModel authSession = checks.authSession; + authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); authSession.setRedirectUri(redirect); authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - authSession.setNote(SamlProtocol.SAML_BINDING, bindingType); - authSession.setNote(GeneralConstants.RELAY_STATE, relayState); - authSession.setNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID()); + authSession.setClientNote(SamlProtocol.SAML_BINDING, bindingType); + authSession.setClientNote(GeneralConstants.RELAY_STATE, relayState); + authSession.setClientNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID()); // Handle NameIDPolicy from SP NameIDPolicyType nameIdPolicy = requestAbstractType.getNameIDPolicy(); @@ -286,7 +295,7 @@ public class SamlService extends AuthorizationEndpointBase { String nameIdFormat = nameIdFormatUri.toString(); // TODO: Handle AllowCreate too, relevant for persistent NameID. if (isSupportedNameIdFormat(nameIdFormat)) { - authSession.setNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat); + authSession.setClientNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat); } else { event.detail(Details.REASON, "unsupported_nameid_format"); event.error(Errors.INVALID_SAML_AUTHN_REQUEST); @@ -302,7 +311,7 @@ public class SamlService extends AuthorizationEndpointBase { BaseIDAbstractType baseID = subject.getSubType().getBaseID(); if (baseID != null && baseID instanceof NameIDType) { NameIDType nameID = (NameIDType) baseID; - authSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, nameID.getValue()); + authSession.setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, nameID.getValue()); } } @@ -443,6 +452,16 @@ public class SamlService extends AuthorizationEndpointBase { return !realm.getSslRequired().isRequired(clientConnection); } } + + public Response execute(String samlRequest, String samlResponse, String relayState) { + Response response = basicChecks(samlRequest, samlResponse); + if (response != null) + return response; + if (samlRequest != null) + return handleSamlRequest(samlRequest, relayState); + else + return handleSamlResponse(samlResponse, relayState); + } } protected class PostBindingProtocol extends BindingProtocol { @@ -467,16 +486,6 @@ public class SamlService extends AuthorizationEndpointBase { return SamlProtocol.SAML_POST_BINDING; } - public Response execute(String samlRequest, String samlResponse, String relayState) { - Response response = basicChecks(samlRequest, samlResponse); - if (response != null) - return response; - if (samlRequest != null) - return handleSamlRequest(samlRequest, relayState); - else - return handleSamlResponse(samlResponse, relayState); - } - } protected class RedirectBindingProtocol extends BindingProtocol { @@ -507,16 +516,6 @@ public class SamlService extends AuthorizationEndpointBase { return SamlProtocol.SAML_REDIRECT_BINDING; } - public Response execute(String samlRequest, String samlResponse, String relayState) { - Response response = basicChecks(samlRequest, samlResponse); - if (response != null) - return response; - if (samlRequest != null) - return handleSamlRequest(samlRequest, relayState); - else - return handleSamlResponse(samlResponse, relayState); - } - } protected Response newBrowserAuthentication(AuthenticationSessionModel authSession, boolean isPassive, boolean redirectToAuthentication) { @@ -616,7 +615,7 @@ public class SamlService extends AuthorizationEndpointBase { return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); } - AuthenticationSessionModel authSession = createLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState); + AuthenticationSessionModel authSession = getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState); return newBrowserAuthentication(authSession, false, false); } @@ -632,7 +631,7 @@ public class SamlService extends AuthorizationEndpointBase { * @param relayState Optional relay state - free field as per SAML specification * @return */ - public static AuthenticationSessionModel createLoginSessionForIdpInitiatedSso(KeycloakSession session, RealmModel realm, ClientModel client, String relayState) { + public AuthenticationSessionModel getOrCreateLoginSessionForIdpInitiatedSso(KeycloakSession session, RealmModel realm, ClientModel client, String relayState) { String bindingType = SamlProtocol.SAML_POST_BINDING; if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) != null) { bindingType = SamlProtocol.SAML_REDIRECT_BINDING; @@ -648,23 +647,49 @@ public class SamlService extends AuthorizationEndpointBase { redirect = client.getManagementUrl(); } - AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, null); + if (checks.response != null) { + throw new IllegalStateException("Not expected to detect re-sent request for IDP initiated SSO"); + } + + AuthenticationSessionModel authSession = checks.authSession; authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); - authSession.setNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING); - authSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true"); + authSession.setClientNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING); + authSession.setClientNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true"); authSession.setRedirectUri(redirect); if (relayState == null) { relayState = client.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE); } if (relayState != null && !relayState.trim().equals("")) { - authSession.setNote(GeneralConstants.RELAY_STATE, relayState); + authSession.setClientNote(GeneralConstants.RELAY_STATE, relayState); } return authSession; } + + @Override + protected boolean isNewRequest(AuthenticationSessionModel authSession, ClientModel clientFromRequest, String requestRelayState) { + // No support of browser "refresh" or "back" buttons for SAML IDP initiated SSO. So always treat as new request + String idpInitiated = authSession.getClientNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN); + if (Boolean.parseBoolean(idpInitiated)) { + return true; + } + + if (requestRelayState == null) { + return true; + } + + // Check if it's different client + if (!clientFromRequest.equals(authSession.getClient())) { + return true; + } + + return !requestRelayState.equals(authSession.getClientNote(GeneralConstants.RELAY_STATE)); + } + @POST @NoCache @Consumes({"application/soap+xml",MediaType.TEXT_XML}) diff --git a/services/src/main/java/org/keycloak/services/Urls.java b/services/src/main/java/org/keycloak/services/Urls.java index 8735cc8900..b86c04fd80 100755 --- a/services/src/main/java/org/keycloak/services/Urls.java +++ b/services/src/main/java/org/keycloak/services/Urls.java @@ -207,8 +207,7 @@ public class Urls { } public static URI realmLoginRestartPage(URI baseUri, String realmId) { - return loginActionsBase(baseUri).path(LoginActionsService.class, "authenticate") - .queryParam("restart", "true") + return loginActionsBase(baseUri).path(LoginActionsService.class, "restartSession") .build(realmId); } diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index 10b5e3d1c8..0ba5d77ced 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -39,6 +39,7 @@ import org.keycloak.jose.jws.AlgorithmType; import org.keycloak.jose.jws.JWSBuilder; import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; +import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ClientTemplateModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; @@ -52,16 +53,19 @@ import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.LoginProtocol; import org.keycloak.protocol.LoginProtocol.Error; +import org.keycloak.protocol.RestartLoginCookie; import org.keycloak.protocol.oidc.TokenManager; import org.keycloak.representations.AccessToken; import org.keycloak.services.ServicesLogger; import org.keycloak.services.Urls; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.IdentityBrokerService; +import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.resources.RealmsResource; import org.keycloak.services.util.CookieHelper; import org.keycloak.services.util.P3PHelper; import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.CommonClientSessionModel; import javax.crypto.SecretKey; import javax.ws.rs.core.Cookie; @@ -69,6 +73,7 @@ import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.NewCookie; import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import java.net.URI; import java.security.PublicKey; @@ -88,6 +93,9 @@ public class AuthenticationManager { public static final String SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS= "SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS"; public static final String END_AFTER_REQUIRED_ACTIONS = "END_AFTER_REQUIRED_ACTIONS"; + // Last authenticated client in userSession. + public static final String LAST_AUTHENTICATED_CLIENT = "LAST_AUTHENTICATED_CLIENT"; + // userSession note with authTime (time when authentication flow including requiredActions was finished) public static final String AUTH_TIME = "AUTH_TIME"; // clientSession note with flag that clientSession was authenticated through SSO cookie @@ -470,7 +478,9 @@ public class AuthenticationManager { userSession.setNote(AUTH_TIME, String.valueOf(authTime)); } - return protocol.authenticated(userSession, new ClientSessionCode<>(session, realm, clientSession)); + userSession.setNote(LAST_AUTHENTICATED_CLIENT, clientSession.getClient().getId()); + + return protocol.authenticated(userSession, clientSession); } @@ -485,11 +495,32 @@ public class AuthenticationManager { HttpRequest request, UriInfo uriInfo, EventBuilder event) { Response requiredAction = actionRequired(session, authSession, clientConnection, request, uriInfo, event); if (requiredAction != null) return requiredAction; - return finishedRequiredActions(session, authSession, clientConnection, request, uriInfo, event); + return finishedRequiredActions(session, authSession, null, clientConnection, request, uriInfo, event); } - public static Response finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, + + public static Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession, UriInfo uriInfo, String requiredAction) { + // redirect to non-action url so browser refresh button works without reposting past data + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authSession); + accessCode.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name()); + authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, LoginActionsService.REQUIRED_ACTION); + authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, requiredAction); + + UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo) + .path(LoginActionsService.REQUIRED_ACTION); + + if (requiredAction != null) { + uriBuilder.queryParam("execution", requiredAction); + } + + URI redirect = uriBuilder.build(realm.getName()); + return Response.status(302).location(redirect).build(); + + } + + + public static Response finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event) { if (authSession.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null) { LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class) @@ -506,10 +537,12 @@ public class AuthenticationManager { .createInfoPage(); return response; + // TODO:mposolda doublecheck if restart-cookie and authentication session are cleared in this flow + } RealmModel realm = authSession.getRealm(); - AuthenticatedClientSessionModel clientSession = AuthenticationProcessor.attachSession(authSession, null, session, realm, clientConnection, event); + AuthenticatedClientSessionModel clientSession = AuthenticationProcessor.attachSession(authSession, userSession, session, realm, clientConnection, event); event.event(EventType.LOGIN); event.session(clientSession.getUserSession()); @@ -517,16 +550,22 @@ public class AuthenticationManager { return redirectAfterSuccessfulFlow(session, realm, clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, authSession.getProtocol()); } - public static boolean isActionRequired(final KeycloakSession session, final AuthenticationSessionModel authSession, - final ClientConnection clientConnection, - final HttpRequest request, final UriInfo uriInfo, final EventBuilder event) { + // Return null if action is not required. Or the name of the requiredAction in case it is required. + public static String nextRequiredAction(final KeycloakSession session, final AuthenticationSessionModel authSession, + final ClientConnection clientConnection, + final HttpRequest request, final UriInfo uriInfo, final EventBuilder event) { final RealmModel realm = authSession.getRealm(); final UserModel user = authSession.getAuthenticatedUser(); final ClientModel client = authSession.getClient(); evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user); - if (!user.getRequiredActions().isEmpty() || !authSession.getRequiredActions().isEmpty()) return true; + if (!user.getRequiredActions().isEmpty()) { + return user.getRequiredActions().iterator().next(); + } + if (!authSession.getRequiredActions().isEmpty()) { + return authSession.getRequiredActions().iterator().next(); + } if (client.isConsentRequired()) { @@ -539,13 +578,13 @@ public class AuthenticationManager { if (grantedConsent != null && grantedConsent.isRoleGranted(r)) { continue; } - return true; + return CommonClientSessionModel.Action.OAUTH_GRANT.name(); } for (ProtocolMapperModel protocolMapper : accessCode.getRequestedProtocolMappers()) { if (protocolMapper.isConsentRequired() && protocolMapper.getConsentText() != null) { if (grantedConsent == null || !grantedConsent.isProtocolMapperGranted(protocolMapper)) { - return true; + return CommonClientSessionModel.Action.OAUTH_GRANT.name(); } } } @@ -554,7 +593,7 @@ public class AuthenticationManager { } else { event.detail(Details.CONSENT, Details.CONSENT_VALUE_NO_CONSENT_REQUIRED); } - return false; + return null; } @@ -617,7 +656,7 @@ public class AuthenticationManager { accessCode. setAction(AuthenticatedClientSessionModel.Action.REQUIRED_ACTIONS.name()); - authSession.setAuthNote(CURRENT_REQUIRED_ACTION, AuthenticatedClientSessionModel.Action.OAUTH_GRANT.name()); + authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, AuthenticatedClientSessionModel.Action.OAUTH_GRANT.name()); return session.getProvider(LoginFormsProvider.class) .setClientSessionCode(accessCode.getCode()) @@ -641,7 +680,7 @@ public class AuthenticationManager { Set requestedRoles = new HashSet(); // todo scope param protocol independent - String scopeParam = authSession.getNote(OAuth2Constants.SCOPE); + String scopeParam = authSession.getClientNote(OAuth2Constants.SCOPE); for (RoleModel r : TokenManager.getAccess(scopeParam, true, client, user)) { requestedRoles.add(r.getId()); } @@ -697,7 +736,7 @@ public class AuthenticationManager { return response; } else if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) { - authSession.setAuthNote(CURRENT_REQUIRED_ACTION, model.getProviderId()); + authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, model.getProviderId()); return context.getChallenge(); } else if (context.getStatus() == RequiredActionContext.Status.SUCCESS) { diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java new file mode 100644 index 0000000000..04271f1c24 --- /dev/null +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java @@ -0,0 +1,115 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.services.managers; + +import javax.ws.rs.core.UriInfo; + +import org.jboss.logging.Logger; +import org.keycloak.common.ClientConnection; +import org.keycloak.models.ClientModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserSessionModel; +import org.keycloak.protocol.RestartLoginCookie; +import org.keycloak.services.util.CookieHelper; +import org.keycloak.sessions.AuthenticationSessionModel; + +/** + * @author Marek Posolda + */ +public class AuthenticationSessionManager { + + private static final String AUTH_SESSION_ID = "AUTH_SESSION_ID"; + + private static final Logger log = Logger.getLogger(AuthenticationSessionManager.class); + + private final KeycloakSession session; + + public AuthenticationSessionManager(KeycloakSession session) { + this.session = session; + } + + + public AuthenticationSessionModel createAuthenticationSession(RealmModel realm, ClientModel client, boolean browserCookie) { + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client); + + if (browserCookie) { + setAuthSessionCookie(authSession.getId(), realm); + } + + return authSession; + } + + + public String getCurrentAuthenticationSessionId(RealmModel realm) { + return getAuthSessionCookie(); + } + + + public AuthenticationSessionModel getCurrentAuthenticationSession(RealmModel realm) { + String authSessionId = getAuthSessionCookie(); + return authSessionId==null ? null : session.authenticationSessions().getAuthenticationSession(realm, authSessionId); + } + + + public void setAuthSessionCookie(String authSessionId, RealmModel realm) { + UriInfo uriInfo = session.getContext().getUri(); + String cookiePath = AuthenticationManager.getRealmCookiePath(realm, uriInfo); + + boolean sslRequired = realm.getSslRequired().isRequired(session.getContext().getConnection()); + CookieHelper.addCookie(AUTH_SESSION_ID, authSessionId, cookiePath, null, null, -1, sslRequired, true); + + // TODO trace with isTraceEnabled + log.infof("Set AUTH_SESSION_ID cookie with value %s", authSessionId); + } + + + public String getAuthSessionCookie() { + String cookieVal = CookieHelper.getCookieValue(AUTH_SESSION_ID); + + if (log.isTraceEnabled()) { + if (cookieVal != null) { + log.tracef("Found AUTH_SESSION_ID cookie with value %s", cookieVal); + } else { + log.tracef("Not found AUTH_SESSION_ID cookie"); + } + } + + return cookieVal; + } + + + public void removeAuthenticationSession(RealmModel realm, AuthenticationSessionModel authSession, boolean expireRestartCookie) { + log.infof("Removing authSession '%s'. Expire restart cookie: %b", authSession.getId(), expireRestartCookie); + session.authenticationSessions().removeAuthenticationSession(realm, authSession); + + // expire restart cookie + if (expireRestartCookie) { + ClientConnection clientConnection = session.getContext().getConnection(); + UriInfo uriInfo = session.getContext().getUri(); + RestartLoginCookie.expireRestartCookie(realm, clientConnection, uriInfo); + } + } + + + // Check to see if we already have authenticationSession with same ID + public UserSessionModel getUserSession(AuthenticationSessionModel authSession) { + return session.sessions().getUserSession(authSession.getRealm(), authSession.getId()); + } + +} diff --git a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java b/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java similarity index 84% rename from server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java rename to services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java index 873c614c04..ce7a8a1c48 100755 --- a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java +++ b/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java @@ -27,7 +27,6 @@ import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.OAuth2Constants; import org.keycloak.sessions.CommonClientSessionModel; import java.security.MessageDigest; @@ -44,8 +43,6 @@ public class ClientSessionCode private static final Logger logger = Logger.getLogger(ClientSessionCode.class); - private static final String NEXT_CODE = ClientSessionCode.class.getName() + ".nextCode"; - private KeycloakSession session; private final RealmModel realm; private final CLIENT_SESSION commonLoginSession; @@ -112,7 +109,8 @@ public class ClientSessionCode } public static CLIENT_SESSION getClientSession(String code, KeycloakSession session, RealmModel realm, Class sessionClass) { - CLIENT_SESSION clientSession = CodeGenerateUtil.parseSession(code, session, realm, sessionClass); + CommonClientSessionModel clientSessionn = CodeGenerateUtil.getParser(sessionClass).parseSession(code, session, realm);; + CLIENT_SESSION clientSession = sessionClass.cast(clientSessionn); // TODO:mposolda Move this to somewhere else? Maybe LoginActionsService.sessionCodeChecks should be somehow even for non-action URLs... if (clientSession != null) { @@ -164,7 +162,8 @@ public class ClientSessionCode } public void removeExpiredClientSession() { - CodeGenerateUtil.removeExpiredSession(session, commonLoginSession); + CodeGenerateUtil.ClientSessionParser parser = CodeGenerateUtil.getParser(commonLoginSession.getClass()); + parser.removeExpiredSession(session, commonLoginSession); } @@ -206,12 +205,12 @@ public class ClientSessionCode } public String getCode() { - String nextCode = (String) session.getAttribute(NEXT_CODE + "." + commonLoginSession.getId()); + CodeGenerateUtil.ClientSessionParser parser = CodeGenerateUtil.getParser(commonLoginSession.getClass()); + String nextCode = parser.getNote(commonLoginSession, ACTIVE_CODE); if (nextCode == null) { nextCode = generateCode(commonLoginSession); - session.setAttribute(NEXT_CODE + "." + commonLoginSession.getId(), nextCode); } else { - logger.debug("Code already generated for session, using code from session attributes"); + logger.debug("Code already generated for session, using same code"); } return nextCode; } @@ -225,22 +224,10 @@ public class ClientSessionCode sb.append('.'); sb.append(authSession.getId()); - // https://tools.ietf.org/html/rfc7636#section-4 - String codeChallenge = authSession.getNote(OAuth2Constants.CODE_CHALLENGE); - String codeChallengeMethod = authSession.getNote(OAuth2Constants.CODE_CHALLENGE_METHOD); - if (codeChallenge != null) { - logger.debugf("PKCE received codeChallenge = %s", codeChallenge); - if (codeChallengeMethod == null) { - logger.debug("PKCE not received codeChallengeMethod, treating plain"); - codeChallengeMethod = OAuth2Constants.PKCE_METHOD_PLAIN; - } else { - logger.debugf("PKCE received codeChallengeMethod = %s", codeChallengeMethod); - } - } + CodeGenerateUtil.ClientSessionParser parser = CodeGenerateUtil.getParser(authSession.getClass()); - String code = CodeGenerateUtil.generateCode(authSession, actionId); - - authSession.setNote(ACTIVE_CODE, code); + String code = parser.generateCode(authSession, actionId); + parser.setNote(authSession, ACTIVE_CODE, code); return code; } catch (Exception e) { @@ -250,13 +237,15 @@ public class ClientSessionCode public static boolean verifyCode(String code, CommonClientSessionModel authSession) { try { - String activeCode = authSession.getNote(ACTIVE_CODE); + CodeGenerateUtil.ClientSessionParser parser = CodeGenerateUtil.getParser(authSession.getClass()); + + String activeCode = parser.getNote(authSession, ACTIVE_CODE); if (activeCode == null) { logger.debug("Active code not found in client session"); return false; } - authSession.removeNote(ACTIVE_CODE); + parser.removeNote(authSession, ACTIVE_CODE); return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes()); } catch (Exception e) { diff --git a/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java b/services/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java similarity index 61% rename from server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java rename to services/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java index 5313e73626..eac0e642c9 100644 --- a/server-spi-private/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java +++ b/services/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java @@ -20,6 +20,8 @@ package org.keycloak.services.managers; import java.util.HashMap; import java.util.Map; +import org.jboss.logging.Logger; +import org.keycloak.OAuth2Constants; import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; @@ -34,7 +36,9 @@ import org.keycloak.sessions.AuthenticationSessionModel; */ class CodeGenerateUtil { - private static final Map, ClientSessionParser> PARSERS = new HashMap<>(); + private static final Logger logger = Logger.getLogger(CodeGenerateUtil.class); + + private static final Map, ClientSessionParser> PARSERS = new HashMap<>(); static { PARSERS.put(ClientSessionModel.class, new ClientSessionModelParser()); @@ -43,26 +47,10 @@ class CodeGenerateUtil { } - public static CS parseSession(String code, KeycloakSession session, RealmModel realm, Class expectedClazz) { - ClientSessionParser parser = PARSERS.get(expectedClazz); - CommonClientSessionModel result = parser.parseSession(code, session, realm); - return expectedClazz.cast(result); - } - - public static String generateCode(CommonClientSessionModel clientSession, String actionId) { - ClientSessionParser parser = getParser(clientSession); - return parser.generateCode(clientSession, actionId); - } - - public static void removeExpiredSession(KeycloakSession session, CommonClientSessionModel clientSession) { - ClientSessionParser parser = getParser(clientSession); - parser.removeExpiredSession(session, clientSession); - } - - private static ClientSessionParser getParser(CommonClientSessionModel clientSession) { + static ClientSessionParser getParser(Class clientSessionClass) { for (Class c : PARSERS.keySet()) { - if (c.isAssignableFrom(clientSession.getClass())) { + if (c.isAssignableFrom(clientSessionClass)) { return PARSERS.get(c); } } @@ -70,7 +58,7 @@ class CodeGenerateUtil { } - private interface ClientSessionParser { + interface ClientSessionParser { CS parseSession(String code, KeycloakSession session, RealmModel realm); @@ -78,6 +66,12 @@ class CodeGenerateUtil { void removeExpiredSession(KeycloakSession session, CS clientSession); + String getNote(CS clientSession, String name); + + void removeNote(CS clientSession, String name); + + void setNote(CS clientSession, String name, String value); + } @@ -114,6 +108,21 @@ class CodeGenerateUtil { public void removeExpiredSession(KeycloakSession session, ClientSessionModel clientSession) { session.sessions().removeClientSession(clientSession.getRealm(), clientSession); } + + @Override + public String getNote(ClientSessionModel clientSession, String name) { + return clientSession.getNote(name); + } + + @Override + public void removeNote(ClientSessionModel clientSession, String name) { + clientSession.removeNote(name); + } + + @Override + public void setNote(ClientSessionModel clientSession, String name, String value) { + clientSession.setNote(name, value); + } } @@ -122,7 +131,7 @@ class CodeGenerateUtil { @Override public AuthenticationSessionModel parseSession(String code, KeycloakSession session, RealmModel realm) { // Read authSessionID from cookie. Code is ignored for now - return session.authenticationSessions().getCurrentAuthenticationSession(realm); + return new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm); } @Override @@ -132,7 +141,22 @@ class CodeGenerateUtil { @Override public void removeExpiredSession(KeycloakSession session, AuthenticationSessionModel clientSession) { - session.authenticationSessions().removeAuthenticationSession(clientSession.getRealm(), clientSession); + new AuthenticationSessionManager(session).removeAuthenticationSession(clientSession.getRealm(), clientSession, true); + } + + @Override + public String getNote(AuthenticationSessionModel clientSession, String name) { + return clientSession.getAuthNote(name); + } + + @Override + public void removeNote(AuthenticationSessionModel clientSession, String name) { + clientSession.removeAuthNote(name); + } + + @Override + public void setNote(AuthenticationSessionModel clientSession, String name, String value) { + clientSession.setAuthNote(name, value); } } @@ -168,6 +192,21 @@ class CodeGenerateUtil { sb.append(userSessionId); sb.append('.'); sb.append(clientUUID); + + // TODO:mposolda codeChallengeMethod is not used anywhere. Not sure if it's bug of PKCE contribution. Doublecheck the PKCE specification what should be done regarding code + // https://tools.ietf.org/html/rfc7636#section-4 + String codeChallenge = clientSession.getNote(OAuth2Constants.CODE_CHALLENGE); + String codeChallengeMethod = clientSession.getNote(OAuth2Constants.CODE_CHALLENGE_METHOD); + if (codeChallenge != null) { + logger.debugf("PKCE received codeChallenge = %s", codeChallenge); + if (codeChallengeMethod == null) { + logger.debug("PKCE not received codeChallengeMethod, treating plain"); + codeChallengeMethod = OAuth2Constants.PKCE_METHOD_PLAIN; + } else { + logger.debugf("PKCE received codeChallengeMethod = %s", codeChallengeMethod); + } + } + return sb.toString(); } @@ -176,6 +215,20 @@ class CodeGenerateUtil { throw new IllegalStateException("Not yet implemented"); } + @Override + public String getNote(AuthenticatedClientSessionModel clientSession, String name) { + return clientSession.getNote(name); + } + + @Override + public void removeNote(AuthenticatedClientSessionModel clientSession, String name) { + clientSession.removeNote(name); + } + + @Override + public void setNote(AuthenticatedClientSessionModel clientSession, String name, String value) { + clientSession.setNote(name, value); + } } diff --git a/services/src/main/java/org/keycloak/services/messages/Messages.java b/services/src/main/java/org/keycloak/services/messages/Messages.java index d9d3c4ea97..295f07b27e 100755 --- a/services/src/main/java/org/keycloak/services/messages/Messages.java +++ b/services/src/main/java/org/keycloak/services/messages/Messages.java @@ -33,6 +33,8 @@ public class Messages { public static final String EXPIRED_CODE = "expiredCodeMessage"; + public static final String EXPIRED_ACTION = "expiredActionMessage"; + public static final String MISSING_FIRST_NAME = "missingFirstNameMessage"; public static final String MISSING_LAST_NAME = "missingLastNameMessage"; @@ -197,5 +199,10 @@ public class Messages { public static final String FAILED_LOGOUT = "failedLogout"; public static final String CONSENT_DENIED="consentDenied"; + public static final String ALREADY_LOGGED_IN="alreadyLoggedIn"; + + public static final String DIFFERENT_USER_AUTHENTICATED = "differentUserAuthenticated"; + + public static final String BROKER_LINKING_SESSION_EXPIRED = "brokerLinkingSessionExpired"; } diff --git a/services/src/main/java/org/keycloak/services/resources/AccountService.java b/services/src/main/java/org/keycloak/services/resources/AccountService.java index 1894686285..9dd9c4b55c 100755 --- a/services/src/main/java/org/keycloak/services/resources/AccountService.java +++ b/services/src/main/java/org/keycloak/services/resources/AccountService.java @@ -56,6 +56,7 @@ import org.keycloak.services.managers.UserSessionManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.ResolveRelative; import org.keycloak.services.validation.Validation; +import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.storage.ReadOnlyException; import org.keycloak.util.JsonSerialization; @@ -205,14 +206,18 @@ public class AccountService extends AbstractSecuredLocalService { setReferrerOnPage(); - String forwardedError = auth.getClientSession().getNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE); - if (forwardedError != null) { - try { - FormMessage errorMessage = JsonSerialization.readValue(forwardedError, FormMessage.class); - account.setError(errorMessage.getMessage(), errorMessage.getParameters()); - auth.getClientSession().removeNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE); - } catch (IOException ioe) { - throw new RuntimeException(ioe); + UserSessionModel userSession = auth.getClientSession().getUserSession(); + AuthenticationSessionModel authSession = session.authenticationSessions().getAuthenticationSession(realm, userSession.getId()); + if (authSession != null) { + String forwardedError = authSession.getAuthNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE); + if (forwardedError != null) { + try { + FormMessage errorMessage = JsonSerialization.readValue(forwardedError, FormMessage.class); + account.setError(errorMessage.getMessage(), errorMessage.getParameters()); + authSession.removeAuthNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE); + } catch (IOException ioe) { + throw new RuntimeException(ioe); + } } } @@ -766,7 +771,7 @@ public class AccountService extends AbstractSecuredLocalService { try { String nonce = UUID.randomUUID().toString(); MessageDigest md = MessageDigest.getInstance("SHA-256"); - String input = nonce + auth.getSession().getId() + auth.getClientSession().getId() + providerId; + String input = nonce + auth.getSession().getId() + client.getClientId() + providerId; byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8)); String hash = Base64Url.encode(check); URI linkUrl = Urls.identityProviderLinkRequest(this.uriInfo.getBaseUri(), providerId, realm.getName()); diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java index 749228594e..ded189d1cd 100755 --- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java +++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java @@ -16,977 +16,1127 @@ */ package org.keycloak.services.resources; +import org.jboss.logging.Logger; +import org.jboss.resteasy.annotations.cache.NoCache; +import org.jboss.resteasy.spi.HttpRequest; +import org.jboss.resteasy.spi.ResteasyProviderFactory; +import org.keycloak.authentication.AuthenticationProcessor; +import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; +import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants; +import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; +import org.keycloak.broker.provider.AuthenticationRequest; +import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.broker.provider.IdentityBrokerException; import org.keycloak.broker.provider.IdentityProvider; import org.keycloak.broker.provider.IdentityProviderFactory; +import org.keycloak.broker.provider.IdentityProviderMapper; +import org.keycloak.broker.saml.SAMLEndpoint; import org.keycloak.broker.social.SocialIdentityProvider; +import org.keycloak.common.ClientConnection; +import org.keycloak.common.util.Base64Url; +import org.keycloak.common.util.ObjectUtil; +import org.keycloak.common.util.Time; +import org.keycloak.common.util.UriUtils; +import org.keycloak.events.Details; +import org.keycloak.events.Errors; +import org.keycloak.events.EventBuilder; +import org.keycloak.events.EventType; +import org.keycloak.forms.login.LoginFormsProvider; +import org.keycloak.models.AccountRoles; +import org.keycloak.models.AuthenticatedClientSessionModel; +import org.keycloak.models.AuthenticationFlowModel; +import org.keycloak.models.ClientModel; +import org.keycloak.models.Constants; +import org.keycloak.models.FederatedIdentityModel; +import org.keycloak.models.IdentityProviderMapperModel; import org.keycloak.models.IdentityProviderModel; import org.keycloak.models.KeycloakSession; +import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.RealmModel; +import org.keycloak.models.RoleModel; +import org.keycloak.models.UserModel; +import org.keycloak.models.UserSessionModel; +import org.keycloak.models.utils.FormMessage; +import org.keycloak.protocol.oidc.OIDCLoginProtocol; +import org.keycloak.protocol.oidc.TokenManager; +import org.keycloak.protocol.oidc.utils.RedirectUtils; +import org.keycloak.protocol.saml.SamlProtocol; +import org.keycloak.protocol.saml.SamlService; import org.keycloak.provider.ProviderFactory; +import org.keycloak.representations.AccessToken; +import org.keycloak.services.ErrorPage; +import org.keycloak.services.ErrorPageException; +import org.keycloak.services.ErrorResponse; +import org.keycloak.services.ServicesLogger; +import org.keycloak.services.Urls; +import org.keycloak.services.managers.AppAuthManager; +import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.services.managers.BruteForceProtector; +import org.keycloak.services.managers.ClientSessionCode; +import org.keycloak.services.messages.Messages; +import org.keycloak.services.util.CacheControlUtil; +import org.keycloak.services.validation.Validation; +import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.util.JsonSerialization; +import java.io.IOException; +import java.net.URI; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.Objects; +import java.util.Optional; +import java.util.Set; +import java.util.UUID; + +import javax.ws.rs.GET; +import javax.ws.rs.OPTIONS; +import javax.ws.rs.POST; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.HttpHeaders; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; +import javax.ws.rs.core.UriInfo; /** *

* * @author Pedro Igor */ -public class IdentityBrokerService { -//public class IdentityBrokerService implements IdentityProvider.AuthenticationCallback { -// -// private static final Logger logger = Logger.getLogger(IdentityBrokerService.class); -// -// private final RealmModel realmModel; -// -// @Context -// private UriInfo uriInfo; -// -// @Context -// private KeycloakSession session; -// -// @Context -// private ClientConnection clientConnection; -// -// @Context -// private HttpRequest request; -// -// @Context -// private HttpHeaders headers; -// -// private EventBuilder event; -// -// -// public IdentityBrokerService(RealmModel realmModel) { -// if (realmModel == null) { -// throw new IllegalArgumentException("Realm can not be null."); -// } -// this.realmModel = realmModel; -// } -// -// public void init() { -// this.event = new EventBuilder(realmModel, session, clientConnection).event(EventType.IDENTITY_PROVIDER_LOGIN); -// } -// -// private void checkRealm() { -// if (!realmModel.isEnabled()) { -// event.error(Errors.REALM_DISABLED); -// throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED); -// } -// } -// -// private ClientModel checkClient(String clientId) { -// if (clientId == null) { -// event.error(Errors.INVALID_REQUEST); -// throw new ErrorPageException(session, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM); -// } -// -// event.client(clientId); -// -// ClientModel client = realmModel.getClientByClientId(clientId); -// if (client == null) { -// event.error(Errors.CLIENT_NOT_FOUND); -// throw new ErrorPageException(session, Messages.INVALID_REQUEST); -// } -// -// if (!client.isEnabled()) { -// event.error(Errors.CLIENT_DISABLED); -// throw new ErrorPageException(session, Messages.INVALID_REQUEST); -// } -// return client; -// -// } -// -// /** -// * Closes off CORS preflight requests for account linking -// * -// * @param providerId -// * @return -// */ -// @OPTIONS -// @Path("/{provider_id}/link") -// public Response clientIntiatedAccountLinkingPreflight(@PathParam("provider_id") String providerId) { -// return Response.status(403).build(); // don't allow preflight -// } -// -// -// @GET -// @NoCache -// @Path("/{provider_id}/link") -// public Response clientInitiatedAccountLinking(@PathParam("provider_id") String providerId, -// @QueryParam("redirect_uri") String redirectUri, -// @QueryParam("client_id") String clientId, -// @QueryParam("nonce") String nonce, -// @QueryParam("hash") String hash -// ) { -// this.event.event(EventType.CLIENT_INITIATED_ACCOUNT_LINKING); -// checkRealm(); -// ClientModel client = checkClient(clientId); -// AuthenticationManager authenticationManager = new AuthenticationManager(); -// redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realmModel, client); -// if (redirectUri == null) { -// event.error(Errors.INVALID_REDIRECT_URI); -// throw new ErrorPageException(session, Messages.INVALID_REQUEST); -// } -// -// if (nonce == null || hash == null) { -// event.error(Errors.INVALID_REDIRECT_URI); -// throw new ErrorPageException(session, Messages.INVALID_REQUEST); -// -// } -// -// // only allow origins from client. Not sure we need this as I don't believe cookies can be -// // sent if CORS preflight requests can't execute. -// String origin = headers.getRequestHeaders().getFirst("Origin"); -// if (origin != null) { -// String redirectOrigin = UriUtils.getOrigin(redirectUri); -// if (!redirectOrigin.equals(origin)) { -// event.error(Errors.ILLEGAL_ORIGIN); -// throw new ErrorPageException(session, Messages.INVALID_REQUEST); -// -// } -// } -// -// AuthResult cookieResult = authenticationManager.authenticateIdentityCookie(session, realmModel, true); -// String errorParam = "link_error"; -// if (cookieResult == null) { -// event.error(Errors.NOT_LOGGED_IN); -// UriBuilder builder = UriBuilder.fromUri(redirectUri) -// .queryParam(errorParam, Errors.NOT_LOGGED_IN) -// .queryParam("nonce", nonce); -// -// return Response.status(302).location(builder.build()).build(); -// } -// -// -// -// ClientLoginSessionModel clientSession = null; -// for (ClientLoginSessionModel cs : cookieResult.getSession().getAuthenticatedClientSessions().values()) { -// if (cs.getClient().getClientId().equals(clientId)) { -// byte[] decoded = Base64Url.decode(hash); -// MessageDigest md = null; -// try { -// md = MessageDigest.getInstance("SHA-256"); -// } catch (NoSuchAlgorithmException e) { -// throw new ErrorPageException(session, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST); -// } -// String input = nonce + cookieResult.getSession().getId() + cs.getId() + providerId; -// byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8)); -// if (MessageDigest.isEqual(decoded, check)) { -// clientSession = cs; -// break; -// } -// } -// } -// if (clientSession == null) { -// event.error(Errors.INVALID_TOKEN); -// throw new ErrorPageException(session, Messages.INVALID_REQUEST); -// } -// -// -// -// ClientModel accountService = this.realmModel.getClientByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID); -// if (!accountService.getId().equals(client.getId())) { -// RoleModel manageAccountRole = accountService.getRole(MANAGE_ACCOUNT); -// -// if (!clientSession.getRoles().contains(manageAccountRole.getId())) { -// RoleModel linkRole = accountService.getRole(MANAGE_ACCOUNT_LINKS); -// if (!clientSession.getRoles().contains(linkRole.getId())) { -// event.error(Errors.NOT_ALLOWED); -// UriBuilder builder = UriBuilder.fromUri(redirectUri) -// .queryParam(errorParam, Errors.NOT_ALLOWED) -// .queryParam("nonce", nonce); -// return Response.status(302).location(builder.build()).build(); -// } -// } -// } -// -// -// IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId); -// if (identityProviderModel == null) { -// event.error(Errors.UNKNOWN_IDENTITY_PROVIDER); -// UriBuilder builder = UriBuilder.fromUri(redirectUri) -// .queryParam(errorParam, Errors.UNKNOWN_IDENTITY_PROVIDER) -// .queryParam("nonce", nonce); -// return Response.status(302).location(builder.build()).build(); -// -// } -// -// -// // TODO: Create AuthenticationSessionModel and Login cookie and set the state inside. See my notes document -// ClientSessionCode clientSessionCode = new ClientSessionCode(session, realmModel, clientSession); -// clientSessionCode.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); -// clientSessionCode.getCode(); -// clientSession.setRedirectUri(redirectUri); -// clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString()); -// -// event.success(); -// -// -// try { -// IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); -// Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode)); -// -// if (response != null) { -// if (isDebugEnabled()) { -// logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response); -// } -// return response; -// } -// } catch (IdentityBrokerException e) { -// return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); -// } catch (Exception e) { -// return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); -// } -// -// return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); -// -// } -// -// -// @POST -// @Path("/{provider_id}/login") -// public Response performPostLogin(@PathParam("provider_id") String providerId, @QueryParam("code") String code) { -// return performLogin(providerId, code); -// } -// -// @GET -// @NoCache -// @Path("/{provider_id}/login") -// public Response performLogin(@PathParam("provider_id") String providerId, @QueryParam("code") String code) { -// this.event.detail(Details.IDENTITY_PROVIDER, providerId); -// -// if (isDebugEnabled()) { -// logger.debugf("Sending authentication request to identity provider [%s].", providerId); -// } -// -// try { -// ParsedCodeContext parsedCode = parseClientSessionCode(code); -// if (parsedCode.response != null) { -// return parsedCode.response; -// } -// -// ClientSessionCode clientSessionCode = parsedCode.clientSessionCode; -// IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId); -// if (identityProviderModel == null) { -// throw new IdentityBrokerException("Identity Provider [" + providerId + "] not found."); -// } -// if (identityProviderModel.isLinkOnly()) { -// throw new IdentityBrokerException("Identity Provider [" + providerId + "] is not allowed to perform a login."); -// -// } -// IdentityProviderFactory providerFactory = getIdentityProviderFactory(session, identityProviderModel); -// -// IdentityProvider identityProvider = providerFactory.create(session, identityProviderModel); -// -// Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode)); -// -// if (response != null) { -// if (isDebugEnabled()) { -// logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response); -// } -// return response; -// } -// } catch (IdentityBrokerException e) { -// return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); -// } catch (Exception e) { -// return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); -// } -// -// return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); -// } -// -// @Path("{provider_id}/endpoint") -// public Object getEndpoint(@PathParam("provider_id") String providerId) { -// IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); -// Object callback = identityProvider.callback(realmModel, this, event); -// ResteasyProviderFactory.getInstance().injectProperties(callback); -// //resourceContext.initResource(brokerService); -// return callback; -// -// -// } -// -// @Path("{provider_id}/token") -// @OPTIONS -// public Response retrieveTokenPreflight() { -// return Cors.add(this.request, Response.ok()).auth().preflight().build(); -// } -// -// @GET -// @NoCache -// @Path("{provider_id}/token") -// public Response retrieveToken(@PathParam("provider_id") String providerId) { -// return getToken(providerId, false); -// } -// -// private boolean canReadBrokerToken(AccessToken token) { -// Map resourceAccess = token.getResourceAccess(); -// AccessToken.Access brokerRoles = resourceAccess == null ? null : resourceAccess.get(Constants.BROKER_SERVICE_CLIENT_ID); -// return brokerRoles != null && brokerRoles.isUserInRole(Constants.READ_TOKEN_ROLE); -// } -// -// private Response getToken(String providerId, boolean forceRetrieval) { -// this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN); -// -// try { -// AppAuthManager authManager = new AppAuthManager(); -// AuthResult authResult = authManager.authenticateBearerToken(this.session, this.realmModel, this.uriInfo, this.clientConnection, this.request.getHttpHeaders()); -// -// if (authResult != null) { -// AccessToken token = authResult.getToken(); -// String[] audience = token.getAudience(); -// ClientModel clientModel = this.realmModel.getClientByClientId(audience[0]); -// -// if (clientModel == null) { -// return badRequest("Invalid client."); -// } -// -// session.getContext().setClient(clientModel); -// -// ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID); -// if (brokerClient == null) { -// return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), clientModel); -// -// } -// if (!canReadBrokerToken(token)) { -// return corsResponse(forbidden("Client [" + clientModel.getClientId() + "] not authorized to retrieve tokens from identity provider [" + providerId + "]."), clientModel); -// -// } -// -// IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); -// IdentityProviderModel identityProviderConfig = getIdentityProviderConfig(providerId); -// -// if (identityProviderConfig.isStoreToken()) { -// FederatedIdentityModel identity = this.session.users().getFederatedIdentity(authResult.getUser(), providerId, this.realmModel); -// -// if (identity == null) { -// return corsResponse(badRequest("User [" + authResult.getUser().getId() + "] is not associated with identity provider [" + providerId + "]."), clientModel); -// } -// -// this.event.success(); -// -// return corsResponse(identityProvider.retrieveToken(session, identity), clientModel); -// } -// -// return corsResponse(badRequest("Identity Provider [" + providerId + "] does not support this operation."), clientModel); -// } -// -// return badRequest("Invalid token."); -// } catch (IdentityBrokerException e) { -// return redirectToErrorPage(Messages.COULD_NOT_OBTAIN_TOKEN, e, providerId); -// } catch (Exception e) { -// return redirectToErrorPage(Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e, providerId); -// } -// } -// -// public Response authenticated(BrokeredIdentityContext context) { -// IdentityProviderModel identityProviderConfig = context.getIdpConfig(); -// -// final ParsedCodeContext parsedCode; -// if (context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID) != null) { -// parsedCode = samlIdpInitiatedSSO((String) context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID)); -// } else { -// parsedCode = parseClientSessionCode(context.getCode()); -// } -// if (parsedCode.response != null) { -// return parsedCode.response; -// } -// ClientSessionCode clientCode = parsedCode.clientSessionCode; -// -// String providerId = identityProviderConfig.getAlias(); -// if (!identityProviderConfig.isStoreToken()) { -// if (isDebugEnabled()) { -// logger.debugf("Token will not be stored for identity provider [%s].", providerId); -// } -// context.setToken(null); -// } -// -// AuthenticationSessionModel authSession = clientCode.getClientSession(); -// context.setAuthenticationSession(authenticationSession); -// -// session.getContext().setClient(authenticationSession.getClient()); -// -// context.getIdp().preprocessFederatedIdentity(session, realmModel, context); -// Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); -// if (mappers != null) { -// KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); -// for (IdentityProviderMapperModel mapper : mappers) { -// IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); -// target.preprocessFederatedIdentity(session, realmModel, mapper, context); -// } -// } -// -// FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(providerId, context.getId(), -// context.getUsername(), context.getToken()); -// -// this.event.event(EventType.IDENTITY_PROVIDER_LOGIN) -// .detail(Details.REDIRECT_URI, authenticationSession.getRedirectUri()) -// .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); -// -// UserModel federatedUser = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel); -// -// // Check if federatedUser is already authenticated (this means linking social into existing federatedUser account) -// if (authenticationSession.getUserSession() != null) { -// return performAccountLinking(clientSession, context, federatedIdentityModel, federatedUser); -// } -// -// if (federatedUser == null) { -// -// logger.debugf("Federated user not found for provider '%s' and broker username '%s' . Redirecting to flow for firstBrokerLogin", providerId, context.getUsername()); -// -// String username = context.getModelUsername(); -// if (username == null) { -// if (this.realmModel.isRegistrationEmailAsUsername() && !Validation.isBlank(context.getEmail())) { -// username = context.getEmail(); -// } else if (context.getUsername() == null) { -// username = context.getIdpConfig().getAlias() + "." + context.getId(); -// } else { -// username = context.getUsername(); -// } -// } -// username = username.trim(); -// context.setModelUsername(username); -// -// clientSession.setTimestamp(Time.currentTime()); -// -// SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context); -// ctx.saveToClientSession(clientSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); -// -// URI redirect = LoginActionsService.firstBrokerLoginProcessor(uriInfo) -// .queryParam(OAuth2Constants.CODE, clientCode.getCode()) -// .build(realmModel.getName()); -// return Response.status(302).location(redirect).build(); -// -// } else { -// Response response = validateUser(federatedUser, realmModel); -// if (response != null) { -// return response; -// } -// -// updateFederatedIdentity(context, federatedUser); -// clientSession.setAuthenticatedUser(federatedUser); -// -// return finishOrRedirectToPostBrokerLogin(clientSession, context, false, parsedCode.clientSessionCode); -// } -// } -// -// public Response validateUser(UserModel user, RealmModel realm) { -// if (!user.isEnabled()) { -// event.error(Errors.USER_DISABLED); -// return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); -// } -// if (realm.isBruteForceProtected()) { -// if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) { -// event.error(Errors.USER_TEMPORARILY_DISABLED); -// return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); -// } -// } -// return null; -// } -// -// // Callback from LoginActionsService after first login with broker was done and Keycloak account is successfully linked/created -// @GET -// @NoCache -// @Path("/after-first-broker-login") -// public Response afterFirstBrokerLogin(@QueryParam("code") String code) { -// ParsedCodeContext parsedCode = parseClientSessionCode(code); -// if (parsedCode.response != null) { -// return parsedCode.response; -// } -// return afterFirstBrokerLogin(parsedCode.clientSessionCode); -// } -// -// private Response afterFirstBrokerLogin(ClientSessionCode clientSessionCode) { -// ClientSessionModel clientSession = clientSessionCode.getClientSession(); -// -// try { -// this.event.detail(Details.CODE_ID, clientSession.getId()) -// .removeDetail("auth_method"); -// -// SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); -// if (serializedCtx == null) { -// throw new IdentityBrokerException("Not found serialized context in clientSession"); -// } -// BrokeredIdentityContext context = serializedCtx.deserialize(session, clientSession); -// String providerId = context.getIdpConfig().getAlias(); -// -// event.detail(Details.IDENTITY_PROVIDER, providerId); -// event.detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); -// -// // firstBrokerLogin workflow finished. Removing note now -// clientSession.removeNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); -// -// UserModel federatedUser = clientSession.getAuthenticatedUser(); -// if (federatedUser == null) { -// throw new IdentityBrokerException("Couldn't found authenticated federatedUser in clientSession"); -// } -// -// event.user(federatedUser); -// event.detail(Details.USERNAME, federatedUser.getUsername()); -// -// if (context.getIdpConfig().isAddReadTokenRoleOnCreate()) { -// ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID); -// if (brokerClient == null) { -// throw new IdentityBrokerException("Client 'broker' not available. Maybe realm has not migrated to support the broker token exchange service"); -// } -// RoleModel readTokenRole = brokerClient.getRole(Constants.READ_TOKEN_ROLE); -// federatedUser.grantRole(readTokenRole); -// } -// -// // Add federated identity link here -// FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(context.getIdpConfig().getAlias(), context.getId(), -// context.getUsername(), context.getToken()); -// session.users().addFederatedIdentity(realmModel, federatedUser, federatedIdentityModel); -// -// -// String isRegisteredNewUser = clientSession.getNote(AbstractIdpAuthenticator.BROKER_REGISTERED_NEW_USER); -// if (Boolean.parseBoolean(isRegisteredNewUser)) { -// -// logger.debugf("Registered new user '%s' after first login with identity provider '%s'. Identity provider username is '%s' . ", federatedUser.getUsername(), providerId, context.getUsername()); -// -// context.getIdp().importNewUser(session, realmModel, federatedUser, context); -// Set mappers = realmModel.getIdentityProviderMappersByAlias(providerId); -// if (mappers != null) { -// KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); -// for (IdentityProviderMapperModel mapper : mappers) { -// IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); -// target.importNewUser(session, realmModel, federatedUser, mapper, context); -// } -// } -// -// if (context.getIdpConfig().isTrustEmail() && !Validation.isBlank(federatedUser.getEmail()) && !Boolean.parseBoolean(clientSession.getNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) { -// logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", federatedUser.getUsername(), context.getIdpConfig().getAlias()); -// federatedUser.setEmailVerified(true); -// } -// -// event.event(EventType.REGISTER) -// .detail(Details.REGISTER_METHOD, "broker") -// .detail(Details.EMAIL, federatedUser.getEmail()) -// .success(); -// -// } else { -// logger.debugf("Linked existing keycloak user '%s' with identity provider '%s' . Identity provider username is '%s' .", federatedUser.getUsername(), providerId, context.getUsername()); -// -// event.event(EventType.FEDERATED_IDENTITY_LINK) -// .success(); -// -// updateFederatedIdentity(context, federatedUser); -// } -// -// return finishOrRedirectToPostBrokerLogin(clientSession, context, true, clientSessionCode); -// -// } catch (Exception e) { -// return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); -// } -// } -// -// -// private Response finishOrRedirectToPostBrokerLogin(ClientSessionModel clientSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode clientSessionCode) { -// String postBrokerLoginFlowId = context.getIdpConfig().getPostBrokerLoginFlowId(); -// if (postBrokerLoginFlowId == null) { -// -// logger.debugf("Skip redirect to postBrokerLogin flow. PostBrokerLogin flow not set for identityProvider '%s'.", context.getIdpConfig().getAlias()); -// return afterPostBrokerLoginFlowSuccess(clientSession, context, wasFirstBrokerLogin, clientSessionCode); -// } else { -// -// logger.debugf("Redirect to postBrokerLogin flow after authentication with identityProvider '%s'.", context.getIdpConfig().getAlias()); -// -// clientSession.setTimestamp(Time.currentTime()); -// -// SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context); -// ctx.saveToClientSession(clientSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); -// -// clientSession.setNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN, String.valueOf(wasFirstBrokerLogin)); -// -// URI redirect = LoginActionsService.postBrokerLoginProcessor(uriInfo) -// .queryParam(OAuth2Constants.CODE, clientSessionCode.getCode()) -// .build(realmModel.getName()); -// return Response.status(302).location(redirect).build(); -// } -// } -// -// -// // Callback from LoginActionsService after postBrokerLogin flow is finished -// @GET -// @NoCache -// @Path("/after-post-broker-login") -// public Response afterPostBrokerLoginFlow(@QueryParam("code") String code) { -// ParsedCodeContext parsedCode = parseClientSessionCode(code); -// if (parsedCode.response != null) { -// return parsedCode.response; -// } -// AuthenticationSessionModel authenticationSession = parsedCode.clientSessionCode.getClientSession(); -// -// try { -// SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromLoginSession(authenticationSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); -// if (serializedCtx == null) { -// throw new IdentityBrokerException("Not found serialized context in clientSession. Note " + PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT + " was null"); -// } -// BrokeredIdentityContext context = serializedCtx.deserialize(session, authenticationSession); -// -// String wasFirstBrokerLoginNote = authenticationSession.getNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); -// boolean wasFirstBrokerLogin = Boolean.parseBoolean(wasFirstBrokerLoginNote); -// -// // Ensure the post-broker-login flow was successfully finished -// String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + context.getIdpConfig().getAlias(); -// String authState = authenticationSession.getNote(authStateNoteKey); -// if (!Boolean.parseBoolean(authState)) { -// throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished"); -// } -// -// // remove notes -// authenticationSession.removeNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); -// authenticationSession.removeNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); -// -// return afterPostBrokerLoginFlowSuccess(authenticationSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode); -// } catch (IdentityBrokerException e) { -// return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); -// } -// } -// -// private Response afterPostBrokerLoginFlowSuccess(ClientSessionModel clientSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode clientSessionCode) { -// String providerId = context.getIdpConfig().getAlias(); -// UserModel federatedUser = clientSession.getAuthenticatedUser(); -// -// if (wasFirstBrokerLogin) { -// -// String isDifferentBrowser = clientSession.getNote(AbstractIdpAuthenticator.IS_DIFFERENT_BROWSER); -// if (Boolean.parseBoolean(isDifferentBrowser)) { -// session.sessions().removeClientSession(realmModel, clientSession); -// return session.getProvider(LoginFormsProvider.class) -// .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, context.getIdpConfig().getAlias(), context.getUsername()) -// .createInfoPage(); -// } else { -// return finishBrokerAuthentication(context, federatedUser, clientSession, providerId); -// } -// -// } else { -// -// boolean firstBrokerLoginInProgress = (clientSession.getNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); -// if (firstBrokerLoginInProgress) { -// logger.debugf("Reauthenticated with broker '%s' when linking user '%s' with other broker", context.getIdpConfig().getAlias(), federatedUser.getUsername()); -// -// UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, clientSession); -// if (!linkingUser.getId().equals(federatedUser.getId())) { -// return redirectToErrorPage(Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername()); -// } -// -// return afterFirstBrokerLogin(clientSessionCode); -// } else { -// return finishBrokerAuthentication(context, federatedUser, clientSession, providerId); -// } -// } -// } -// -// -// private Response finishBrokerAuthentication(BrokeredIdentityContext context, UserModel federatedUser, ClientSessionModel clientSession, String providerId) { -// UserSessionModel userSession = this.session.sessions() -// .createUserSession(this.realmModel, federatedUser, federatedUser.getUsername(), this.clientConnection.getRemoteAddr(), "broker", false, context.getBrokerSessionId(), context.getBrokerUserId()); -// -// this.event.user(federatedUser); -// this.event.session(userSession); -// -// // TODO: This is supposed to be called after requiredActions are processed -// TokenManager.attachClientSession(userSession, clientSession); -// context.getIdp().attachUserSession(userSession, clientSession, context); -// userSession.setNote(Details.IDENTITY_PROVIDER, providerId); -// userSession.setNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); -// -// if (isDebugEnabled()) { -// logger.debugf("Performing local authentication for user [%s].", federatedUser); -// } -// -// return AuthenticationProcessor.redirectToRequiredActions(session, realmModel, clientSession, uriInfo); -// } -// -// -// @Override -// public Response cancelled(String code) { -// ParsedCodeContext parsedCode = parseClientSessionCode(code); -// if (parsedCode.response != null) { -// return parsedCode.response; -// } -// ClientSessionCode clientCode = parsedCode.clientSessionCode; -// -// Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.CONSENT_DENIED); -// if (accountManagementFailedLinking != null) { -// return accountManagementFailedLinking; -// } -// -// return browserAuthentication(clientCode.getClientSession(), null); -// } -// -// @Override -// public Response error(String code, String message) { -// ParsedCodeContext parsedCode = parseClientSessionCode(code); -// if (parsedCode.response != null) { -// return parsedCode.response; -// } -// ClientSessionCode clientCode = parsedCode.clientSessionCode; -// -// Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), message); -// if (accountManagementFailedLinking != null) { -// return accountManagementFailedLinking; -// } -// -// return browserAuthentication(clientCode.getClientSession(), message); -// } -// -// private Response performAccountLinking(ClientSessionModel clientSession, BrokeredIdentityContext context, FederatedIdentityModel newModel, UserModel federatedUser) { -// this.event.event(EventType.FEDERATED_IDENTITY_LINK); -// -// -// -// UserModel authenticatedUser = clientSession.getUserSession().getUser(); -// -// if (federatedUser != null && !authenticatedUser.getId().equals(federatedUser.getId())) { -// return redirectToAccountErrorPage(clientSession, Messages.IDENTITY_PROVIDER_ALREADY_LINKED, context.getIdpConfig().getAlias()); -// } -// -// if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(MANAGE_ACCOUNT))) { -// return redirectToErrorPage(Messages.INSUFFICIENT_PERMISSION); -// } -// -// if (!authenticatedUser.isEnabled()) { -// return redirectToAccountErrorPage(clientSession, Messages.ACCOUNT_DISABLED); -// } -// -// -// -// if (federatedUser != null) { -// if (context.getIdpConfig().isStoreToken()) { -// FederatedIdentityModel oldModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel); -// if (!ObjectUtil.isEqualOrBothNull(context.getToken(), oldModel.getToken())) { -// this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, newModel); -// if (isDebugEnabled()) { -// logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias()); -// } -// } -// } -// } else { -// this.session.users().addFederatedIdentity(this.realmModel, authenticatedUser, newModel); -// } -// context.getIdp().attachUserSession(clientSession.getUserSession(), clientSession, context); -// -// -// if (isDebugEnabled()) { -// logger.debugf("Linking account [%s] from identity provider [%s] to user [%s].", newModel, context.getIdpConfig().getAlias(), authenticatedUser); -// } -// -// this.event.user(authenticatedUser) -// .detail(Details.USERNAME, authenticatedUser.getUsername()) -// .detail(Details.IDENTITY_PROVIDER, newModel.getIdentityProvider()) -// .detail(Details.IDENTITY_PROVIDER_USERNAME, newModel.getUserName()) -// .success(); -// -// // we do this to make sure that the parent IDP is logged out when this user session is complete. -// -// clientSession.getUserSession().setNote(Details.IDENTITY_PROVIDER, context.getIdpConfig().getAlias()); -// clientSession.getUserSession().setNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); -// -// return Response.status(302).location(UriBuilder.fromUri(clientSession.getRedirectUri()).build()).build(); -// } -// -// private void updateFederatedIdentity(BrokeredIdentityContext context, UserModel federatedUser) { -// FederatedIdentityModel federatedIdentityModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel); -// -// // Skip DB write if tokens are null or equal -// updateToken(context, federatedUser, federatedIdentityModel); -// context.getIdp().updateBrokeredUser(session, realmModel, federatedUser, context); -// Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); -// if (mappers != null) { -// KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); -// for (IdentityProviderMapperModel mapper : mappers) { -// IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); -// target.updateBrokeredUser(session, realmModel, federatedUser, mapper, context); -// } -// } -// -// } -// -// private void updateToken(BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel) { -// if (context.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(context.getToken(), federatedIdentityModel.getToken())) { -// federatedIdentityModel.setToken(context.getToken()); -// -// this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel); -// -// if (isDebugEnabled()) { -// logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias()); -// } -// } -// } -// -// private ParsedCodeContext parseClientSessionCode(String code) { -// ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel, AuthenticationSessionModel.class); -// -// if (clientCode != null) { -// AuthenticationSessionModel authenticationSession = clientCode.getClientSession(); -// -// ClientModel client = authenticationSession.getClient(); -// -// if (client != null) { -// -// logger.debugf("Got authorization code from client [%s].", client.getClientId()); -// this.event.client(client); -// this.session.getContext().setClient(client); -// -// if (!clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { -// logger.debugf("Authorization code is not valid. Client session ID: %s, Client session's action: %s", authenticationSession.getId(), authenticationSession.getAction()); -// -// // Check if error happened during login or during linking from account management -// Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.STALE_CODE_ACCOUNT); -// Response staleCodeError = (accountManagementFailedLinking != null) ? accountManagementFailedLinking : redirectToErrorPage(Messages.STALE_CODE); -// -// -// return ParsedCodeContext.response(staleCodeError); -// } -// -// if (isDebugEnabled()) { -// logger.debugf("Authorization code is valid."); -// } -// -// return ParsedCodeContext.clientSessionCode(clientCode); -// } -// } -// -// logger.debugf("Authorization code is not valid. Code: %s", code); -// Response staleCodeError = redirectToErrorPage(Messages.STALE_CODE); -// return ParsedCodeContext.response(staleCodeError); -// } -// -// /** -// * If there is a client whose SAML IDP-initiated SSO URL name is set to the -// * given {@code clientUrlName}, creates a fresh client session for that -// * client and returns a {@link ParsedCodeContext} object with that session. -// * Otherwise returns "client not found" response. -// * -// * @param clientUrlName -// * @return see description -// */ -// private ParsedCodeContext samlIdpInitiatedSSO(final String clientUrlName) { -// event.event(EventType.LOGIN); -// CacheControlUtil.noBackButtonCacheControlHeader(); -// Optional oClient = this.realmModel.getClients().stream() -// .filter(c -> Objects.equals(c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME), clientUrlName)) -// .findFirst(); -// -// if (! oClient.isPresent()) { -// event.error(Errors.CLIENT_NOT_FOUND); -// return ParsedCodeContext.response(redirectToErrorPage(Messages.CLIENT_NOT_FOUND)); -// } -// -// ClientSessionModel clientSession = SamlService.createClientSessionForIdpInitiatedSso(session, realmModel, oClient.get(), null); -// -// return ParsedCodeContext.clientSessionCode(new ClientSessionCode(session, this.realmModel, clientSession)); -// } -// -// private Response checkAccountManagementFailedLinking(LoginSessionModel authenticationSession, String error, Object... parameters) { -// if (clientSession.getUserSession() != null && clientSession.getClient() != null && clientSession.getClient().getClientId().equals(ACCOUNT_MANAGEMENT_CLIENT_ID)) { -// -// this.event.event(EventType.FEDERATED_IDENTITY_LINK); -// UserModel user = clientSession.getUserSession().getUser(); -// this.event.user(user); -// this.event.detail(Details.USERNAME, user.getUsername()); -// -// return redirectToAccountErrorPage(clientSession, error, parameters); -// } else { -// return null; -// } -// } -// -// private AuthenticationRequest createAuthenticationRequest(String providerId, ClientSessionCode clientSessionCode) { -// AuthenticationSessionModel authenticationSession = null; -// String relayState = null; -// -// if (clientSessionCode != null) { -// authenticationSession = clientSessionCode.getClientSession(); -// relayState = clientSessionCode.getCode(); -// } -// -// return new AuthenticationRequest(this.session, this.realmModel, clientSession, this.request, this.uriInfo, relayState, getRedirectUri(providerId)); -// } -// -// private String getRedirectUri(String providerId) { -// return Urls.identityProviderAuthnResponse(this.uriInfo.getBaseUri(), providerId, this.realmModel.getName()).toString(); -// } -// -// private Response redirectToErrorPage(String message, Object ... parameters) { -// return redirectToErrorPage(message, null, parameters); -// } -// -// private Response redirectToErrorPage(String message, Throwable throwable, Object ... parameters) { -// if (message == null) { -// message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; -// } -// -// fireErrorEvent(message, throwable); -// return ErrorPage.error(this.session, message, parameters); -// } -// -// private Response redirectToAccountErrorPage(ClientSessionModel clientSession, String message, Object ... parameters) { -// fireErrorEvent(message); -// -// FormMessage errorMessage = new FormMessage(message, parameters); -// try { -// String serializedError = JsonSerialization.writeValueAsString(errorMessage); -// clientSession.setNote(AccountService.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, serializedError); -// } catch (IOException ioe) { -// throw new RuntimeException(ioe); -// } -// -// return Response.status(302).location(UriBuilder.fromUri(clientSession.getRedirectUri()).build()).build(); -// } -// -// private Response redirectToLoginPage(Throwable t, ClientSessionCode clientCode) { -// String message = t.getMessage(); -// -// if (message == null) { -// message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; -// } -// -// fireErrorEvent(message); -// return browserAuthentication(clientCode.getClientSession(), message); -// } -// -// protected Response browserAuthentication(ClientSessionModel clientSession, String errorMessage) { -// this.event.event(EventType.LOGIN); -// AuthenticationFlowModel flow = realmModel.getBrowserFlow(); -// String flowId = flow.getId(); -// AuthenticationProcessor processor = new AuthenticationProcessor(); -// processor.setClientSession(clientSession) -// .setFlowPath(LoginActionsService.AUTHENTICATE_PATH) -// .setFlowId(flowId) -// .setBrowserFlow(true) -// .setConnection(clientConnection) -// .setEventBuilder(event) -// .setRealm(realmModel) -// .setSession(session) -// .setUriInfo(uriInfo) -// .setRequest(request); -// if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage)); -// -// try { -// CacheControlUtil.noBackButtonCacheControlHeader(); -// return processor.authenticate(); -// } catch (Exception e) { -// return processor.handleBrowserException(e); -// } -// } -// -// -// private Response badRequest(String message) { -// fireErrorEvent(message); -// return ErrorResponse.error(message, Status.BAD_REQUEST); -// } -// -// private Response forbidden(String message) { -// fireErrorEvent(message); -// return ErrorResponse.error(message, Status.FORBIDDEN); -// } +public class IdentityBrokerService implements IdentityProvider.AuthenticationCallback { + + // Authentication session note, which references identity provider that is currently linked + private static final String LINKING_IDENTITY_PROVIDER = "LINKING_IDENTITY_PROVIDER"; + + private static final Logger logger = Logger.getLogger(IdentityBrokerService.class); + + private final RealmModel realmModel; + + @Context + private UriInfo uriInfo; + + @Context + private KeycloakSession session; + + @Context + private ClientConnection clientConnection; + + @Context + private HttpRequest request; + + @Context + private HttpHeaders headers; + + private EventBuilder event; + + + public IdentityBrokerService(RealmModel realmModel) { + if (realmModel == null) { + throw new IllegalArgumentException("Realm can not be null."); + } + this.realmModel = realmModel; + } + + public void init() { + this.event = new EventBuilder(realmModel, session, clientConnection).event(EventType.IDENTITY_PROVIDER_LOGIN); + } + + private void checkRealm() { + if (!realmModel.isEnabled()) { + event.error(Errors.REALM_DISABLED); + throw new ErrorPageException(session, Messages.REALM_NOT_ENABLED); + } + } + + private ClientModel checkClient(String clientId) { + if (clientId == null) { + event.error(Errors.INVALID_REQUEST); + throw new ErrorPageException(session, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM); + } + + event.client(clientId); + + ClientModel client = realmModel.getClientByClientId(clientId); + if (client == null) { + event.error(Errors.CLIENT_NOT_FOUND); + throw new ErrorPageException(session, Messages.INVALID_REQUEST); + } + + if (!client.isEnabled()) { + event.error(Errors.CLIENT_DISABLED); + throw new ErrorPageException(session, Messages.INVALID_REQUEST); + } + return client; + + } + + /** + * Closes off CORS preflight requests for account linking + * + * @param providerId + * @return + */ + @OPTIONS + @Path("/{provider_id}/link") + public Response clientIntiatedAccountLinkingPreflight(@PathParam("provider_id") String providerId) { + return Response.status(403).build(); // don't allow preflight + } + + + @GET + @NoCache + @Path("/{provider_id}/link") + public Response clientInitiatedAccountLinking(@PathParam("provider_id") String providerId, + @QueryParam("redirect_uri") String redirectUri, + @QueryParam("client_id") String clientId, + @QueryParam("nonce") String nonce, + @QueryParam("hash") String hash + ) { + this.event.event(EventType.CLIENT_INITIATED_ACCOUNT_LINKING); + checkRealm(); + ClientModel client = checkClient(clientId); + redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realmModel, client); + if (redirectUri == null) { + event.error(Errors.INVALID_REDIRECT_URI); + throw new ErrorPageException(session, Messages.INVALID_REQUEST); + } + + if (nonce == null || hash == null) { + event.error(Errors.INVALID_REDIRECT_URI); + throw new ErrorPageException(session, Messages.INVALID_REQUEST); + + } + + // only allow origins from client. Not sure we need this as I don't believe cookies can be + // sent if CORS preflight requests can't execute. + String origin = headers.getRequestHeaders().getFirst("Origin"); + if (origin != null) { + String redirectOrigin = UriUtils.getOrigin(redirectUri); + if (!redirectOrigin.equals(origin)) { + event.error(Errors.ILLEGAL_ORIGIN); + throw new ErrorPageException(session, Messages.INVALID_REQUEST); + + } + } + + AuthenticationManager.AuthResult cookieResult = AuthenticationManager.authenticateIdentityCookie(session, realmModel, true); + String errorParam = "link_error"; + if (cookieResult == null) { + event.error(Errors.NOT_LOGGED_IN); + UriBuilder builder = UriBuilder.fromUri(redirectUri) + .queryParam(errorParam, Errors.NOT_LOGGED_IN) + .queryParam("nonce", nonce); + + return Response.status(302).location(builder.build()).build(); + } + + + + AuthenticatedClientSessionModel clientSession = null; + for (AuthenticatedClientSessionModel cs : cookieResult.getSession().getAuthenticatedClientSessions().values()) { + if (cs.getClient().getClientId().equals(clientId)) { + byte[] decoded = Base64Url.decode(hash); + MessageDigest md = null; + try { + md = MessageDigest.getInstance("SHA-256"); + } catch (NoSuchAlgorithmException e) { + throw new ErrorPageException(session, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST); + } + String input = nonce + cookieResult.getSession().getId() + clientId + providerId; + byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8)); + if (MessageDigest.isEqual(decoded, check)) { + clientSession = cs; + break; + } + } + } + if (clientSession == null) { + event.error(Errors.INVALID_TOKEN); + throw new ErrorPageException(session, Messages.INVALID_REQUEST); + } + + + + ClientModel accountService = this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); + if (!accountService.getId().equals(client.getId())) { + RoleModel manageAccountRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT); + + if (!clientSession.getRoles().contains(manageAccountRole.getId())) { + RoleModel linkRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT_LINKS); + if (!clientSession.getRoles().contains(linkRole.getId())) { + event.error(Errors.NOT_ALLOWED); + UriBuilder builder = UriBuilder.fromUri(redirectUri) + .queryParam(errorParam, Errors.NOT_ALLOWED) + .queryParam("nonce", nonce); + return Response.status(302).location(builder.build()).build(); + } + } + } + + + IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId); + if (identityProviderModel == null) { + event.error(Errors.UNKNOWN_IDENTITY_PROVIDER); + UriBuilder builder = UriBuilder.fromUri(redirectUri) + .queryParam(errorParam, Errors.UNKNOWN_IDENTITY_PROVIDER) + .queryParam("nonce", nonce); + return Response.status(302).location(builder.build()).build(); + + } + + + // Create AuthenticationSessionModel with same ID like userSession and refresh cookie + UserSessionModel userSession = cookieResult.getSession(); + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(userSession.getId(), realmModel, client); + new AuthenticationSessionManager(session).setAuthSessionCookie(userSession.getId(), realmModel); + + ClientSessionCode clientSessionCode = new ClientSessionCode<>(session, realmModel, authSession); + clientSessionCode.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name()); + clientSessionCode.getCode(); + authSession.setProtocol(client.getProtocol()); + authSession.setRedirectUri(redirectUri); + authSession.setClientNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString()); + authSession.setAuthNote(LINKING_IDENTITY_PROVIDER, cookieResult.getSession().getId() + clientId + providerId); + + event.success(); + + try { + IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); + Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode)); + + if (response != null) { + if (isDebugEnabled()) { + logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response); + } + return response; + } + } catch (IdentityBrokerException e) { + return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); + } catch (Exception e) { + return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); + } + + return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); + + } + + + @POST + @Path("/{provider_id}/login") + public Response performPostLogin(@PathParam("provider_id") String providerId, @QueryParam("code") String code) { + return performLogin(providerId, code); + } + + @GET + @NoCache + @Path("/{provider_id}/login") + public Response performLogin(@PathParam("provider_id") String providerId, @QueryParam("code") String code) { + this.event.detail(Details.IDENTITY_PROVIDER, providerId); + + if (isDebugEnabled()) { + logger.debugf("Sending authentication request to identity provider [%s].", providerId); + } + + try { + ParsedCodeContext parsedCode = parseClientSessionCode(code); + if (parsedCode.response != null) { + return parsedCode.response; + } + + ClientSessionCode clientSessionCode = parsedCode.clientSessionCode; + IdentityProviderModel identityProviderModel = realmModel.getIdentityProviderByAlias(providerId); + if (identityProviderModel == null) { + throw new IdentityBrokerException("Identity Provider [" + providerId + "] not found."); + } + if (identityProviderModel.isLinkOnly()) { + throw new IdentityBrokerException("Identity Provider [" + providerId + "] is not allowed to perform a login."); + + } + IdentityProviderFactory providerFactory = getIdentityProviderFactory(session, identityProviderModel); + + IdentityProvider identityProvider = providerFactory.create(session, identityProviderModel); + + Response response = identityProvider.performLogin(createAuthenticationRequest(providerId, clientSessionCode)); + + if (response != null) { + if (isDebugEnabled()) { + logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, response); + } + return response; + } + } catch (IdentityBrokerException e) { + return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); + } catch (Exception e) { + return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); + } + + return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); + } + + @Path("{provider_id}/endpoint") + public Object getEndpoint(@PathParam("provider_id") String providerId) { + IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); + Object callback = identityProvider.callback(realmModel, this, event); + ResteasyProviderFactory.getInstance().injectProperties(callback); + //resourceContext.initResource(brokerService); + return callback; + + + } + + @Path("{provider_id}/token") + @OPTIONS + public Response retrieveTokenPreflight() { + return Cors.add(this.request, Response.ok()).auth().preflight().build(); + } + + @GET + @NoCache + @Path("{provider_id}/token") + public Response retrieveToken(@PathParam("provider_id") String providerId) { + return getToken(providerId, false); + } + + private boolean canReadBrokerToken(AccessToken token) { + Map resourceAccess = token.getResourceAccess(); + AccessToken.Access brokerRoles = resourceAccess == null ? null : resourceAccess.get(Constants.BROKER_SERVICE_CLIENT_ID); + return brokerRoles != null && brokerRoles.isUserInRole(Constants.READ_TOKEN_ROLE); + } + + private Response getToken(String providerId, boolean forceRetrieval) { + this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN); + + try { + AppAuthManager authManager = new AppAuthManager(); + AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(this.session, this.realmModel, this.uriInfo, this.clientConnection, this.request.getHttpHeaders()); + + if (authResult != null) { + AccessToken token = authResult.getToken(); + String[] audience = token.getAudience(); + ClientModel clientModel = this.realmModel.getClientByClientId(audience[0]); + + if (clientModel == null) { + return badRequest("Invalid client."); + } + + session.getContext().setClient(clientModel); + + ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID); + if (brokerClient == null) { + return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), clientModel); + + } + if (!canReadBrokerToken(token)) { + return corsResponse(forbidden("Client [" + clientModel.getClientId() + "] not authorized to retrieve tokens from identity provider [" + providerId + "]."), clientModel); + + } + + IdentityProvider identityProvider = getIdentityProvider(session, realmModel, providerId); + IdentityProviderModel identityProviderConfig = getIdentityProviderConfig(providerId); + + if (identityProviderConfig.isStoreToken()) { + FederatedIdentityModel identity = this.session.users().getFederatedIdentity(authResult.getUser(), providerId, this.realmModel); + + if (identity == null) { + return corsResponse(badRequest("User [" + authResult.getUser().getId() + "] is not associated with identity provider [" + providerId + "]."), clientModel); + } + + this.event.success(); + + return corsResponse(identityProvider.retrieveToken(session, identity), clientModel); + } + + return corsResponse(badRequest("Identity Provider [" + providerId + "] does not support this operation."), clientModel); + } + + return badRequest("Invalid token."); + } catch (IdentityBrokerException e) { + return redirectToErrorPage(Messages.COULD_NOT_OBTAIN_TOKEN, e, providerId); + } catch (Exception e) { + return redirectToErrorPage(Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e, providerId); + } + } + + public Response authenticated(BrokeredIdentityContext context) { + IdentityProviderModel identityProviderConfig = context.getIdpConfig(); + + final ParsedCodeContext parsedCode; + if (context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID) != null) { + parsedCode = samlIdpInitiatedSSO((String) context.getContextData().get(SAMLEndpoint.SAML_IDP_INITIATED_CLIENT_ID)); + } else { + parsedCode = parseClientSessionCode(context.getCode()); + } + if (parsedCode.response != null) { + return parsedCode.response; + } + ClientSessionCode clientCode = parsedCode.clientSessionCode; + + String providerId = identityProviderConfig.getAlias(); + if (!identityProviderConfig.isStoreToken()) { + if (isDebugEnabled()) { + logger.debugf("Token will not be stored for identity provider [%s].", providerId); + } + context.setToken(null); + } + + AuthenticationSessionModel authenticationSession = clientCode.getClientSession(); + context.setAuthenticationSession(authenticationSession); + + session.getContext().setClient(authenticationSession.getClient()); + + context.getIdp().preprocessFederatedIdentity(session, realmModel, context); + Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); + if (mappers != null) { + KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); + for (IdentityProviderMapperModel mapper : mappers) { + IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); + target.preprocessFederatedIdentity(session, realmModel, mapper, context); + } + } + + FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(providerId, context.getId(), + context.getUsername(), context.getToken()); + + this.event.event(EventType.IDENTITY_PROVIDER_LOGIN) + .detail(Details.REDIRECT_URI, authenticationSession.getRedirectUri()) + .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); + + UserModel federatedUser = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel); + + // Check if federatedUser is already authenticated (this means linking social into existing federatedUser account) + UserSessionModel userSession = new AuthenticationSessionManager(session).getUserSession(authenticationSession); + if (shouldPerformAccountLinking(authenticationSession, userSession, providerId)) { + return performAccountLinking(authenticationSession, userSession, context, federatedIdentityModel, federatedUser); + } + + if (federatedUser == null) { + + logger.debugf("Federated user not found for provider '%s' and broker username '%s' . Redirecting to flow for firstBrokerLogin", providerId, context.getUsername()); + + String username = context.getModelUsername(); + if (username == null) { + if (this.realmModel.isRegistrationEmailAsUsername() && !Validation.isBlank(context.getEmail())) { + username = context.getEmail(); + } else if (context.getUsername() == null) { + username = context.getIdpConfig().getAlias() + "." + context.getId(); + } else { + username = context.getUsername(); + } + } + username = username.trim(); + context.setModelUsername(username); + + // Redirect to firstBrokerLogin after successful login and ensure that previous authentication state removed + AuthenticationProcessor.resetFlow(authenticationSession, LoginActionsService.FIRST_BROKER_LOGIN_PATH); + + SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context); + ctx.saveToAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + + URI redirect = LoginActionsService.firstBrokerLoginProcessor(uriInfo) + .build(realmModel.getName()); + return Response.status(302).location(redirect).build(); + + } else { + Response response = validateUser(federatedUser, realmModel); + if (response != null) { + return response; + } + + updateFederatedIdentity(context, federatedUser); + authenticationSession.setAuthenticatedUser(federatedUser); + + return finishOrRedirectToPostBrokerLogin(authenticationSession, context, false, parsedCode.clientSessionCode); + } + } + + + public Response validateUser(UserModel user, RealmModel realm) { + if (!user.isEnabled()) { + event.error(Errors.USER_DISABLED); + return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); + } + if (realm.isBruteForceProtected()) { + if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) { + event.error(Errors.USER_TEMPORARILY_DISABLED); + return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); + } + } + return null; + } + + // Callback from LoginActionsService after first login with broker was done and Keycloak account is successfully linked/created + @GET + @NoCache + @Path("/after-first-broker-login") + public Response afterFirstBrokerLogin(@QueryParam("code") String code) { + ParsedCodeContext parsedCode = parseClientSessionCode(code); + if (parsedCode.response != null) { + return parsedCode.response; + } + return afterFirstBrokerLogin(parsedCode.clientSessionCode); + } + + private Response afterFirstBrokerLogin(ClientSessionCode clientSessionCode) { + AuthenticationSessionModel authSession = clientSessionCode.getClientSession(); + + try { + this.event.detail(Details.CODE_ID, authSession.getId()) + .removeDetail("auth_method"); + + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + if (serializedCtx == null) { + throw new IdentityBrokerException("Not found serialized context in clientSession"); + } + BrokeredIdentityContext context = serializedCtx.deserialize(session, authSession); + String providerId = context.getIdpConfig().getAlias(); + + event.detail(Details.IDENTITY_PROVIDER, providerId); + event.detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); + + // Ensure the first-broker-login flow was successfully finished + String authProvider = authSession.getAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS); + if (authProvider == null || !authProvider.equals(providerId)) { + throw new IdentityBrokerException("Invalid request. Not found the flag that first-broker-login flow was finished"); + } + + // firstBrokerLogin workflow finished. Removing note now + authSession.removeAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + + UserModel federatedUser = authSession.getAuthenticatedUser(); + if (federatedUser == null) { + throw new IdentityBrokerException("Couldn't found authenticated federatedUser in authentication session"); + } + + event.user(federatedUser); + event.detail(Details.USERNAME, federatedUser.getUsername()); + + if (context.getIdpConfig().isAddReadTokenRoleOnCreate()) { + ClientModel brokerClient = realmModel.getClientByClientId(Constants.BROKER_SERVICE_CLIENT_ID); + if (brokerClient == null) { + throw new IdentityBrokerException("Client 'broker' not available. Maybe realm has not migrated to support the broker token exchange service"); + } + RoleModel readTokenRole = brokerClient.getRole(Constants.READ_TOKEN_ROLE); + federatedUser.grantRole(readTokenRole); + } + + // Add federated identity link here + FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(context.getIdpConfig().getAlias(), context.getId(), + context.getUsername(), context.getToken()); + session.users().addFederatedIdentity(realmModel, federatedUser, federatedIdentityModel); + + + String isRegisteredNewUser = authSession.getAuthNote(AbstractIdpAuthenticator.BROKER_REGISTERED_NEW_USER); + if (Boolean.parseBoolean(isRegisteredNewUser)) { + + logger.debugf("Registered new user '%s' after first login with identity provider '%s'. Identity provider username is '%s' . ", federatedUser.getUsername(), providerId, context.getUsername()); + + context.getIdp().importNewUser(session, realmModel, federatedUser, context); + Set mappers = realmModel.getIdentityProviderMappersByAlias(providerId); + if (mappers != null) { + KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); + for (IdentityProviderMapperModel mapper : mappers) { + IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); + target.importNewUser(session, realmModel, federatedUser, mapper, context); + } + } + + if (context.getIdpConfig().isTrustEmail() && !Validation.isBlank(federatedUser.getEmail()) && !Boolean.parseBoolean(authSession.getAuthNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) { + logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", federatedUser.getUsername(), context.getIdpConfig().getAlias()); + federatedUser.setEmailVerified(true); + } + + event.event(EventType.REGISTER) + .detail(Details.REGISTER_METHOD, "broker") + .detail(Details.EMAIL, federatedUser.getEmail()) + .success(); + + } else { + logger.debugf("Linked existing keycloak user '%s' with identity provider '%s' . Identity provider username is '%s' .", federatedUser.getUsername(), providerId, context.getUsername()); + + event.event(EventType.FEDERATED_IDENTITY_LINK) + .success(); + + updateFederatedIdentity(context, federatedUser); + } + + return finishOrRedirectToPostBrokerLogin(authSession, context, true, clientSessionCode); + + } catch (Exception e) { + return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); + } + } + + + private Response finishOrRedirectToPostBrokerLogin(AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode clientSessionCode) { + String postBrokerLoginFlowId = context.getIdpConfig().getPostBrokerLoginFlowId(); + if (postBrokerLoginFlowId == null) { + + logger.debugf("Skip redirect to postBrokerLogin flow. PostBrokerLogin flow not set for identityProvider '%s'.", context.getIdpConfig().getAlias()); + return afterPostBrokerLoginFlowSuccess(authSession, context, wasFirstBrokerLogin, clientSessionCode); + } else { + + logger.debugf("Redirect to postBrokerLogin flow after authentication with identityProvider '%s'.", context.getIdpConfig().getAlias()); + + authSession.setTimestamp(Time.currentTime()); + + SerializedBrokeredIdentityContext ctx = SerializedBrokeredIdentityContext.serialize(context); + ctx.saveToAuthenticationSession(authSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); + + authSession.setAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN, String.valueOf(wasFirstBrokerLogin)); + + URI redirect = LoginActionsService.postBrokerLoginProcessor(uriInfo) + .build(realmModel.getName()); + return Response.status(302).location(redirect).build(); + } + } + + + // Callback from LoginActionsService after postBrokerLogin flow is finished + @GET + @NoCache + @Path("/after-post-broker-login") + public Response afterPostBrokerLoginFlow(@QueryParam("code") String code) { + ParsedCodeContext parsedCode = parseClientSessionCode(code); + if (parsedCode.response != null) { + return parsedCode.response; + } + AuthenticationSessionModel authenticationSession = parsedCode.clientSessionCode.getClientSession(); + + try { + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); + if (serializedCtx == null) { + throw new IdentityBrokerException("Not found serialized context in clientSession. Note " + PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT + " was null"); + } + BrokeredIdentityContext context = serializedCtx.deserialize(session, authenticationSession); + + String wasFirstBrokerLoginNote = authenticationSession.getAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); + boolean wasFirstBrokerLogin = Boolean.parseBoolean(wasFirstBrokerLoginNote); + + // Ensure the post-broker-login flow was successfully finished + String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + context.getIdpConfig().getAlias(); + String authState = authenticationSession.getAuthNote(authStateNoteKey); + if (!Boolean.parseBoolean(authState)) { + throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished"); + } + + // remove notes + authenticationSession.removeAuthNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT); + authenticationSession.removeAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN); + + return afterPostBrokerLoginFlowSuccess(authenticationSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode); + } catch (IdentityBrokerException e) { + return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); + } + } + + private Response afterPostBrokerLoginFlowSuccess(AuthenticationSessionModel authSession, BrokeredIdentityContext context, boolean wasFirstBrokerLogin, ClientSessionCode clientSessionCode) { + String providerId = context.getIdpConfig().getAlias(); + UserModel federatedUser = authSession.getAuthenticatedUser(); + + if (wasFirstBrokerLogin) { + + String isDifferentBrowser = authSession.getAuthNote(AbstractIdpAuthenticator.IS_DIFFERENT_BROWSER); + if (Boolean.parseBoolean(isDifferentBrowser)) { + new AuthenticationSessionManager(session).removeAuthenticationSession(realmModel, authSession, true); + return session.getProvider(LoginFormsProvider.class) + .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, context.getIdpConfig().getAlias(), context.getUsername()) + .createInfoPage(); + } else { + return finishBrokerAuthentication(context, federatedUser, authSession, providerId); + } + + } else { + + boolean firstBrokerLoginInProgress = (authSession.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); + if (firstBrokerLoginInProgress) { + logger.debugf("Reauthenticated with broker '%s' when linking user '%s' with other broker", context.getIdpConfig().getAlias(), federatedUser.getUsername()); + + UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, authSession); + if (!linkingUser.getId().equals(federatedUser.getId())) { + return redirectToErrorPage(Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername()); + } + + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + authSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, serializedCtx.getIdentityProviderId()); + + return afterFirstBrokerLogin(clientSessionCode); + } else { + return finishBrokerAuthentication(context, federatedUser, authSession, providerId); + } + } + } + + + private Response finishBrokerAuthentication(BrokeredIdentityContext context, UserModel federatedUser, AuthenticationSessionModel authSession, String providerId) { + authSession.setAuthNote(AuthenticationProcessor.BROKER_SESSION_ID, context.getBrokerSessionId()); + authSession.setAuthNote(AuthenticationProcessor.BROKER_USER_ID, context.getBrokerUserId()); + + this.event.user(federatedUser); + + context.getIdp().authenticationFinished(authSession, context); + authSession.setUserSessionNote(Details.IDENTITY_PROVIDER, providerId); + authSession.setUserSessionNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); + + if (isDebugEnabled()) { + logger.debugf("Performing local authentication for user [%s].", federatedUser); + } + + AuthenticationManager.setRolesAndMappersInSession(authSession); + + String nextRequiredAction = AuthenticationManager.nextRequiredAction(session, authSession, clientConnection, request, uriInfo, event); + if (nextRequiredAction != null) { + return AuthenticationManager.redirectToRequiredActions(session, realmModel, authSession, uriInfo, nextRequiredAction); + } else { + event.detail(Details.CODE_ID, authSession.getId()); // todo This should be set elsewhere. find out why tests fail. Don't know where this is supposed to be set + return AuthenticationManager.finishedRequiredActions(session, authSession, null, clientConnection, request, uriInfo, event); + } + } + + + @Override + public Response cancelled(String code) { + ParsedCodeContext parsedCode = parseClientSessionCode(code); + if (parsedCode.response != null) { + return parsedCode.response; + } + ClientSessionCode clientCode = parsedCode.clientSessionCode; + + Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.CONSENT_DENIED); + if (accountManagementFailedLinking != null) { + return accountManagementFailedLinking; + } + + return browserAuthentication(clientCode.getClientSession(), null); + } + + @Override + public Response error(String code, String message) { + ParsedCodeContext parsedCode = parseClientSessionCode(code); + if (parsedCode.response != null) { + return parsedCode.response; + } + ClientSessionCode clientCode = parsedCode.clientSessionCode; + + Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), message); + if (accountManagementFailedLinking != null) { + return accountManagementFailedLinking; + } + + return browserAuthentication(clientCode.getClientSession(), message); + } + + + private boolean shouldPerformAccountLinking(AuthenticationSessionModel authSession, UserSessionModel userSession, String providerId) { + String noteFromSession = authSession.getAuthNote(LINKING_IDENTITY_PROVIDER); + if (noteFromSession == null) { + return false; + } + + boolean linkingValid; + if (userSession == null) { + linkingValid = false; + } else { + String expectedNote = userSession.getId() + authSession.getClient().getClientId() + providerId; + linkingValid = expectedNote.equals(noteFromSession); + } + + if (linkingValid) { + authSession.removeAuthNote(LINKING_IDENTITY_PROVIDER); + return true; + } else { + throw new ErrorPageException(session, Messages.BROKER_LINKING_SESSION_EXPIRED); + } + } + + + private Response performAccountLinking(AuthenticationSessionModel authSession, UserSessionModel userSession, BrokeredIdentityContext context, FederatedIdentityModel newModel, UserModel federatedUser) { + logger.debugf("Will try to link identity provider [%s] to user [%s]", context.getIdpConfig().getAlias(), userSession.getUser().getUsername()); + + this.event.event(EventType.FEDERATED_IDENTITY_LINK); + + + + UserModel authenticatedUser = userSession.getUser(); + authSession.setAuthenticatedUser(authenticatedUser); + + if (federatedUser != null && !authenticatedUser.getId().equals(federatedUser.getId())) { + return redirectToErrorWhenLinkingFailed(authSession, Messages.IDENTITY_PROVIDER_ALREADY_LINKED, context.getIdpConfig().getAlias()); + } + + if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(AccountRoles.MANAGE_ACCOUNT))) { + return redirectToErrorPage(Messages.INSUFFICIENT_PERMISSION); + } + + if (!authenticatedUser.isEnabled()) { + return redirectToErrorWhenLinkingFailed(authSession, Messages.ACCOUNT_DISABLED); + } + + + + if (federatedUser != null) { + if (context.getIdpConfig().isStoreToken()) { + FederatedIdentityModel oldModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel); + if (!ObjectUtil.isEqualOrBothNull(context.getToken(), oldModel.getToken())) { + this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, newModel); + if (isDebugEnabled()) { + logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias()); + } + } + } + } else { + this.session.users().addFederatedIdentity(this.realmModel, authenticatedUser, newModel); + } + context.getIdp().authenticationFinished(authSession, context); + + AuthenticationManager.setRolesAndMappersInSession(authSession); + TokenManager.attachAuthenticationSession(session, userSession, authSession); + + if (isDebugEnabled()) { + logger.debugf("Linking account [%s] from identity provider [%s] to user [%s].", newModel, context.getIdpConfig().getAlias(), authenticatedUser); + } + + this.event.user(authenticatedUser) + .detail(Details.USERNAME, authenticatedUser.getUsername()) + .detail(Details.IDENTITY_PROVIDER, newModel.getIdentityProvider()) + .detail(Details.IDENTITY_PROVIDER_USERNAME, newModel.getUserName()) + .success(); + + // we do this to make sure that the parent IDP is logged out when this user session is complete. + // But for the case when userSession was previously authenticated with broker1 and now is linked to another broker2, we shouldn't override broker1 notes with the broker2 for sure. + // Maybe broker logout should be rather always skiped in case of broker-linking + if (userSession.getNote(Details.IDENTITY_PROVIDER) == null) { + userSession.setNote(Details.IDENTITY_PROVIDER, context.getIdpConfig().getAlias()); + userSession.setNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); + } + + return Response.status(302).location(UriBuilder.fromUri(authSession.getRedirectUri()).build()).build(); + } + + + private Response redirectToErrorWhenLinkingFailed(AuthenticationSessionModel authSession, String message, Object... parameters) { + if (authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) { + return redirectToAccountErrorPage(authSession, message, parameters); + } else { + return redirectToErrorPage(message, parameters); // Should rather redirect to app instead and display error here? + } + } + + + private void updateFederatedIdentity(BrokeredIdentityContext context, UserModel federatedUser) { + FederatedIdentityModel federatedIdentityModel = this.session.users().getFederatedIdentity(federatedUser, context.getIdpConfig().getAlias(), this.realmModel); + + // Skip DB write if tokens are null or equal + updateToken(context, federatedUser, federatedIdentityModel); + context.getIdp().updateBrokeredUser(session, realmModel, federatedUser, context); + Set mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); + if (mappers != null) { + KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); + for (IdentityProviderMapperModel mapper : mappers) { + IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); + target.updateBrokeredUser(session, realmModel, federatedUser, mapper, context); + } + } + + } + + private void updateToken(BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel) { + if (context.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(context.getToken(), federatedIdentityModel.getToken())) { + federatedIdentityModel.setToken(context.getToken()); + + this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel); + + if (isDebugEnabled()) { + logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias()); + } + } + } + + private ParsedCodeContext parseClientSessionCode(String code) { + ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, this.session, this.realmModel, AuthenticationSessionModel.class); + ClientSessionCode clientCode = parseResult.getCode(); + + if (clientCode != null) { + AuthenticationSessionModel authenticationSession = clientCode.getClientSession(); + + ClientModel client = authenticationSession.getClient(); + + if (client != null) { + + logger.debugf("Got authorization code from client [%s].", client.getClientId()); + this.event.client(client); + this.session.getContext().setClient(client); + + if (!clientCode.isValid(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + logger.debugf("Authorization code is not valid. Client session ID: %s, Client session's action: %s", authenticationSession.getId(), authenticationSession.getAction()); + + // Check if error happened during login or during linking from account management + Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.STALE_CODE_ACCOUNT); + Response staleCodeError = (accountManagementFailedLinking != null) ? accountManagementFailedLinking : redirectToErrorPage(Messages.STALE_CODE); + + + return ParsedCodeContext.response(staleCodeError); + } + + if (isDebugEnabled()) { + logger.debugf("Authorization code is valid."); + } + + return ParsedCodeContext.clientSessionCode(clientCode); + } + } + + // TODO:mposolda rather some different page? Maybe "PageExpired" page? + logger.debugf("Authorization code is not valid. Code: %s", code); + Response staleCodeError = redirectToErrorPage(Messages.STALE_CODE); + return ParsedCodeContext.response(staleCodeError); + } + + /** + * If there is a client whose SAML IDP-initiated SSO URL name is set to the + * given {@code clientUrlName}, creates a fresh client session for that + * client and returns a {@link ParsedCodeContext} object with that session. + * Otherwise returns "client not found" response. + * + * @param clientUrlName + * @return see description + */ + private ParsedCodeContext samlIdpInitiatedSSO(final String clientUrlName) { + event.event(EventType.LOGIN); + CacheControlUtil.noBackButtonCacheControlHeader(); + Optional oClient = this.realmModel.getClients().stream() + .filter(c -> Objects.equals(c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME), clientUrlName)) + .findFirst(); + + if (! oClient.isPresent()) { + event.error(Errors.CLIENT_NOT_FOUND); + return ParsedCodeContext.response(redirectToErrorPage(Messages.CLIENT_NOT_FOUND)); + } + + SamlService samlService = new SamlService(realmModel, event); + AuthenticationSessionModel authSession = samlService.getOrCreateLoginSessionForIdpInitiatedSso(session, realmModel, oClient.get(), null); + + return ParsedCodeContext.clientSessionCode(new ClientSessionCode<>(session, this.realmModel, authSession)); + } + + private Response checkAccountManagementFailedLinking(AuthenticationSessionModel authSession, String error, Object... parameters) { + UserSessionModel userSession = new AuthenticationSessionManager(session).getUserSession(authSession); + if (userSession != null && authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) { + + this.event.event(EventType.FEDERATED_IDENTITY_LINK); + UserModel user = userSession.getUser(); + this.event.user(user); + this.event.detail(Details.USERNAME, user.getUsername()); + + return redirectToAccountErrorPage(authSession, error, parameters); + } else { + return null; + } + } + + private AuthenticationRequest createAuthenticationRequest(String providerId, ClientSessionCode clientSessionCode) { + AuthenticationSessionModel authSession = null; + String relayState = null; + + if (clientSessionCode != null) { + authSession = clientSessionCode.getClientSession(); + relayState = clientSessionCode.getCode(); + } + + return new AuthenticationRequest(this.session, this.realmModel, authSession, this.request, this.uriInfo, relayState, getRedirectUri(providerId)); + } + + private String getRedirectUri(String providerId) { + return Urls.identityProviderAuthnResponse(this.uriInfo.getBaseUri(), providerId, this.realmModel.getName()).toString(); + } + + private Response redirectToErrorPage(String message, Object ... parameters) { + return redirectToErrorPage(message, null, parameters); + } + + private Response redirectToErrorPage(String message, Throwable throwable, Object ... parameters) { + if (message == null) { + message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; + } + + fireErrorEvent(message, throwable); + + if (throwable != null && throwable instanceof WebApplicationException) { + WebApplicationException webEx = (WebApplicationException) throwable; + return webEx.getResponse(); + } + + return ErrorPage.error(this.session, message, parameters); + } + + private Response redirectToAccountErrorPage(AuthenticationSessionModel authSession, String message, Object ... parameters) { + fireErrorEvent(message); + + FormMessage errorMessage = new FormMessage(message, parameters); + try { + String serializedError = JsonSerialization.writeValueAsString(errorMessage); + authSession.setAuthNote(AccountService.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, serializedError); + } catch (IOException ioe) { + throw new RuntimeException(ioe); + } + + return Response.status(302).location(UriBuilder.fromUri(authSession.getRedirectUri()).build()).build(); + } + + private Response redirectToLoginPage(Throwable t, ClientSessionCode clientCode) { + String message = t.getMessage(); + + if (message == null) { + message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; + } + + fireErrorEvent(message); + return browserAuthentication(clientCode.getClientSession(), message); + } + + protected Response browserAuthentication(AuthenticationSessionModel authSession, String errorMessage) { + this.event.event(EventType.LOGIN); + AuthenticationFlowModel flow = realmModel.getBrowserFlow(); + String flowId = flow.getId(); + AuthenticationProcessor processor = new AuthenticationProcessor(); + processor.setAuthenticationSession(authSession) + .setFlowPath(LoginActionsService.AUTHENTICATE_PATH) + .setFlowId(flowId) + .setBrowserFlow(true) + .setConnection(clientConnection) + .setEventBuilder(event) + .setRealm(realmModel) + .setSession(session) + .setUriInfo(uriInfo) + .setRequest(request); + if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage)); + + try { + CacheControlUtil.noBackButtonCacheControlHeader(); + return processor.authenticate(); + } catch (Exception e) { + return processor.handleBrowserException(e); + } + } + + + private Response badRequest(String message) { + fireErrorEvent(message); + return ErrorResponse.error(message, Response.Status.BAD_REQUEST); + } + + private Response forbidden(String message) { + fireErrorEvent(message); + return ErrorResponse.error(message, Response.Status.FORBIDDEN); + } public static IdentityProvider getIdentityProvider(KeycloakSession session, RealmModel realm, String alias) { IdentityProviderModel identityProviderModel = realm.getIdentityProviderByAlias(alias); @@ -1017,7 +1167,7 @@ public class IdentityBrokerService { return availableProviders.get(model.getProviderId()); } -/* + private IdentityProviderModel getIdentityProviderConfig(String providerId) { IdentityProviderModel model = this.realmModel.getIdentityProviderByAlias(providerId); if (model == null) { @@ -1073,10 +1223,10 @@ public class IdentityBrokerService { private static class ParsedCodeContext { - private ClientSessionCode clientSessionCode; + private ClientSessionCode clientSessionCode; private Response response; - public static ParsedCodeContext clientSessionCode(ClientSessionCode clientSessionCode) { + public static ParsedCodeContext clientSessionCode(ClientSessionCode clientSessionCode) { ParsedCodeContext ctx = new ParsedCodeContext(); ctx.clientSessionCode = clientSessionCode; return ctx; @@ -1088,5 +1238,5 @@ public class IdentityBrokerService { return ctx; } } - */ + } diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 6792964c74..23fc616fdf 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -29,10 +29,14 @@ import org.keycloak.TokenVerifier.Predicate; import org.keycloak.TokenVerifier.TokenTypeCheck; import org.keycloak.authentication.*; import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; +import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants; +import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; +import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.common.ClientConnection; import org.keycloak.common.VerificationException; import org.keycloak.common.util.ObjectUtil; +import org.keycloak.common.util.Time; import org.keycloak.events.Details; import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; @@ -50,7 +54,9 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.UserConsentModel; import org.keycloak.models.UserModel; +import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.FormMessage; +import org.keycloak.protocol.AuthorizationEndpointBase; import org.keycloak.protocol.LoginProtocol; import org.keycloak.protocol.LoginProtocol.Error; import org.keycloak.protocol.RestartLoginCookie; @@ -62,11 +68,14 @@ import org.keycloak.services.ErrorPage; import org.keycloak.services.ServicesLogger; import org.keycloak.services.Urls; import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; import org.keycloak.services.util.CacheControlUtil; -import org.keycloak.services.util.CookieHelper; +import org.keycloak.services.util.PageExpiredRedirect; +import org.keycloak.services.util.BrowserHistoryHelper; import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.CommonClientSessionModel; import org.keycloak.sessions.CommonClientSessionModel.Action; import javax.ws.rs.Consumes; @@ -76,7 +85,6 @@ import javax.ws.rs.Path; import javax.ws.rs.QueryParam; import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; -import javax.ws.rs.core.Cookie; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; @@ -99,7 +107,6 @@ public class LoginActionsService { private static final Logger logger = Logger.getLogger(LoginActionsService.class); - public static final String ACTION_COOKIE = "KEYCLOAK_ACTION"; public static final String AUTHENTICATE_PATH = "authenticate"; public static final String REGISTRATION_PATH = "registration"; public static final String RESET_CREDENTIALS_PATH = "reset-credentials"; @@ -107,6 +114,10 @@ public class LoginActionsService { public static final String FIRST_BROKER_LOGIN_PATH = "first-broker-login"; public static final String POST_BROKER_LOGIN_PATH = "post-broker-login"; + public static final String RESTART_PATH = "restart"; + + public static final String FORWARDED_ERROR_MESSAGE_NOTE = "forwardedErrorMessage"; + private RealmModel realm; @Context @@ -172,9 +183,9 @@ public class LoginActionsService { } } - private SessionCodeChecks checksForCode(String code, String execution, String flowPath, boolean wantsRestartSession) { - SessionCodeChecks res = new SessionCodeChecks(code, execution, flowPath, wantsRestartSession); - res.initialVerifyCode(); + private SessionCodeChecks checksForCode(String code, String execution, String flowPath) { + SessionCodeChecks res = new SessionCodeChecks(code, execution, flowPath); + res.initialVerify(); return res; } @@ -189,13 +200,11 @@ public class LoginActionsService { private final String code; private final String execution; private final String flowPath; - private final boolean wantsRestartSession; - public SessionCodeChecks(String code, String execution, String flowPath, boolean wantsRestartSession) { + public SessionCodeChecks(String code, String execution, String flowPath) { this.code = code; this.execution = execution; this.flowPath = flowPath; - this.wantsRestartSession = wantsRestartSession; } public AuthenticationSessionModel getAuthenticationSession() { @@ -211,81 +220,109 @@ public class LoginActionsService { } - boolean verifyCode(String requiredAction, ClientSessionCode.ActionType actionType) { + boolean verifyCode(String expectedAction, ClientSessionCode.ActionType actionType) { if (failed()) { return false; } - if (!clientCode.isValidAction(requiredAction)) { + if (!isActionActive(actionType)) { + return false; + } + + if (!clientCode.isValidAction(expectedAction)) { AuthenticationSessionModel authSession = getAuthenticationSession(); if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) { // TODO:mposolda debug or trace - logger.info("Incorrect flow '%s' . User authenticated already. Trying requiredActions now."); - response = AuthenticationManager.nextActionAfterAuthentication(session, authSession, clientConnection, request, uriInfo, event); + logger.info("Incorrect flow '%s' . User authenticated already. Redirecting to requiredActions now."); + response = redirectToRequiredActions(null); return false; - } // TODO:mposolda - /*else if (clientSession.getUserSession() != null && clientSession.getUserSession().getState() == UserSessionModel.State.LOGGED_IN) { - response = session.getProvider(LoginFormsProvider.class) - .setSuccess(Messages.ALREADY_LOGGED_IN) - .createInfoPage(); + } else { + // TODO:mposolda could this happen? Doublecheck if we use other AuthenticationSession.Action besides AUTHENTICATE and REQUIRED_ACTIONS + logger.errorf("Bad action. Expected action '%s', current action '%s'", expectedAction, authSession.getAction()); + response = ErrorPage.error(session, Messages.EXPIRED_CODE); return false; - }*/ + } } - return isActionActive(actionType); - } - - private boolean isValidAction(String requiredAction) { - if (!clientCode.isValidAction(requiredAction)) { - invalidAction(); - return false; - } return true; } - private void invalidAction() { - event.client(getAuthenticationSession().getClient()); - event.error(Errors.INVALID_CODE); - response = ErrorPage.error(session, Messages.INVALID_CODE); - } private boolean isActionActive(ClientSessionCode.ActionType actionType) { if (!clientCode.isActionActive(actionType)) { event.client(getAuthenticationSession().getClient()); event.clone().error(Errors.EXPIRED_CODE); - if (getAuthenticationSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { - AuthenticationSessionModel authSession = getAuthenticationSession(); - AuthenticationProcessor.resetFlow(authSession); - response = processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT); - return false; - } - response = ErrorPage.error(session, Messages.EXPIRED_CODE); + + AuthenticationSessionModel authSession = getAuthenticationSession(); + AuthenticationProcessor.resetFlow(authSession, AUTHENTICATE_PATH); + response = processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT); return false; } return true; } - private boolean initialVerifyCode() { + + private AuthenticationSessionModel initialVerifyAuthSession() { // Basic realm checks if (!checkSsl()) { event.error(Errors.SSL_REQUIRED); response = ErrorPage.error(session, Messages.HTTPS_REQUIRED); - return false; + return null; } if (!realm.isEnabled()) { event.error(Errors.REALM_DISABLED); response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); + return null; + } + + // authenticationSession retrieve + AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(code, session, realm, AuthenticationSessionModel.class); + if (authSession != null) { + return authSession; + } + + // See if we are already authenticated and userSession with same ID exists. + String sessionId = new AuthenticationSessionManager(session).getCurrentAuthenticationSessionId(realm); + if (sessionId != null) { + UserSessionModel userSession = session.sessions().getUserSession(realm, sessionId); + if (userSession != null) { + + LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class) + .setSuccess(Messages.ALREADY_LOGGED_IN); + + ClientModel client = null; + String lastClientUuid = userSession.getNote(AuthenticationManager.LAST_AUTHENTICATED_CLIENT); + if (lastClientUuid != null) { + client = realm.getClientById(lastClientUuid); + } + + if (client != null) { + session.getContext().setClient(client); + } else { + loginForm.setAttribute("skipLink", true); + } + + response = loginForm.createInfoPage(); + return null; + } + } + + // Otherwise just try to restart from the cookie + response = restartAuthenticationSessionFromCookie(); + return null; + } + + + private boolean initialVerify() { + // Basic realm checks and authenticationSession retrieve + AuthenticationSessionModel authSession = initialVerifyAuthSession(); + if (authSession == null) { return false; } - // authenticationSession retrieve and check if we need session restart - AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(code, session, realm, AuthenticationSessionModel.class); - if (authSession == null) { - response = restartAuthenticationSession(false); - return false; - } - if (wantsRestartSession) { - response = restartAuthenticationSession(true); + // Check cached response from previous action request + response = BrowserHistoryHelper.getInstance().loadSavedResponse(session, authSession); + if (response != null) { return false; } @@ -309,16 +346,16 @@ public class LoginActionsService { // Check if it's action or not if (code == null) { - String lastExecFromSession = authSession.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION); + String lastExecFromSession = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); String lastFlow = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); // Check if we transitted between flows (eg. clicking "register" on login screen) if (execution==null && !flowPath.equals(lastFlow)) { logger.infof("Transition between flows! Current flow: %s, Previous flow: %s", flowPath, lastFlow); - if (lastFlow == null || isFlowTransitionAllowed(lastFlow)) { + if (lastFlow == null || isFlowTransitionAllowed(flowPath, lastFlow)) { authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath); - authSession.removeAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION); + authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); lastExecFromSession = null; } } @@ -329,8 +366,7 @@ public class LoginActionsService { actionRequest = false; return true; } else { - logger.info("Redirecting to page expired page."); - response = showPageExpired(flowPath, authSession); + response = showPageExpired(authSession); return false; } } else { @@ -339,13 +375,15 @@ public class LoginActionsService { if (clientCode == null) { // In case that is replayed action, but sent to the same FORM like actual FORM, we just re-render the page - if (ObjectUtil.isEqualOrBothNull(execution, authSession.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION))) { + if (ObjectUtil.isEqualOrBothNull(execution, authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION))) { String latestFlowPath = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); URI redirectUri = getLastExecutionUrl(latestFlowPath, execution); + logger.infof("Invalid action code, but execution matches. So just redirecting to %s", redirectUri); + authSession.setAuthNote(FORWARDED_ERROR_MESSAGE_NOTE, Messages.EXPIRED_ACTION); response = Response.status(Response.Status.FOUND).location(redirectUri).build(); } else { - response = showPageExpired(flowPath, authSession); + response = showPageExpired(authSession); } return false; } @@ -357,38 +395,32 @@ public class LoginActionsService { } } - private boolean isFlowTransitionAllowed(String lastFlow) { - if (flowPath.equals(AUTHENTICATE_PATH) && (lastFlow.equals(REGISTRATION_PATH) || lastFlow.equals(RESET_CREDENTIALS_PATH))) { - return true; - } - - if (flowPath.equals(REGISTRATION_PATH) && (lastFlow.equals(AUTHENTICATE_PATH))) { - return true; - } - - if (flowPath.equals(RESET_CREDENTIALS_PATH) && (lastFlow.equals(AUTHENTICATE_PATH))) { - return true; - } - - return false; - } public boolean verifyRequiredAction(String executedAction) { if (failed()) { return false; } - if (!isValidAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name())) return false; + if (!clientCode.isValidAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name())) { + // TODO:mposolda debug or trace + logger.infof("Expected required action, but session action is '%s' . Showing expired page now.", getAuthenticationSession().getAction()); + event.client(getAuthenticationSession().getClient()); + event.error(Errors.INVALID_CODE); + + response = showPageExpired(getAuthenticationSession()); + + return false; + } + if (!isActionActive(ClientSessionCode.ActionType.USER)) return false; final AuthenticationSessionModel authSession = getAuthenticationSession(); if (actionRequest) { - String currentRequiredAction = authSession.getAuthNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); + String currentRequiredAction = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); if (executedAction == null || !executedAction.equals(currentRequiredAction)) { logger.debug("required action doesn't match current required action"); - authSession.removeAuthNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); - response = redirectToRequiredActions(currentRequiredAction, authSession); + response = redirectToRequiredActions(currentRequiredAction); return false; } } @@ -397,8 +429,33 @@ public class LoginActionsService { } - protected Response restartAuthenticationSession(boolean managedRestart) { - logger.infof("Login restart requested or authentication session not found. Trying to restart from cookie. Managed restart: %s", managedRestart); + public static boolean isFlowTransitionAllowed(String currentFlow, String previousFlow) { + if (currentFlow.equals(AUTHENTICATE_PATH) && (previousFlow.equals(REGISTRATION_PATH) || previousFlow.equals(RESET_CREDENTIALS_PATH))) { + return true; + } + + if (currentFlow.equals(REGISTRATION_PATH) && (previousFlow.equals(AUTHENTICATE_PATH))) { + return true; + } + + if (currentFlow.equals(RESET_CREDENTIALS_PATH) && (previousFlow.equals(AUTHENTICATE_PATH) || previousFlow.equals(FIRST_BROKER_LOGIN_PATH))) { + return true; + } + + if (currentFlow.equals(FIRST_BROKER_LOGIN_PATH) && (previousFlow.equals(AUTHENTICATE_PATH) || previousFlow.equals(POST_BROKER_LOGIN_PATH))) { + return true; + } + + if (currentFlow.equals(POST_BROKER_LOGIN_PATH) && (previousFlow.equals(AUTHENTICATE_PATH) || previousFlow.equals(FIRST_BROKER_LOGIN_PATH))) { + return true; + } + + return false; + } + + + protected Response restartAuthenticationSessionFromCookie() { + logger.info("Authentication session not found. Trying to restart from cookie."); AuthenticationSessionModel authSession = null; try { authSession = RestartLoginCookie.restartSession(session, realm); @@ -409,17 +466,20 @@ public class LoginActionsService { if (authSession != null) { event.clone(); + event.detail(Details.RESTART_AFTER_TIMEOUT, "true"); + event.error(Errors.EXPIRED_CODE); - String warningMessage = null; - if (managedRestart) { - event.detail(Details.RESTART_REQUESTED, "true"); - } else { - event.detail(Details.RESTART_AFTER_TIMEOUT, "true"); - warningMessage = Messages.LOGIN_TIMEOUT; + String warningMessage = Messages.LOGIN_TIMEOUT; + authSession.setAuthNote(FORWARDED_ERROR_MESSAGE_NOTE, warningMessage); + + String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW); + if (flowPath == null) { + flowPath = AUTHENTICATE_PATH; } - event.error(Errors.EXPIRED_CODE); - return processFlow(false, null, authSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), warningMessage, new AuthenticationProcessor()); + URI redirectUri = getLastExecutionUrl(flowPath, null); + logger.infof("Authentication session restart from cookie succeeded. Redirecting to %s", redirectUri); + return Response.status(Response.Status.FOUND).location(redirectUri).build(); } else { event.error(Errors.INVALID_CODE); return ErrorPage.error(session, Messages.INVALID_CODE); @@ -427,29 +487,50 @@ public class LoginActionsService { } - protected Response showPageExpired(String flowPath, AuthenticationSessionModel authSession) { - String executionId = authSession==null ? null : authSession.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION); - String latestFlowPath = authSession==null ? flowPath : authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); - URI lastStepUrl = getLastExecutionUrl(latestFlowPath, executionId); - - logger.infof("Redirecting to 'page expired' now. Will use URL: %s", lastStepUrl); - - return session.getProvider(LoginFormsProvider.class) - .setActionUri(lastStepUrl) - .createLoginExpiredPage(); + protected Response showPageExpired(AuthenticationSessionModel authSession) { + return new PageExpiredRedirect(session, realm, uriInfo) + .showPageExpired(authSession); } protected URI getLastExecutionUrl(String flowPath, String executionId) { - UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo) - .path(flowPath); - - if (executionId != null) { - uriBuilder.queryParam("execution", executionId); - } - return uriBuilder.build(realm.getName()); + return new PageExpiredRedirect(session, realm, uriInfo) + .getLastExecutionUrl(flowPath, executionId); } + + /** + * protocol independent page for restart of the flow + * + * @return + */ + @Path(RESTART_PATH) + @GET + public Response restartSession() { + event.event(EventType.RESTART_AUTHENTICATION); + SessionCodeChecks checks = new SessionCodeChecks(null, null, null); + + AuthenticationSessionModel authSession = checks.initialVerifyAuthSession(); + if (authSession == null) { + return checks.response; + } + + String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW); + if (flowPath == null) { + flowPath = AUTHENTICATE_PATH; + } + + AuthenticationProcessor.resetFlow(authSession, flowPath); + + // TODO:mposolda Check it's better to put it to AuthenticationProcessor.resetFlow (with consider of brokering) + authSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name()); + + URI redirectUri = getLastExecutionUrl(flowPath, null); + logger.infof("Flow restart requested. Redirecting to %s", redirectUri); + return Response.status(Response.Status.FOUND).location(redirectUri).build(); + } + + /** * protocol independent login page entry point * @@ -459,13 +540,10 @@ public class LoginActionsService { @Path(AUTHENTICATE_PATH) @GET public Response authenticate(@QueryParam("code") String code, - @QueryParam("execution") String execution, - @QueryParam("restart") String restart) { + @QueryParam("execution") String execution) { event.event(EventType.LOGIN); - boolean wantsSessionRestart = Boolean.parseBoolean(restart); - - SessionCodeChecks checks = checksForCode(code, execution, AUTHENTICATE_PATH, wantsSessionRestart); + SessionCodeChecks checks = checksForCode(code, execution, AUTHENTICATE_PATH); if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } @@ -491,17 +569,31 @@ public class LoginActionsService { .setSession(session) .setUriInfo(uriInfo) .setRequest(request); - if (errorMessage != null) processor.setForwardedErrorMessage(new FormMessage(null, errorMessage)); + if (errorMessage != null) { + processor.setForwardedErrorMessage(new FormMessage(null, errorMessage)); + } + // Check the forwarded error message, which was set by previous HTTP request + String forwardedErrorMessage = authSession.getAuthNote(FORWARDED_ERROR_MESSAGE_NOTE); + if (forwardedErrorMessage != null) { + authSession.removeAuthNote(FORWARDED_ERROR_MESSAGE_NOTE); + processor.setForwardedErrorMessage(new FormMessage(null, forwardedErrorMessage)); + } + + + Response response; try { if (action) { - return processor.authenticationAction(execution); + response = processor.authenticationAction(execution); } else { - return processor.authenticate(); + response = processor.authenticate(); } } catch (Exception e) { - return processor.handleBrowserException(e); + response = processor.handleBrowserException(e); + authSession = processor.getAuthenticationSession(); // Could be changed (eg. Forked flow) } + + return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(session, authSession, response, action); } /** @@ -514,7 +606,7 @@ public class LoginActionsService { @POST public Response authenticateForm(@QueryParam("code") String code, @QueryParam("execution") String execution) { - return authenticate(code, execution, null); + return authenticate(code, execution); } @Path(RESET_CREDENTIALS_PATH) @@ -538,7 +630,6 @@ public class LoginActionsService { /** * Verifies that the authentication session has not yet been converted to user session, in other words * that the user has not yet completed authentication and logged in. - * @param t token */ private class IsAuthenticationSessionNotConvertedToUserSession implements Predicate { @@ -587,13 +678,13 @@ public class LoginActionsService { if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); - session.authenticationSessions().removeAuthenticationSession(realm, authenticationSession); + new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authenticationSession, true); throw new LoginActionsServiceException(ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER)); } if (! client.isEnabled()) { event.error(Errors.CLIENT_NOT_FOUND); - session.authenticationSessions().removeAuthenticationSession(realm, authenticationSession); + new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authenticationSession, true); throw new LoginActionsServiceException(ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED)); } @@ -637,7 +728,7 @@ public class LoginActionsService { } if (authSession == null) { // timeout or logged-already (NOPE - this is handled by IsAuthenticationSessionNotConvertedToUserSession) - throw new LoginActionsServiceException(restartAuthenticationSession(false)); + throw new LoginActionsServiceException(restartAuthenticationSessionFromCookie()); } event @@ -653,7 +744,6 @@ public class LoginActionsService { /** * This check verifies that if the token has not authentication session set, a new authentication session is introduced * for the given client and reset-credentials flow is started with this new session. - * @param */ private class ResetCredsIntroduceAuthenticationSessionIfNotSet implements Predicate { @@ -702,7 +792,7 @@ public class LoginActionsService { if (authSession != null && ! Objects.equals(authSession.getAction(), this.expectedAction.name())) { if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) { - throw new LoginActionsServiceException(redirectToRequiredActions(null, authSession)); + throw new LoginActionsServiceException(redirectToRequiredActions(null)); } } @@ -723,12 +813,14 @@ public class LoginActionsService { public Response resetCredentialsGET(@QueryParam("code") String code, @QueryParam("execution") String execution, @QueryParam(Constants.KEY) String key) { + event.event(EventType.RESET_PASSWORD); + if (code != null && key != null) { // TODO:mposolda better handling of error throw new IllegalStateException("Illegal state"); } - AuthenticationSessionModel authSession = session.authenticationSessions().getCurrentAuthenticationSession(realm); + AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm); // we allow applications to link to reset credentials without going through OAuth or SAML handshakes if (authSession == null && key == null && code == null) { @@ -755,15 +847,15 @@ public class LoginActionsService { // set up the account service as the endpoint to call. ClientModel client = realm.getClientByClientId(clientId); - authSession = session.authenticationSessions().createAuthenticationSession(realm, client, true); + authSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, true); authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); //authSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); + String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); // TODO:mposolda It seems that this should be taken from client rather then hardcoded to account? authSession.setRedirectUri(redirectUri); - authSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); - authSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); - authSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + authSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); + authSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); + authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); return authSession; } @@ -776,7 +868,7 @@ public class LoginActionsService { */ protected Response resetCredentials(String code, String execution) { event.event(EventType.RESET_PASSWORD); - SessionCodeChecks checks = checksForCode(code, execution, RESET_CREDENTIALS_PATH, false); + SessionCodeChecks checks = checksForCode(code, execution, RESET_CREDENTIALS_PATH); if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) { return checks.response; } @@ -835,7 +927,7 @@ public class LoginActionsService { .client(token.getAuthenticationSession().getClient()) .error(Errors.EXPIRED_CODE); AuthenticationSessionModel authSession = token.getAuthenticationSession(); - AuthenticationProcessor.resetFlow(authSession); + AuthenticationProcessor.resetFlow(authSession, AUTHENTICATE_PATH); return processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT); } @@ -866,8 +958,7 @@ public class LoginActionsService { if (!isSameBrowser(authSession)) { logger.debug("Action request processed in different browser."); - // TODO:mposolda improve this. The code should be merged with the InfinispanLoginSessionProvider code and rather extracted from the infinispan provider - setAuthSessionCookie(authSession.getId()); + new AuthenticationSessionManager(session).setAuthSessionCookie(authSession.getId(), realm); authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); } @@ -878,7 +969,7 @@ public class LoginActionsService { // Verify if action is processed in same browser. private boolean isSameBrowser(AuthenticationSessionModel actionTokenSession) { - String cookieSessionId = session.authenticationSessions().getCurrentAuthenticationSessionId(realm); + String cookieSessionId = new AuthenticationSessionManager(session).getCurrentAuthenticationSessionId(realm); if (cookieSessionId == null) { return false; @@ -901,11 +992,12 @@ public class LoginActionsService { if (actionTokenSession.getId().equals(parentSessionId)) { // It's the correct browser. Let's remove forked session as we won't continue from the login form (browser flow) but from the resetCredentialsByToken flow - session.authenticationSessions().removeAuthenticationSession(realm, forkedSession); + // Don't expire KC_RESTART cookie at this point + new AuthenticationSessionManager(session).removeAuthenticationSession(realm, forkedSession, false); logger.infof("Removed forked session: %s", forkedSession.getId()); // Refresh browser cookie - setAuthSessionCookie(parentSessionId); + new AuthenticationSessionManager(session).setAuthSessionCookie(parentSessionId, realm); return true; } else { @@ -913,16 +1005,6 @@ public class LoginActionsService { } } - // TODO:mposolda improve this. The code should be merged with the InfinispanLoginSessionProvider code and rather extracted from the infinispan provider - private void setAuthSessionCookie(String authSessionId) { - logger.infof("Set browser cookie to %s", authSessionId); - - String cookiePath = CookieHelper.getRealmCookiePath(realm); - boolean sslRequired = realm.getSslRequired().isRequired(session.getContext().getConnection()); - CookieHelper.addCookie("AUTH_SESSION_ID", authSessionId, cookiePath, null, null, -1, sslRequired, true); - } - - protected Response processResetCredentials(boolean actionRequest, String execution, AuthenticationSessionModel authSession, String errorMessage) { AuthenticationProcessor authProcessor = new AuthenticationProcessor() { @@ -937,11 +1019,13 @@ public class LoginActionsService { return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, authenticationSession.getAuthenticatedUser().getUsername(), linkingUser.getUsername()); } - logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login.", linkingUser.getUsername()); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + authSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, serializedCtx.getIdentityProviderId()); - // TODO:mposolda Isn't this a bug that we redirect to 'afterBrokerLoginEndpoint' without rather continue with firstBrokerLogin and other authenticators like OTP? - //return redirectToAfterBrokerLoginEndpoint(authSession, true); - return null; + logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login with identity provider '%s'.", + linkingUser.getUsername(), serializedCtx.getIdentityProviderId()); + + return redirectToAfterBrokerLoginEndpoint(authSession, true); } else { return super.authenticationComplete(); } @@ -992,7 +1076,7 @@ public class LoginActionsService { return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED); } - SessionCodeChecks checks = checksForCode(code, execution, REGISTRATION_PATH, false); + SessionCodeChecks checks = checksForCode(code, execution, REGISTRATION_PATH); if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } @@ -1008,55 +1092,56 @@ public class LoginActionsService { return processRegistration(checks.actionRequest, execution, clientSession, null); } - // TODO:mposolda broker login -/* + @Path(FIRST_BROKER_LOGIN_PATH) @GET public Response firstBrokerLoginGet(@QueryParam("code") String code, @QueryParam("execution") String execution) { - return brokerLoginFlow(code, execution, true); + return brokerLoginFlow(code, execution, FIRST_BROKER_LOGIN_PATH); } @Path(FIRST_BROKER_LOGIN_PATH) @POST public Response firstBrokerLoginPost(@QueryParam("code") String code, @QueryParam("execution") String execution) { - return brokerLoginFlow(code, execution, true); + return brokerLoginFlow(code, execution, FIRST_BROKER_LOGIN_PATH); } @Path(POST_BROKER_LOGIN_PATH) @GET public Response postBrokerLoginGet(@QueryParam("code") String code, @QueryParam("execution") String execution) { - return brokerLoginFlow(code, execution, false); + return brokerLoginFlow(code, execution, POST_BROKER_LOGIN_PATH); } @Path(POST_BROKER_LOGIN_PATH) @POST public Response postBrokerLoginPost(@QueryParam("code") String code, @QueryParam("execution") String execution) { - return brokerLoginFlow(code, execution, false); + return brokerLoginFlow(code, execution, POST_BROKER_LOGIN_PATH); } - protected Response brokerLoginFlow(String code, String execution, final boolean firstBrokerLogin) { + protected Response brokerLoginFlow(String code, String execution, String flowPath) { + boolean firstBrokerLogin = flowPath.equals(FIRST_BROKER_LOGIN_PATH); + EventType eventType = firstBrokerLogin ? EventType.IDENTITY_PROVIDER_FIRST_LOGIN : EventType.IDENTITY_PROVIDER_POST_LOGIN; event.event(eventType); - SessionCodeChecks checks = checksForCode(code); + SessionCodeChecks checks = checksForCode(code, execution, flowPath); if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { return checks.response; } event.detail(Details.CODE_ID, code); - final ClientSessionModel clientSessionn = checks.getClientSession(); + final AuthenticationSessionModel authSession = checks.getAuthenticationSession(); String noteKey = firstBrokerLogin ? AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE : PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT; - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSessionn, noteKey); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, noteKey); if (serializedCtx == null) { ServicesLogger.LOGGER.notFoundSerializedCtxInClientSession(noteKey); throw new WebApplicationException(ErrorPage.error(session, "Not found serialized context in clientSession.")); } - BrokeredIdentityContext brokerContext = serializedCtx.deserialize(session, clientSessionn); + BrokeredIdentityContext brokerContext = serializedCtx.deserialize(session, authSession); final String identityProviderAlias = brokerContext.getIdpConfig().getAlias(); String flowId = firstBrokerLogin ? brokerContext.getIdpConfig().getFirstBrokerLoginFlowId() : brokerContext.getIdpConfig().getPostBrokerLoginFlowId(); @@ -1078,23 +1163,24 @@ public class LoginActionsService { @Override protected Response authenticationComplete() { - if (!firstBrokerLogin) { + if (firstBrokerLogin) { + authSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, identityProviderAlias); + } else { String authStateNoteKey = PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + identityProviderAlias; - clientSessionn.setNote(authStateNoteKey, "true"); + authSession.setAuthNote(authStateNoteKey, "true"); } - return redirectToAfterBrokerLoginEndpoint(clientSession, firstBrokerLogin); + return redirectToAfterBrokerLoginEndpoint(authSession, firstBrokerLogin); } }; - String flowPath = firstBrokerLogin ? FIRST_BROKER_LOGIN_PATH : POST_BROKER_LOGIN_PATH; - return processFlow(execution, clientSessionn, flowPath, brokerLoginFlow, null, processor); + return processFlow(checks.actionRequest, execution, authSession, flowPath, brokerLoginFlow, null, processor); } - private Response redirectToAfterBrokerLoginEndpoint(ClientSessionModel clientSession, boolean firstBrokerLogin) { - ClientSessionCode accessCode = new ClientSessionCode(session, realm, clientSession); - clientSession.setTimestamp(Time.currentTime()); + private Response redirectToAfterBrokerLoginEndpoint(AuthenticationSessionModel authSession, boolean firstBrokerLogin) { + ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authSession); + authSession.setTimestamp(Time.currentTime()); URI redirect = firstBrokerLogin ? Urls.identityProviderAfterFirstBrokerLogin(uriInfo.getBaseUri(), realm.getName(), accessCode.getCode()) : Urls.identityProviderAfterPostBrokerLogin(uriInfo.getBaseUri(), realm.getName(), accessCode.getCode()) ; @@ -1102,7 +1188,7 @@ public class LoginActionsService { return Response.status(302).location(redirect).build(); } -*/ + /** * OAuth grant page. You should not invoked this directly! @@ -1116,7 +1202,7 @@ public class LoginActionsService { public Response processConsent(final MultivaluedMap formData) { event.event(EventType.LOGIN); String code = formData.getFirst("code"); - SessionCodeChecks checks = checksForCode(code, null, REQUIRED_ACTION, false); + SessionCodeChecks checks = checksForCode(code, null, REQUIRED_ACTION); if (!checks.verifyRequiredAction(ClientSessionModel.Action.OAUTH_GRANT.name())) { return checks.response; } @@ -1159,7 +1245,6 @@ public class LoginActionsService { event.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED); event.success(); - // TODO:mposolda So assume that requiredActions were already done in this stage. Doublecheck... AuthenticatedClientSessionModel clientSession = AuthenticationProcessor.attachSession(authSession, null, session, realm, clientConnection, event); return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, authSession.getProtocol()); } @@ -1276,27 +1361,12 @@ public class LoginActionsService { return null; } - private String getActionCookie() { - return getActionCookie(headers, realm, uriInfo, clientConnection); - } - - public static String getActionCookie(HttpHeaders headers, RealmModel realm, UriInfo uriInfo, ClientConnection clientConnection) { - Cookie cookie = headers.getCookies().get(ACTION_COOKIE); - AuthenticationManager.expireCookie(realm, ACTION_COOKIE, AuthenticationManager.getRealmCookiePath(realm, uriInfo), realm.getSslRequired().isRequired(clientConnection), clientConnection); - return cookie != null ? cookie.getValue() : null; - } - - // TODO: Remove this method. We will be able to use login-session-cookie - public static void createActionCookie(RealmModel realm, UriInfo uriInfo, ClientConnection clientConnection, String sessionId) { - CookieHelper.addCookie(ACTION_COOKIE, sessionId, AuthenticationManager.getRealmCookiePath(realm, uriInfo), null, null, -1, realm.getSslRequired().isRequired(clientConnection), true); - } - private void initLoginEvent(AuthenticationSessionModel authSession) { - String responseType = authSession.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); + String responseType = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); if (responseType == null) { responseType = "code"; } - String respMode = authSession.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); + String respMode = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM); OIDCResponseMode responseMode = OIDCResponseMode.parse(respMode, OIDCResponseType.parse(responseType)); event.event(EventType.LOGIN).client(authSession.getClient()) @@ -1345,7 +1415,9 @@ public class LoginActionsService { } private Response processRequireAction(final String code, String action) { - SessionCodeChecks checks = checksForCode(code, action, REQUIRED_ACTION, false); + event.event(EventType.CUSTOM_REQUIRED_ACTION); + + SessionCodeChecks checks = checksForCode(code, action, REQUIRED_ACTION); if (!checks.verifyRequiredAction(action)) { return checks.response; } @@ -1375,21 +1447,24 @@ public class LoginActionsService { throw new RuntimeException("Cannot call ignore within processAction()"); } }; + + Response response; provider.processAction(context); + + authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, action); + if (context.getStatus() == RequiredActionContext.Status.SUCCESS) { event.clone().success(); initLoginEvent(authSession); event.event(EventType.LOGIN); authSession.removeRequiredAction(factory.getId()); authSession.getAuthenticatedUser().removeRequiredAction(factory.getId()); - authSession.removeAuthNote(AuthenticationManager.CURRENT_REQUIRED_ACTION); + authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); - return redirectToRequiredActions(action, authSession); - } - if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) { - return context.getChallenge(); - } - if (context.getStatus() == RequiredActionContext.Status.FAILURE) { + response = AuthenticationManager.nextActionAfterAuthentication(session, authSession, clientConnection, request, uriInfo, event); + } else if (context.getStatus() == RequiredActionContext.Status.CHALLENGE) { + response = context.getChallenge(); + } else if (context.getStatus() == RequiredActionContext.Status.FAILURE) { LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, authSession.getProtocol()); protocol.setRealm(context.getRealm()) .setHttpHeaders(context.getHttpRequest().getHttpHeaders()) @@ -1397,18 +1472,16 @@ public class LoginActionsService { .setEventBuilder(event); event.detail(Details.CUSTOM_REQUIRED_ACTION, action); - Response response = protocol.sendError(authSession, Error.CONSENT_DENIED); + response = protocol.sendError(authSession, Error.CONSENT_DENIED); event.error(Errors.REJECTED_BY_USER); - return response; - + } else { + throw new RuntimeException("Unreachable"); } - throw new RuntimeException("Unreachable"); + return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(session, authSession, response, true); } - private Response redirectToRequiredActions(String action, AuthenticationSessionModel authSession) { - authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, action); - + private Response redirectToRequiredActions(String action) { UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo) .path(LoginActionsService.REQUIRED_ACTION); diff --git a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java index ab99d5d65c..bb8de2d918 100755 --- a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java +++ b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java @@ -234,16 +234,12 @@ public class RealmsResource { public IdentityBrokerService getBrokerService(final @PathParam("realm") String name) { RealmModel realm = init(name); - // TODO:mposolda - /* IdentityBrokerService brokerService = new IdentityBrokerService(realm); ResteasyProviderFactory.getInstance().injectProperties(brokerService); brokerService.init(); return brokerService; - */ - return null; } @OPTIONS diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java index c04b99e959..fe6fe0ffcc 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java @@ -45,6 +45,7 @@ import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserLoginFailureModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; +import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.ModelToRepresentation; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.provider.ProviderFactory; @@ -332,7 +333,8 @@ public class UsersResource { } EventBuilder event = new EventBuilder(realm, session, clientConnection); - UserSessionModel userSession = session.sessions().createUserSession(realm, user, user.getUsername(), clientConnection.getRemoteAddr(), "impersonate", false, null, null); + String sessionId = KeycloakModelUtils.generateId(); + UserSessionModel userSession = session.sessions().createUserSession(sessionId, realm, user, user.getUsername(), clientConnection.getRemoteAddr(), "impersonate", false, null, null); AuthenticationManager.createLoginCookie(session, realm, userSession.getUser(), userSession, uriInfo, clientConnection); URI redirect = AccountService.accountServiceApplicationPage(uriInfo).build(realm.getName()); Map result = new HashMap<>(); diff --git a/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java b/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java new file mode 100644 index 0000000000..89cda2c6fe --- /dev/null +++ b/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java @@ -0,0 +1,191 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.services.util; + +import java.net.URI; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import javax.ws.rs.core.Response; + +import org.jboss.logging.Logger; +import org.keycloak.models.KeycloakSession; +import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.theme.BrowserSecurityHeaderSetup; +import org.keycloak.utils.MediaType; + +/** + * The point of this is to improve experience of browser history (back/forward/refresh buttons), but ensure there is no more redirects then necessary. + * + * Ideally we want to: + * - Remove all POST requests from browser history, because browsers don't automatically re-send them when click "back" button. POSTS in history causes unfriendly dialogs and browser "Page is expired" pages. + * + * - Keep the browser URL to match the flow and execution from authentication session. This means that browser refresh works fine and show us the correct form. + * + * - Avoid redirects. This is possible with javascript based approach (JavascriptHistoryReplace). The RedirectAfterPostHelper requires one redirect after POST, but works even on browser without javascript and + * on old browsers where "history.replaceState" is unsupported. + * + * @author Marek Posolda + */ +public abstract class BrowserHistoryHelper { + + protected static final Logger logger = Logger.getLogger(BrowserHistoryHelper.class); + + public abstract Response saveResponseAndRedirect(KeycloakSession session, AuthenticationSessionModel authSession, Response response, boolean actionRequest); + + public abstract Response loadSavedResponse(KeycloakSession session, AuthenticationSessionModel authSession); + + + // Always rely on javascript for now + public static BrowserHistoryHelper getInstance() { + return new JavascriptHistoryReplace(); + //return new RedirectAfterPostHelper(); + //return new NoOpHelper(); + } + + + // IMPL + + private static class JavascriptHistoryReplace extends BrowserHistoryHelper { + + private static final Pattern HEAD_END_PATTERN = Pattern.compile(""); + + @Override + public Response saveResponseAndRedirect(KeycloakSession session, AuthenticationSessionModel authSession, Response response, boolean actionRequest) { + if (!actionRequest) { + return response; + } + + // For now, handle just status 200 with String body. See if more is needed... + if (response.getStatus() == 200) { + Object entity = response.getEntity(); + if (entity instanceof String) { + String responseString = (String) entity; + + URI lastExecutionURL = new PageExpiredRedirect(session, session.getContext().getRealm(), session.getContext().getUri()).getLastExecutionUrl(authSession); + + // Inject javascript for history "replaceState" + String responseWithJavascript = responseWithJavascript(responseString, lastExecutionURL.toString()); + + return Response.fromResponse(response).entity(responseWithJavascript).build(); + } + } + + return response; + } + + @Override + public Response loadSavedResponse(KeycloakSession session, AuthenticationSessionModel authSession) { + return null; + } + + + private String responseWithJavascript(String origHtml, String lastExecutionUrl) { + Matcher m = HEAD_END_PATTERN.matcher(origHtml); + + if (m.find()) { + int start = m.start(); + + String javascript = getJavascriptText(lastExecutionUrl); + + return new StringBuilder(origHtml.substring(0, start)) + .append(javascript ) + .append(origHtml.substring(start)) + .toString(); + } else { + return origHtml; + } + } + + private String getJavascriptText(String lastExecutionUrl) { + return new StringBuilder("") + .toString(); + } + + } + + + private static class RedirectAfterPostHelper extends BrowserHistoryHelper { + + private static final String CACHED_RESPONSE = "cached.response"; + + @Override + public Response saveResponseAndRedirect(KeycloakSession session, AuthenticationSessionModel authSession, Response response, boolean actionRequest) { + if (!actionRequest) { + return response; + } + + // For now, handle just status 200 with String body. See if more is needed... + if (response.getStatus() == 200) { + Object entity = response.getEntity(); + if (entity instanceof String) { + String responseString = (String) entity; + authSession.setAuthNote(CACHED_RESPONSE, responseString); + + URI lastExecutionURL = new PageExpiredRedirect(session, session.getContext().getRealm(), session.getContext().getUri()).getLastExecutionUrl(authSession); + + // TODO:mposolda trace + logger.infof("Saved response challenge and redirect to %s", lastExecutionURL); + + return Response.status(302).location(lastExecutionURL).build(); + } + } + + return response; + } + + + @Override + public Response loadSavedResponse(KeycloakSession session, AuthenticationSessionModel authSession) { + String savedResponse = authSession.getAuthNote(CACHED_RESPONSE); + if (savedResponse != null) { + authSession.removeAuthNote(CACHED_RESPONSE); + + // TODO:mposolda trace + logger.infof("Restored previously saved request"); + + Response.ResponseBuilder builder = Response.status(200).type(MediaType.TEXT_HTML_UTF_8).entity(savedResponse); + BrowserSecurityHeaderSetup.headers(builder, session.getContext().getRealm()); // TODO:mposolda cRather all the headers from the saved response should be added here. + return builder.build(); + } + + return null; + } + + } + + + private static class NoOpHelper extends BrowserHistoryHelper { + + @Override + public Response saveResponseAndRedirect(KeycloakSession session, AuthenticationSessionModel authSession, Response response, boolean actionRequest) { + return response; + } + + + @Override + public Response loadSavedResponse(KeycloakSession session, AuthenticationSessionModel authSession) { + return null; + } + + } +} diff --git a/server-spi-private/src/main/java/org/keycloak/services/util/CookieHelper.java b/services/src/main/java/org/keycloak/services/util/CookieHelper.java similarity index 87% rename from server-spi-private/src/main/java/org/keycloak/services/util/CookieHelper.java rename to services/src/main/java/org/keycloak/services/util/CookieHelper.java index 45335478d3..2005695b54 100755 --- a/server-spi-private/src/main/java/org/keycloak/services/util/CookieHelper.java +++ b/services/src/main/java/org/keycloak/services/util/CookieHelper.java @@ -24,6 +24,7 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory; import org.keycloak.common.util.ServerCookie; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; +import org.keycloak.services.managers.AuthenticationManager; import javax.ws.rs.core.Cookie; import javax.ws.rs.core.HttpHeaders; @@ -63,13 +64,4 @@ public class CookieHelper { return cookie != null ? cookie.getValue() : null; } - - public static String getRealmCookiePath(RealmModel realm) { - UriInfo uriInfo = ResteasyProviderFactory.getContextData(UriInfo.class); - UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder(); - URI uri = baseUriBuilder.path("/realms/{realm}").build(realm.getName()); - return uri.getRawPath(); - } - - } diff --git a/services/src/main/java/org/keycloak/services/util/PageExpiredRedirect.java b/services/src/main/java/org/keycloak/services/util/PageExpiredRedirect.java new file mode 100644 index 0000000000..83f0ce52ad --- /dev/null +++ b/services/src/main/java/org/keycloak/services/util/PageExpiredRedirect.java @@ -0,0 +1,90 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.services.util; + +import java.net.URI; + +import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; +import javax.ws.rs.core.UriInfo; + +import org.jboss.logging.Logger; +import org.keycloak.authentication.AuthenticationProcessor; +import org.keycloak.forms.login.LoginFormsProvider; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.protocol.AuthorizationEndpointBase; +import org.keycloak.services.resources.LoginActionsService; +import org.keycloak.sessions.AuthenticationSessionModel; + +/** + * @author Marek Posolda + */ +public class PageExpiredRedirect { + + protected static final Logger logger = Logger.getLogger(PageExpiredRedirect.class); + + private final KeycloakSession session; + private final RealmModel realm; + private final UriInfo uriInfo; + + public PageExpiredRedirect(KeycloakSession session, RealmModel realm, UriInfo uriInfo) { + this.session = session; + this.realm = realm; + this.uriInfo = uriInfo; + } + + + public Response showPageExpired(AuthenticationSessionModel authSession) { + URI lastStepUrl = getLastExecutionUrl(authSession); + + logger.infof("Redirecting to 'page expired' now. Will use last step URL: %s", lastStepUrl); + + return session.getProvider(LoginFormsProvider.class) + .setActionUri(lastStepUrl) + .createLoginExpiredPage(); + } + + + public URI getLastExecutionUrl(String flowPath, String executionId) { + UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo) + .path(flowPath); + + if (executionId != null) { + uriBuilder.queryParam("execution", executionId); + } + return uriBuilder.build(realm.getName()); + } + + + public URI getLastExecutionUrl(AuthenticationSessionModel authSession) { + String executionId = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + String latestFlowPath = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); + + if (latestFlowPath == null) { + latestFlowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW); + } + + if (latestFlowPath == null) { + latestFlowPath = LoginActionsService.AUTHENTICATE_PATH; + } + + return getLastExecutionUrl(latestFlowPath, executionId); + } + +} diff --git a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java index f81abc91ae..a8c42b1726 100755 --- a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java +++ b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java @@ -26,13 +26,13 @@ import org.keycloak.broker.social.SocialIdentityProvider; import org.keycloak.common.ClientConnection; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.services.ErrorPage; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; +import org.keycloak.sessions.AuthenticationSessionModel; import twitter4j.Twitter; import twitter4j.TwitterFactory; import twitter4j.auth.AccessToken; @@ -40,6 +40,7 @@ import twitter4j.auth.RequestToken; import javax.ws.rs.GET; import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.MediaType; @@ -54,6 +55,10 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider { protected static final Logger logger = Logger.getLogger(TwitterIdentityProvider.class); + + private static final String TWITTER_TOKEN = "twitter_token"; + private static final String TWITTER_TOKENSECRET = "twitter_tokenSecret"; + public TwitterIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) { super(session, config); } @@ -72,10 +77,10 @@ public class TwitterIdentityProvider extends AbstractIdentityProviderMarek Posolda + */ +public class LoginExpiredPage extends AbstractPage { + + @FindBy(id = "loginRestartLink") + private WebElement loginRestartLink; + + @FindBy(id = "loginContinueLink") + private WebElement loginContinueLink; + + + public void clickLoginRestartLink() { + loginRestartLink.click(); + } + + public void clickLoginContinueLink() { + loginContinueLink.click(); + } + + + public boolean isCurrent() { + return driver.getTitle().equals("Page has expired"); + } + + public void open() { + throw new UnsupportedOperationException(); + } +} diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/RegisterPage.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/RegisterPage.java index 810ba84105..0fb07bf2cc 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/RegisterPage.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/RegisterPage.java @@ -54,6 +54,9 @@ public class RegisterPage extends AbstractPage { @FindBy(className = "instruction") private WebElement loginInstructionMessage; + @FindBy(linkText = "« Back to Login") + private WebElement backToLoginLink; + public void register(String firstName, String lastName, String email, String username, String password, String passwordConfirm) { firstNameInput.clear(); @@ -125,6 +128,10 @@ public class RegisterPage extends AbstractPage { submitButton.click(); } + public void clickBackToLogin() { + backToLoginLink.click(); + } + public String getError() { return loginErrorMessage != null ? loginErrorMessage.getText() : null; } diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java index 682e745bd7..7489ee2840 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java @@ -41,6 +41,7 @@ import org.keycloak.constants.AdapterConstants; import org.keycloak.jose.jwk.JSONWebKeySet; import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.crypto.RSAProvider; +import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.protocol.oidc.utils.OIDCResponseType; @@ -73,7 +74,7 @@ import java.util.*; */ public class OAuthClient { public static final String SERVER_ROOT = AuthServerTestEnricher.getAuthServerContextRoot(); - public static final String AUTH_SERVER_ROOT = SERVER_ROOT + "/auth"; + public static String AUTH_SERVER_ROOT = SERVER_ROOT + "/auth"; public static final String APP_ROOT = AUTH_SERVER_ROOT + "/realms/master/app"; private static final boolean sslRequired = Boolean.parseBoolean(System.getProperty("auth.server.ssl.required")); @@ -89,7 +90,7 @@ public class OAuthClient { private String redirectUri; - private String state; + private StateParamProvider state; private String scope; @@ -162,7 +163,7 @@ public class OAuthClient { realm = "test"; clientId = "test-app"; redirectUri = APP_ROOT + "/auth"; - state = "mystate"; + state = KeycloakModelUtils::generateId; scope = null; uiLocales = null; clientSessionState = null; @@ -607,6 +608,7 @@ public class OAuthClient { if (redirectUri != null) { b.queryParam(OAuth2Constants.REDIRECT_URI, redirectUri); } + String state = this.state.getState(); if (state != null) { b.queryParam(OAuth2Constants.STATE, state); } @@ -692,8 +694,17 @@ public class OAuthClient { return this; } - public OAuthClient state(String state) { - this.state = state; + public OAuthClient stateParamHardcoded(String value) { + this.state = () -> { + return value; + }; + return this; + } + + public OAuthClient stateParamRandom() { + this.state = () -> { + return KeycloakModelUtils.generateId(); + }; return this; } @@ -927,4 +938,12 @@ public class OAuthClient { return publicKeys.get(realm); } + + private interface StateParamProvider { + + String getState(); + + } + + } \ No newline at end of file diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java index dcc4246733..eba81f4db2 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java @@ -158,7 +158,6 @@ public class AccountTest extends AbstractTestRealmKeycloakTest { @Before public void before() { - oauth.state("mystate"); // keycloak enforces that a state param has been sent by client userId = findUser("test-user@localhost").getId(); // Revert any password policy and user password changes @@ -854,7 +853,6 @@ public class AccountTest extends AbstractTestRealmKeycloakTest { try { OAuthClient oauth2 = new OAuthClient(); oauth2.init(adminClient, driver2); - oauth2.state("mystate"); oauth2.doLogin("view-sessions", "password"); EventRepresentation login2Event = events.expectLogin().user(userId).detail(Details.USERNAME, "view-sessions").assertEvent(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java index eb719d884b..1846d4280e 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java @@ -87,9 +87,6 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo @Before public void before() { - oauth.state("mystate"); // have to set this as keycloak validates that state is sent - - ApiUtil.removeUserByUsername(testRealm(), "test-user@localhost"); UserRepresentation user = UserBuilder.create().enabled(true) .username("test-user@localhost") diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionResetPasswordTest.java index d457b0bcad..1f68b59e21 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionResetPasswordTest.java @@ -59,11 +59,6 @@ public class RequiredActionResetPasswordTest extends AbstractTestRealmKeycloakTe @Page protected LoginPasswordUpdatePage changePasswordPage; - @Before - public void before() { - oauth.state("mystate"); // have to set this as keycloak validates that state is sent - } - @Test public void tempPassword() throws Exception { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractClientInitiatedAccountLinkTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractClientInitiatedAccountLinkTest.java index 72e8c46622..750df031f7 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractClientInitiatedAccountLinkTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractClientInitiatedAccountLinkTest.java @@ -38,10 +38,14 @@ import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest; +import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.arquillian.AuthServerTestEnricher; import org.keycloak.testsuite.broker.BrokerTestTools; import org.keycloak.testsuite.page.AbstractPageWithInjectedUrl; +import org.keycloak.testsuite.pages.AccountUpdateProfilePage; +import org.keycloak.testsuite.pages.ErrorPage; import org.keycloak.testsuite.pages.LoginPage; +import org.keycloak.testsuite.pages.LoginUpdateProfilePage; import org.keycloak.testsuite.pages.UpdateAccountInformationPage; import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.WaitUtils; @@ -72,11 +76,17 @@ public abstract class AbstractClientInitiatedAccountLinkTest extends AbstractSer public static final String PARENT_USERNAME = "parent"; @Page - protected UpdateAccountInformationPage profilePage; + protected LoginUpdateProfilePage loginUpdateProfilePage; + + @Page + protected AccountUpdateProfilePage profilePage; @Page private LoginPage loginPage; + @Page + protected ErrorPage errorPage; + public static class ClientApp extends AbstractPageWithInjectedUrl { public static final String DEPLOYMENT_NAME = "client-linking"; @@ -532,6 +542,92 @@ public abstract class AbstractClientInitiatedAccountLinkTest extends AbstractSer } + + @Test + public void testAccountNotLinkedAutomatically() throws Exception { + RealmResource realm = adminClient.realms().realm(CHILD_IDP); + List links = realm.users().get(childUserId).getFederatedIdentity(); + Assert.assertTrue(links.isEmpty()); + + // Login to account mgmt first + profilePage.open(CHILD_IDP); + WaitUtils.waitForPageToLoad(driver); + + Assert.assertTrue(loginPage.isCurrent(CHILD_IDP)); + loginPage.login("child", "password"); + profilePage.assertCurrent(); + + // Now in another tab, open login screen with "prompt=login" . Login screen will be displayed even if I have SSO cookie + UriBuilder linkBuilder = UriBuilder.fromUri(appPage.getInjectedUrl().toString()) + .path("nosuch"); + String linkUrl = linkBuilder.clone() + .queryParam(OIDCLoginProtocol.PROMPT_PARAM, OIDCLoginProtocol.PROMPT_VALUE_LOGIN) + .build().toString(); + + navigateTo(linkUrl); + Assert.assertTrue(loginPage.isCurrent(CHILD_IDP)); + loginPage.clickSocial(PARENT_IDP); + Assert.assertTrue(loginPage.isCurrent(PARENT_IDP)); + loginPage.login(PARENT_USERNAME, "password"); + + // Test I was not automatically linked. + links = realm.users().get(childUserId).getFederatedIdentity(); + Assert.assertTrue(links.isEmpty()); + + loginUpdateProfilePage.assertCurrent(); + loginUpdateProfilePage.update("Joe", "Doe", "joe@parent.com"); + + errorPage.assertCurrent(); + Assert.assertEquals("You are already authenticated as different user 'child' in this session. Please logout first.", errorPage.getError()); + + logoutAll(); + + // Remove newly created user + String newUserId = ApiUtil.findUserByUsername(realm, "parent").getId(); + getCleanup("child").addUserId(newUserId); + } + + + @Test + public void testAccountLinkingExpired() throws Exception { + RealmResource realm = adminClient.realms().realm(CHILD_IDP); + List links = realm.users().get(childUserId).getFederatedIdentity(); + Assert.assertTrue(links.isEmpty()); + + // Login to account mgmt first + profilePage.open(CHILD_IDP); + WaitUtils.waitForPageToLoad(driver); + + Assert.assertTrue(loginPage.isCurrent(CHILD_IDP)); + loginPage.login("child", "password"); + profilePage.assertCurrent(); + + // Now in another tab, request account linking + UriBuilder linkBuilder = UriBuilder.fromUri(appPage.getInjectedUrl().toString()) + .path("link"); + String linkUrl = linkBuilder.clone() + .queryParam("realm", CHILD_IDP) + .queryParam("provider", PARENT_IDP).build().toString(); + navigateTo(linkUrl); + + Assert.assertTrue(loginPage.isCurrent(PARENT_IDP)); + + // Logout "child" userSession in the meantime (for example through admin request) + realm.logoutAll(); + + // Finish login on parent. + loginPage.login(PARENT_USERNAME, "password"); + + // Test I was not automatically linked + links = realm.users().get(childUserId).getFederatedIdentity(); + Assert.assertTrue(links.isEmpty()); + + errorPage.assertCurrent(); + Assert.assertEquals("Requested broker account linking, but current session is no longer valid.", errorPage.getError()); + + logoutAll(); + } + private void navigateTo(String uri) { driver.navigate().to(uri); WaitUtils.waitForPageToLoad(driver); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java new file mode 100644 index 0000000000..6cbe92f39e --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java @@ -0,0 +1,376 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.forms; + +import java.io.IOException; + +import javax.mail.MessagingException; +import javax.mail.internet.MimeMessage; + +import org.jboss.arquillian.graphene.page.Page; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.keycloak.events.Details; +import org.keycloak.events.Errors; +import org.keycloak.events.EventType; +import org.keycloak.models.UserModel; +import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.representations.idm.UserRepresentation; +import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; +import org.keycloak.testsuite.AssertEvents; +import org.keycloak.testsuite.admin.ApiUtil; +import org.keycloak.testsuite.pages.AppPage; +import org.keycloak.testsuite.pages.ErrorPage; +import org.keycloak.testsuite.pages.InfoPage; +import org.keycloak.testsuite.pages.LoginExpiredPage; +import org.keycloak.testsuite.pages.LoginPage; +import org.keycloak.testsuite.pages.LoginPasswordResetPage; +import org.keycloak.testsuite.pages.LoginPasswordUpdatePage; +import org.keycloak.testsuite.pages.LoginUpdateProfilePage; +import org.keycloak.testsuite.pages.OAuthGrantPage; +import org.keycloak.testsuite.pages.RegisterPage; +import org.keycloak.testsuite.pages.VerifyEmailPage; +import org.keycloak.testsuite.util.GreenMailRule; +import org.keycloak.testsuite.util.OAuthClient; +import org.keycloak.testsuite.util.UserBuilder; + +import static org.junit.Assert.assertEquals; + +/** + * Test for browser back/forward/refresh buttons + * + * @author Marek Posolda + */ +public class BrowserButtonsTest extends AbstractTestRealmKeycloakTest { + + private String userId; + + @Override + public void configureTestRealm(RealmRepresentation testRealm) { + } + + @Before + public void setup() { + UserRepresentation user = UserBuilder.create() + .username("login-test") + .email("login@test.com") + .enabled(true) + .requiredAction(UserModel.RequiredAction.UPDATE_PROFILE.toString()) + .requiredAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString()) + .build(); + + userId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password"); + expectedMessagesCount = 0; + getCleanup().addUserId(userId); + + oauth.clientId("test-app"); + } + + @Rule + public GreenMailRule greenMail = new GreenMailRule(); + + @Page + protected AppPage appPage; + + @Page + protected LoginPage loginPage; + + @Page + protected ErrorPage errorPage; + + @Page + protected InfoPage infoPage; + + @Page + protected VerifyEmailPage verifyEmailPage; + + @Page + protected LoginPasswordResetPage resetPasswordPage; + + @Page + protected LoginPasswordUpdatePage updatePasswordPage; + + @Page + protected LoginUpdateProfilePage updateProfilePage; + + @Page + protected LoginExpiredPage loginExpiredPage; + + @Page + protected RegisterPage registerPage; + + @Page + protected OAuthGrantPage grantPage; + + @Rule + public AssertEvents events = new AssertEvents(this); + + private int expectedMessagesCount; + + + // KEYCLOAK-4670 - Flow 1 + @Test + public void invalidLoginAndBackButton() throws IOException, MessagingException { + loginPage.open(); + + loginPage.login("login-test2", "invalid"); + loginPage.assertCurrent(); + + loginPage.login("login-test3", "invalid"); + loginPage.assertCurrent(); + + // Click browser back. Should be still on login page (TODO: Retest with real browsers like FF or Chrome. Maybe they need some additional actions to confirm re-sending POST request ) + driver.navigate().back(); + loginPage.assertCurrent(); + + // Click browser refresh. Should be still on login page + driver.navigate().refresh(); + loginPage.assertCurrent(); + } + + + // KEYCLOAK-4670 - Flow 2 + @Test + public void requiredActionsBackForwardTest() throws IOException, MessagingException { + loginPage.open(); + + // Login and assert on "updatePassword" page + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + // Update password and assert on "updateProfile" page + updatePasswordPage.changePassword("password", "password"); + updateProfilePage.assertCurrent(); + + // Click browser back. Assert on "Page expired" page + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click browser forward. Assert on "updateProfile" page again + driver.navigate().forward(); + updateProfilePage.assertCurrent(); + + + // Successfully update profile and assert user logged + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + appPage.assertCurrent(); + } + + + // KEYCLOAK-4670 - Flow 3 extended + @Test + public void requiredActionsBackAndRefreshTest() throws IOException, MessagingException { + loginPage.open(); + + // Login and assert on "updatePassword" page + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + // Click browser refresh. Assert still on updatePassword page + driver.navigate().refresh(); + updatePasswordPage.assertCurrent(); + + // Update password and assert on "updateProfile" page + updatePasswordPage.changePassword("password", "password"); + updateProfilePage.assertCurrent(); + + // Click browser back. Assert on "Page expired" page + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click browser refresh. Assert still on "Page expired" page + driver.navigate().refresh(); + loginExpiredPage.assertCurrent(); + + // Click "login restart" and assert on loginPage + loginExpiredPage.clickLoginRestartLink(); + loginPage.assertCurrent(); + + // Login again and assert on "updateProfile" page + loginPage.login("login-test", "password"); + updateProfilePage.assertCurrent(); + + // Click browser back. Assert on "Page expired" page + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click "login continue" and assert on updateProfile page + loginExpiredPage.clickLoginContinueLink(); + updateProfilePage.assertCurrent(); + + // Successfully update profile and assert user logged + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + appPage.assertCurrent(); + } + + + // KEYCLOAK-4670 - Flow 4 + @Test + public void consentRefresh() { + oauth.clientId("third-party"); + + // Login and go through required actions + loginPage.open(); + loginPage.login("login-test", "password"); + updatePasswordPage.changePassword("password", "password"); + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + + // Assert on consent screen + grantPage.assertCurrent(); + + // Click browser back. Assert on "page expired" + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click continue login. Assert on consent screen again + loginExpiredPage.clickLoginContinueLink(); + grantPage.assertCurrent(); + + // Click refresh. Assert still on consent screen + driver.navigate().refresh(); + grantPage.assertCurrent(); + + // Confirm consent. Assert authenticated + grantPage.accept(); + appPage.assertCurrent(); + } + + + // KEYCLOAK-4670 - Flow 5 + @Test + public void clickBackButtonAfterReturnFromRegister() { + loginPage.open(); + loginPage.clickRegister(); + registerPage.assertCurrent(); + + // Click "Back to login" link on registerPage + registerPage.clickBackToLogin(); + loginPage.assertCurrent(); + + // Click browser "back" button. Should be back on register page + driver.navigate().back(); + registerPage.assertCurrent(); + } + + @Test + public void clickBackButtonFromRegisterPage() { + loginPage.open(); + loginPage.clickRegister(); + registerPage.assertCurrent(); + + // Click browser "back" button. Should be back on login page + driver.navigate().back(); + loginPage.assertCurrent(); + } + + + @Test + public void backButtonToAuthorizationEndpoint() { + loginPage.open(); + + // Login and assert on "updatePassword" page + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + // Click browser back. I should be on 'page expired' . URL corresponds to OIDC AuthorizationEndpoint + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click 'restart' link. I should be on login page + loginExpiredPage.clickLoginRestartLink(); + loginPage.assertCurrent(); + } + + + @Test + public void backButtonInResetPasswordFlow() throws Exception { + // Click on "forgot password" and type username + loginPage.open(); + loginPage.resetPassword(); + + resetPasswordPage.assertCurrent(); + + resetPasswordPage.changePassword("login-test"); + + loginPage.assertCurrent(); + assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); + + // Receive email + MimeMessage message = greenMail.getReceivedMessages()[greenMail.getReceivedMessages().length - 1]; + + String changePasswordUrl = ResetPasswordTest.getPasswordResetEmailLink(message); + + driver.navigate().to(changePasswordUrl.trim()); + + updatePasswordPage.assertCurrent(); + + // Click browser back. Should be on 'page expired' + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click 'continue' should be on updatePasswordPage + loginExpiredPage.clickLoginContinueLink(); + updatePasswordPage.assertCurrent(); + + // Click browser back. Should be on 'page expired' + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click 'restart' . Should be on login page + loginExpiredPage.clickLoginRestartLink(); + loginPage.assertCurrent(); + + } + + + @Test + public void appInitiatedRegistrationWithBackButton() throws Exception { + // Send request from the application directly to 'registrations' + String appInitiatedRegisterUrl = oauth.getLoginFormUrl(); + appInitiatedRegisterUrl = appInitiatedRegisterUrl.replace("openid-connect/auth", "openid-connect/registrations"); // Should be done better way... + driver.navigate().to(appInitiatedRegisterUrl); + registerPage.assertCurrent(); + + + // Click 'back to login' + registerPage.clickBackToLogin(); + loginPage.assertCurrent(); + + // Login + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + // Click browser back. Should be on 'page expired' + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click 'continue' should be on updatePasswordPage + loginExpiredPage.clickLoginContinueLink(); + updatePasswordPage.assertCurrent(); + + // Click browser back. Should be on 'page expired' + driver.navigate().back(); + loginExpiredPage.assertCurrent(); + + // Click 'restart' . Check that I was put to the registration page as flow was initiated as registration flow + loginExpiredPage.clickLoginRestartLink(); + registerPage.assertCurrent(); + } + +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java index 63ed003dcb..07006771b3 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java @@ -23,21 +23,26 @@ import org.junit.Test; import org.keycloak.OAuth2Constants; import org.keycloak.admin.client.resource.UserResource; import org.keycloak.events.Details; +import org.keycloak.events.Errors; import org.keycloak.events.EventType; import org.keycloak.models.BrowserSecurityHeaders; +import org.keycloak.models.Constants; import org.keycloak.representations.idm.EventRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; import org.keycloak.testsuite.admin.ApiUtil; +import org.keycloak.testsuite.arquillian.AuthServerTestEnricher; import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.AppPage.RequestType; import org.keycloak.testsuite.pages.ErrorPage; import org.keycloak.testsuite.pages.LoginPage; import org.keycloak.testsuite.pages.LoginPasswordUpdatePage; +import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.UserBuilder; +import org.openqa.selenium.NoSuchElementException; import javax.ws.rs.client.Client; import javax.ws.rs.client.ClientBuilder; @@ -47,6 +52,7 @@ import java.util.Map; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; /** @@ -395,18 +401,7 @@ public class LoginTest extends AbstractTestRealmKeycloakTest { events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent().getSessionId(); } - @Test - public void loginTimeout() { - loginPage.open(); - setTimeOffset(1850); - - loginPage.login("login-test", "password"); - - setTimeOffset(0); - - events.expectLogin().clearDetails().detail(Details.CODE_ID, AssertEvents.isCodeId()).user((String) null).session((String) null).error("expired_code").assertEvent().getSessionId(); - } @Test public void loginLoginHint() { @@ -555,11 +550,33 @@ public class LoginTest extends AbstractTestRealmKeycloakTest { } } + + // Login timeout scenarios + // KEYCLOAK-1037 @Test public void loginExpiredCode() { loginPage.open(); setTimeOffset(5000); + // No explicitly call "removeExpired". Hence authSession will still exists, but will be expired + //testingClient.testing().removeExpired("test"); + + loginPage.login("login@test.com", "password"); + loginPage.assertCurrent(); + + Assert.assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError()); + setTimeOffset(0); + + events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails() + .assertEvent(); + } + + // KEYCLOAK-1037 + @Test + public void loginExpiredCodeWithExplicitRemoveExpired() { + loginPage.open(); + setTimeOffset(5000); + // Explicitly call "removeExpired". Hence authSession won't exist, but will be restarted from the KC_RESTART testingClient.testing().removeExpired("test"); loginPage.login("login@test.com", "password"); @@ -567,13 +584,68 @@ public class LoginTest extends AbstractTestRealmKeycloakTest { //loginPage.assertCurrent(); loginPage.assertCurrent(); - //Assert.assertEquals("Login timeout. Please login again.", loginPage.getError()); + Assert.assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError()); setTimeOffset(0); - events.expectLogin().user((String) null).session((String) null).error("expired_code").clearDetails() + events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails() .detail(Details.RESTART_AFTER_TIMEOUT, "true") .client((String) null) .assertEvent(); } + + @Test + public void loginExpiredCodeAndExpiredCookies() { + loginPage.open(); + + driver.manage().deleteAllCookies(); + + // Cookies are expired including KC_RESTART. No way to continue login. Error page must be shown + loginPage.login("login@test.com", "password"); + errorPage.assertCurrent(); + } + + + + @Test + public void openLoginFormWithDifferentApplication() throws Exception { + // Login form shown after redirect from admin console + oauth.clientId(Constants.ADMIN_CONSOLE_CLIENT_ID); + oauth.redirectUri(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/admin/test/console"); + oauth.openLoginForm(); + + // Login form shown after redirect from app + oauth.clientId("test-app"); + oauth.redirectUri(OAuthClient.APP_ROOT + "/auth"); + oauth.openLoginForm(); + + assertTrue(loginPage.isCurrent()); + loginPage.login("test-user@localhost", "password"); + appPage.assertCurrent(); + + events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent(); + } + + @Test + public void openLoginFormAfterExpiredCode() throws Exception { + oauth.openLoginForm(); + + setTimeOffset(5000); + + oauth.openLoginForm(); + + loginPage.assertCurrent(); + try { + String loginError = loginPage.getError(); + Assert.fail("Not expected to have error on loginForm. Error is: " + loginError); + } catch (NoSuchElementException nsee) { + // Expected + } + + loginPage.login("test-user@localhost", "password"); + appPage.assertCurrent(); + + events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent(); + } + } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LogoutTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LogoutTest.java index db66debfc1..7fc3f743d0 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LogoutTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LogoutTest.java @@ -126,7 +126,7 @@ public class LogoutTest extends AbstractTestRealmKeycloakTest { // Check session 1 not logged-in oauth.openLoginForm(); - assertEquals(oauth.getLoginFormUrl(), driver.getCurrentUrl()); + loginPage.assertCurrent(); // Login session 3 oauth.doLogin("test-user@localhost", "password"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java new file mode 100644 index 0000000000..cec079d674 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java @@ -0,0 +1,248 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.forms; + +import org.jboss.arquillian.graphene.page.Page; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.keycloak.models.UserModel; +import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.representations.idm.UserRepresentation; +import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; +import org.keycloak.testsuite.Assert; +import org.keycloak.testsuite.AssertEvents; +import org.keycloak.testsuite.admin.ApiUtil; +import org.keycloak.testsuite.pages.AppPage; +import org.keycloak.testsuite.pages.ErrorPage; +import org.keycloak.testsuite.pages.InfoPage; +import org.keycloak.testsuite.pages.LoginExpiredPage; +import org.keycloak.testsuite.pages.LoginPage; +import org.keycloak.testsuite.pages.LoginPasswordResetPage; +import org.keycloak.testsuite.pages.LoginPasswordUpdatePage; +import org.keycloak.testsuite.pages.LoginUpdateProfilePage; +import org.keycloak.testsuite.pages.OAuthGrantPage; +import org.keycloak.testsuite.pages.RegisterPage; +import org.keycloak.testsuite.pages.VerifyEmailPage; +import org.keycloak.testsuite.util.GreenMailRule; +import org.keycloak.testsuite.util.UserBuilder; + +/** + * Tries to test multiple browser tabs + * + * @author Marek Posolda + */ +public class MultipleTabsLoginTest extends AbstractTestRealmKeycloakTest { + + private String userId; + + @Override + public void configureTestRealm(RealmRepresentation testRealm) { + } + + @Before + public void setup() { + UserRepresentation user = UserBuilder.create() + .username("login-test") + .email("login@test.com") + .enabled(true) + .requiredAction(UserModel.RequiredAction.UPDATE_PROFILE.toString()) + .requiredAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString()) + .build(); + + userId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password"); + getCleanup().addUserId(userId); + + oauth.clientId("test-app"); + } + + @Rule + public GreenMailRule greenMail = new GreenMailRule(); + + @Page + protected AppPage appPage; + + @Page + protected LoginPage loginPage; + + @Page + protected ErrorPage errorPage; + + @Page + protected InfoPage infoPage; + + @Page + protected VerifyEmailPage verifyEmailPage; + + @Page + protected LoginPasswordResetPage resetPasswordPage; + + @Page + protected LoginPasswordUpdatePage updatePasswordPage; + + @Page + protected LoginUpdateProfilePage updateProfilePage; + + @Page + protected LoginExpiredPage loginExpiredPage; + + @Page + protected RegisterPage registerPage; + + @Page + protected OAuthGrantPage grantPage; + + @Rule + public AssertEvents events = new AssertEvents(this); + + + // Test for scenario when user is logged into JS application in 2 browser tabs. Then click "logout" in tab1 and he is logged-out from both tabs (tab2 is logged-out automatically due to session iframe few seconds later) + // Now both browser tabs show the 1st login screen and we need to make sure that actionURL (code with execution) is valid on both tabs, so user won't have error page when he tries to login from tab1 + @Test + public void openMultipleTabs() { + oauth.openLoginForm(); + loginPage.assertCurrent(); + String actionUrl1 = getActionUrl(driver.getPageSource()); + + oauth.openLoginForm(); + loginPage.assertCurrent(); + String actionUrl2 = getActionUrl(driver.getPageSource()); + + Assert.assertEquals(actionUrl1, actionUrl2); + + } + + + private String getActionUrl(String pageSource) { + return pageSource.split("action=\"")[1].split("\"")[0].replaceAll("&", "&"); + } + + + @Test + public void multipleTabsParallelLoginTest() { + oauth.openLoginForm(); + loginPage.assertCurrent(); + + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + String tab1Url = driver.getCurrentUrl(); + + // Simulate login in different browser tab tab2. I will be on loginPage again. + oauth.openLoginForm(); + loginPage.assertCurrent(); + + // Login in tab2 + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + updatePasswordPage.changePassword("password", "password"); + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + appPage.assertCurrent(); + + // Try to go back to tab 1. We should have ALREADY_LOGGED_IN info page + driver.navigate().to(tab1Url); + infoPage.assertCurrent(); + Assert.assertEquals("You are already logged in.", infoPage.getInfo()); + + infoPage.clickBackToApplicationLink(); + appPage.assertCurrent(); + } + + + @Test + public void expiredAuthenticationAction_currentCodeExpiredExecution() { + // Simulate to open login form in 2 tabs + oauth.openLoginForm(); + loginPage.assertCurrent(); + String actionUrl1 = getActionUrl(driver.getPageSource()); + + // Click "register" in tab2 + loginPage.clickRegister(); + registerPage.assertCurrent(); + + // Simulate going back to tab1 and confirm login form. Page "showExpired" should be shown (NOTE: WebDriver does it with GET, when real browser would do it with POST. Improve test if needed...) + driver.navigate().to(actionUrl1); + loginExpiredPage.assertCurrent(); + + // Click on continue and assert I am on "register" form + loginExpiredPage.clickLoginContinueLink(); + registerPage.assertCurrent(); + + // Finally click "Back to login" and authenticate + registerPage.clickBackToLogin(); + loginPage.assertCurrent(); + + // Login success now + loginPage.login("login-test", "password"); + updatePasswordPage.changePassword("password", "password"); + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + appPage.assertCurrent(); + } + + + @Test + public void expiredAuthenticationAction_expiredCodeCurrentExecution() { + // Simulate to open login form in 2 tabs + oauth.openLoginForm(); + loginPage.assertCurrent(); + String actionUrl1 = getActionUrl(driver.getPageSource()); + + loginPage.login("invalid", "invalid"); + loginPage.assertCurrent(); + Assert.assertEquals("Invalid username or password.", loginPage.getError()); + + // Simulate going back to tab1 and confirm login form. Login page with "action expired" message should be shown (NOTE: WebDriver does it with GET, when real browser would do it with POST. Improve test if needed...) + driver.navigate().to(actionUrl1); + loginPage.assertCurrent(); + Assert.assertEquals("Action expired. Please continue with login now.", loginPage.getError()); + + // Login success now + loginPage.login("login-test", "password"); + updatePasswordPage.changePassword("password", "password"); + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + appPage.assertCurrent(); + } + + + @Test + public void expiredAuthenticationAction_expiredCodeExpiredExecution() { + // Open tab1 + oauth.openLoginForm(); + loginPage.assertCurrent(); + String actionUrl1 = getActionUrl(driver.getPageSource()); + + // Authenticate in tab2 + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + // Simulate going back to tab1 and confirm login form. Page "Page expired" should be shown (NOTE: WebDriver does it with GET, when real browser would do it with POST. Improve test if needed...) + driver.navigate().to(actionUrl1); + loginExpiredPage.assertCurrent(); + + // Finish login + loginExpiredPage.clickLoginContinueLink(); + updatePasswordPage.assertCurrent(); + + updatePasswordPage.changePassword("password", "password"); + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + appPage.assertCurrent(); + } + + +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java index 9afade5378..95f5a08cde 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java @@ -172,8 +172,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { String changePasswordUrl = resetPassword("login-test"); events.clear(); - // TODO:hmlnarik is this correct?? - assertSecondPasswordResetFails(changePasswordUrl, "test-app"); // KC_RESTART exists, hence client-ID is taken from it. + assertSecondPasswordResetFails(changePasswordUrl, null); // KC_RESTART doesn't exists, it was deleted after first successful reset-password flow was finished } @Test @@ -195,7 +194,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { assertEquals("An error occurred, please login again through your application.", errorPage.getError()); events.expect(EventType.RESET_PASSWORD) - .client(clientId) + .client((String) null) .session((String) null) .user(userId) .detail(Details.USERNAME, "login-test") @@ -286,9 +285,10 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { } private void resetPasswordInvalidPassword(String username, String password, String error) throws IOException, MessagingException { + initiateResetPasswordFromResetPasswordPage(username); - events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(userId).session((String)null) + events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(userId).session((String) null) .detail(Details.USERNAME, username).detail(Details.EMAIL, "login@test.com").assertEvent(); assertEquals(expectedMessagesCount, greenMail.getReceivedMessages().length); @@ -299,6 +299,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { driver.navigate().to(changePasswordUrl.trim()); + updatePasswordPage.assertCurrent(); updatePasswordPage.changePassword(password, password); @@ -308,7 +309,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { events.expectRequiredAction(EventType.UPDATE_PASSWORD_ERROR).error(Errors.PASSWORD_REJECTED).user(userId).detail(Details.USERNAME, "login-test").assertEvent().getSessionId(); } - public void initiateResetPasswordFromResetPasswordPage(String username) { + private void initiateResetPasswordFromResetPasswordPage(String username) { loginPage.open(); loginPage.resetPassword(); @@ -547,7 +548,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { } @Test - public void resetPasswordWithPasswordHisoryPolicy() throws IOException, MessagingException { + public void resetPasswordWithPasswordHistoryPolicy() throws IOException, MessagingException { //Block passwords that are equal to previous passwords. Default value is 3. setPasswordPolicy("passwordHistory"); @@ -563,13 +564,14 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { resetPasswordInvalidPassword("login-test", "password1", "Invalid password: must not be equal to any of last 3 passwords."); resetPasswordInvalidPassword("login-test", "password2", "Invalid password: must not be equal to any of last 3 passwords."); - setTimeOffset(8000000); + setTimeOffset(6000000); resetPassword("login-test", "password3"); resetPasswordInvalidPassword("login-test", "password1", "Invalid password: must not be equal to any of last 3 passwords."); resetPasswordInvalidPassword("login-test", "password2", "Invalid password: must not be equal to any of last 3 passwords."); resetPasswordInvalidPassword("login-test", "password3", "Invalid password: must not be equal to any of last 3 passwords."); + setTimeOffset(8000000); resetPassword("login-test", "password"); } finally { setTimeOffset(0); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/SSOTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/SSOTest.java index 22f75da2dd..90b8049713 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/SSOTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/SSOTest.java @@ -23,9 +23,12 @@ import org.junit.Rule; import org.junit.Test; import org.keycloak.OAuth2Constants; import org.keycloak.events.Details; +import org.keycloak.events.EventType; +import org.keycloak.models.UserModel; import org.keycloak.representations.IDToken; import org.keycloak.representations.idm.EventRepresentation; import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; import org.keycloak.testsuite.drone.Different; @@ -33,6 +36,7 @@ import org.keycloak.testsuite.pages.AccountUpdateProfilePage; import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.AppPage.RequestType; import org.keycloak.testsuite.pages.LoginPage; +import org.keycloak.testsuite.pages.LoginPasswordUpdatePage; import org.keycloak.testsuite.util.OAuthClient; import org.openqa.selenium.WebDriver; @@ -59,6 +63,9 @@ public class SSOTest extends AbstractTestRealmKeycloakTest { @Page protected AccountUpdateProfilePage profilePage; + @Page + protected LoginPasswordUpdatePage updatePasswordPage; + @Rule public AssertEvents events = new AssertEvents(this); @@ -109,6 +116,7 @@ public class SSOTest extends AbstractTestRealmKeycloakTest { events.clear(); } + @Test public void multipleSessions() { loginPage.open(); @@ -124,7 +132,6 @@ public class SSOTest extends AbstractTestRealmKeycloakTest { OAuthClient oauth2 = new OAuthClient(); oauth2.init(adminClient, driver2); - oauth2.state("mystate"); oauth2.doLogin("test-user@localhost", "password"); EventRepresentation login2 = events.expectLogin().assertEvent(); @@ -158,4 +165,38 @@ public class SSOTest extends AbstractTestRealmKeycloakTest { } } + + @Test + public void loginWithRequiredActionAddedInTheMeantime() { + // SSO login + loginPage.open(); + loginPage.login("test-user@localhost", "password"); + + assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); + Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE)); + + EventRepresentation loginEvent = events.expectLogin().assertEvent(); + String sessionId = loginEvent.getSessionId(); + + // Add update-profile required action to user now + UserRepresentation user = testRealm().users().get(loginEvent.getUserId()).toRepresentation(); + user.getRequiredActions().add(UserModel.RequiredAction.UPDATE_PASSWORD.toString()); + testRealm().users().get(loginEvent.getUserId()).update(user); + + // Attempt SSO login. update-password form is shown + oauth.openLoginForm(); + updatePasswordPage.assertCurrent(); + + updatePasswordPage.changePassword("password", "password"); + events.expectRequiredAction(EventType.UPDATE_PASSWORD).assertEvent(); + + assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); + + loginEvent = events.expectLogin().removeDetail(Details.USERNAME).client("test-app").assertEvent(); + String sessionId2 = loginEvent.getSessionId(); + assertEquals(sessionId, sessionId2); + + + } + } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java index 729f0c5626..0ca77853b1 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java @@ -16,8 +16,6 @@ */ package org.keycloak.testsuite.oauth; -import org.jboss.arquillian.graphene.page.Page; -import org.junit.After; import org.junit.Assert; import org.junit.Before; import org.junit.Rule; @@ -31,7 +29,6 @@ import org.keycloak.protocol.oidc.utils.OIDCResponseMode; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.AssertEvents; -import org.keycloak.testsuite.pages.ErrorPage; import org.keycloak.testsuite.util.ClientManager; import org.keycloak.testsuite.util.OAuthClient; import org.openqa.selenium.By; @@ -61,11 +58,12 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { public void clientConfiguration() { oauth.responseType(OAuth2Constants.CODE); oauth.responseMode(null); + oauth.stateParamRandom(); } @Test public void authorizationRequest() throws IOException { - oauth.state("OpenIdConnect.AuthenticationProperties=2302984sdlk"); + oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk"); OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); @@ -100,8 +98,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { public void authorizationValidRedirectUri() throws IOException { ClientManager.realm(adminClient.realm("test")).clientId("test-app").addRedirectUris(oauth.getRedirectUri()); - oauth.state("mystate"); - OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); Assert.assertTrue(response.isRedirected()); @@ -113,7 +109,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { @Test public void authorizationRequestNoState() throws IOException { - oauth.state(null); + oauth.stateParamHardcoded(null); OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); @@ -143,7 +139,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { @Test public void authorizationRequestFormPostResponseMode() throws IOException { oauth.responseMode(OIDCResponseMode.FORM_POST.toString().toLowerCase()); - oauth.state("OpenIdConnect.AuthenticationProperties=2302984sdlk"); + oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk"); oauth.doLoginGrant("test-user@localhost", "password"); String sources = driver.getPageSource(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ResourceOwnerPasswordCredentialsGrantTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ResourceOwnerPasswordCredentialsGrantTest.java index de83d4e18a..efaf4bdc5a 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ResourceOwnerPasswordCredentialsGrantTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ResourceOwnerPasswordCredentialsGrantTest.java @@ -36,6 +36,7 @@ import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; +import org.keycloak.testsuite.Assert; import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.ClientManager; @@ -204,6 +205,8 @@ public class ResourceOwnerPasswordCredentialsGrantTest extends AbstractKeycloakT .removeDetail(Details.CONSENT) .assertEvent(); + Assert.assertTrue(login.equals(accessToken.getPreferredUsername()) || login.equals(accessToken.getEmail())); + assertEquals(accessToken.getSessionState(), refreshToken.getSessionState()); OAuthClient.AccessTokenResponse refreshedResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "secret"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java index 57a2102351..ac8e3592cf 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java @@ -324,6 +324,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest @Test public void requestParamUnsigned() throws Exception { + oauth.stateParamHardcoded("mystate2"); + String validRedirectUri = oauth.getRedirectUri(); TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints(); @@ -344,12 +346,14 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest oauth.request(requestStr); OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); Assert.assertNotNull(response.getCode()); - Assert.assertEquals("mystate", response.getState()); + Assert.assertEquals("mystate2", response.getState()); assertTrue(appPage.isCurrent()); } @Test public void requestUriParamUnsigned() throws Exception { + oauth.stateParamHardcoded("mystate1"); + String validRedirectUri = oauth.getRedirectUri(); TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints(); @@ -367,12 +371,14 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); Assert.assertNotNull(response.getCode()); - Assert.assertEquals("mystate", response.getState()); + Assert.assertEquals("mystate1", response.getState()); assertTrue(appPage.isCurrent()); } @Test public void requestUriParamSigned() throws Exception { + oauth.stateParamHardcoded("mystate3"); + String validRedirectUri = oauth.getRedirectUri(); TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints(); @@ -412,7 +418,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest // Check signed request_uri will pass OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); Assert.assertNotNull(response.getCode()); - Assert.assertEquals("mystate", response.getState()); + Assert.assertEquals("mystate3", response.getState()); assertTrue(appPage.isCurrent()); // Revert requiring signature for client diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java index b047595f5d..14c98dd759 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java @@ -69,11 +69,13 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent } @Test - public void testDisabledUser() { + public void testDisabledUser() throws Exception { KeycloakSession session = brokerServerRule.startSession(); setUpdateProfileFirstLogin(session.realms().getRealmByName("realm-with-broker"), IdentityProviderRepresentation.UPFLM_OFF); brokerServerRule.stopSession(session, true); + Thread.sleep(10000000); + driver.navigate().to("http://localhost:8081/test-app"); loginPage.clickSocial(getProviderId()); loginPage.login("test-user", "password"); @@ -328,7 +330,7 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent } @Test - public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() { + public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() throws Exception { RealmModel realm = getRealm(); realm.setRegistrationEmailAsUsername(true); setUpdateProfileFirstLogin(realm, IdentityProviderRepresentation.UPFLM_OFF); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java index 58c4ca18f3..c8e9d9bb37 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java @@ -116,7 +116,7 @@ public class OIDCKeyCloakServerBrokerBasicTest extends AbstractKeycloakIdentityP } @Test - public void testDisabledUser() { + public void testDisabledUser() throws Exception { super.testDisabledUser(); } @@ -156,7 +156,7 @@ public class OIDCKeyCloakServerBrokerBasicTest extends AbstractKeycloakIdentityP } @Test - public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() { + public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() throws Exception { super.testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername(); } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithConsentTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithConsentTest.java index 078666fb43..b576cbf866 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithConsentTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithConsentTest.java @@ -143,6 +143,7 @@ public class OIDCKeycloakServerBrokerWithConsentTest extends AbstractIdentityPro this.session = brokerServerRule.startSession(); session.sessions().removeExpired(getRealm()); + session.authenticationSessions().removeExpired(getRealm()); brokerServerRule.stopSession(this.session, true); this.session = brokerServerRule.startSession(); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java index 3b83f03955..8afc49b692 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java @@ -128,7 +128,7 @@ public class SAMLKeyCloakServerBrokerBasicTest extends AbstractKeycloakIdentityP } @Test - public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() { + public void testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername() throws Exception { super.testSuccessfulAuthenticationWithoutUpdateProfile_newUser_emailAsUsername(); } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java index e747683399..8ee397a69f 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java @@ -28,6 +28,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserManager; import org.keycloak.models.UserModel; import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.CommonClientSessionModel; import org.keycloak.testsuite.rule.KeycloakRule; /** @@ -77,7 +78,7 @@ public class AuthenticationSessionProviderTest { ClientModel client1 = realm.getClientByClientId("test-app"); UserModel user1 = session.users().getUserByUsername("user1", realm); - AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client1, false); + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client1); authSession.setAction("foo"); authSession.setTimestamp(100); @@ -86,7 +87,8 @@ public class AuthenticationSessionProviderTest { // Ensure session is here authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); - testLoginSession(authSession, client1.getId(), null, "foo", 100); + testLoginSession(authSession, client1.getId(), null, "foo"); + Assert.assertEquals(100, authSession.getTimestamp()); // Update and commit authSession.setAction("foo-updated"); @@ -97,7 +99,8 @@ public class AuthenticationSessionProviderTest { // Ensure session was updated authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); - testLoginSession(authSession, client1.getId(), user1.getId(), "foo-updated", 200); + testLoginSession(authSession, client1.getId(), user1.getId(), "foo-updated"); + Assert.assertEquals(200, authSession.getTimestamp()); // Remove and commit session.authenticationSessions().removeAuthenticationSession(realm, authSession); @@ -109,14 +112,52 @@ public class AuthenticationSessionProviderTest { } - private void testLoginSession(AuthenticationSessionModel authSession, String expectedClientId, String expectedUserId, String expectedAction, int expectedTimestamp) { + @Test + public void testLoginSessionRestart() { + ClientModel client1 = realm.getClientByClientId("test-app"); + UserModel user1 = session.users().getUserByUsername("user1", realm); + + AuthenticationSessionModel authSession = session.authenticationSessions().createAuthenticationSession(realm, client1); + + authSession.setAction("foo"); + authSession.setTimestamp(100); + + authSession.setAuthenticatedUser(user1); + authSession.setAuthNote("foo", "bar"); + authSession.setClientNote("foo2", "bar2"); + authSession.setExecutionStatus("123", CommonClientSessionModel.ExecutionStatus.SUCCESS); + + resetSession(); + + client1 = realm.getClientByClientId("test-app"); + authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); + authSession.restartSession(realm, client1); + + resetSession(); + + authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); + testLoginSession(authSession, client1.getId(), null, null); + Assert.assertTrue(authSession.getTimestamp() > 0); + + Assert.assertTrue(authSession.getClientNotes().isEmpty()); + Assert.assertNull(authSession.getAuthNote("foo2")); + Assert.assertTrue(authSession.getExecutionStatus().isEmpty()); + + } + + private void testLoginSession(AuthenticationSessionModel authSession, String expectedClientId, String expectedUserId, String expectedAction) { Assert.assertEquals(expectedClientId, authSession.getClient().getId()); + if (expectedUserId == null) { Assert.assertNull(authSession.getAuthenticatedUser()); } else { Assert.assertEquals(expectedUserId, authSession.getAuthenticatedUser().getId()); } - Assert.assertEquals(expectedAction, authSession.getAction()); - Assert.assertEquals(expectedTimestamp, authSession.getTimestamp()); + + if (expectedAction == null) { + Assert.assertNull(authSession.getAction()); + } else { + Assert.assertEquals(expectedAction, authSession.getAction()); + } } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java index abbf9122c5..68746c0014 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/CacheTest.java @@ -103,7 +103,7 @@ public class CacheTest { user.setFirstName("firstName"); user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP); - UserSessionModel userSession = session.sessions().createUserSession(realm, user, "testAddUserNotAddedToCache", "127.0.0.1", "auth", false, null, null); + UserSessionModel userSession = session.sessions().createUserSession("123", realm, user, "testAddUserNotAddedToCache", "127.0.0.1", "auth", false, null, null); UserModel user2 = userSession.getUser(); user.setLastName("lastName"); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ClusterSessionCleanerTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ClusterSessionCleanerTest.java index 7b6de1bb5c..66894f63ba 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ClusterSessionCleanerTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ClusterSessionCleanerTest.java @@ -75,7 +75,7 @@ public class ClusterSessionCleanerTest { RealmModel realm1 = session1.realms().getRealmByName(REALM_NAME); UserModel user1 = session1.users().getUserByUsername("test-user@localhost", realm1); for (int i=0 ; i<15 ; i++) { - session1.sessions().createUserSession(realm1, user1, user1.getUsername(), "127.0.0.1", "form", true, null, null); + session1.sessions().createUserSession("123", realm1, user1, user1.getUsername(), "127.0.0.1", "form", true, null, null); } session1 = commit(server1, session1); @@ -87,7 +87,7 @@ public class ClusterSessionCleanerTest { Assert.assertEquals(user2.getId(), user1.getId()); for (int i=0 ; i<15 ; i++) { - session2.sessions().createUserSession(realm2, user2, user2.getUsername(), "127.0.0.1", "form", true, null, null); + session2.sessions().createUserSession("456", realm2, user2, user2.getUsername(), "127.0.0.1", "form", true, null, null); } session2 = commit(server2, session2); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java index 4e13b30061..683a490bb6 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java @@ -31,6 +31,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.UserLoginFailureModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; +import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.models.UserManager; import org.keycloak.testsuite.rule.KeycloakRule; @@ -283,11 +284,11 @@ public class UserSessionProviderTest { Set expiredClientSessions = new HashSet(); Time.setOffset(-(realm.getSsoSessionMaxLifespan() + 1)); - expired.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); + expired.add(session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); expiredClientSessions.add(session.sessions().createClientSession(realm, client).getId()); Time.setOffset(0); - UserSessionModel s = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.1", "form", true, null, null); + UserSessionModel s = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.1", "form", true, null, null); //s.setLastSessionRefresh(Time.currentTime() - (realm.getSsoSessionIdleTimeout() + 1)); s.setLastSessionRefresh(0); expired.add(s.getId()); @@ -299,7 +300,7 @@ public class UserSessionProviderTest { Set valid = new HashSet(); Set validClientSessions = new HashSet(); - valid.add(session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); + valid.add(session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); validClientSessions.add(session.sessions().createClientSession(realm, client).getId()); resetSession(); @@ -427,7 +428,7 @@ public class UserSessionProviderTest { try { for (int i = 0; i < 25; i++) { Time.setOffset(i); - UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0." + i, "form", false, null, null); + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0." + i, "form", false, null, null); ClientSessionModel clientSession = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")); clientSession.setUserSession(userSession); clientSession.setRedirectUri("http://redirect"); @@ -450,7 +451,7 @@ public class UserSessionProviderTest { @Test public void testCreateAndGetInSameTransaction() { - UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("test-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); Assert.assertNotNull(session.sessions().getUserSession(realm, userSession.getId())); @@ -463,7 +464,7 @@ public class UserSessionProviderTest { @Test public void testClientLoginSessions() { - UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); ClientModel client1 = realm.getClientByClientId("test-app"); ClientModel client2 = realm.getClientByClientId("third-party"); @@ -527,6 +528,27 @@ public class UserSessionProviderTest { Assert.assertNull(clientSessions.get(client1.getId())); } + + @Test + public void testFailCreateExistingSession() { + UserSessionModel userSession = session.sessions().createUserSession("123", realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + + // commit + resetSession(); + + + try { + session.sessions().createUserSession("123", realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + kc.stopSession(session, true); + Assert.fail("Not expected to successfully create duplicated userSession"); + } catch (IllegalStateException e) { + // Expected + session = kc.startSession(); + } + + } + + private void testClientLoginSession(AuthenticatedClientSessionModel clientLoginSession, String expectedClientId, String expectedUserSessionId, String expectedAction, int expectedTimestamp) { Assert.assertEquals(expectedClientId, clientLoginSession.getClient().getClientId()); Assert.assertEquals(expectedUserSessionId, clientLoginSession.getUserSession().getId()); @@ -632,7 +654,7 @@ public class UserSessionProviderTest { private UserSessionModel[] createSessions() { UserSessionModel[] sessions = new UserSessionModel[3]; - sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); + sessions[0] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); Set roles = new HashSet(); roles.add("one"); @@ -645,10 +667,10 @@ public class UserSessionProviderTest { createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); - sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + sessions[1] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); - sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); + sessions[2] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); resetSession(); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KeycloakRule.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KeycloakRule.java index 9c61e05c46..2904ef854e 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KeycloakRule.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KeycloakRule.java @@ -21,7 +21,6 @@ import org.keycloak.Config; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; -import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.RealmManager; import org.keycloak.testsuite.ApplicationServlet; diff --git a/testsuite/integration/src/test/resources/log4j.properties b/testsuite/integration/src/test/resources/log4j.properties index decc0aacd4..4ba41afdce 100755 --- a/testsuite/integration/src/test/resources/log4j.properties +++ b/testsuite/integration/src/test/resources/log4j.properties @@ -80,7 +80,6 @@ log4j.logger.org.apache.directory.server.ldap.LdapProtocolHandler=error #log4j.logger.org.apache.http.impl.conn=debug # Enable to view details from identity provider authenticator -# log4j.logger.org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator=trace - -# TODO: Remove -log4j.logger.org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider=debug \ No newline at end of file +log4j.logger.org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator=trace +log4j.logger.org.keycloak.services.resources.IdentityBrokerService=trace +log4j.logger.org.keycloak.broker=trace diff --git a/themes/src/main/resources/theme/base/login/login-page-expired.ftl b/themes/src/main/resources/theme/base/login/login-page-expired.ftl index 5812f316cb..f58c25db33 100644 --- a/themes/src/main/resources/theme/base/login/login-page-expired.ftl +++ b/themes/src/main/resources/theme/base/login/login-page-expired.ftl @@ -6,7 +6,8 @@ ${msg("pageExpiredTitle")} <#elseif section = "form">

- ${msg("pageExpiredMsg1")} ${msg("doClickHere")} . ${msg("pageExpiredMsg2")} ${msg("doClickHere")} . + ${msg("pageExpiredMsg1")} ${msg("doClickHere")} . + ${msg("pageExpiredMsg2")} ${msg("doClickHere")} .

\ No newline at end of file diff --git a/themes/src/main/resources/theme/base/login/messages/messages_en.properties b/themes/src/main/resources/theme/base/login/messages/messages_en.properties index 994caa7e68..3d55559341 100755 --- a/themes/src/main/resources/theme/base/login/messages/messages_en.properties +++ b/themes/src/main/resources/theme/base/login/messages/messages_en.properties @@ -127,6 +127,7 @@ invalidEmailMessage=Invalid email address. accountDisabledMessage=Account is disabled, contact admin. accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later. expiredCodeMessage=Login timeout. Please login again. +expiredActionMessage=Action expired. Please continue with login now. missingFirstNameMessage=Please specify first name. missingLastNameMessage=Please specify last name. @@ -213,6 +214,7 @@ realmSupportsNoCredentialsMessage=Realm does not support any credential type. identityProviderNotUniqueMessage=Realm supports multiple identity providers. Could not determine which identity provider should be used to authenticate with. emailVerifiedMessage=Your email address has been verified. staleEmailVerificationLink=The link you clicked is a old stale link and is no longer valid. Maybe you have already verified your email? +identityProviderAlreadyLinkedMessage=Federated identity returned by {0} is already linked to another user. locale_ca=Catal\u00E0 locale_de=Deutsch @@ -233,5 +235,7 @@ clientNotFoundMessage=Client not found. clientDisabledMessage=Client disabled. invalidParameterMessage=Invalid parameter\: {0} alreadyLoggedIn=You are already logged in. +differentUserAuthenticated=You are already authenticated as different user ''{0}'' in this session. Please logout first. +brokerLinkingSessionExpired=Requested broker account linking, but current session is no longer valid. p3pPolicy=CP="This is not a P3P policy!" From 47aaa5a636d49c04ff180433830c4e86480c71d0 Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Tue, 4 Apr 2017 13:59:16 +0200 Subject: [PATCH 07/30] KEYCLOAK-4627 reset credentials and admin e-mails use action tokens. E-mail verification via action tokens. --- .../AuthenticationFlowContext.java | 8 + .../java/org/keycloak/events/Details.java | 1 + .../java/org/keycloak/events/EventType.java | 2 + .../sessions/AuthenticationSessionModel.java | 55 +- .../AuthenticationProcessor.java | 8 + .../ExplainedVerificationException.java | 51 ++ .../ResetCredentialsActionToken.java | 137 ---- .../ResetCredentialsActionTokenChecks.java | 74 --- .../AbstractActionTokenHander.java | 95 +++ .../actiontoken/ActionTokenContext.java | 134 ++++ .../actiontoken/ActionTokenHandler.java | 119 ++++ .../ActionTokenHandlerFactory.java | 27 + .../actiontoken/ActionTokenHandlerSpi.java | 50 ++ .../{ => actiontoken}/DefaultActionToken.java | 64 +- .../DefaultActionTokenKey.java | 5 +- .../ExplainedTokenVerificationException.java | 60 ++ .../actiontoken/TokenUtils.java | 85 +++ .../ExecuteActionsActionToken.java | 85 +++ .../ExecuteActionsActionTokenHandler.java | 86 +++ .../ResetCredentialsActionToken.java | 53 ++ .../ResetCredentialsActionTokenHandler.java | 120 ++++ .../verifyemail/VerifyEmailActionToken.java | 55 ++ .../VerifyEmailActionTokenHandler.java | 89 +++ .../IdpEmailVerificationAuthenticator.java | 5 +- .../resetcred/ResetCredentialChooseUser.java | 18 +- .../resetcred/ResetCredentialEmail.java | 72 +-- .../requiredactions/VerifyEmail.java | 82 ++- .../FreeMarkerLoginFormsProvider.java | 48 +- .../main/java/org/keycloak/services/Urls.java | 5 + .../resources/LoginActionsService.java | 595 ++++++------------ .../resources/LoginActionsServiceChecks.java | 310 +++++++++ .../resources/admin/UsersResource.java | 132 ++-- ...tion.actiontoken.ActionTokenHandlerFactory | 3 + .../services/org.keycloak.provider.Spi | 2 +- .../page/LoginPasswordUpdatePage.java | 7 + .../testsuite/util/GreenMailRule.java | 34 + .../testsuite/AbstractKeycloakTest.java | 4 + .../org/keycloak/testsuite/AssertEvents.java | 8 +- .../RequiredActionEmailVerificationTest.java | 302 ++++++--- .../RequiredActionResetPasswordTest.java | 4 +- .../org/keycloak/testsuite/admin/ApiUtil.java | 14 + .../keycloak/testsuite/admin/UserTest.java | 72 ++- .../testsuite/forms/RegisterTest.java | 137 +++- .../testsuite/forms/ResetPasswordTest.java | 40 +- 44 files changed, 2431 insertions(+), 926 deletions(-) create mode 100644 services/src/main/java/org/keycloak/authentication/ExplainedVerificationException.java delete mode 100644 services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java delete mode 100644 services/src/main/java/org/keycloak/authentication/ResetCredentialsActionTokenChecks.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/AbstractActionTokenHander.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandlerFactory.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandlerSpi.java rename services/src/main/java/org/keycloak/authentication/{ => actiontoken}/DefaultActionToken.java (60%) rename services/src/main/java/org/keycloak/authentication/{ => actiontoken}/DefaultActionTokenKey.java (84%) create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/ExplainedTokenVerificationException.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/TokenUtils.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionToken.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionToken.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java create mode 100644 services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java create mode 100644 services/src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java index 2159f0912f..fb6e02997a 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/AuthenticationFlowContext.java @@ -79,6 +79,14 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon */ URI getActionUrl(String code); + /** + * Get the action URL for the action token executor. + * + * @param tokenString String representation (JWT) of action token + * @return + */ + URI getActionTokenUrl(String tokenString); + /** * Get the refresh URL for the required action. * diff --git a/server-spi-private/src/main/java/org/keycloak/events/Details.java b/server-spi-private/src/main/java/org/keycloak/events/Details.java index 2483a9b5e3..5e3a9b37e4 100755 --- a/server-spi-private/src/main/java/org/keycloak/events/Details.java +++ b/server-spi-private/src/main/java/org/keycloak/events/Details.java @@ -25,6 +25,7 @@ public interface Details { String EMAIL = "email"; String PREVIOUS_EMAIL = "previous_email"; String UPDATED_EMAIL = "updated_email"; + String ACTION = "action"; String CODE_ID = "code_id"; String REDIRECT_URI = "redirect_uri"; String RESPONSE_TYPE = "response_type"; diff --git a/server-spi-private/src/main/java/org/keycloak/events/EventType.java b/server-spi-private/src/main/java/org/keycloak/events/EventType.java index ea4b1fb9be..583b0d4061 100755 --- a/server-spi-private/src/main/java/org/keycloak/events/EventType.java +++ b/server-spi-private/src/main/java/org/keycloak/events/EventType.java @@ -108,6 +108,8 @@ public enum EventType { CUSTOM_REQUIRED_ACTION_ERROR(true), EXECUTE_ACTIONS(true), EXECUTE_ACTIONS_ERROR(true), + EXECUTE_ACTION_TOKEN(true), + EXECUTE_ACTION_TOKEN_ERROR(true), CLIENT_INFO(false), CLIENT_INFO_ERROR(false), diff --git a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java index 9602db0db9..8e84f1a445 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionModel.java @@ -58,22 +58,71 @@ public interface AuthenticationSessionModel extends CommonClientSessionModel { void removeRequiredAction(UserModel.RequiredAction action); - // These are notes you want applied to the UserSessionModel when the client session is attached to it. + /** + * Sets the given user session note to the given value. User session notes are notes + * you want be applied to the UserSessionModel when the client session is attached to it. + */ void setUserSessionNote(String name, String value); + /** + * Retrieves value of given user session note. User session notes are notes + * you want be applied to the UserSessionModel when the client session is attached to it. + */ Map getUserSessionNotes(); + /** + * Clears all user session notes. User session notes are notes + * you want be applied to the UserSessionModel when the client session is attached to it. + */ void clearUserSessionNotes(); - // These are notes used typically by authenticators and authentication flows. They are cleared when authentication session is restarted + /** + * Retrieves value of the given authentication note to the given value. Authentication notes are notes + * used typically by authenticators and authentication flows. They are cleared when + * authentication session is restarted + */ String getAuthNote(String name); + /** + * Sets the given authentication note to the given value. Authentication notes are notes + * used typically by authenticators and authentication flows. They are cleared when + * authentication session is restarted + */ void setAuthNote(String name, String value); + /** + * Removes the given authentication note. Authentication notes are notes + * used typically by authenticators and authentication flows. They are cleared when + * authentication session is restarted + */ void removeAuthNote(String name); + /** + * Clears all authentication note. Authentication notes are notes + * used typically by authenticators and authentication flows. They are cleared when + * authentication session is restarted + */ void clearAuthNotes(); - // These are notes specific to client protocol. They are NOT cleared when authentication session is restarted + /** + * Retrieves value of the given client note to the given value. Client notes are notes + * specific to client protocol. They are NOT cleared when authentication session is restarted. + */ String getClientNote(String name); + /** + * Sets the given client note to the given value. Client notes are notes + * specific to client protocol. They are NOT cleared when authentication session is restarted. + */ void setClientNote(String name, String value); + /** + * Removes the given client note. Client notes are notes + * specific to client protocol. They are NOT cleared when authentication session is restarted. + */ void removeClientNote(String name); + /** + * Retrieves the (name, value) map of client notes. Client notes are notes + * specific to client protocol. They are NOT cleared when authentication session is restarted. + */ Map getClientNotes(); + /** + * Clears all client notes. Client notes are notes + * specific to client protocol. They are NOT cleared when authentication session is restarted. + */ void clearClientNotes(); void updateClient(ClientModel client); diff --git a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java index e633c70730..0daec9ac5e 100755 --- a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java +++ b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java @@ -491,6 +491,14 @@ public class AuthenticationProcessor { .build(getRealm().getName()); } + @Override + public URI getActionTokenUrl(String tokenString) { + return LoginActionsService.actionTokenProcessor(getUriInfo()) + .queryParam("key", tokenString) + .queryParam("execution", getExecution().getId()) + .build(getRealm().getName()); + } + @Override public URI getRefreshExecutionUrl() { return LoginActionsService.loginActionsBaseUrl(getUriInfo()) diff --git a/services/src/main/java/org/keycloak/authentication/ExplainedVerificationException.java b/services/src/main/java/org/keycloak/authentication/ExplainedVerificationException.java new file mode 100644 index 0000000000..7102588336 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/ExplainedVerificationException.java @@ -0,0 +1,51 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication; + +import org.keycloak.common.VerificationException; + +/** + * + * @author hmlnarik + */ +public class ExplainedVerificationException extends VerificationException { + private final String errorEvent; + + public ExplainedVerificationException(String errorEvent) { + super(); + this.errorEvent = errorEvent; + } + + public ExplainedVerificationException(String errorEvent, String message) { + super(message); + this.errorEvent = errorEvent; + } + + public ExplainedVerificationException(String errorEvent, String message, Throwable cause) { + super(message); + this.errorEvent = errorEvent; + } + + public ExplainedVerificationException(String errorEvent, Throwable cause) { + super(cause); + this.errorEvent = errorEvent; + } + + public String getErrorEvent() { + return errorEvent; + } +} diff --git a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java deleted file mode 100644 index 5612a35172..0000000000 --- a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionToken.java +++ /dev/null @@ -1,137 +0,0 @@ -/* - * Copyright 2017 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.keycloak.authentication; - -import org.keycloak.TokenVerifier; -import org.keycloak.TokenVerifier.Predicate; -import org.keycloak.common.VerificationException; -import org.keycloak.common.util.Time; -import org.keycloak.jose.jws.*; -import org.keycloak.models.*; -import org.keycloak.services.Urls; -import org.keycloak.sessions.AuthenticationSessionModel; -import com.fasterxml.jackson.annotation.JsonIgnore; -import com.fasterxml.jackson.annotation.JsonProperty; -import java.util.Map; -import java.util.UUID; -import javax.ws.rs.core.UriInfo; -import org.jboss.logging.Logger; - -/** - * Representation of a token that represents a time-limited reset credentials action. - *

- * This implementation handles signature. - * - * @author hmlnarik - */ -public class ResetCredentialsActionToken extends DefaultActionToken { - - private static final Logger LOG = Logger.getLogger(ResetCredentialsActionToken.class); - - public static final String RESET_CREDENTIALS_TYPE = "reset-credentials"; - public static final String NOTE_AUTHENTICATION_SESSION_ID = "clientSessionId"; - private static final String JSON_FIELD_AUTHENTICATION_SESSION_ID = "asid"; - private static final String JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP = "lcpt"; - - @JsonIgnore - private AuthenticationSessionModel authenticationSession; - - @JsonProperty(value = JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP) - private Long lastChangedPasswordTimestamp; - - public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, String authenticationSessionId) { - super(userId, RESET_CREDENTIALS_TYPE, absoluteExpirationInSecs, actionVerificationNonce); - setNote(NOTE_AUTHENTICATION_SESSION_ID, authenticationSessionId); - this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; - } - - public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, Long lastChangedPasswordTimestamp, AuthenticationSessionModel authenticationSession) { - this(userId, absoluteExpirationInSecs, actionVerificationNonce, lastChangedPasswordTimestamp, authenticationSession == null ? null : authenticationSession.getId()); - this.authenticationSession = authenticationSession; - } - - private ResetCredentialsActionToken() { - super(null, null, -1, null); - } - - public AuthenticationSessionModel getAuthenticationSession() { - return this.authenticationSession; - } - - public void setAuthenticationSession(AuthenticationSessionModel authenticationSession) { - this.authenticationSession = authenticationSession; - setAuthenticationSessionId(authenticationSession == null ? null : authenticationSession.getId()); - } - - @JsonProperty(value = JSON_FIELD_AUTHENTICATION_SESSION_ID) - public String getAuthenticationSessionId() { - return getNote(NOTE_AUTHENTICATION_SESSION_ID); - } - - public void setAuthenticationSessionId(String authenticationSessionId) { - setNote(NOTE_AUTHENTICATION_SESSION_ID, authenticationSessionId); - } - - public Long getLastChangedPasswordTimestamp() { - return lastChangedPasswordTimestamp; - } - - public void setLastChangedPasswordTimestamp(Long lastChangedPasswordTimestamp) { - this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; - } - - @Override - @JsonIgnore - public Map getNotes() { - Map res = super.getNotes(); - if (this.authenticationSession != null) { - res.put(NOTE_AUTHENTICATION_SESSION_ID, getNote(NOTE_AUTHENTICATION_SESSION_ID)); - } - return res; - } - - public String serialize(KeycloakSession session, RealmModel realm, UriInfo uri) { - String issuerUri = getIssuer(realm, uri); - KeyManager.ActiveHmacKey keys = session.keys().getActiveHmacKey(realm); - - this - .issuedAt(Time.currentTime()) - .id(getActionVerificationNonce().toString()) - .issuer(issuerUri) - .audience(issuerUri); - - return new JWSBuilder() - .kid(keys.getKid()) - .jsonContent(this) - .hmac512(keys.getSecretKey()); - } - - private static String getIssuer(RealmModel realm, UriInfo uri) { - return Urls.realmIssuer(uri.getBaseUri(), realm.getName()); - } - - /** - * Returns a {@code DefaultActionToken} instance decoded from the given string. If decoding fails, returns {@code null} - * - * @param session - * @param actionTokenString - * @return - */ - public static ResetCredentialsActionToken deserialize(String token) throws VerificationException { - return TokenVerifier.create(token, ResetCredentialsActionToken.class).getToken(); - } -} diff --git a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionTokenChecks.java b/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionTokenChecks.java deleted file mode 100644 index 9afc25c3cb..0000000000 --- a/services/src/main/java/org/keycloak/authentication/ResetCredentialsActionTokenChecks.java +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright 2017 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.keycloak.authentication; - -import org.keycloak.TokenVerifier.Predicate; -import org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail; -import org.keycloak.common.VerificationException; -import org.keycloak.events.Details; -import org.keycloak.events.Errors; -import org.keycloak.events.EventBuilder; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; -import org.keycloak.services.ErrorPage; -import org.keycloak.services.messages.Messages; -import org.keycloak.services.resources.LoginActionsServiceException; -import java.util.Objects; - -/** - * Additional checks for {@link ResetCredentialsActionToken}. - * - * @author hmlnarik - */ -public class ResetCredentialsActionTokenChecks implements Predicate { - - private final KeycloakSession session; - - private final RealmModel realm; - - private final EventBuilder event; - - public ResetCredentialsActionTokenChecks(KeycloakSession session, RealmModel realm, EventBuilder event) { - this.session = session; - this.realm = realm; - this.event = event; - } - - public boolean lastChangedTimestampMatches(ResetCredentialsActionToken t) throws VerificationException { - // TODO:hmlnarik Update to use single-use cache - UserModel m = session.users().getUserById(t.getSubject(), realm); - Long lastChanged = m == null ? null : ResetCredentialEmail.getLastChangedTimestamp(session, realm, m); - - if (! Objects.equals(lastChanged, t.getLastChangedPasswordTimestamp())) { - if (m != null) { - event.detail(Details.USERNAME, m.getUsername()); - } - event.user(t.getSubject()).error(Errors.EXPIRED_CODE); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.INVALID_CODE)); - } - - return true; - } - - @Override - public boolean test(ResetCredentialsActionToken t) throws VerificationException { - return lastChangedTimestampMatches(t); - - } - -} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/AbstractActionTokenHander.java b/services/src/main/java/org/keycloak/authentication/actiontoken/AbstractActionTokenHander.java new file mode 100644 index 0000000000..e8a9b0265e --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/AbstractActionTokenHander.java @@ -0,0 +1,95 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken; + +import org.keycloak.Config.Scope; +import org.keycloak.authentication.actiontoken.ActionTokenHandler; +import org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory; +import org.keycloak.events.EventType; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.KeycloakSessionFactory; +import org.keycloak.representations.JsonWebToken; +import org.keycloak.services.messages.Messages; + +/** + * + * @author hmlnarik + */ +public abstract class AbstractActionTokenHander implements ActionTokenHandler, ActionTokenHandlerFactory { + + private final String id; + private final Class tokenClass; + private final String defaultErrorMessage; + private final EventType defaultEventType; + private final String defaultEventError; + + public AbstractActionTokenHander(String id, Class tokenClass, String defaultErrorMessage, EventType defaultEventType, String defaultEventError) { + this.id = id; + this.tokenClass = tokenClass; + this.defaultErrorMessage = defaultErrorMessage; + this.defaultEventType = defaultEventType; + this.defaultEventError = defaultEventError; + } + + @Override + public ActionTokenHandler create(KeycloakSession session) { + return this; + } + + @Override + public void init(Scope config) { + } + + @Override + public void postInit(KeycloakSessionFactory factory) { + } + + @Override + public String getId() { + return this.id; + } + + @Override + public void close() { + } + + @Override + public Class getTokenClass() { + return this.tokenClass; + } + + @Override + public EventType eventType() { + return this.defaultEventType; + } + + @Override + public String getDefaultErrorMessage() { + return this.defaultErrorMessage; + } + + @Override + public String getDefaultEventError() { + return this.defaultEventError; + } + + @Override + public String getAuthenticationSessionIdFromToken(T token) { + return token == null ? null : token.getAuthenticationSessionId(); + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java new file mode 100644 index 0000000000..26598c1cee --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java @@ -0,0 +1,134 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken; + +import org.keycloak.OAuth2Constants; +import org.keycloak.common.ClientConnection; +import org.keycloak.events.EventBuilder; +import org.keycloak.models.*; +import org.keycloak.protocol.oidc.OIDCLoginProtocol; +import org.keycloak.representations.JsonWebToken; +import org.keycloak.services.Urls; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.sessions.AuthenticationSessionModel; +import javax.ws.rs.core.UriBuilderException; +import javax.ws.rs.core.UriInfo; +import org.jboss.resteasy.spi.HttpRequest; + +/** + * + * @author hmlnarik + */ +public class ActionTokenContext { + + private final KeycloakSession session; + private final RealmModel realm; + private final UriInfo uriInfo; + private final ClientConnection clientConnection; + private final HttpRequest request; + private EventBuilder event; + private final ActionTokenHandler handler; + private AuthenticationSessionModel authenticationSession; + private boolean authenticationSessionFresh; + private String executionId; + + public ActionTokenContext(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection clientConnection, HttpRequest request, EventBuilder event, ActionTokenHandler handler) { + this.session = session; + this.realm = realm; + this.uriInfo = uriInfo; + this.clientConnection = clientConnection; + this.request = request; + this.event = event; + this.handler = handler; + } + + public EventBuilder getEvent() { + return event; + } + + public void setEvent(EventBuilder event) { + this.event = event; + } + + public KeycloakSession getSession() { + return session; + } + + public RealmModel getRealm() { + return realm; + } + + public UriInfo getUriInfo() { + return uriInfo; + } + + public ClientConnection getClientConnection() { + return clientConnection; + } + + public HttpRequest getRequest() { + return request; + } + + public AuthenticationSessionModel createAuthenticationSessionForClient(String clientId) + throws UriBuilderException, IllegalArgumentException { + AuthenticationSessionModel authSession; + + // set up the account service as the endpoint to call. + ClientModel client = realm.getClientByClientId(clientId == null ? Constants.ACCOUNT_MANAGEMENT_CLIENT_ID : clientId); + + authSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, true); + authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); // TODO:mposolda It seems that this should be taken from client rather then hardcoded to account? + authSession.setRedirectUri(redirectUri); + authSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); + authSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); + authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + + return authSession; + } + + public boolean isAuthenticationSessionFresh() { + return authenticationSessionFresh; + } + + public AuthenticationSessionModel getAuthenticationSession() { + return authenticationSession; + } + + public void setAuthenticationSession(AuthenticationSessionModel authenticationSession, boolean isFresh) { + this.authenticationSession = authenticationSession; + this.authenticationSessionFresh = isFresh; + if (this.event != null) { + ClientModel client = authenticationSession == null ? null : authenticationSession.getClient(); + this.event.client((String) (client == null ? null : client.getClientId())); + } + } + + public ActionTokenHandler getHandler() { + return handler; + } + + public String getExecutionId() { + return executionId; + } + + public void setExecutionId(String executionId) { + this.executionId = executionId; + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java new file mode 100644 index 0000000000..e573df4c74 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java @@ -0,0 +1,119 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken; + +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.AuthenticationProcessor; +import org.keycloak.common.VerificationException; +import org.keycloak.events.EventBuilder; +import org.keycloak.events.EventType; +import org.keycloak.models.AuthenticationFlowModel; +import org.keycloak.provider.Provider; +import org.keycloak.representations.JsonWebToken; +import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.sessions.AuthenticationSessionModel; +import javax.ws.rs.core.Response; + +/** + * Handler of the action token. + * + * @author hmlnarik + */ +public interface ActionTokenHandler extends Provider { + + @FunctionalInterface + public interface ProcessFlow { + Response processFlow(boolean action, String execution, AuthenticationSessionModel authSession, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor); + }; + + /** + * Returns an array of verifiers that are tested prior to handling the token. All verifiers have to pass successfully + * for token to be handled. The returned array must not be {@code null}. + * @param tokenContext + * @return Verifiers or an empty array + */ + default Predicate[] getVerifiers(ActionTokenContext tokenContext) { + return new Predicate[] {}; + } + + /** + * Performs the action as per the token details. This method is only called if all verifiers + * returned in {@link #handleToken} succeed. + * + * @param token + * @param tokenContext + * @return + * @throws VerificationException + */ + Response handleToken(T token, ActionTokenContext tokenContext, ProcessFlow processFlow); + + /** + * Returns the Java token class for use with deserialization. + * @return + */ + Class getTokenClass(); + + /** + * Returns an authentication session ID requested from within the given token + * @param token Token. Can be {@code null} + * @return authentication session ID + */ + String getAuthenticationSessionIdFromToken(T token); + + /** + * Returns a event type logged with {@link EventBuilder} class. + * @return + */ + EventType eventType(); + + /** + * Returns an error to be shown in the {@link EventBuilder} detail when token handling fails and + * no more specific error is provided. + * @return + */ + String getDefaultEventError(); + + /** + * Returns an error to be shown in the response when token handling fails and no more specific + * error message is provided. + * @return + */ + String getDefaultErrorMessage(); + + /** + * Returns a response that restarts a flow that this action token initiates, or {@code null} if + * no special handling is requested. + * + * @return + */ + default Response handleRestartRequest(T token, ActionTokenContext tokenContext, ProcessFlow processFlow) { + return null; + } + + /** + * Creates a fresh authentication session according to the information from the token. + * @param token + * @param tokenContext + * @return + */ + default AuthenticationSessionModel startFreshAuthenticationSession(T token, ActionTokenContext tokenContext) { + AuthenticationSessionModel authSession = tokenContext.createAuthenticationSessionForClient(token.getIssuedFor()); + authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); + return authSession; + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandlerFactory.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandlerFactory.java new file mode 100644 index 0000000000..3ca3c17efb --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandlerFactory.java @@ -0,0 +1,27 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken; + +import org.keycloak.provider.ProviderFactory; +import org.keycloak.representations.JsonWebToken; + +/** + * + * @author hmlnarik + */ +public interface ActionTokenHandlerFactory extends ProviderFactory> { +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandlerSpi.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandlerSpi.java new file mode 100644 index 0000000000..4a82cedacf --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandlerSpi.java @@ -0,0 +1,50 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken; + +import org.keycloak.provider.Provider; +import org.keycloak.provider.ProviderFactory; +import org.keycloak.provider.Spi; + +/** + * + * @author hmlnarik + */ +public class ActionTokenHandlerSpi implements Spi { + + @Override + public boolean isInternal() { + return true; + } + + @Override + public String getName() { + return NAME; + } + private static final String NAME = "actionTokenHandler"; + + @Override + public Class getProviderClass() { + return ActionTokenHandler.class; + } + + @Override + public Class getProviderFactoryClass() { + return ActionTokenHandlerFactory.class; + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/DefaultActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java similarity index 60% rename from services/src/main/java/org/keycloak/authentication/DefaultActionToken.java rename to services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java index 8c51d1f83a..0f21a44df3 100644 --- a/services/src/main/java/org/keycloak/authentication/DefaultActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java @@ -15,14 +15,21 @@ * limitations under the License. */ -package org.keycloak.authentication; +package org.keycloak.authentication.actiontoken; import org.keycloak.TokenVerifier.Predicate; import org.keycloak.common.VerificationException; +import org.keycloak.common.util.Time; +import org.keycloak.jose.jws.JWSBuilder; +import org.keycloak.models.KeyManager; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.services.Urls; import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonProperty; import java.util.*; +import javax.ws.rs.core.UriInfo; /** * Part of action token that is intended to be used e.g. in link sent in password-reset email. @@ -33,6 +40,7 @@ import java.util.*; public class DefaultActionToken extends DefaultActionTokenKey { public static final String JSON_FIELD_ACTION_VERIFICATION_NONCE = "nonce"; + public static final String JSON_FIELD_AUTHENTICATION_SESSION_ID = "asid"; public static Predicate ACTION_TOKEN_BASIC_CHECKS = t -> { if (t.getActionVerificationNonce() == null) { @@ -46,7 +54,11 @@ public class DefaultActionToken extends DefaultActionTokenKey { * Single-use random value used for verification whether the relevant action is allowed. */ @JsonProperty(value = JSON_FIELD_ACTION_VERIFICATION_NONCE, required = true) - private final UUID actionVerificationNonce; + private UUID actionVerificationNonce; + + public DefaultActionToken() { + super(null, null); + } public DefaultActionToken(String userId, String actionId, int expirationInSecs) { this(userId, actionId, expirationInSecs, UUID.randomUUID()); @@ -65,6 +77,17 @@ public class DefaultActionToken extends DefaultActionTokenKey { expiration = absoluteExpirationInSecs; } + + @JsonProperty(value = JSON_FIELD_AUTHENTICATION_SESSION_ID) + public String getAuthenticationSessionId() { + return (String) getOtherClaims().get(JSON_FIELD_AUTHENTICATION_SESSION_ID); + } + + @JsonProperty(value = JSON_FIELD_AUTHENTICATION_SESSION_ID) + public final void setAuthenticationSessionId(String authenticationSessionId) { + setOtherClaims(JSON_FIELD_AUTHENTICATION_SESSION_ID, authenticationSessionId); + } + public UUID getActionVerificationNonce() { return actionVerificationNonce; } @@ -72,6 +95,9 @@ public class DefaultActionToken extends DefaultActionTokenKey { @JsonIgnore public Map getNotes() { Map res = new HashMap<>(); + if (getAuthenticationSessionId() != null) { + res.put(JSON_FIELD_AUTHENTICATION_SESSION_ID, getAuthenticationSessionId()); + } return res; } @@ -100,4 +126,38 @@ public class DefaultActionToken extends DefaultActionTokenKey { return res instanceof String ? (String) res : null; } + /** + * Updates the following fields and serializes this token into a signed JWT. The list of updated fields follows: + *

    + *
  • {@code id}: random nonce
    • + *
  • {@code issuedAt}: Current time
    • + *
  • {@code issuer}: URI of the given realm
    • + *
  • {@code audience}: URI of the given realm (same as issuer)
    • + *
+ * + * @param session + * @param realm + * @param uri + * @return + */ + public String serialize(KeycloakSession session, RealmModel realm, UriInfo uri) { + String issuerUri = getIssuer(realm, uri); + KeyManager.ActiveHmacKey keys = session.keys().getActiveHmacKey(realm); + + this + .issuedAt(Time.currentTime()) + .id(getActionVerificationNonce().toString()) + .issuer(issuerUri) + .audience(issuerUri); + + return new JWSBuilder() + .kid(keys.getKid()) + .jsonContent(this) + .hmac512(keys.getSecretKey()); + } + + private static String getIssuer(RealmModel realm, UriInfo uri) { + return Urls.realmIssuer(uri.getBaseUri(), realm.getName()); + } + } diff --git a/services/src/main/java/org/keycloak/authentication/DefaultActionTokenKey.java b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java similarity index 84% rename from services/src/main/java/org/keycloak/authentication/DefaultActionTokenKey.java rename to services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java index f9d44db254..117c4659f9 100644 --- a/services/src/main/java/org/keycloak/authentication/DefaultActionTokenKey.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.keycloak.authentication; +package org.keycloak.authentication.actiontoken; import org.keycloak.representations.JsonWebToken; import com.fasterxml.jackson.annotation.JsonIgnore; @@ -25,6 +25,9 @@ import com.fasterxml.jackson.annotation.JsonIgnore; */ public class DefaultActionTokenKey extends JsonWebToken { + // The authenticationSession note with ID of the user authenticated via the action token + public static final String ACTION_TOKEN_USER_ID = "ACTION_TOKEN_USER"; + public DefaultActionTokenKey(String userId, String actionId) { subject = userId; type = actionId; diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ExplainedTokenVerificationException.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ExplainedTokenVerificationException.java new file mode 100644 index 0000000000..271b2f26d9 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ExplainedTokenVerificationException.java @@ -0,0 +1,60 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken; + +import org.keycloak.authentication.ExplainedVerificationException; +import org.keycloak.exceptions.TokenVerificationException; +import org.keycloak.representations.JsonWebToken; + +/** + * Token verification exception that bears an error to be logged via event system + * and a message to show to the user e.g. via {@code ErrorPage.error()}. + * + * @author hmlnarik + */ +public class ExplainedTokenVerificationException extends TokenVerificationException { + private final String errorEvent; + + public ExplainedTokenVerificationException(JsonWebToken token, ExplainedVerificationException cause) { + super(token, cause.getMessage(), cause); + this.errorEvent = cause.getErrorEvent(); + } + + public ExplainedTokenVerificationException(JsonWebToken token, String errorEvent) { + super(token); + this.errorEvent = errorEvent; + } + + public ExplainedTokenVerificationException(JsonWebToken token, String errorEvent, String message) { + super(token, message); + this.errorEvent = errorEvent; + } + + public ExplainedTokenVerificationException(JsonWebToken token, String errorEvent, String message, Throwable cause) { + super(token, message); + this.errorEvent = errorEvent; + } + + public ExplainedTokenVerificationException(JsonWebToken token, String errorEvent, Throwable cause) { + super(token, cause); + this.errorEvent = errorEvent; + } + + public String getErrorEvent() { + return errorEvent; + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/TokenUtils.java b/services/src/main/java/org/keycloak/authentication/actiontoken/TokenUtils.java new file mode 100644 index 0000000000..bdaa80415c --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/TokenUtils.java @@ -0,0 +1,85 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken; + +import org.keycloak.TokenVerifier; +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.representations.JsonWebToken; +import java.util.function.BooleanSupplier; + +/** + * + * @author hmlnarik + */ +public class TokenUtils { + /** + * Returns a predicate for use in {@link TokenVerifier} using the given boolean-returning function. + * When the function return {@code false}, this predicate throws a {@link ExplainedTokenVerificationException} + * with {@code message} and {@code errorEvent} set from {@code errorMessage} and {@code errorEvent}, . + * + * @param function + * @param errorEvent + * @param errorMessage + * @return + */ + public static Predicate checkThat(BooleanSupplier function, String errorEvent, String errorMessage) { + return (JsonWebToken t) -> { + if (! function.getAsBoolean()) { + throw new ExplainedTokenVerificationException(t, errorEvent, errorMessage); + } + + return true; + }; + } + + /** + * Returns a predicate for use in {@link TokenVerifier} using the given boolean-returning function. + * When the function return {@code false}, this predicate throws a {@link ExplainedTokenVerificationException} + * with {@code message} and {@code errorEvent} set from {@code errorMessage} and {@code errorEvent}, . + * + * @param function + * @param errorEvent + * @param errorMessage + * @return + */ + public static Predicate checkThat(java.util.function.Predicate function, String errorEvent, String errorMessage) { + return (T t) -> { + if (! function.test(t)) { + throw new ExplainedTokenVerificationException(t, errorEvent, errorMessage); + } + + return true; + }; + } + + + /** + * Returns a predicate that is applied only if the given {@code condition} evaluates to {@true}. In case + * it evaluates to {@code false}, the predicate passes. + * @param + * @param condition Condition guarding execution of the predicate + * @param predicate Predicate that gets tested if the condition evaluates to {@code true} + * @return + */ + public static Predicate onlyIf(java.util.function.Predicate condition, Predicate predicate) { + return t -> (! condition.test(t)) || predicate.test(t); + } + + public static Predicate[] predicates(Predicate... predicate) { + return predicate; + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionToken.java new file mode 100644 index 0000000000..4be6f861a0 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionToken.java @@ -0,0 +1,85 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken.execactions; + +import org.keycloak.TokenVerifier; +import org.keycloak.authentication.actiontoken.DefaultActionToken; +import org.keycloak.common.VerificationException; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.LinkedList; +import java.util.List; +import java.util.UUID; + +/** + * + * @author hmlnarik + */ +public class ExecuteActionsActionToken extends DefaultActionToken { + + public static final String TOKEN_TYPE = "execute-actions"; + private static final String JSON_FIELD_REQUIRED_ACTIONS = "rqac"; + private static final String JSON_FIELD_REDIRECT_URI = "reduri"; + + public ExecuteActionsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, List requiredActions, String redirectUri, String clientId) { + super(userId, TOKEN_TYPE, absoluteExpirationInSecs, actionVerificationNonce); + setRequiredActions(requiredActions == null ? new LinkedList<>() : new LinkedList<>(requiredActions)); + setRedirectUri(redirectUri); + this.issuedFor = clientId; + } + + private ExecuteActionsActionToken() { + super(null, TOKEN_TYPE, -1, null); + } + + @JsonProperty(value = JSON_FIELD_REQUIRED_ACTIONS) + public List getRequiredActions() { + return (List) getOtherClaims().get(JSON_FIELD_REQUIRED_ACTIONS); + } + + @JsonProperty(value = JSON_FIELD_REQUIRED_ACTIONS) + public final void setRequiredActions(List requiredActions) { + if (requiredActions == null) { + getOtherClaims().remove(JSON_FIELD_REQUIRED_ACTIONS); + } else { + setOtherClaims(JSON_FIELD_REQUIRED_ACTIONS, requiredActions); + } + } + + @JsonProperty(value = JSON_FIELD_REDIRECT_URI) + public String getRedirectUri() { + return (String) getOtherClaims().get(JSON_FIELD_REDIRECT_URI); + } + + @JsonProperty(value = JSON_FIELD_REDIRECT_URI) + public final void setRedirectUri(String redirectUri) { + if (redirectUri == null) { + getOtherClaims().remove(JSON_FIELD_REDIRECT_URI); + } else { + setOtherClaims(JSON_FIELD_REDIRECT_URI, redirectUri); + } + } + + /** + * Returns a {@code ExecuteActionsActionToken} instance decoded from the given string. If decoding fails, returns {@code null} + * + * @param actionTokenString + * @return + */ + public static ExecuteActionsActionToken deserialize(String actionTokenString) throws VerificationException { + return TokenVerifier.create(actionTokenString, ExecuteActionsActionToken.class).getToken(); + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java new file mode 100644 index 0000000000..691fff527d --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java @@ -0,0 +1,86 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken.execactions; + +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.actiontoken.*; +import org.keycloak.events.Errors; +import org.keycloak.events.EventType; +import org.keycloak.models.UserModel; +import org.keycloak.protocol.oidc.OIDCLoginProtocol; +import org.keycloak.protocol.oidc.utils.RedirectUtils; +import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.messages.Messages; +import org.keycloak.services.resources.LoginActionsServiceChecks; +import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.CommonClientSessionModel.Action; +import javax.ws.rs.core.Response; + +/** + * + * @author hmlnarik + */ +public class ExecuteActionsActionTokenHandler extends AbstractActionTokenHander { + + public ExecuteActionsActionTokenHandler() { + super( + ExecuteActionsActionToken.TOKEN_TYPE, + ExecuteActionsActionToken.class, + Messages.INVALID_CODE, + EventType.EXECUTE_ACTIONS, + Errors.NOT_ALLOWED + ); + } + + @Override + public Predicate[] getVerifiers(ActionTokenContext tokenContext) { + return TokenUtils.predicates( + TokenUtils.checkThat( + // either redirect URI is not specified or must be valid for the cllient + t -> t.getRedirectUri() == null + || RedirectUtils.verifyRedirectUri(tokenContext.getUriInfo(), t.getRedirectUri(), + tokenContext.getRealm(), tokenContext.getAuthenticationSession().getClient()) != null, + Errors.INVALID_REDIRECT_URI, + Messages.INVALID_REDIRECT_URI + ) + ); + } + + @Override + public Response handleToken(ExecuteActionsActionToken token, ActionTokenContext tokenContext, ProcessFlow processFlow) { + AuthenticationSessionModel authSession = tokenContext.getAuthenticationSession(); + + String redirectUri = RedirectUtils.verifyRedirectUri(tokenContext.getUriInfo(), token.getRedirectUri(), + tokenContext.getRealm(), authSession.getClient()); + + if (redirectUri != null) { + authSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true"); + + authSession.setRedirectUri(redirectUri); + authSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); + } + + token.getRequiredActions().stream().forEach(authSession::addRequiredAction); + + UserModel user = tokenContext.getAuthenticationSession().getAuthenticatedUser(); + // verify user email as we know it is valid as this entry point would never have gotten here. + user.setEmailVerified(true); + + String nextAction = AuthenticationManager.nextRequiredAction(tokenContext.getSession(), authSession, tokenContext.getClientConnection(), tokenContext.getRequest(), tokenContext.getUriInfo(), tokenContext.getEvent()); + return AuthenticationManager.redirectToRequiredActions(tokenContext.getSession(), tokenContext.getRealm(), authSession, tokenContext.getUriInfo(), nextAction); + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.java new file mode 100644 index 0000000000..67fb452658 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.java @@ -0,0 +1,53 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken.resetcred; + +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.UUID; +import org.keycloak.authentication.actiontoken.DefaultActionToken; + +/** + * Representation of a token that represents a time-limited reset credentials action. + * + * @author hmlnarik + */ +public class ResetCredentialsActionToken extends DefaultActionToken { + + public static final String TOKEN_TYPE = "reset-credentials"; + private static final String JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP = "lcpt"; + + @JsonProperty(value = JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP) + private Long lastChangedPasswordTimestamp; + + public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, String authenticationSessionId, Long lastChangedPasswordTimestamp) { + super(userId, TOKEN_TYPE, absoluteExpirationInSecs, actionVerificationNonce); + setAuthenticationSessionId(authenticationSessionId); + this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; + } + + private ResetCredentialsActionToken() { + super(null, TOKEN_TYPE, -1, null); + } + + public Long getLastChangedPasswordTimestamp() { + return lastChangedPasswordTimestamp; + } + + public final void setLastChangedPasswordTimestamp(Long lastChangedPasswordTimestamp) { + this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java new file mode 100644 index 0000000000..fd87a6e41f --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java @@ -0,0 +1,120 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken.resetcred; + +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.AuthenticationProcessor; +import org.keycloak.authentication.actiontoken.*; +import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; +import org.keycloak.events.Errors; +import org.keycloak.events.EventType; +import org.keycloak.models.UserModel; +import org.keycloak.services.ErrorPage; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.services.messages.Messages; +import org.keycloak.services.resources.LoginActionsServiceChecks.IsActionRequired; +import org.keycloak.sessions.CommonClientSessionModel.Action; +import javax.ws.rs.core.Response; +import static org.keycloak.services.resources.LoginActionsService.RESET_CREDENTIALS_PATH; + +/** + * + * @author hmlnarik + */ +public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHander { + + public ResetCredentialsActionTokenHandler() { + super( + ResetCredentialsActionToken.TOKEN_TYPE, + ResetCredentialsActionToken.class, + Messages.RESET_CREDENTIAL_NOT_ALLOWED, + EventType.RESET_PASSWORD, + Errors.NOT_ALLOWED + ); + + } + + @Override + public Predicate[] getVerifiers(ActionTokenContext tokenContext) { + return new Predicate[] { + TokenUtils.checkThat(tokenContext.getRealm()::isResetPasswordAllowed, Errors.NOT_ALLOWED, Messages.RESET_CREDENTIAL_NOT_ALLOWED), + + new IsActionRequired(tokenContext, Action.AUTHENTICATE), + +// singleUseCheck, // TODO:hmlnarik - fix with single-use cache + }; + } + + @Override + public Response handleToken(ResetCredentialsActionToken token, ActionTokenContext tokenContext, ProcessFlow processFlow) { + AuthenticationProcessor authProcessor = new ResetCredsAuthenticationProcessor(tokenContext); + + return processFlow.processFlow( + false, + tokenContext.getExecutionId(), + tokenContext.getAuthenticationSession(), + RESET_CREDENTIALS_PATH, + tokenContext.getRealm().getResetCredentialsFlow(), + null, + authProcessor + ); + } + + @Override + public Response handleRestartRequest(ResetCredentialsActionToken token, ActionTokenContext tokenContext, ProcessFlow processFlow) { + // In the case restart is requested, the handling is exactly the same as if a token had been + // handled correctly but with a fresh authentication session + AuthenticationSessionManager asm = new AuthenticationSessionManager(tokenContext.getSession()); + asm.removeAuthenticationSession(tokenContext.getRealm(), tokenContext.getAuthenticationSession(), false); + + tokenContext.setAuthenticationSession(tokenContext.createAuthenticationSessionForClient(null), true); + return handleToken(token, tokenContext, processFlow); + } + + public static class ResetCredsAuthenticationProcessor extends AuthenticationProcessor { + + private final ActionTokenContext tokenContext; + + public ResetCredsAuthenticationProcessor(ActionTokenContext tokenContext) { + this.tokenContext = tokenContext; + } + + @Override + protected Response authenticationComplete() { + boolean firstBrokerLoginInProgress = (tokenContext.getAuthenticationSession().getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); + if (firstBrokerLoginInProgress) { + + UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, tokenContext.getRealm(), tokenContext.getAuthenticationSession()); + if (!linkingUser.getId().equals(tokenContext.getAuthenticationSession().getAuthenticatedUser().getId())) { + return ErrorPage.error(session, + Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, + tokenContext.getAuthenticationSession().getAuthenticatedUser().getUsername(), + linkingUser.getUsername() + ); + } + + logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login.", linkingUser.getUsername()); + + // TODO:mposolda Isn't this a bug that we redirect to 'afterBrokerLoginEndpoint' without rather continue with firstBrokerLogin and other authenticators like OTP? + //return redirectToAfterBrokerLoginEndpoint(authSession, true); + return null; + } else { + return super.authenticationComplete(); + } + } + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionToken.java new file mode 100644 index 0000000000..72e460c6b2 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionToken.java @@ -0,0 +1,55 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken.verifyemail; + +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.UUID; +import org.keycloak.authentication.actiontoken.DefaultActionToken; + +/** + * Representation of a token that represents a time-limited verify e-mail action. + * + * @author hmlnarik + */ +public class VerifyEmailActionToken extends DefaultActionToken { + + public static final String TOKEN_TYPE = "verify-email"; + + private static final String JSON_FIELD_EMAIL = "eml"; + + @JsonProperty(value = JSON_FIELD_EMAIL) + private String email; + + public VerifyEmailActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, String authenticationSessionId, + String email) { + super(userId, TOKEN_TYPE, absoluteExpirationInSecs, actionVerificationNonce); + setAuthenticationSessionId(authenticationSessionId); + this.email = email; + } + + private VerifyEmailActionToken() { + super(null, TOKEN_TYPE, -1, null); + } + + public String getEmail() { + return email; + } + + public void setEmail(String email) { + this.email = email; + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java new file mode 100644 index 0000000000..1d324c2550 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java @@ -0,0 +1,89 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken.verifyemail; + +import org.keycloak.authentication.actiontoken.AbstractActionTokenHander; +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.actiontoken.*; +import org.keycloak.events.*; +import org.keycloak.forms.login.LoginFormsProvider; +import org.keycloak.models.UserModel; +import org.keycloak.models.UserModel.RequiredAction; +import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.services.messages.Messages; +import org.keycloak.sessions.AuthenticationSessionModel; +import java.util.Objects; +import javax.ws.rs.core.Response; + +/** + * Action token handler for verification of e-mail address. + * @author hmlnarik + */ +public class VerifyEmailActionTokenHandler extends AbstractActionTokenHander { + + public VerifyEmailActionTokenHandler() { + super( + VerifyEmailActionToken.TOKEN_TYPE, + VerifyEmailActionToken.class, + Messages.STALE_VERIFY_EMAIL_LINK, + EventType.VERIFY_EMAIL, + Errors.INVALID_TOKEN + ); + } + + @Override + public Predicate[] getVerifiers(ActionTokenContext tokenContext) { + return TokenUtils.predicates( + TokenUtils.checkThat( + t -> Objects.equals(t.getEmail(), tokenContext.getAuthenticationSession().getAuthenticatedUser().getEmail()), + Errors.INVALID_EMAIL, getDefaultErrorMessage() + ) + ); + } + + @Override + public Response handleToken(VerifyEmailActionToken token, ActionTokenContext tokenContext, ProcessFlow processFlow) { + UserModel user = tokenContext.getAuthenticationSession().getAuthenticatedUser(); + EventBuilder event = tokenContext.getEvent(); + + event.event(EventType.VERIFY_EMAIL).detail(Details.EMAIL, user.getEmail()); + + AuthenticationSessionModel authSession = tokenContext.getAuthenticationSession(); + + // verify user email as we know it is valid as this entry point would never have gotten here. + user.setEmailVerified(true); + user.removeRequiredAction(RequiredAction.VERIFY_EMAIL); + authSession.removeRequiredAction(RequiredAction.VERIFY_EMAIL); + + event.success(); + + if (tokenContext.isAuthenticationSessionFresh()) { + AuthenticationSessionManager asm = new AuthenticationSessionManager(tokenContext.getSession()); + asm.removeAuthenticationSession(tokenContext.getRealm(), authSession, true); + return tokenContext.getSession().getProvider(LoginFormsProvider.class) + .setSuccess(Messages.EMAIL_VERIFIED) + .createInfoPage(); + } + + tokenContext.setEvent(event.clone().removeDetail(Details.EMAIL).event(EventType.LOGIN)); + + String nextAction = AuthenticationManager.nextRequiredAction(tokenContext.getSession(), authSession, tokenContext.getClientConnection(), tokenContext.getRequest(), tokenContext.getUriInfo(), event); + return AuthenticationManager.redirectToRequiredActions(tokenContext.getSession(), tokenContext.getRealm(), authSession, tokenContext.getUriInfo(), nextAction); + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java index 72064a0f04..b70f69b78d 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java @@ -58,12 +58,11 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator RealmModel realm = context.getRealm(); AuthenticationSessionModel authSession = context.getAuthenticationSession(); - // TODO:mposolda (or hmlnarik :) - uncomment and have this working and have AbstractFirstBrokerLoginTest.testLinkAccountByEmailVerification tp PASS -// if (realm.getSmtpConfig().size() == 0) { + if (realm.getSmtpConfig().size() == 0) { ServicesLogger.LOGGER.smtpNotConfigured(); context.attempted(); return; -// } + } /* VerifyEmail.setupKey(clientSession); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java index 4f022a0f45..4be9b9c031 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java @@ -17,12 +17,10 @@ package org.keycloak.authentication.authenticators.resetcred; +import org.keycloak.authentication.actiontoken.DefaultActionTokenKey; import org.jboss.logging.Logger; import org.keycloak.Config; -import org.keycloak.authentication.AuthenticationFlowContext; -import org.keycloak.authentication.AuthenticationFlowError; -import org.keycloak.authentication.Authenticator; -import org.keycloak.authentication.AuthenticatorFactory; +import org.keycloak.authentication.*; import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; import org.keycloak.events.Details; @@ -62,6 +60,18 @@ public class ResetCredentialChooseUser implements Authenticator, AuthenticatorFa return; } + String actionTokenUserId = context.getAuthenticationSession().getAuthNote(DefaultActionTokenKey.ACTION_TOKEN_USER_ID); + if (actionTokenUserId != null) { + UserModel existingUser = context.getSession().users().getUserById(actionTokenUserId, context.getRealm()); + + // Action token logics handles checks for user ID validity and user being enabled + + logger.debugf("Forget-password triggered when reauthenticating user after authentication via action token. Skipping reset-credential-choose-user screen and using user '%s' ", existingUser.getUsername()); + context.setUser(existingUser); + context.success(); + return; + } + Response challenge = context.form().createPasswordReset(); context.challenge(challenge); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java index 05ed9485f0..4d9b42ecb3 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java @@ -17,10 +17,11 @@ package org.keycloak.authentication.authenticators.resetcred; +import org.keycloak.authentication.actiontoken.DefaultActionTokenKey; import org.keycloak.Config; import org.keycloak.authentication.*; +import org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; -import org.keycloak.common.VerificationException; import org.keycloak.common.util.Time; import org.keycloak.credential.*; import org.keycloak.email.EmailException; @@ -40,6 +41,7 @@ import java.util.*; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import java.util.concurrent.TimeUnit; +import org.jboss.logging.Logger; /** * @author Bill Burke @@ -47,12 +49,15 @@ import java.util.concurrent.TimeUnit; */ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory { + private static final Logger logger = Logger.getLogger(ResetCredentialEmail.class); + public static final String PROVIDER_ID = "reset-credential-email"; @Override public void authenticate(AuthenticationFlowContext context) { UserModel user = context.getUser(); - String username = context.getAuthenticationSession().getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); + AuthenticationSessionModel authenticationSession = context.getAuthenticationSession(); + String username = authenticationSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME); // we don't want people guessing usernames, so if there was a problem obtaining the user, the user will be null. // just reset login for with a success message @@ -61,6 +66,13 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory return; } + String actionTokenUserId = authenticationSession.getAuthNote(DefaultActionTokenKey.ACTION_TOKEN_USER_ID); + if (actionTokenUserId != null && Objects.equals(user.getId(), actionTokenUserId)) { + logger.debugf("Forget-password triggered when reauthenticating user after authentication via action token. Skipping " + PROVIDER_ID + " screen and using user '%s' ", user.getUsername()); + context.success(); + return; + } + EventBuilder event = context.getEvent(); // we don't want people guessing usernames, so if there is a problem, just continuously challenge @@ -80,20 +92,19 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory Long lastCreatedPassword = getLastChangedTimestamp(keycloakSession, context.getRealm(), user); // We send the secret in the email in a link as a query param. - ResetCredentialsActionToken token = new ResetCredentialsActionToken(user.getId(), absoluteExpirationInSecs, null, lastCreatedPassword, context.getAuthenticationSession()); + ResetCredentialsActionToken token = new ResetCredentialsActionToken(user.getId(), absoluteExpirationInSecs, + null, authenticationSession.getId(), lastCreatedPassword); String link = UriBuilder - .fromUri(context.getRefreshExecutionUrl()) - .queryParam(Constants.KEY, token.serialize(keycloakSession, context.getRealm(), context.getUriInfo())) + .fromUri(context.getActionTokenUrl(token.serialize(context.getSession(), context.getRealm(), context.getUriInfo()))) .build() .toString(); long expirationInMinutes = TimeUnit.SECONDS.toMinutes(validityInSecs); try { - context.getSession().getProvider(EmailTemplateProvider.class).setRealm(context.getRealm()).setUser(user).sendPasswordReset(link, expirationInMinutes); event.clone().event(EventType.SEND_RESET_PASSWORD) .user(user) .detail(Details.USERNAME, username) - .detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, context.getAuthenticationSession().getId()).success(); + .detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, authenticationSession.getId()).success(); context.forkWithSuccessMessage(new FormMessage(Messages.EMAIL_SENT)); } catch (EmailException e) { event.clone().event(EventType.SEND_RESET_PASSWORD) @@ -118,53 +129,6 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory @Override public void action(AuthenticationFlowContext context) { - KeycloakSession keycloakSession = context.getSession(); - String actionTokenString = context.getAuthenticationSession().getAuthNote(ResetCredentialsActionToken.class.getName()); - ResetCredentialsActionToken tokenFromMail = null; - - try { - tokenFromMail = ResetCredentialsActionToken.deserialize(actionTokenString); - } catch (VerificationException ex) { - context.getEvent().detail(Details.REASON, ex.getMessage()); - // flow returns in the next condition so no "return" statmenent here - } - - if (tokenFromMail == null) { - context.getEvent() - .error(Errors.INVALID_CODE); - Response challenge = context.form() - .setError(Messages.INVALID_CODE) - .createErrorPage(); - context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); - return; - } - - String userId = tokenFromMail.getUserId(); - - Long lastCreatedPasswordMail = tokenFromMail.getLastChangedPasswordTimestamp(); - Long lastCreatedPasswordFromStore = getLastChangedTimestamp(keycloakSession, context.getRealm(), context.getUser()); - - String authenticationSessionId = tokenFromMail.getAuthenticationSessionId(); - AuthenticationSessionModel authenticationSession = authenticationSessionId == null - ? null - : keycloakSession.authenticationSessions().getAuthenticationSession(context.getRealm(), authenticationSessionId); - - if (authenticationSession == null - || ! Objects.equals(lastCreatedPasswordMail, lastCreatedPasswordFromStore) - || ! Objects.equals(userId, context.getUser().getId())) { - context.getEvent() - .user(userId) - .detail(Details.USERNAME, context.getUser().getUsername()) - .detail(Details.TOKEN_ID, tokenFromMail.getId()) - .error(Errors.EXPIRED_CODE); - Response challenge = context.form() - .setError(Messages.EXPIRED_CODE) - .createErrorPage(); - context.failure(AuthenticationFlowError.INTERNAL_ERROR, challenge); - return; - } - - // We now know email is valid, so set it to valid. context.getUser().setEmailVerified(true); context.success(); } diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java index e45ddcb657..fd3ce48018 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java @@ -22,20 +22,23 @@ import org.keycloak.Config; import org.keycloak.authentication.RequiredActionContext; import org.keycloak.authentication.RequiredActionFactory; import org.keycloak.authentication.RequiredActionProvider; +import org.keycloak.authentication.actiontoken.verifyemail.VerifyEmailActionToken; +import org.keycloak.common.util.Time; +import org.keycloak.email.EmailException; +import org.keycloak.email.EmailTemplateProvider; import org.keycloak.events.Details; import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.Constants; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakSessionFactory; -import org.keycloak.models.UserModel; +import org.keycloak.models.*; +import org.keycloak.models.UserModel.RequiredAction; import org.keycloak.models.utils.HmacOTP; -import org.keycloak.services.ServicesLogger; -import org.keycloak.services.resources.LoginActionsService; +import org.keycloak.services.Urls; import org.keycloak.services.validation.Validation; -import javax.ws.rs.core.Response; +import org.keycloak.sessions.AuthenticationSessionModel; +import java.util.Objects; +import java.util.concurrent.TimeUnit; +import javax.ws.rs.core.*; /** * @author Bill Burke @@ -52,30 +55,36 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor } @Override public void requiredActionChallenge(RequiredActionContext context) { + AuthenticationSessionModel authSession = context.getAuthenticationSession(); + if (context.getUser().isEmailVerified()) { context.success(); + authSession.removeAuthNote(Constants.VERIFY_EMAIL_KEY); return; } - if (Validation.isBlank(context.getUser().getEmail())) { + String email = context.getUser().getEmail(); + if (Validation.isBlank(email)) { context.ignore(); return; } - // TODO:mposolda - /* - context.getEvent().clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, context.getUser().getEmail()).success(); - LoginActionsService.createActionCookie(context.getRealm(), context.getUriInfo(), context.getConnection(), context.getUserSession().getId()); - - setupKey(context.getClientSession()); - LoginFormsProvider loginFormsProvider = context.getSession().getProvider(LoginFormsProvider.class) .setClientSessionCode(context.generateCode()) - .setClientSession(context.getClientSession()) + .setAuthenticationSession(authSession) .setUser(context.getUser()); - Response challenge = loginFormsProvider.createResponse(UserModel.RequiredAction.VERIFY_EMAIL); + Response challenge; + + // Do not allow resending e-mail by simple page refresh, i.e. when e-mail sent, it should be resent properly via email-verification endpoint + if (! Objects.equals(authSession.getAuthNote(Constants.VERIFY_EMAIL_KEY), email)) { + authSession.setAuthNote(Constants.VERIFY_EMAIL_KEY, email); + context.getEvent().clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, email).success(); + challenge = sendVerifyEmail(context.getSession(), context.generateCode(), context.getUser(), context.getAuthenticationSession()); + } else { + challenge = loginFormsProvider.createResponse(UserModel.RequiredAction.VERIFY_EMAIL); + } + context.challenge(challenge); - */ } @Override @@ -115,8 +124,39 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor return UserModel.RequiredAction.VERIFY_EMAIL.name(); } - public static void setupKey(ClientSessionModel clientSession) { + public static Response sendVerifyEmail(KeycloakSession session, String clientCode, UserModel user, AuthenticationSessionModel authSession) throws UriBuilderException, IllegalArgumentException { + RealmModel realm = session.getContext().getRealm(); + UriInfo uriInfo = session.getContext().getUri(); + + LoginFormsProvider forms = session.getProvider(LoginFormsProvider.class) + .setClientSessionCode(clientCode) + .setAuthenticationSession(authSession) + .setUser(authSession.getAuthenticatedUser()); + + int validityInSecs = realm.getAccessCodeLifespanUserAction(); + int absoluteExpirationInSecs = Time.currentTime() + validityInSecs; +// ExecuteActionsActionToken token = new ExecuteActionsActionToken(user.getId(), absoluteExpirationInSecs, null, +// Collections.singletonList(UserModel.RequiredAction.VERIFY_EMAIL.name()), +// null, null); +// token.setAuthenticationSessionId(authenticationSession.getId()); + + VerifyEmailActionToken token = new VerifyEmailActionToken(user.getId(), absoluteExpirationInSecs, null, authSession.getId(), user.getEmail()); + UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(), token.serialize(session, realm, uriInfo)); + String link = builder.build(realm.getName()).toString(); + long expirationInMinutes = TimeUnit.SECONDS.toMinutes(validityInSecs); + + try { + session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user).sendVerifyEmail(link, expirationInMinutes); + } catch (EmailException e) { + logger.error("Failed to send verification email", e); + return forms.createResponse(RequiredAction.VERIFY_EMAIL); + } + + return forms.createResponse(UserModel.RequiredAction.VERIFY_EMAIL); + } + + public static void setupKey(AuthenticationSessionModel session) { String secret = HmacOTP.generateSecret(10); - clientSession.setNote(Constants.VERIFY_EMAIL_KEY, secret); + session.setAuthNote(Constants.VERIFY_EMAIL_KEY, secret); } } diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java index ffb3f4d7ae..e93df33cf6 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java @@ -36,13 +36,7 @@ import org.keycloak.forms.login.freemarker.model.RegisterBean; import org.keycloak.forms.login.freemarker.model.RequiredActionUrlFormatterMethod; import org.keycloak.forms.login.freemarker.model.TotpBean; import org.keycloak.forms.login.freemarker.model.UrlBean; -import org.keycloak.models.ClientModel; -import org.keycloak.models.IdentityProviderModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.ProtocolMapperModel; -import org.keycloak.models.RealmModel; -import org.keycloak.models.RoleModel; -import org.keycloak.models.UserModel; +import org.keycloak.models.*; import org.keycloak.models.utils.FormMessage; import org.keycloak.services.Urls; import org.keycloak.services.messages.Messages; @@ -67,13 +61,7 @@ import javax.ws.rs.core.UriInfo; import java.io.IOException; import java.net.URI; import java.text.MessageFormat; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.LinkedList; -import java.util.List; -import java.util.Locale; -import java.util.Map; -import java.util.Properties; +import java.util.*; /** * @author Stian Thorgersen @@ -119,7 +107,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { public Response createResponse(UserModel.RequiredAction action) { RealmModel realm = session.getContext().getRealm(); - UriInfo uriInfo = session.getContext().getUri(); String actionMessage; LoginFormsPages page; @@ -141,21 +128,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { page = LoginFormsPages.LOGIN_UPDATE_PASSWORD; break; case VERIFY_EMAIL: - // TODO:mposolda It should be also clientSession (actionTicket) involved here. Not just authSession - /*try { - UriBuilder builder = Urls.loginActionEmailVerificationBuilder(uriInfo.getBaseUri()); - builder.queryParam(OAuth2Constants.CODE, accessCode); - builder.queryParam(Constants.KEY, authSession.getNote(Constants.VERIFY_EMAIL_KEY)); - - String link = builder.build(realm.getName()).toString(); - long expiration = TimeUnit.SECONDS.toMinutes(realm.getAccessCodeLifespanUserAction()); - - session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user).sendVerifyEmail(link, expiration); - } catch (EmailException e) { - logger.error("Failed to send verification email", e); - return setError(Messages.EMAIL_SENT_ERROR).createErrorPage(); - }*/ - actionMessage = Messages.VERIFY_EMAIL; page = LoginFormsPages.LOGIN_VERIFY_EMAIL; break; @@ -183,13 +155,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { // for some reason Resteasy 2.3.7 doesn't like query params and form params with the same name and will null out the code form param uriBuilder.replaceQuery(null); } - URI baseUri = uriBuilder.build(); - - if (accessCode != null) { - uriBuilder.queryParam(OAuth2Constants.CODE, accessCode); - } - URI baseUriWithCode = uriBuilder.build(); - for (String k : queryParameterMap.keySet()) { @@ -198,6 +163,13 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { uriBuilder.replaceQueryParam(k, objects); } + // TODO:hmlnarik Why was the following removed in https://github.com/hmlnarik/keycloak/commit/6df8f13109d6ea77b455e04d884994e5831ea52b#diff-d795b851c2db89d5198c897aba4c40c9 + if (accessCode != null) { + uriBuilder.replaceQueryParam(OAuth2Constants.CODE, accessCode); + } + + URI baseUri = uriBuilder.build(); + ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending"); Theme theme; try { @@ -249,7 +221,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { List identityProviders = realm.getIdentityProviders(); identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData); - attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCode)); + attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUri)); attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri)); diff --git a/services/src/main/java/org/keycloak/services/Urls.java b/services/src/main/java/org/keycloak/services/Urls.java index b86c04fd80..edeac7692a 100755 --- a/services/src/main/java/org/keycloak/services/Urls.java +++ b/services/src/main/java/org/keycloak/services/Urls.java @@ -182,6 +182,11 @@ public class Urls { return loginActionsBase(baseUri).path(LoginActionsService.class, "executeActions"); } + public static UriBuilder actionTokenBuilder(URI baseUri, String tokenString) { + return loginActionsBase(baseUri).path(LoginActionsService.class, "executeActionToken") + .queryParam("key", tokenString); + } + public static UriBuilder loginResetCredentialsBuilder(URI baseUri) { return loginActionsBase(baseUri).path(LoginActionsService.RESET_CREDENTIALS_PATH); } diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 23fc616fdf..0338964212 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -16,6 +16,8 @@ */ package org.keycloak.services.resources; +import org.keycloak.authentication.actiontoken.DefaultActionToken; +import org.keycloak.authentication.actiontoken.DefaultActionTokenKey; import org.jboss.logging.Logger; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.OAuth2Constants; @@ -25,13 +27,12 @@ import org.keycloak.authentication.RequiredActionContextResult; import org.keycloak.authentication.RequiredActionFactory; import org.keycloak.authentication.RequiredActionProvider; import org.keycloak.TokenVerifier; -import org.keycloak.TokenVerifier.Predicate; -import org.keycloak.TokenVerifier.TokenTypeCheck; -import org.keycloak.authentication.*; +import org.keycloak.authentication.actiontoken.*; import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants; import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; +import org.keycloak.authentication.requiredactions.VerifyEmail; import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.common.ClientConnection; import org.keycloak.common.VerificationException; @@ -54,6 +55,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.UserConsentModel; import org.keycloak.models.UserModel; +import org.keycloak.models.UserModel.RequiredAction; import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.protocol.AuthorizationEndpointBase; @@ -63,7 +65,6 @@ import org.keycloak.protocol.RestartLoginCookie; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.utils.OIDCResponseMode; import org.keycloak.protocol.oidc.utils.OIDCResponseType; -import org.keycloak.representations.JsonWebToken; import org.keycloak.services.ErrorPage; import org.keycloak.services.ServicesLogger; import org.keycloak.services.Urls; @@ -71,13 +72,13 @@ import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; +import org.keycloak.services.resources.LoginActionsServiceChecks.RestartFlowException; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.util.PageExpiredRedirect; import org.keycloak.services.util.BrowserHistoryHelper; import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.sessions.CommonClientSessionModel; -import org.keycloak.sessions.CommonClientSessionModel.Action; import javax.ws.rs.Consumes; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -93,12 +94,8 @@ import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import javax.ws.rs.ext.Providers; import java.net.URI; -import java.util.Objects; -import java.util.function.*; import javax.ws.rs.core.*; -import static org.keycloak.TokenVerifier.optional; -import static org.keycloak.authentication.DefaultActionToken.ACTION_TOKEN_BASIC_CHECKS; -import static org.keycloak.authentication.ResetCredentialsActionToken.RESET_CREDENTIALS_TYPE; +import static org.keycloak.authentication.actiontoken.DefaultActionToken.ACTION_TOKEN_BASIC_CHECKS; /** * @author Stian Thorgersen @@ -153,6 +150,10 @@ public class LoginActionsService { return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "requiredActionPOST"); } + public static UriBuilder actionTokenProcessor(UriInfo uriInfo) { + return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "executeActionToken"); + } + public static UriBuilder registrationFormProcessor(UriInfo uriInfo) { return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "processRegister"); } @@ -189,6 +190,13 @@ public class LoginActionsService { return res; } + private SessionCodeChecks checksForCodeRefreshNotAllowed(String code, String execution, String flowPath) { + SessionCodeChecks res = new SessionCodeChecks(code, execution, flowPath); + res.setAllowRefresh(false); + res.initialVerify(); + return res; + } + private class SessionCodeChecks { @@ -196,6 +204,7 @@ public class LoginActionsService { Response response; ClientSessionCode.ParseResult result; private boolean actionRequest; + private boolean allowRefresh = true; private final String code; private final String execution; @@ -219,6 +228,14 @@ public class LoginActionsService { return response != null; } + public boolean isAllowRefresh() { + return allowRefresh; + } + + public void setAllowRefresh(boolean allowRefresh) { + this.allowRefresh = allowRefresh; + } + boolean verifyCode(String expectedAction, ClientSessionCode.ActionType actionType) { if (failed()) { @@ -275,7 +292,7 @@ public class LoginActionsService { return null; } - // authenticationSession retrieve + // object retrieve AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(code, session, realm, AuthenticationSessionModel.class); if (authSession != null) { return authSession; @@ -375,7 +392,7 @@ public class LoginActionsService { if (clientCode == null) { // In case that is replayed action, but sent to the same FORM like actual FORM, we just re-render the page - if (ObjectUtil.isEqualOrBothNull(execution, authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION))) { + if (allowRefresh && ObjectUtil.isEqualOrBothNull(execution, authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION))) { String latestFlowPath = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); URI redirectUri = getLastExecutionUrl(latestFlowPath, execution); @@ -389,7 +406,7 @@ public class LoginActionsService { } - actionRequest = true; + actionRequest = execution != null; authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, execution); return true; } @@ -612,196 +629,19 @@ public class LoginActionsService { @Path(RESET_CREDENTIALS_PATH) @POST public Response resetCredentialsPOST(@QueryParam("code") String code, - @QueryParam("execution") String execution) { + @QueryParam("execution") String execution, + @QueryParam(Constants.KEY) String key) { + if (key != null) { + return handleActionToken(key, execution); + } + + event.event(EventType.RESET_PASSWORD); + return resetCredentials(code, execution); } - private Predicate checkThat(BooleanSupplier function, String errorEvent, String errorMessage) { - return t -> { - if (! function.getAsBoolean()) { - event.error(errorEvent); - throw new LoginActionsServiceException(ErrorPage.error(session, errorMessage)); - } - - return true; - }; - } - /** - * Verifies that the authentication session has not yet been converted to user session, in other words - * that the user has not yet completed authentication and logged in. - */ - private class IsAuthenticationSessionNotConvertedToUserSession implements Predicate { - - private final Function getAuthenticationSessionIdFromToken; - - public IsAuthenticationSessionNotConvertedToUserSession(Function getAuthenticationSessionIdFromToken) { - this.getAuthenticationSessionIdFromToken = getAuthenticationSessionIdFromToken; - } - - @Override - public boolean test(T t) throws VerificationException { - String authSessionId = t == null ? null : getAuthenticationSessionIdFromToken.apply(t); - if (authSessionId == null) { - return false; - } - - if (session.sessions().getUserSession(realm, authSessionId) != null) { - throw new LoginActionsServiceException( - session.getProvider(LoginFormsProvider.class) - .setSuccess(Messages.ALREADY_LOGGED_IN) - .createInfoPage()); - } - - return true; - } - } - - /** - * Verifies whether client stored in the authentication session both exists and is enabled. If yes, it also sets the client - * into session context. - * @param - */ - private class IsClientValid implements Predicate { - - private final Function getAuthenticationSessionFromToken; - - public IsClientValid(Function getAuthenticationSessionFromToken) { - this.getAuthenticationSessionFromToken = getAuthenticationSessionFromToken; - } - - @Override - public boolean test(T t) throws VerificationException { - AuthenticationSessionModel authenticationSession = getAuthenticationSessionFromToken.apply(t); - - ClientModel client = authenticationSession == null ? null : authenticationSession.getClient(); - - if (client == null) { - event.error(Errors.CLIENT_NOT_FOUND); - new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authenticationSession, true); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER)); - } - - if (! client.isEnabled()) { - event.error(Errors.CLIENT_NOT_FOUND); - new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authenticationSession, true); - throw new LoginActionsServiceException(ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED)); - } - - session.getContext().setClient(client); - - return true; - } - } - - /** - * This check verifies that: - *
    - *
  • If authentication session ID is not set in the token, passes.
    • - *
  • If auth session ID is set in the token, then the corresponding authentication session exists. - * Then it is set into the token.
    • - *
- * - * @param - */ - private class CanResolveAuthenticationSession implements Predicate { - - private final Function getAuthenticationSessionIdFromToken; - - private final BiConsumer setAuthenticationSessionToToken; - - public CanResolveAuthenticationSession(Function getAuthenticationSessionIdFromToken, - BiConsumer setAuthenticationSessionToToken) { - this.getAuthenticationSessionIdFromToken = getAuthenticationSessionIdFromToken; - this.setAuthenticationSessionToToken = setAuthenticationSessionToToken; - } - - @Override - public boolean test(T t) throws VerificationException { - String authSessionId = t == null ? null : getAuthenticationSessionIdFromToken.apply(t); - - AuthenticationSessionModel authSession; - if (authSessionId == null) { - return true; - } else { - authSession = session.authenticationSessions().getAuthenticationSession(realm, authSessionId); - } - - if (authSession == null) { // timeout or logged-already (NOPE - this is handled by IsAuthenticationSessionNotConvertedToUserSession) - throw new LoginActionsServiceException(restartAuthenticationSessionFromCookie()); - } - - event - .detail(Details.CODE_ID, authSession.getId()) - .client(authSession.getClient()); - - setAuthenticationSessionToToken.accept(t, authSession); - - return true; - } - } - - /** - * This check verifies that if the token has not authentication session set, a new authentication session is introduced - * for the given client and reset-credentials flow is started with this new session. - */ - private class ResetCredsIntroduceAuthenticationSessionIfNotSet implements Predicate { - - private final String defaultClientId; - - public ResetCredsIntroduceAuthenticationSessionIfNotSet(String defaultClientId) { - this.defaultClientId = defaultClientId; - } - - @Override - public boolean test(ResetCredentialsActionToken t) throws VerificationException { - AuthenticationSessionModel authSession = t.getAuthenticationSession(); - - if (authSession == null) { - authSession = createAuthenticationSessionForClient(this.defaultClientId); - throw new LoginActionsServiceException(processResetCredentials(false, null, authSession, null)); - } - - return true; - } - } - - /** - * Verifies that if authentication session exists and any action is required according to it, then it is - * the expected one. - * - * If there is an action required in the session, furthermore it is not the expected one, and the required - * action is redirection to "required actions", it throws with response performing the redirect to required - * actions. - * @param - */ - private class IsActionRequired implements Predicate { - - private final ClientSessionModel.Action expectedAction; - - private final Function getAuthenticationSessionFromToken; - - public IsActionRequired(Action expectedAction, Function getAuthenticationSessionFromToken) { - this.expectedAction = expectedAction; - this.getAuthenticationSessionFromToken = getAuthenticationSessionFromToken; - } - - @Override - public boolean test(T t) throws VerificationException { - AuthenticationSessionModel authSession = getAuthenticationSessionFromToken.apply(t); - - if (authSession != null && ! Objects.equals(authSession.getAction(), this.expectedAction.name())) { - if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) { - throw new LoginActionsServiceException(redirectToRequiredActions(null)); - } - } - - return true; - } - } - - /** - * Endpoint for executing reset credentials flow. If code is null, a client session is created with the account + * Endpoint for executing reset credentials flow. If token is null, a client session is created with the account * service as the client. Successful reset sends you to the account page. Note, account service must be enabled. * * @param code @@ -811,19 +651,11 @@ public class LoginActionsService { @Path(RESET_CREDENTIALS_PATH) @GET public Response resetCredentialsGET(@QueryParam("code") String code, - @QueryParam("execution") String execution, - @QueryParam(Constants.KEY) String key) { - event.event(EventType.RESET_PASSWORD); - - if (code != null && key != null) { - // TODO:mposolda better handling of error - throw new IllegalStateException("Illegal state"); - } - + @QueryParam("execution") String execution) { AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm); // we allow applications to link to reset credentials without going through OAuth or SAML handshakes - if (authSession == null && key == null && code == null) { + if (authSession == null && code == null) { if (!realm.isResetPasswordAllowed()) { event.event(EventType.RESET_PASSWORD); event.error(Errors.NOT_ALLOWED); @@ -831,22 +663,19 @@ public class LoginActionsService { } authSession = createAuthenticationSessionForClient(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); - return processResetCredentials(false, null, authSession, null); + return processResetCredentials(false, null, authSession); } - if (key != null) { - return resetCredentialsByToken(key, execution); - } - + event.event(EventType.RESET_PASSWORD); return resetCredentials(code, execution); } - private AuthenticationSessionModel createAuthenticationSessionForClient(String clientId) + AuthenticationSessionModel createAuthenticationSessionForClient(String clientId) throws UriBuilderException, IllegalArgumentException { AuthenticationSessionModel authSession; // set up the account service as the endpoint to call. - ClientModel client = realm.getClientByClientId(clientId); + ClientModel client = realm.getClientByClientId(clientId == null ? Constants.ACCOUNT_MANAGEMENT_CLIENT_ID : clientId); authSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, true); authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); //authSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); @@ -861,13 +690,11 @@ public class LoginActionsService { } /** - * @deprecated In favor of {@link #resetCredentialsByToken(String, String)} * @param code * @param execution * @return */ protected Response resetCredentials(String code, String execution) { - event.event(EventType.RESET_PASSWORD); SessionCodeChecks checks = checksForCode(code, execution, RESET_CREDENTIALS_PATH); if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) { return checks.response; @@ -875,138 +702,192 @@ public class LoginActionsService { final AuthenticationSessionModel authSession = checks.getAuthenticationSession(); if (!realm.isResetPasswordAllowed()) { - event.client(authSession.getClient()); + if (authSession != null) { + event.client(authSession.getClient()); + } event.error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } - return processResetCredentials(checks.actionRequest, execution, authSession, null); + return processResetCredentials(checks.actionRequest, execution, authSession); } - protected Response resetCredentialsByToken(String tokenString, String execution) { - event.event(EventType.RESET_PASSWORD); + /** + * Handles a given token using the given token handler. If there is any {@link VerificationException} thrown + * in the handler, it is handled automatically here to reduce boilerplate code. + * + * @param tokenString Original token string + * @param eventError + * @param defaultErrorMessage + * @return + */ + @Path("action-token") + @GET + public Response executeActionToken(@QueryParam("key") String key, + @QueryParam("execution") String execution) { + return handleActionToken(key, execution); + } - ResetCredentialsActionToken token; - ResetCredentialsActionTokenChecks singleUseCheck = new ResetCredentialsActionTokenChecks(session, realm, event); + protected Response handleActionToken(String tokenString, String execution) { + T token; + ActionTokenHandler handler; + ActionTokenContext tokenContext; + String eventError = null; + String defaultErrorMessage = null; + AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm); + + event.event(EventType.EXECUTE_ACTION_TOKEN); + + // First resolve action token handler try { - token = TokenVerifier.createHollow(tokenString, ResetCredentialsActionToken.class) - .secretKey(session.keys().getActiveHmacKey(realm).getSecretKey()) + if (tokenString == null) { + throw new ExplainedTokenVerificationException(null, Errors.NOT_ALLOWED, Messages.INVALID_REQUEST); + } + TokenVerifier tokenVerifier = TokenVerifier.create(tokenString, DefaultActionToken.class); + DefaultActionToken aToken = tokenVerifier.getToken(); + + event + .detail(Details.TOKEN_ID, aToken.getId()) + .detail(Details.ACTION, aToken.getActionId()) + .user(aToken.getUserId()); + + handler = resolveActionTokenHandler(aToken.getActionId()); + eventError = handler.getDefaultEventError(); + defaultErrorMessage = handler.getDefaultErrorMessage(); + + if (! realm.isEnabled()) { + throw new ExplainedTokenVerificationException(aToken, Errors.REALM_DISABLED, Messages.REALM_NOT_ENABLED); + } + if (! checkSsl()) { + throw new ExplainedTokenVerificationException(aToken, Errors.SSL_REQUIRED, Messages.HTTPS_REQUIRED); + } + + tokenVerifier .withChecks( - new TokenTypeCheck(RESET_CREDENTIALS_TYPE), - - checkThat(realm::isEnabled, Errors.REALM_DISABLED, Messages.REALM_NOT_ENABLED), - checkThat(realm::isResetPasswordAllowed, Errors.NOT_ALLOWED, Messages.RESET_CREDENTIAL_NOT_ALLOWED), - checkThat(this::checkSsl, Errors.SSL_REQUIRED, Messages.HTTPS_REQUIRED), - - new IsAuthenticationSessionNotConvertedToUserSession<>(ResetCredentialsActionToken::getAuthenticationSessionId), - - // Authentication session might not be part of the token, hence the following check is optional - optional(new CanResolveAuthenticationSession<>(ResetCredentialsActionToken::getAuthenticationSessionId, ResetCredentialsActionToken::setAuthenticationSession)), - - // Check for being active has to be after authentication session is resolved so that it can be used in error handling + // Token introspection checks TokenVerifier.IS_ACTIVE, - - singleUseCheck, // TODO:hmlnarik make it use a check via generic single-use cache - - new ResetCredsIntroduceAuthenticationSessionIfNotSet(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID), - - new IsActionRequired<>(Action.AUTHENTICATE, ResetCredentialsActionToken::getAuthenticationSession), - new IsClientValid<>(ResetCredentialsActionToken::getAuthenticationSession) + new TokenVerifier.RealmUrlCheck(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())), + ACTION_TOKEN_BASIC_CHECKS ) - .withChecks(ACTION_TOKEN_BASIC_CHECKS) - .verify() - .getToken(); + .secretKey(session.keys().getActiveHmacKey(realm).getSecretKey()) + .verify(); + + // TODO:hmlnarik Optimize + token = TokenVerifier.create(tokenString, handler.getTokenClass()).getToken(); } catch (TokenNotActiveException ex) { - token = (ResetCredentialsActionToken) ex.getToken(); - - if (token != null && token.getAuthenticationSession() != null) { - event.clone() - .client(token.getAuthenticationSession().getClient()) - .error(Errors.EXPIRED_CODE); - AuthenticationSessionModel authSession = token.getAuthenticationSession(); - AuthenticationProcessor.resetFlow(authSession, AUTHENTICATE_PATH); + if (authSession != null) { + event.clone().error(Errors.EXPIRED_CODE); + String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW); + if (flowPath == null) { + flowPath = AUTHENTICATE_PATH; + } + AuthenticationProcessor.resetFlow(authSession, flowPath); return processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT); } - event - .detail(Details.REASON, ex.getMessage()) - .error(Errors.NOT_ALLOWED); - return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); - } catch (LoginActionsServiceException ex) { - if (ex.getResponse() == null) { - event - .detail(Details.REASON, ex.getMessage()) - .error(Errors.NOT_ALLOWED); - return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); - } else { - return ex.getResponse(); - } + return handleActionTokenVerificationException(null, ex, Errors.EXPIRED_CODE, defaultErrorMessage); + } catch (ExplainedTokenVerificationException ex) { + return handleActionTokenVerificationException(null, ex, ex.getErrorEvent(), ex.getMessage()); } catch (VerificationException ex) { - event - .detail(Details.REASON, ex.getMessage()) - .error(Errors.NOT_ALLOWED); - return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); + return handleActionTokenVerificationException(null, ex, eventError, defaultErrorMessage); } - final AuthenticationSessionModel authSession = token.getAuthenticationSession(); - authSession.setAuthNote(ResetCredentialsActionToken.class.getName(), tokenString); + // Now proceed with the verification and handle the token + tokenContext = new ActionTokenContext(session, realm, uriInfo, clientConnection, request, event, handler); - // Verify if action is processed in same browser. - if (!isSameBrowser(authSession)) { - logger.debug("Action request processed in different browser."); + try { + tokenContext.setExecutionId(execution); - new AuthenticationSessionManager(session).setAuthSessionCookie(authSession.getId(), realm); + String tokenAuthSessionId = handler.getAuthenticationSessionIdFromToken(token); + if (authSession == null) { + if (tokenAuthSessionId != null) { + // This can happen if the token contains ID but user opens the link in a new browser + LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, tokenAuthSessionId); + } - authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); - } + authSession = handler.startFreshAuthenticationSession(token, tokenContext); + tokenContext.setAuthenticationSession(authSession, true); - return processResetCredentials(true, execution, authSession, null); - } + initLoginEvent(authSession); + event.event(handler.eventType()); + } else { + initLoginEvent(authSession); + event.event(handler.eventType()); + if (tokenAuthSessionId == null) { + // There exists an authentication session but no auth session ID was received in the action token + logger.debugf("Authentication session exists while reauthentication was requested by using action token %s, restarting.", token.getId()); + new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, false); - // Verify if action is processed in same browser. - private boolean isSameBrowser(AuthenticationSessionModel actionTokenSession) { - String cookieSessionId = new AuthenticationSessionManager(session).getCurrentAuthenticationSessionId(realm); + authSession = handler.startFreshAuthenticationSession(token, tokenContext); + tokenContext.setAuthenticationSession(authSession, true); + } else { + LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, tokenAuthSessionId); + LoginActionsServiceChecks.checkAuthenticationSessionFromCookieMatchesOneFromToken(tokenContext, tokenAuthSessionId); + } + } - if (cookieSessionId == null) { - return false; - } + LoginActionsServiceChecks.checkIsUserValid(token, tokenContext); + LoginActionsServiceChecks.checkIsClientValid(token, tokenContext); + + session.getContext().setClient(authSession.getClient()); - if (actionTokenSession.getId().equals(cookieSessionId)) { - return true; - } + TokenVerifier.create(token) + .withChecks(handler.getVerifiers(tokenContext)) + .verify(); - // Chance that cookie session was "forked" in browser from some other session - AuthenticationSessionModel forkedSession = session.authenticationSessions().getAuthenticationSession(realm, cookieSessionId); - if (forkedSession == null) { - return false; - } + authSession = tokenContext.getAuthenticationSession(); + event = tokenContext.getEvent(); - String parentSessionId = forkedSession.getAuthNote(AuthenticationProcessor.FORKED_FROM); - if (parentSessionId == null) { - return false; - } + initLoginEvent(authSession); - if (actionTokenSession.getId().equals(parentSessionId)) { - // It's the correct browser. Let's remove forked session as we won't continue from the login form (browser flow) but from the resetCredentialsByToken flow - // Don't expire KC_RESTART cookie at this point - new AuthenticationSessionManager(session).removeAuthenticationSession(realm, forkedSession, false); - logger.infof("Removed forked session: %s", forkedSession.getId()); + authSession.setAuthNote(DefaultActionTokenKey.ACTION_TOKEN_USER_ID, token.getUserId()); - // Refresh browser cookie - new AuthenticationSessionManager(session).setAuthSessionCookie(parentSessionId, realm); - - return true; - } else { - return false; + return handler.handleToken(token, tokenContext, this::processFlow); + } catch (ExplainedTokenVerificationException ex) { + return handleActionTokenVerificationException(tokenContext, ex, ex.getErrorEvent(), ex.getMessage()); + } catch (RestartFlowException ex) { + Response response = handler.handleRestartRequest(token, tokenContext, this::processFlow); + return response == null + ? handleActionTokenVerificationException(tokenContext, ex, eventError, defaultErrorMessage) + : response; + } catch (LoginActionsServiceException ex) { + Response response = ex.getResponse(); + return response == null + ? handleActionTokenVerificationException(tokenContext, ex, eventError, defaultErrorMessage) + : response; + } catch (VerificationException ex) { + return handleActionTokenVerificationException(tokenContext, ex, eventError, defaultErrorMessage); } } + private ActionTokenHandler resolveActionTokenHandler(String actionId) throws VerificationException { + if (actionId == null) { + throw new VerificationException("Action token operation not set"); + } + ActionTokenHandler handler = session.getProvider(ActionTokenHandler.class, actionId); - protected Response processResetCredentials(boolean actionRequest, String execution, AuthenticationSessionModel authSession, String errorMessage) { + if (handler == null) { + throw new VerificationException("Invalid action token operation"); + } + return handler; + } + + private Response handleActionTokenVerificationException(ActionTokenContext tokenContext, VerificationException ex, String eventError, String errorMessage) { + if (tokenContext != null && tokenContext.getAuthenticationSession() != null) { + new AuthenticationSessionManager(session).removeAuthenticationSession(realm, tokenContext.getAuthenticationSession(), true); + } + + event + .detail(Details.REASON, ex == null ? "" : ex.getMessage()) + .error(eventError == null ? Errors.INVALID_CODE : eventError); + return ErrorPage.error(session, errorMessage == null ? Messages.INVALID_CODE : errorMessage); + } + + protected Response processResetCredentials(boolean actionRequest, String execution, AuthenticationSessionModel authSession) { AuthenticationProcessor authProcessor = new AuthenticationProcessor() { @Override @@ -1032,7 +913,7 @@ public class LoginActionsService { } }; - return processFlow(actionRequest, execution, authSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), errorMessage, authProcessor); + return processFlow(actionRequest, execution, authSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), null, authProcessor); } @@ -1251,84 +1132,20 @@ public class LoginActionsService { @Path("email-verification") @GET - public Response emailVerification(@QueryParam("code") String code, @QueryParam("key") String key) { - // TODO:mposolda - /* - event.event(EventType.VERIFY_EMAIL); - if (key != null) { - ClientSessionModel clientSession = null; - String keyFromSession = null; - if (code != null) { - clientSession = ClientSessionCode.getClientSession(code, session, realm); - keyFromSession = clientSession != null ? clientSession.getNote(Constants.VERIFY_EMAIL_KEY) : null; - } + public Response emailVerification(@QueryParam("code") String code, @QueryParam("execution") String execution) { + event.event(EventType.SEND_VERIFY_EMAIL); - if (!key.equals(keyFromSession)) { - ServicesLogger.LOGGER.invalidKeyForEmailVerification(); - event.error(Errors.INVALID_CODE); - throw new WebApplicationException(ErrorPage.error(session, Messages.STALE_VERIFY_EMAIL_LINK)); - } + SessionCodeChecks checks = checksForCodeRefreshNotAllowed(code, execution, REQUIRED_ACTION); + if (!checks.verifyCode(ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { + return checks.response; + } + ClientSessionCode accessCode = checks.clientCode; + AuthenticationSessionModel authSession = checks.getAuthenticationSession(); + initLoginEvent(authSession); - clientSession.removeNote(Constants.VERIFY_EMAIL_KEY); + event.clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, authSession.getAuthenticatedUser().getEmail()).success(); - SessionCodeChecks checks = checksForCode(code); - if (!checks.verifyCode(ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { - if (checks.clientCode == null && checks.result.isClientSessionNotFound() || checks.result.isIllegalHash()) { - return ErrorPage.error(session, Messages.STALE_VERIFY_EMAIL_LINK); - } - return checks.response; - } - - clientSession = checks.getClientSession(); - if (!ClientSessionModel.Action.VERIFY_EMAIL.name().equals(clientSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) { - ServicesLogger.LOGGER.reqdActionDoesNotMatch(); - event.error(Errors.INVALID_CODE); - throw new WebApplicationException(ErrorPage.error(session, Messages.STALE_VERIFY_EMAIL_LINK)); - } - - UserSessionModel userSession = clientSession.getUserSession(); - UserModel user = userSession.getUser(); - initEvent(clientSession); - event.event(EventType.VERIFY_EMAIL).detail(Details.EMAIL, user.getEmail()); - - user.setEmailVerified(true); - - user.removeRequiredAction(RequiredAction.VERIFY_EMAIL); - - event.success(); - - String actionCookieValue = getActionCookie(); - if (actionCookieValue == null || !actionCookieValue.equals(userSession.getId())) { - session.sessions().removeClientSession(realm, clientSession); - return session.getProvider(LoginFormsProvider.class) - .setSuccess(Messages.EMAIL_VERIFIED) - .createInfoPage(); - } - - event = event.clone().removeDetail(Details.EMAIL).event(EventType.LOGIN); - - return AuthenticationProcessor.redirectToRequiredActions(session, realm, clientSession, uriInfo); - } else { - SessionCodeChecks checks = checksForCode(code); - if (!checks.verifyCode(ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { - return checks.response; - } - ClientSessionCode accessCode = checks.clientCode; - ClientSessionModel clientSession = checks.getClientSession(); - UserSessionModel userSession = clientSession.getUserSession(); - initEvent(clientSession); - - createActionCookie(realm, uriInfo, clientConnection, userSession.getId()); - - VerifyEmail.setupKey(clientSession); - - return session.getProvider(LoginFormsProvider.class) - .setClientSessionCode(accessCode.getCode()) - .setAuthenticationSession(clientSession) - .setUser(userSession.getUser()) - .createResponse(RequiredAction.VERIFY_EMAIL); - }*/ - return null; + return VerifyEmail.sendVerifyEmail(session, accessCode.getCode(), authSession.getAuthenticatedUser(), authSession); } /** diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java new file mode 100644 index 0000000000..cabb1b65f4 --- /dev/null +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java @@ -0,0 +1,310 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.services.resources; + +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.AuthenticationProcessor; +import org.keycloak.authentication.actiontoken.DefaultActionToken; +import org.keycloak.authentication.ExplainedVerificationException; +import org.keycloak.authentication.actiontoken.ActionTokenContext; +import org.keycloak.authentication.actiontoken.ExplainedTokenVerificationException; +import org.keycloak.common.VerificationException; +import org.keycloak.events.Errors; +import org.keycloak.forms.login.LoginFormsProvider; +import org.keycloak.models.*; +import org.keycloak.protocol.oidc.utils.RedirectUtils; +import org.keycloak.representations.JsonWebToken; +import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.services.messages.Messages; +import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.CommonClientSessionModel.Action; +import java.util.Objects; +import java.util.function.Consumer; +import org.jboss.logging.Logger; +/** + * + * @author hmlnarik + */ +public class LoginActionsServiceChecks { + + private static final Logger LOG = Logger.getLogger(LoginActionsServiceChecks.class.getName()); + + /** + * Exception signalling that flow needs to be restarted because authentication session IDs from cookie and token do not match. + */ + public static class RestartFlowException extends VerificationException { } + + /** + * This check verifies that user ID (subject) from the token matches + * the one from the authentication session. + */ + public static class AuthenticationSessionUserIdMatchesOneFromToken implements Predicate { + + private final ActionTokenContext context; + + public AuthenticationSessionUserIdMatchesOneFromToken(ActionTokenContext context) { + this.context = context; + } + + @Override + public boolean test(JsonWebToken t) throws VerificationException { + AuthenticationSessionModel authSession = context.getAuthenticationSession(); + + if (authSession == null || authSession.getAuthenticatedUser() == null + || ! Objects.equals(t.getSubject(), authSession.getAuthenticatedUser().getId())) { + throw new ExplainedTokenVerificationException(t, Errors.INVALID_TOKEN, Messages.INVALID_USER); + } + + return true; + } + } + + /** + * Verifies that if authentication session exists and any action is required according to it, then it is + * the expected one. + * + * If there is an action required in the session, furthermore it is not the expected one, and the required + * action is redirection to "required actions", it throws with response performing the redirect to required + * actions. + * @param + */ + public static class IsActionRequired implements Predicate { + + private final ActionTokenContext context; + + private final ClientSessionModel.Action expectedAction; + + public IsActionRequired(ActionTokenContext context, Action expectedAction) { + this.context = context; + this.expectedAction = expectedAction; + } + + @Override + public boolean test(JsonWebToken t) throws VerificationException { + AuthenticationSessionModel authSession = context.getAuthenticationSession(); + + if (authSession != null && ! Objects.equals(authSession.getAction(), this.expectedAction.name())) { + if (Objects.equals(ClientSessionModel.Action.REQUIRED_ACTIONS.name(), authSession.getAction())) { + throw new LoginActionsServiceException( + AuthenticationManager.nextActionAfterAuthentication(context.getSession(), authSession, + context.getClientConnection(), context.getRequest(), context.getUriInfo(), context.getEvent())); + } + throw new ExplainedTokenVerificationException(t, Errors.INVALID_TOKEN, Messages.INVALID_CODE); + } + + return true; + } + } + + /** + * Verifies that the authentication session has not yet been converted to user session, in other words + * that the user has not yet completed authentication and logged in. + */ + public static void checkNotLoggedInYet(ActionTokenContext context, String authSessionId) throws VerificationException { + if (authSessionId == null) { + return; + } + + UserSessionModel userSession = context.getSession().sessions().getUserSession(context.getRealm(), authSessionId); + if (userSession != null) { + LoginFormsProvider loginForm = context.getSession().getProvider(LoginFormsProvider.class) + .setSuccess(Messages.ALREADY_LOGGED_IN); + + ClientModel client = null; + String lastClientUuid = userSession.getNote(AuthenticationManager.LAST_AUTHENTICATED_CLIENT); + if (lastClientUuid != null) { + client = context.getRealm().getClientById(lastClientUuid); + } + + if (client != null) { + context.getSession().getContext().setClient(client); + } else { + loginForm.setAttribute("skipLink", true); + } + + throw new LoginActionsServiceException(loginForm.createInfoPage()); + } + } + + /** + * Verifies whether the user given by ID both exists in the current realm. If yes, + * it optionally also injects the user using the given function (e.g. into session context). + */ + public static void checkIsUserValid(KeycloakSession session, RealmModel realm, String userId, Consumer userSetter) throws VerificationException { + UserModel user = userId == null ? null : session.users().getUserById(userId, realm); + + if (user == null) { + throw new ExplainedVerificationException(Errors.USER_NOT_FOUND, Messages.INVALID_USER); + } + + if (! user.isEnabled()) { + throw new ExplainedVerificationException(Errors.USER_DISABLED, Messages.INVALID_USER); + } + + if (userSetter != null) { + userSetter.accept(user); + } + } + + /** + * Verifies whether the user given by ID both exists in the current realm. If yes, + * it optionally also injects the user using the given function (e.g. into session context). + */ + public static void checkIsUserValid(T token, ActionTokenContext context) throws VerificationException { + try { + checkIsUserValid(context.getSession(), context.getRealm(), token.getUserId(), context.getAuthenticationSession()::setAuthenticatedUser); + } catch (ExplainedVerificationException ex) { + throw new ExplainedTokenVerificationException(token, ex); + } + } + + /** + * Verifies whether the client denoted by client ID in token's {@code iss} ({@code issuedFor}) + * field both exists and is enabled. + */ + public static void checkIsClientValid(KeycloakSession session, ClientModel client) throws VerificationException { + if (client == null) { + throw new ExplainedVerificationException(Errors.CLIENT_NOT_FOUND, Messages.UNKNOWN_LOGIN_REQUESTER); + } + + if (! client.isEnabled()) { + throw new ExplainedVerificationException(Errors.CLIENT_NOT_FOUND, Messages.LOGIN_REQUESTER_NOT_ENABLED); + } + } + + /** + * Verifies whether the client denoted by client ID in token's {@code iss} ({@code issuedFor}) + * field both exists and is enabled. + */ + public static void checkIsClientValid(T token, ActionTokenContext context) throws VerificationException { + String clientId = token.getIssuedFor(); + AuthenticationSessionModel authSession = context.getAuthenticationSession(); + ClientModel client = authSession == null ? null : authSession.getClient(); + + try { + checkIsClientValid(context.getSession(), client); + + if (clientId != null && ! Objects.equals(client.getClientId(), clientId)) { + throw new ExplainedTokenVerificationException(token, Errors.CLIENT_NOT_FOUND, Messages.UNKNOWN_LOGIN_REQUESTER); + } + } catch (ExplainedVerificationException ex) { + throw new ExplainedTokenVerificationException(token, ex); + } + } + + /** + * Verifies whether the given redirect URL, when set, is valid for the given client. + */ + public static class IsRedirectValid implements Predicate { + + private final ActionTokenContext context; + + private final String redirectUri; + + public IsRedirectValid(ActionTokenContext context, String redirectUri) { + this.context = context; + this.redirectUri = redirectUri; + } + + @Override + public boolean test(JsonWebToken t) throws VerificationException { + if (redirectUri == null) { + return true; + } + + ClientModel client = context.getAuthenticationSession().getClient(); + + if (RedirectUtils.verifyRedirectUri(context.getUriInfo(), redirectUri, context.getRealm(), client) == null) { + throw new ExplainedTokenVerificationException(t, Errors.INVALID_REDIRECT_URI, Messages.INVALID_REDIRECT_URI); + } + + return true; + } + } + + /** + * This check verifies that current authentication session is consistent with the one specified in token. + * Examples: + *
    + *
  • 1. Email from administrator with reset e-mail - token does not contain auth session ID
    • + *
  • 2. Email from "verify e-mail" step within flow - token contains auth session ID.
    • + *
  • 3. User clicked the link in an e-mail and gets to a new browser - authentication session cookie is not set
    • + *
  • 4. User clicked the link in an e-mail while having authentication running - authentication session cookie + * is already set in the browser
    • + *
+ * + *
    + *
  • For combinations 1 and 3, 1 and 4, and 2 and 3: Requests next step
    • + *
  • For combination 2 and 4: + *
      + *
    • If the auth session IDs from token and cookie match, pass
      • + *
    • Else if the auth session from cookie was forked and its parent auth session ID + * matches that of token, replaces current auth session with that of parent and passes
      • + *
    • Else requests restart by throwing RestartFlow exception
      • + *
    + *
    • + *
+ * + * When the check passes, it also sets the authentication session in token context accordingly. + * + * @param + */ + public static void checkAuthenticationSessionFromCookieMatchesOneFromToken(ActionTokenContext context, String authSessionIdFromToken) throws VerificationException { + if (authSessionIdFromToken == null) { + throw new RestartFlowException(); + } + + AuthenticationSessionManager asm = new AuthenticationSessionManager(context.getSession()); + String authSessionIdFromCookie = asm.getCurrentAuthenticationSessionId(context.getRealm()); + + if (authSessionIdFromCookie == null) { + throw new RestartFlowException(); + } + + AuthenticationSessionModel authSessionFromCookie = context.getSession() + .authenticationSessions().getAuthenticationSession(context.getRealm(), authSessionIdFromCookie); + if (authSessionFromCookie == null) { // Cookie contains ID of expired auth session + throw new RestartFlowException(); + } + + if (Objects.equals(authSessionIdFromCookie, authSessionIdFromToken)) { + context.setAuthenticationSession(authSessionFromCookie, false); + return; + } + + String parentSessionId = authSessionFromCookie.getAuthNote(AuthenticationProcessor.FORKED_FROM); + if (parentSessionId == null || ! Objects.equals(authSessionIdFromToken, parentSessionId)) { + throw new RestartFlowException(); + } + + AuthenticationSessionModel authSessionFromParent = context.getSession() + .authenticationSessions().getAuthenticationSession(context.getRealm(), parentSessionId); + + // It's the correct browser. Let's remove forked session as we won't continue + // from the login form (browser flow) but from the token's flow + // Don't expire KC_RESTART cookie at this point + asm.removeAuthenticationSession(context.getRealm(), authSessionFromCookie, false); + LOG.infof("Removed forked session: %s", authSessionFromCookie.getId()); + + // Refresh browser cookie + asm.setAuthSessionCookie(parentSessionId, context.getRealm()); + + context.setAuthenticationSession(authSessionFromParent, false); + context.setExecutionId(authSessionFromParent.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION)); + } +} diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java index fe6fe0ffcc..6f9c2c088a 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java @@ -22,32 +22,23 @@ import org.jboss.resteasy.spi.BadRequestException; import org.jboss.resteasy.spi.NotFoundException; import org.jboss.resteasy.spi.ResteasyProviderFactory; import org.keycloak.authentication.RequiredActionProvider; +import org.keycloak.authentication.actiontoken.execactions.ExecuteActionsActionToken; import org.keycloak.common.ClientConnection; import org.keycloak.common.Profile; +import org.keycloak.common.util.Time; import org.keycloak.credential.CredentialModel; +import org.keycloak.email.EmailException; +import org.keycloak.email.EmailTemplateProvider; import org.keycloak.events.Details; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.events.admin.OperationType; import org.keycloak.events.admin.ResourceType; -import org.keycloak.models.AuthenticatedClientSessionModel; -import org.keycloak.models.ClientModel; -import org.keycloak.models.Constants; -import org.keycloak.models.FederatedIdentityModel; -import org.keycloak.models.GroupModel; -import org.keycloak.models.IdentityProviderModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.ModelDuplicateException; -import org.keycloak.models.ModelException; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserConsentModel; -import org.keycloak.models.UserCredentialModel; -import org.keycloak.models.UserLoginFailureModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; +import org.keycloak.models.*; import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.ModelToRepresentation; import org.keycloak.protocol.oidc.OIDCLoginProtocol; +import org.keycloak.protocol.oidc.utils.RedirectUtils; import org.keycloak.provider.ProviderFactory; import org.keycloak.representations.idm.CredentialRepresentation; import org.keycloak.representations.idm.FederatedIdentityRepresentation; @@ -59,9 +50,10 @@ import org.keycloak.services.ErrorResponse; import org.keycloak.services.ErrorResponseException; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.BruteForceProtector; -import org.keycloak.models.UserManager; -import org.keycloak.services.managers.UserSessionManager; +import org.keycloak.services.*; +import org.keycloak.services.managers.*; import org.keycloak.services.resources.AccountService; +import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.validation.Validation; import org.keycloak.storage.ReadOnlyException; import org.keycloak.utils.ProfileHelper; @@ -83,15 +75,10 @@ import javax.ws.rs.core.Response.Status; import javax.ws.rs.core.UriInfo; import java.net.URI; import java.text.MessageFormat; -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; -import java.util.Properties; -import java.util.Set; +import java.util.*; +import java.util.concurrent.TimeUnit; +import javax.ws.rs.*; +import javax.ws.rs.core.*; /** * Base resource for managing users @@ -856,8 +843,6 @@ public class UsersResource { List actions) { auth.requireManage(); - // TODO: This stuff must be refactored for actionTickets (clientSessions) - /* UserModel user = session.users().getUserById(id, realm); if (user == null) { return ErrorResponse.error("User not found", Response.Status.NOT_FOUND); @@ -867,26 +852,49 @@ public class UsersResource { return ErrorResponse.error("User email missing", Response.Status.BAD_REQUEST); } - ClientSessionModel clientSession = createClientSession(user, redirectUri, clientId); - for (String action : actions) { - clientSession.addRequiredAction(action); + if (!user.isEnabled()) { + throw new WebApplicationException( + ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST)); } + + if (redirectUri != null && clientId == null) { + throw new WebApplicationException( + ErrorResponse.error("Client id missing", Response.Status.BAD_REQUEST)); + } + + if (clientId == null) { + clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID; + } + + ClientModel client = realm.getClientByClientId(clientId); + if (client == null || !client.isEnabled()) { + throw new WebApplicationException( + ErrorResponse.error(clientId + " not enabled", Response.Status.BAD_REQUEST)); + } + + String redirect; if (redirectUri != null) { - clientSession.setNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true"); - + redirect = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realm, client); + if (redirect == null) { + throw new WebApplicationException( + ErrorResponse.error("Invalid redirect uri.", Response.Status.BAD_REQUEST)); + } } - ClientSessionCode accessCode = new ClientSessionCode(session, realm, clientSession); - accessCode.setAction(ClientSessionModel.Action.EXECUTE_ACTIONS.name()); + long relativeExpiration = realm.getAccessCodeLifespanUserAction(); + int expiration = Time.currentTime() + realm.getAccessCodeLifespanUserAction(); + ExecuteActionsActionToken token = new ExecuteActionsActionToken(id, expiration, UUID.randomUUID(), actions, redirectUri, clientId); try { - UriBuilder builder = Urls.executeActionsBuilder(uriInfo.getBaseUri()); - builder.queryParam("key", accessCode.getCode()); + UriBuilder builder = LoginActionsService.actionTokenProcessor(uriInfo); + builder.queryParam("key", token.serialize(session, realm, uriInfo)); String link = builder.build(realm.getName()).toString(); - long expiration = TimeUnit.SECONDS.toMinutes(realm.getAccessCodeLifespanUserAction()); - this.session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user).sendExecuteActions(link, expiration); + this.session.getProvider(EmailTemplateProvider.class) + .setRealm(realm) + .setUser(user) + .sendExecuteActions(link, TimeUnit.SECONDS.toMinutes(relativeExpiration)); //audit.user(user).detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, accessCode.getCodeId()).success(); @@ -896,8 +904,7 @@ public class UsersResource { } catch (EmailException e) { ServicesLogger.LOGGER.failedToSendActionsEmail(e); return ErrorResponse.error("Failed to send execute actions email", Response.Status.INTERNAL_SERVER_ERROR); - }*/ - return null; + } } /** @@ -921,49 +928,6 @@ public class UsersResource { return executeActionsEmail(id, redirectUri, clientId, actions); } - /* - private ClientSessionModel createClientSession(UserModel user, String redirectUri, String clientId) { - - if (!user.isEnabled()) { - throw new WebApplicationException( - ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST)); - } - - if (redirectUri != null && clientId == null) { - throw new WebApplicationException( - ErrorResponse.error("Client id missing", Response.Status.BAD_REQUEST)); - } - - if (clientId == null) { - clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID; - } - - ClientModel client = realm.getClientByClientId(clientId); - if (client == null || !client.isEnabled()) { - throw new WebApplicationException( - ErrorResponse.error(clientId + " not enabled", Response.Status.BAD_REQUEST)); - } - - String redirect = null; - if (redirectUri != null) { - redirect = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realm, client); - if (redirect == null) { - throw new WebApplicationException( - ErrorResponse.error("Invalid redirect uri.", Response.Status.BAD_REQUEST)); - } - } - - - UserSessionModel userSession = session.sessions().createUserSession(realm, user, user.getUsername(), clientConnection.getRemoteAddr(), "form", false, null, null); - //audit.session(userSession); - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); - clientSession.setRedirectUri(redirect); - clientSession.setUserSession(userSession); - - return clientSession; - }*/ - @GET @Path("{id}/groups") @NoCache diff --git a/services/src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory b/services/src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory new file mode 100644 index 0000000000..246758dfdb --- /dev/null +++ b/services/src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory @@ -0,0 +1,3 @@ +org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionTokenHandler +org.keycloak.authentication.actiontoken.execactions.ExecuteActionsActionTokenHandler +org.keycloak.authentication.actiontoken.verifyemail.VerifyEmailActionTokenHandler diff --git a/services/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/services/src/main/resources/META-INF/services/org.keycloak.provider.Spi index e234124fa8..873ff8d12d 100755 --- a/services/src/main/resources/META-INF/services/org.keycloak.provider.Spi +++ b/services/src/main/resources/META-INF/services/org.keycloak.provider.Spi @@ -19,4 +19,4 @@ org.keycloak.exportimport.ClientDescriptionConverterSpi org.keycloak.wellknown.WellKnownSpi org.keycloak.services.clientregistration.ClientRegistrationSpi org.keycloak.services.clientregistration.policy.ClientRegistrationPolicySpi - +org.keycloak.authentication.actiontoken.ActionTokenHandlerSpi diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/page/LoginPasswordUpdatePage.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/page/LoginPasswordUpdatePage.java index a7d8706c64..9f3f1968c7 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/page/LoginPasswordUpdatePage.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/page/LoginPasswordUpdatePage.java @@ -18,6 +18,7 @@ package org.keycloak.testsuite.page; import org.jboss.arquillian.drone.api.annotation.Drone; +import org.junit.Assert; import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebElement; import org.openqa.selenium.support.FindBy; @@ -53,6 +54,12 @@ public class LoginPasswordUpdatePage { return driver.getTitle().equals("Update password"); } + public void assertCurrent() { + String name = getClass().getSimpleName(); + Assert.assertTrue("Expected " + name + " but was " + driver.getTitle() + " (" + driver.getCurrentUrl() + ")", + isCurrent()); + } + public void open() { throw new UnsupportedOperationException(); } diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/GreenMailRule.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/GreenMailRule.java index ae7487df99..bc0b7873a5 100755 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/GreenMailRule.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/GreenMailRule.java @@ -74,4 +74,38 @@ public class GreenMailRule extends ExternalResource { return greenMail.getReceivedMessages(); } + /** + * Returns the very last received message. When no message is available, returns {@code null}. + * @return see description + */ + public MimeMessage getLastReceivedMessage() { + MimeMessage[] receivedMessages = greenMail.getReceivedMessages(); + return (receivedMessages == null || receivedMessages.length == 0) + ? null + : receivedMessages[receivedMessages.length - 1]; + } + + /** + * Use this method if you are sending email in a different thread from the one you're testing from. + * Block waits for an email to arrive in any mailbox for any user. + * Implementation Detail: No polling wait implementation + * + * @param timeout maximum time in ms to wait for emailCount of messages to arrive before giving up and returning false + * @param emailCount waits for these many emails to arrive before returning + * @return + * @throws InterruptedException + */ + public boolean waitForIncomingEmail(long timeout, int emailCount) throws InterruptedException { + return greenMail.waitForIncomingEmail(timeout, emailCount); + } + + /** + * Does the same thing as Object.wait(long, int) but with a timeout of 5000ms. + * @param emailCount waits for these many emails to arrive before returning + * @return + * @throws InterruptedException + */ + public boolean waitForIncomingEmail(int emailCount) throws InterruptedException { + return greenMail.waitForIncomingEmail(emailCount); + } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java index ae1db357dd..22513ac714 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java @@ -348,6 +348,10 @@ public abstract class AbstractKeycloakTest { userResource.update(userRepresentation); } + /** + * Sets time offset in seconds that will be added to Time.currentTime() and Time.currentTimeMillis() both for client and server. + * @param offset + */ public void setTimeOffset(int offset) { String response = invokeTimeOffset(offset); resetTimeOffset = offset != 0; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java index 454d205758..38662d1d4c 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java @@ -177,7 +177,7 @@ public class AssertEvents implements TestRule { private Matcher realmId; private Matcher userId; private Matcher sessionId; - private HashMap> details; + private HashMap> details; public ExpectedEvent realm(Matcher realmId) { this.realmId = realmId; @@ -242,9 +242,9 @@ public class AssertEvents implements TestRule { return detail(key, CoreMatchers.equalTo(value)); } - public ExpectedEvent detail(String key, Matcher matcher) { + public ExpectedEvent detail(String key, Matcher matcher) { if (details == null) { - details = new HashMap>(); + details = new HashMap>(); } details.put(key, matcher); return this; @@ -287,7 +287,7 @@ public class AssertEvents implements TestRule { // Assert.assertNull(actual.getDetails()); } else { Assert.assertNotNull(actual.getDetails()); - for (Map.Entry> d : details.entrySet()) { + for (Map.Entry> d : details.entrySet()) { String actualValue = actual.getDetails().get(d.getKey()); if (!actual.getDetails().containsKey(d.getKey())) { Assert.fail(d.getKey() + " missing"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java index 1846d4280e..b31cdfccb5 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java @@ -16,6 +16,7 @@ */ package org.keycloak.testsuite.actions; +import org.keycloak.authentication.actiontoken.verifyemail.VerifyEmailActionToken; import org.jboss.arquillian.graphene.page.Page; import org.junit.Assert; import org.junit.Before; @@ -25,12 +26,15 @@ import org.keycloak.common.util.KeycloakUriBuilder; import org.keycloak.events.Details; import org.keycloak.events.Errors; import org.keycloak.events.EventType; +import org.keycloak.models.Constants; +import org.keycloak.models.UserModel; import org.keycloak.representations.idm.EventRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; import org.keycloak.testsuite.admin.ApiUtil; +import org.keycloak.testsuite.auth.page.AuthRealm; import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.AppPage.RequestType; import org.keycloak.testsuite.pages.ErrorPage; @@ -47,6 +51,7 @@ import javax.mail.Multipart; import javax.mail.internet.MimeMessage; import java.io.IOException; +import org.hamcrest.Matchers; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; @@ -79,6 +84,8 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo @Page protected ErrorPage errorPage; + private String testUserId; + @Override public void configureTestRealm(RealmRepresentation testRealm) { testRealm.setVerifyEmail(Boolean.TRUE); @@ -91,7 +98,7 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo UserRepresentation user = UserBuilder.create().enabled(true) .username("test-user@localhost") .email("test-user@localhost").build(); - ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password"); + testUserId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password"); } /** @@ -103,11 +110,11 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo loginPage.open(); loginPage.login("test-user@localhost", "password"); - Assert.assertTrue(verifyEmailPage.isCurrent()); + verifyEmailPage.assertCurrent(); Assert.assertEquals(1, greenMail.getReceivedMessages().length); - MimeMessage message = greenMail.getReceivedMessages()[0]; + MimeMessage message = greenMail.getLastReceivedMessage(); // see testsuite/integration-arquillian/tests/base/src/test/resources/testrealm.json Assert.assertEquals("", message.getHeader("Return-Path")[0]); @@ -121,7 +128,7 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo loginPage.open(); loginPage.login("test-user@localhost", "password"); - Assert.assertTrue(verifyEmailPage.isCurrent()); + verifyEmailPage.assertCurrent(); Assert.assertEquals(1, greenMail.getReceivedMessages().length); @@ -131,19 +138,21 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo AssertEvents.ExpectedEvent emailEvent = events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL).detail("email", "test-user@localhost"); EventRepresentation sendEvent = emailEvent.assertEvent(); - String sessionId = sendEvent.getSessionId(); - String mailCodeId = sendEvent.getDetails().get(Details.CODE_ID); - Assert.assertEquals(mailCodeId, verificationUrl.split("code=")[1].split("\\&")[0].split("\\.")[1]); - driver.navigate().to(verificationUrl.trim()); - events.expectRequiredAction(EventType.VERIFY_EMAIL).session(sessionId).detail("email", "test-user@localhost").detail(Details.CODE_ID, mailCodeId).assertEvent(); + events.expectRequiredAction(EventType.VERIFY_EMAIL) + .user(testUserId) + .detail(Details.USERNAME, "test-user@localhost") + .detail(Details.EMAIL, "test-user@localhost") + .detail(Details.CODE_ID, mailCodeId) + .assertEvent(); + appPage.assertCurrent(); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectLogin().session(sessionId).detail(Details.CODE_ID, mailCodeId).assertEvent(); + events.expectLogin().user(testUserId).session(mailCodeId).detail(Details.USERNAME, "test-user@localhost").assertEvent(); } @Test @@ -154,15 +163,13 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo String userId = events.expectRegister("verifyEmail", "email@mail.com").assertEvent().getUserId(); - Assert.assertTrue(verifyEmailPage.isCurrent()); + verifyEmailPage.assertCurrent(); Assert.assertEquals(1, greenMail.getReceivedMessages().length); MimeMessage message = greenMail.getReceivedMessages()[0]; - EventRepresentation sendEvent = events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL).user(userId).detail("username", "verifyemail").detail("email", "email@mail.com").assertEvent(); - String sessionId = sendEvent.getSessionId(); - + EventRepresentation sendEvent = events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL).user(userId).detail(Details.USERNAME, "verifyemail").detail("email", "email@mail.com").assertEvent(); String mailCodeId = sendEvent.getDetails().get(Details.CODE_ID); String verificationUrl = getPasswordResetEmailLink(message); @@ -171,9 +178,14 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectRequiredAction(EventType.VERIFY_EMAIL).user(userId).session(sessionId).detail("username", "verifyemail").detail("email", "email@mail.com").detail(Details.CODE_ID, mailCodeId).assertEvent(); + events.expectRequiredAction(EventType.VERIFY_EMAIL) + .user(userId) + .detail(Details.USERNAME, "verifyemail") + .detail(Details.EMAIL, "email@mail.com") + .detail(Details.CODE_ID, mailCodeId) + .assertEvent(); - events.expectLogin().user(userId).session(sessionId).detail("username", "verifyemail").detail(Details.CODE_ID, mailCodeId).assertEvent(); + events.expectLogin().user(userId).session(mailCodeId).detail(Details.USERNAME, "verifyemail").assertEvent(); } @Test @@ -181,40 +193,95 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo loginPage.open(); loginPage.login("test-user@localhost", "password"); - Assert.assertTrue(verifyEmailPage.isCurrent()); + verifyEmailPage.assertCurrent(); Assert.assertEquals(1, greenMail.getReceivedMessages().length); - EventRepresentation sendEvent = events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL).detail("email", "test-user@localhost").assertEvent(); - String sessionId = sendEvent.getSessionId(); - + EventRepresentation sendEvent = events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL) + .detail("email", "test-user@localhost") + .assertEvent(); String mailCodeId = sendEvent.getDetails().get(Details.CODE_ID); verifyEmailPage.clickResendEmail(); + verifyEmailPage.assertCurrent(); + + events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL) + .detail(Details.CODE_ID, mailCodeId) + .detail("email", "test-user@localhost") + .assertEvent(); Assert.assertEquals(2, greenMail.getReceivedMessages().length); - MimeMessage message = greenMail.getReceivedMessages()[1]; - - events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL).session(sessionId).detail("email", "test-user@localhost").assertEvent(sendEvent); - + MimeMessage message = greenMail.getLastReceivedMessage(); String verificationUrl = getPasswordResetEmailLink(message); driver.navigate().to(verificationUrl.trim()); + appPage.assertCurrent(); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectRequiredAction(EventType.VERIFY_EMAIL).session(sessionId).detail("email", "test-user@localhost").detail(Details.CODE_ID, mailCodeId).assertEvent(); + events.expectRequiredAction(EventType.VERIFY_EMAIL) + .user(testUserId) + .detail(Details.USERNAME, "test-user@localhost") + .detail(Details.EMAIL, "test-user@localhost") + .detail(Details.CODE_ID, mailCodeId) + .assertEvent(); - events.expectLogin().session(sessionId).assertEvent(); + events.expectLogin().user(testUserId).session(mailCodeId).detail(Details.USERNAME, "test-user@localhost").assertEvent(); } @Test - public void verifyEmailResendFirstInvalidSecondStillValid() throws IOException, MessagingException { + public void verifyEmailResendWithRefreshes() throws IOException, MessagingException { + loginPage.open(); + loginPage.login("test-user@localhost", "password"); + + verifyEmailPage.assertCurrent(); + driver.navigate().refresh(); + + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + + EventRepresentation sendEvent = events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL) + .detail("email", "test-user@localhost") + .assertEvent(); + String mailCodeId = sendEvent.getDetails().get(Details.CODE_ID); + + verifyEmailPage.clickResendEmail(); + verifyEmailPage.assertCurrent(); + driver.navigate().refresh(); + + events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL) + .detail(Details.CODE_ID, mailCodeId) + .detail("email", "test-user@localhost") + .assertEvent(); + + Assert.assertEquals(2, greenMail.getReceivedMessages().length); + + MimeMessage message = greenMail.getLastReceivedMessage(); + String verificationUrl = getPasswordResetEmailLink(message); + + driver.navigate().to(verificationUrl.trim()); + + appPage.assertCurrent(); + Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); + + events.expectRequiredAction(EventType.VERIFY_EMAIL) + .user(testUserId) + .detail(Details.USERNAME, "test-user@localhost") + .detail(Details.EMAIL, "test-user@localhost") + .detail(Details.CODE_ID, mailCodeId) + .assertEvent(); + + events.expectLogin().user(testUserId).session(mailCodeId).detail(Details.USERNAME, "test-user@localhost").assertEvent(); + } + + @Test + public void verifyEmailResendFirstStillValidEvenWithSecond() throws IOException, MessagingException { + // Email verification can be performed any number of times loginPage.open(); loginPage.login("test-user@localhost", "password"); verifyEmailPage.clickResendEmail(); + verifyEmailPage.assertCurrent(); Assert.assertEquals(2, greenMail.getReceivedMessages().length); @@ -224,8 +291,8 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo driver.navigate().to(verificationUrl1.trim()); - assertTrue(errorPage.isCurrent()); - assertEquals("The link you clicked is a old stale link and is no longer valid. Maybe you have already verified your email?", errorPage.getError()); + appPage.assertCurrent(); + Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); MimeMessage message2 = greenMail.getReceivedMessages()[1]; @@ -233,7 +300,38 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo driver.navigate().to(verificationUrl2.trim()); - Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); + infoPage.assertCurrent(); + Assert.assertEquals("You are already logged in.", infoPage.getInfo()); + } + + @Test + public void verifyEmailResendFirstAndSecondStillValid() throws IOException, MessagingException { + // Email verification can be performed any number of times + loginPage.open(); + loginPage.login("test-user@localhost", "password"); + + verifyEmailPage.clickResendEmail(); + verifyEmailPage.assertCurrent(); + + Assert.assertEquals(2, greenMail.getReceivedMessages().length); + + MimeMessage message1 = greenMail.getReceivedMessages()[0]; + + String verificationUrl1 = getPasswordResetEmailLink(message1); + + driver.navigate().to(verificationUrl1.trim()); + + appPage.assertCurrent(); + appPage.logout(); + + MimeMessage message2 = greenMail.getReceivedMessages()[1]; + + String verificationUrl2 = getPasswordResetEmailLink(message2); + + driver.navigate().to(verificationUrl2.trim()); + + infoPage.assertCurrent(); + assertEquals("Your email address has been verified.", infoPage.getInfo()); } @Test @@ -241,92 +339,64 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo loginPage.open(); loginPage.login("test-user@localhost", "password"); - Assert.assertTrue(verifyEmailPage.isCurrent()); + verifyEmailPage.assertCurrent(); Assert.assertEquals(1, greenMail.getReceivedMessages().length); - MimeMessage message = greenMail.getReceivedMessages()[0]; + MimeMessage message = greenMail.getLastReceivedMessage(); String verificationUrl = getPasswordResetEmailLink(message); AssertEvents.ExpectedEvent emailEvent = events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL).detail("email", "test-user@localhost"); EventRepresentation sendEvent = emailEvent.assertEvent(); - String sessionId = sendEvent.getSessionId(); String mailCodeId = sendEvent.getDetails().get(Details.CODE_ID); - Assert.assertEquals(mailCodeId, verificationUrl.split("code=")[1].split("\\&")[0].split("\\.")[1]); - driver.manage().deleteAllCookies(); driver.navigate().to(verificationUrl.trim()); - events.expectRequiredAction(EventType.VERIFY_EMAIL).session(sessionId).detail("email", "test-user@localhost").detail(Details.CODE_ID, mailCodeId).assertEvent(); + events.expectRequiredAction(EventType.VERIFY_EMAIL) + .user(testUserId) + .detail(Details.USERNAME, "test-user@localhost") + .detail(Details.EMAIL, "test-user@localhost") + .detail(Details.CODE_ID, Matchers.not(Matchers.is(mailCodeId))) + .client(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID) // as authentication sessions are browser-specific, + // the client and redirect_uri is unrelated to + // the "test-app" specified in loginPage.open() + .detail(Details.REDIRECT_URI, Matchers.any(String.class)) + .assertEvent(); - assertTrue(infoPage.isCurrent()); + infoPage.assertCurrent(); assertEquals("Your email address has been verified.", infoPage.getInfo()); loginPage.open(); - - assertTrue(loginPage.isCurrent()); - } - - - @Test - public void verifyInvalidKeyOrCode() throws IOException, MessagingException { - loginPage.open(); - loginPage.login("test-user@localhost", "password"); - - Assert.assertTrue(verifyEmailPage.isCurrent()); - String resendEmailLink = verifyEmailPage.getResendEmailLink(); - String keyInsteadCodeURL = resendEmailLink.replace("code=", "key="); - - events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL).detail("email", "test-user@localhost").assertEvent(); - - driver.navigate().to(keyInsteadCodeURL); - - events.expectRequiredAction(EventType.VERIFY_EMAIL_ERROR) - .error(Errors.INVALID_CODE) - .client((String)null) - .user((String)null) - .session((String)null) - .clearDetails() - .assertEvent(); - - String badKeyURL = KeycloakUriBuilder.fromUri(resendEmailLink).replaceQueryParam("key", "foo").build().toString(); - driver.navigate().to(badKeyURL); - - events.expectRequiredAction(EventType.VERIFY_EMAIL_ERROR) - .error(Errors.INVALID_CODE) - .client((String)null) - .user((String)null) - .session((String)null) - .clearDetails() - .assertEvent(); + loginPage.assertCurrent(); } @Test - public void verifyEmailBadCode() throws IOException, MessagingException { + public void verifyEmailInvalidKeyInVerficationLink() throws IOException, MessagingException { loginPage.open(); loginPage.login("test-user@localhost", "password"); - Assert.assertTrue(verifyEmailPage.isCurrent()); + verifyEmailPage.assertCurrent(); Assert.assertEquals(1, greenMail.getReceivedMessages().length); - MimeMessage message = greenMail.getReceivedMessages()[0]; + MimeMessage message = greenMail.getLastReceivedMessage(); String verificationUrl = getPasswordResetEmailLink(message); - verificationUrl = KeycloakUriBuilder.fromUri(verificationUrl).replaceQueryParam("code", "foo").build().toString(); + verificationUrl = KeycloakUriBuilder.fromUri(verificationUrl).replaceQueryParam(Constants.KEY, "foo").build().toString(); events.poll(); driver.navigate().to(verificationUrl.trim()); - assertEquals("The link you clicked is a old stale link and is no longer valid. Maybe you have already verified your email?", errorPage.getError()); + errorPage.assertCurrent(); + assertEquals("An error occurred, please login again through your application.", errorPage.getError()); - events.expectRequiredAction(EventType.VERIFY_EMAIL_ERROR) + events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR) .error(Errors.INVALID_CODE) .client((String)null) .user((String)null) @@ -335,6 +405,80 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo .assertEvent(); } + @Test + public void verifyEmailExpiredCode() throws IOException, MessagingException { + loginPage.open(); + loginPage.login("test-user@localhost", "password"); + + verifyEmailPage.assertCurrent(); + + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + + MimeMessage message = greenMail.getLastReceivedMessage(); + + String verificationUrl = getPasswordResetEmailLink(message); + + events.poll(); + + try { + setTimeOffset(3600); + + driver.navigate().to(verificationUrl.trim()); + + loginPage.assertCurrent(); + assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError()); + + events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR) + .error(Errors.EXPIRED_CODE) + .client((String)null) + .user(testUserId) + .session((String)null) + .clearDetails() + .detail(Details.ACTION, VerifyEmailActionToken.TOKEN_TYPE) + .assertEvent(); + } finally { + setTimeOffset(0); + } + } + + @Test + public void verifyEmailExpiredCodeAndExpiredSession() throws IOException, MessagingException { + loginPage.open(); + loginPage.login("test-user@localhost", "password"); + + verifyEmailPage.assertCurrent(); + + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + + MimeMessage message = greenMail.getLastReceivedMessage(); + + String verificationUrl = getPasswordResetEmailLink(message); + + events.poll(); + + try { + setTimeOffset(3600); + + driver.manage().deleteAllCookies(); + + driver.navigate().to(verificationUrl.trim()); + + errorPage.assertCurrent(); + assertEquals("The link you clicked is a old stale link and is no longer valid. Maybe you have already verified your email?", errorPage.getError()); + + events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR) + .error(Errors.EXPIRED_CODE) + .client((String)null) + .user(testUserId) + .session((String)null) + .clearDetails() + .detail(Details.ACTION, VerifyEmailActionToken.TOKEN_TYPE) + .assertEvent(); + } finally { + setTimeOffset(0); + } + } + public static String getPasswordResetEmailLink(MimeMessage message) throws IOException, MessagingException { Multipart multipart = (Multipart) message.getContent(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionResetPasswordTest.java index 1f68b59e21..59f88fe2a0 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionResetPasswordTest.java @@ -68,11 +68,11 @@ public class RequiredActionResetPasswordTest extends AbstractTestRealmKeycloakTe changePasswordPage.assertCurrent(); changePasswordPage.changePassword("new-password", "new-password"); - String sessionId = events.expectRequiredAction(EventType.UPDATE_PASSWORD).assertEvent().getSessionId(); + events.expectRequiredAction(EventType.UPDATE_PASSWORD).assertEvent(); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - EventRepresentation loginEvent = events.expectLogin().session(sessionId).assertEvent(); + EventRepresentation loginEvent = events.expectLogin().assertEvent(); oauth.openLogout(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java index cc47020a74..56f21ab1ad 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java @@ -137,6 +137,13 @@ public class ApiUtil { return realm.users().get(findUserByUsername(realm, username).getId()); } + /** + * Creates a user + * @param realm + * @param user + * @param password + * @return ID of the new user + */ public static String createUserWithAdminClient(RealmResource realm, UserRepresentation user) { Response response = realm.users().create(user); String createdId = getCreatedId(response); @@ -144,6 +151,13 @@ public class ApiUtil { return createdId; } + /** + * Creates a user and sets the password + * @param realm + * @param user + * @param password + * @return ID of the new user + */ public static String createUserAndResetPasswordWithAdminClient(RealmResource realm, UserRepresentation user, String password) { String id = createUserWithAdminClient(realm, user); resetUserPassword(realm.users().get(id), password, false); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java index 6a75b333c1..7f26d742b3 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java @@ -541,7 +541,7 @@ public class UserTest extends AbstractAdminTest { driver.navigate().to(link); - assertTrue(passwordUpdatePage.isCurrent()); + passwordUpdatePage.assertCurrent(); passwordUpdatePage.changePassword("new-pass", "new-pass"); @@ -549,7 +549,70 @@ public class UserTest extends AbstractAdminTest { driver.navigate().to(link); - assertEquals("We're sorry...", driver.getTitle()); +// TODO:hmlnarik - return back once single-use cache would be implemented +// assertEquals("We're sorry...", driver.getTitle()); + } + + @Test + public void sendResetPasswordEmailSuccessWithRecycledAuthSession() throws IOException, MessagingException { + UserRepresentation userRep = new UserRepresentation(); + userRep.setEnabled(true); + userRep.setUsername("user1"); + userRep.setEmail("user1@test.com"); + + String id = createUser(userRep); + + UserResource user = realm.users().get(id); + List actions = new LinkedList<>(); + actions.add(UserModel.RequiredAction.UPDATE_PASSWORD.name()); + + // The following block creates a client and requests updating password with redirect to this client. + // After clicking the link (starting a fresh auth session with client), the user goes away and sends the email + // with password reset again - now without the client - and attempts to complete the password reset. + { + ClientRepresentation client = new ClientRepresentation(); + client.setClientId("myclient2"); + client.setRedirectUris(new LinkedList<>()); + client.getRedirectUris().add("http://myclient.com/*"); + client.setName("myclient2"); + client.setEnabled(true); + Response response = realm.clients().create(client); + String createdId = ApiUtil.getCreatedId(response); + assertAdminEvents.assertEvent(realmId, OperationType.CREATE, AdminEventPaths.clientResourcePath(createdId), client, ResourceType.CLIENT); + + user.executeActionsEmail("myclient2", "http://myclient.com/home.html", actions); + assertAdminEvents.assertEvent(realmId, OperationType.ACTION, AdminEventPaths.userResourcePath(id) + "/execute-actions-email", ResourceType.USER); + + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + + MimeMessage message = greenMail.getReceivedMessages()[0]; + + String link = MailUtils.getPasswordResetEmailLink(message); + + driver.navigate().to(link); + } + + user.executeActionsEmail(actions); + assertAdminEvents.assertEvent(realmId, OperationType.ACTION, AdminEventPaths.userResourcePath(id) + "/execute-actions-email", ResourceType.USER); + + Assert.assertEquals(2, greenMail.getReceivedMessages().length); + + MimeMessage message = greenMail.getReceivedMessages()[greenMail.getReceivedMessages().length - 1]; + + String link = MailUtils.getPasswordResetEmailLink(message); + + driver.navigate().to(link); + + passwordUpdatePage.assertCurrent(); + + passwordUpdatePage.changePassword("new-pass", "new-pass"); + + assertEquals("Your account has been updated.", driver.getTitle()); + + driver.navigate().to(link); + +// TODO:hmlnarik - return back once single-use cache would be implemented +// assertEquals("We're sorry...", driver.getTitle()); } @Test @@ -601,7 +664,7 @@ public class UserTest extends AbstractAdminTest { driver.navigate().to(link); - assertTrue(passwordUpdatePage.isCurrent()); + passwordUpdatePage.assertCurrent(); passwordUpdatePage.changePassword("new-pass", "new-pass"); @@ -614,7 +677,8 @@ public class UserTest extends AbstractAdminTest { driver.navigate().to(link); - assertEquals("We're sorry...", driver.getTitle()); +// TODO:hmlnarik - return back once single-use cache would be implemented +// assertEquals("We're sorry...", driver.getTitle()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java index 1a68d09b5e..346bbd7f43 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java @@ -21,18 +21,17 @@ import org.junit.Assert; import org.junit.Rule; import org.junit.Test; import org.keycloak.events.Details; +import org.keycloak.events.EventType; +import org.keycloak.models.UserModel; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; -import org.keycloak.testsuite.pages.AccountUpdateProfilePage; -import org.keycloak.testsuite.pages.AppPage; +import org.keycloak.testsuite.pages.*; import org.keycloak.testsuite.pages.AppPage.RequestType; -import org.keycloak.testsuite.pages.LoginPage; -import org.keycloak.testsuite.pages.RegisterPage; -import org.keycloak.testsuite.util.RealmBuilder; -import org.keycloak.testsuite.util.UserBuilder; +import org.keycloak.testsuite.util.*; +import javax.mail.internet.MimeMessage; import static org.jgroups.util.Util.assertTrue; import static org.junit.Assert.assertEquals; @@ -54,9 +53,15 @@ public class RegisterTest extends AbstractTestRealmKeycloakTest { @Page protected RegisterPage registerPage; + @Page + protected VerifyEmailPage verifyEmailPage; + @Page protected AccountUpdateProfilePage accountPage; + @Rule + public GreenMailRule greenMail = new GreenMailRule(); + @Override public void configureTestRealm(RealmRepresentation testRealm) { } @@ -295,10 +300,15 @@ public class RegisterTest extends AbstractTestRealmKeycloakTest { registerPage.register("firstName", "lastName", "registerUserSuccess@email", "registerUserSuccess", "password", "password"); + appPage.assertCurrent(); assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); String userId = events.expectRegister("registerUserSuccess", "registerUserSuccess@email").assertEvent().getUserId(); - events.expectLogin().detail("username", "registerusersuccess").user(userId).assertEvent(); + assertUserRegistered(userId, "registerusersuccess", "registerusersuccess@email"); + } + + private void assertUserRegistered(String userId, String username, String email) { + events.expectLogin().detail("username", username.toLowerCase()).user(userId).assertEvent(); UserRepresentation user = getUser(userId); Assert.assertNotNull(user); @@ -306,12 +316,121 @@ public class RegisterTest extends AbstractTestRealmKeycloakTest { // test that timestamp is current with 10s tollerance Assert.assertTrue((System.currentTimeMillis() - user.getCreatedTimestamp()) < 10000); // test user info is set from form - assertEquals("registerusersuccess", user.getUsername()); - assertEquals("registerusersuccess@email", user.getEmail()); + assertEquals(username.toLowerCase(), user.getUsername()); + assertEquals(email.toLowerCase(), user.getEmail()); assertEquals("firstName", user.getFirstName()); assertEquals("lastName", user.getLastName()); } + @Test + public void registerUserSuccessWithEmailVerification() throws Exception { + RealmRepresentation realm = testRealm().toRepresentation(); + boolean origVerifyEmail = realm.isVerifyEmail(); + + try { + realm.setVerifyEmail(true); + testRealm().update(realm); + + loginPage.open(); + loginPage.clickRegister(); + registerPage.assertCurrent(); + + registerPage.register("firstName", "lastName", "registerUserSuccessWithEmailVerification@email", "registerUserSuccessWithEmailVerification", "password", "password"); + verifyEmailPage.assertCurrent(); + + String userId = events.expectRegister("registerUserSuccessWithEmailVerification", "registerUserSuccessWithEmailVerification@email").assertEvent().getUserId(); + + { + assertTrue("Expecting verify email", greenMail.waitForIncomingEmail(1000, 1)); + + events.expect(EventType.SEND_VERIFY_EMAIL) + .detail(Details.EMAIL, "registerUserSuccessWithEmailVerification@email".toLowerCase()) + .user(userId) + .assertEvent(); + + MimeMessage message = greenMail.getLastReceivedMessage(); + String link = MailUtils.getPasswordResetEmailLink(message); + + driver.navigate().to(link); + } + + events.expectRequiredAction(EventType.VERIFY_EMAIL) + .detail(Details.EMAIL, "registerUserSuccessWithEmailVerification@email".toLowerCase()) + .user(userId) + .assertEvent(); + + assertUserRegistered(userId, "registerUserSuccessWithEmailVerification", "registerUserSuccessWithEmailVerification@email"); + + appPage.assertCurrent(); + assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); + + // test that timestamp is current with 10s tollerance + // test user info is set from form + } finally { + realm.setVerifyEmail(origVerifyEmail); + testRealm().update(realm); + } + } + + @Test + public void registerUserSuccessWithEmailVerificationWithResend() throws Exception { + RealmRepresentation realm = testRealm().toRepresentation(); + boolean origVerifyEmail = realm.isVerifyEmail(); + try { + realm.setVerifyEmail(true); + testRealm().update(realm); + + loginPage.open(); + loginPage.clickRegister(); + registerPage.assertCurrent(); + + registerPage.register("firstName", "lastName", "registerUserSuccessWithEmailVerificationWithResend@email", "registerUserSuccessWithEmailVerificationWithResend", "password", "password"); + verifyEmailPage.assertCurrent(); + + String userId = events.expectRegister("registerUserSuccessWithEmailVerificationWithResend", "registerUserSuccessWithEmailVerificationWithResend@email").assertEvent().getUserId(); + + { + assertTrue("Expecting verify email", greenMail.waitForIncomingEmail(1000, 1)); + + events.expect(EventType.SEND_VERIFY_EMAIL) + .detail(Details.EMAIL, "registerUserSuccessWithEmailVerificationWithResend@email".toLowerCase()) + .user(userId) + .assertEvent(); + + verifyEmailPage.clickResendEmail(); + verifyEmailPage.assertCurrent(); + + assertTrue("Expecting second verify email", greenMail.waitForIncomingEmail(1000, 1)); + + events.expect(EventType.SEND_VERIFY_EMAIL) + .detail(Details.EMAIL, "registerUserSuccessWithEmailVerificationWithResend@email".toLowerCase()) + .user(userId) + .assertEvent(); + + MimeMessage message = greenMail.getLastReceivedMessage(); + String link = MailUtils.getPasswordResetEmailLink(message); + + driver.navigate().to(link); + } + + events.expectRequiredAction(EventType.VERIFY_EMAIL) + .detail(Details.EMAIL, "registerUserSuccessWithEmailVerificationWithResend@email".toLowerCase()) + .user(userId) + .assertEvent(); + + assertUserRegistered(userId, "registerUserSuccessWithEmailVerificationWithResend", "registerUserSuccessWithEmailVerificationWithResend@email"); + + appPage.assertCurrent(); + assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); + + // test that timestamp is current with 10s tollerance + // test user info is set from form + } finally { + realm.setVerifyEmail(origVerifyEmail); + testRealm().update(realm); + } + } + @Test public void registerUserUmlats() { loginPage.open(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java index 95f5a08cde..f322c529e9 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java @@ -16,6 +16,7 @@ */ package org.keycloak.testsuite.forms; +import org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken; import org.jboss.arquillian.graphene.page.Page; import org.keycloak.events.Details; import org.keycloak.events.Errors; @@ -188,18 +189,19 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { } public void assertSecondPasswordResetFails(String changePasswordUrl, String clientId) { - driver.navigate().to(changePasswordUrl.trim()); - - errorPage.assertCurrent(); - assertEquals("An error occurred, please login again through your application.", errorPage.getError()); - - events.expect(EventType.RESET_PASSWORD) - .client((String) null) - .session((String) null) - .user(userId) - .detail(Details.USERNAME, "login-test") - .error(Errors.EXPIRED_CODE) - .assertEvent(); + // TODO:hmlnarik uncomment when single-use cache is implemented +// driver.navigate().to(changePasswordUrl.trim()); +// +// errorPage.assertCurrent(); +// assertEquals("An error occurred, please login again through your application.", errorPage.getError()); +// +// events.expect(EventType.RESET_PASSWORD) +// .client((String) null) +// .session((String) null) +// .user(userId) +// .detail(Details.USERNAME, "login-test") +// .error(Errors.EXPIRED_CODE) +// .assertEvent(); } @Test @@ -304,7 +306,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { updatePasswordPage.changePassword(password, password); - assertTrue(updatePasswordPage.isCurrent()); + updatePasswordPage.assertCurrent(); assertEquals(error, updatePasswordPage.getError()); events.expectRequiredAction(EventType.UPDATE_PASSWORD_ERROR).error(Errors.PASSWORD_REJECTED).user(userId).detail(Details.USERNAME, "login-test").assertEvent().getSessionId(); } @@ -373,7 +375,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError()); - events.expectRequiredAction(EventType.RESET_PASSWORD).error("expired_code").client("test-app").user((String) null).session((String) null).clearDetails().assertEvent(); + events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR).error("expired_code").client((String) null).user(userId).session((String) null).clearDetails().detail(Details.ACTION, ResetCredentialsActionToken.TOKEN_TYPE).assertEvent(); } finally { setTimeOffset(0); } @@ -409,7 +411,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError()); - events.expectRequiredAction(EventType.RESET_PASSWORD).error("expired_code").client("test-app").user((String) null).session((String) null).clearDetails().assertEvent(); + events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR).error("expired_code").client((String) null).user(userId).session((String) null).clearDetails().detail(Details.ACTION, ResetCredentialsActionToken.TOKEN_TYPE).assertEvent(); } finally { setTimeOffset(0); @@ -588,6 +590,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { resetPasswordPage.changePassword(username); + log.info("Should be at login page again."); loginPage.assertCurrent(); assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage()); @@ -606,17 +609,20 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { String changePasswordUrl = getPasswordResetEmailLink(message); + log.debug("Going to reset password URI."); driver.navigate().to(resetUri); // This is necessary to delete KC_RESTART cookie that is restricted to /auth/realms/test path + log.debug("Removing cookies."); driver.manage().deleteAllCookies(); + log.debug("Going to URI from e-mail."); driver.navigate().to(changePasswordUrl.trim()); - System.out.println(driver.getPageSource()); +// System.out.println(driver.getPageSource()); updatePasswordPage.assertCurrent(); updatePasswordPage.changePassword("resetPassword", "resetPassword"); - assertTrue(infoPage.isCurrent()); + infoPage.assertCurrent(); assertEquals("Your account has been updated.", infoPage.getInfo()); } From 168153c6e7fa084c5ee5057d687f20757cd47596 Mon Sep 17 00:00:00 2001 From: mposolda Date: Fri, 21 Apr 2017 14:24:47 +0200 Subject: [PATCH 08/30] KEYCLOAK-4626 Authentication sessions - SAML, offline tokens, broker logout and other fixes --- .../keycloak/adapters/HttpClientBuilder.java | 6 +- .../servlet/OIDCFilterSessionStore.java | 2 +- .../keycloak/representations/AccessToken.java | 12 - .../representations/RefreshToken.java | 1 - examples/kerberos/README.md | 2 +- .../AuthenticatedClientSessionAdapter.java | 24 +- .../infinispan/ClientSessionAdapter.java | 292 ------- .../models/sessions/infinispan/Consumers.java | 17 - ...finispanAuthenticationSessionProvider.java | 2 + .../InfinispanUserSessionProvider.java | 333 ++------ .../infinispan/UserSessionAdapter.java | 51 +- ... => AuthenticatedClientSessionEntity.java} | 11 +- .../entities/ClientSessionEntity.java | 152 ---- .../entities/UserSessionEntity.java | 16 +- .../initializer/OfflineUserSessionLoader.java | 8 +- .../mapreduce/ClientSessionMapper.java | 129 --- .../ClientSessionsOfUserSessionMapper.java | 77 -- .../stream/ClientSessionPredicate.java | 114 --- .../infinispan/stream/Comparators.java | 15 + .../sessions/infinispan/stream/Mappers.java | 38 +- .../stream/UserSessionPredicate.java | 11 + .../JpaUserSessionPersisterProvider.java | 24 +- ...paUserSessionPersisterProviderFactory.java | 1 - .../PersistentClientSessionEntity.java | 35 +- .../META-INF/jpa-changelog-3.2.0.xml | 27 + .../META-INF/jpa-changelog-master.xml | 1 + .../provider/AbstractIdentityProvider.java | 1 - .../provider/AuthenticationRequest.java | 1 - .../forms/login/LoginFormsProvider.java | 2 - .../DisabledUserSessionPersisterProvider.java | 4 +- ...tentAuthenticatedClientSessionAdapter.java | 15 +- .../session/PersistentClientSessionModel.java | 8 - .../session/PersistentUserSessionAdapter.java | 23 +- .../session/UserSessionPersisterProvider.java | 4 +- .../AuthenticatedClientSessionModel.java | 8 +- .../org/keycloak/models/UserSessionModel.java | 8 +- .../keycloak/models/UserSessionProvider.java | 23 +- .../AuthenticationSessionProvider.java | 1 - .../AuthenticationProcessor.java | 42 +- .../DefaultAuthenticationFlow.java | 44 +- .../FormAuthenticationFlow.java | 17 +- .../ResetCredentialsActionTokenHandler.java | 29 +- .../browser/ScriptBasedAuthenticator.java | 2 +- .../requiredactions/VerifyEmail.java | 22 +- .../common/KeycloakIdentity.java | 34 +- .../broker/oidc/OIDCIdentityProvider.java | 1 - .../broker/saml/SAMLIdentityProvider.java | 1 - .../freemarker/model/SessionsBean.java | 5 +- .../FreeMarkerLoginFormsProvider.java | 27 +- .../forms/login/freemarker/model/UrlBean.java | 4 - .../protocol/AuthorizationEndpointBase.java | 33 +- .../keycloak/protocol/oidc/TokenManager.java | 1 - .../oidc/endpoints/AuthorizationEndpoint.java | 4 +- .../oidc/endpoints/TokenEndpoint.java | 14 +- .../AbstractUserRoleMappingMapper.java | 4 +- .../keycloak/protocol/saml/SamlProtocol.java | 12 +- .../keycloak/protocol/saml/SamlService.java | 37 +- .../protocol/saml/SamlSessionUtils.java | 65 ++ .../keycloak/services/ErrorPageException.java | 2 + .../managers/AuthenticationManager.java | 2 +- .../AuthenticationSessionManager.java | 15 +- .../services/managers/ClientManager.java | 6 + .../services/managers/ClientSessionCode.java | 11 +- .../services/managers/CodeGenerateUtil.java | 64 -- .../services/managers/RealmManager.java | 6 + .../services/managers/UserSessionManager.java | 9 +- .../resources/IdentityBrokerService.java | 92 +- .../resources/LoginActionsService.java | 472 ++--------- .../services/resources/SessionCodeChecks.java | 388 +++++++++ .../resources/admin/ClientResource.java | 9 +- .../scheduled/ClearExpiredUserSessions.java | 1 + ....java => AuthenticationFlowURLHelper.java} | 8 +- .../services/util/BrowserHistoryHelper.java | 17 +- .../twitter/TwitterIdentityProvider.java | 10 +- .../keycloak/testsuite/util/OAuthClient.java | 4 +- .../org/keycloak/testsuite/AssertEvents.java | 2 +- .../RequiredActionMultipleActionsTest.java | 38 +- .../actions/RequiredActionTotpSetupTest.java | 21 +- .../RequiredActionUpdateProfileTest.java | 17 +- .../actions/TermsAndConditionsTest.java | 6 +- .../kerberos/AbstractKerberosTest.java | 6 +- .../kerberos/KerberosStandaloneTest.java | 24 +- .../testsuite/forms/BrowserButtonsTest.java | 2 +- .../forms/MultipleTabsLoginTest.java | 44 +- .../testsuite/oauth/AccessTokenTest.java | 9 +- .../oauth/AuthorizationCodeTest.java | 2 +- .../testsuite/oauth/OAuthGrantTest.java | 4 +- .../oidc/OIDCAdvancedRequestParamsTest.java | 25 + .../resources/scripts/client-session-test.js | 2 +- .../org/keycloak/testsuite/OAuthClient.java | 26 +- .../broker/AbstractFirstBrokerLoginTest.java | 189 +++++ .../AbstractKeycloakIdentityProviderTest.java | 2 - ...DCKeycloakServerBrokerWithConsentTest.java | 19 +- .../AuthenticationSessionProviderTest.java | 130 ++- .../model/UserSessionInitializerTest.java | 251 +++--- .../UserSessionPersisterProviderTest.java | 789 +++++++++--------- .../model/UserSessionProviderOfflineTest.java | 786 +++++++++-------- .../model/UserSessionProviderTest.java | 281 +++---- .../testsuite/pages/LoginExpiredPage.java | 51 ++ .../util/cli/AbstractOfflineCacheCommand.java | 4 +- .../util/cli/PersistSessionsCommand.java | 32 +- .../theme/base/login/login-verify-email.ftl | 2 +- 102 files changed, 2589 insertions(+), 3188 deletions(-) delete mode 100755 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java rename model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/{ClientLoginSessionEntity.java => AuthenticatedClientSessionEntity.java} (91%) delete mode 100755 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionMapper.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionsOfUserSessionMapper.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/ClientSessionPredicate.java create mode 100644 model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml create mode 100644 services/src/main/java/org/keycloak/protocol/saml/SamlSessionUtils.java create mode 100644 services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java rename services/src/main/java/org/keycloak/services/util/{PageExpiredRedirect.java => AuthenticationFlowURLHelper.java} (89%) create mode 100644 testsuite/integration/src/test/java/org/keycloak/testsuite/pages/LoginExpiredPage.java diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpClientBuilder.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpClientBuilder.java index e6d658800d..38fa9d309b 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpClientBuilder.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpClientBuilder.java @@ -170,8 +170,8 @@ public class HttpClientBuilder { return this; } - public HttpClientBuilder disableCookieCache() { - this.disableCookieCache = true; + public HttpClientBuilder disableCookieCache(boolean disable) { + this.disableCookieCache = disable; return this; } @@ -334,7 +334,7 @@ public class HttpClientBuilder { } public HttpClient build(AdapterHttpClientConfig adapterConfig) { - disableCookieCache(); // disable cookie cache as we don't want sticky sessions for load balancing + disableCookieCache(true); // disable cookie cache as we don't want sticky sessions for load balancing String truststorePath = adapterConfig.getTruststore(); if (truststorePath != null) { diff --git a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java index e28500beeb..e03158f99a 100755 --- a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java +++ b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java @@ -168,7 +168,7 @@ public class OIDCFilterSessionStore extends FilterSessionStore implements Adapte HttpSession httpSession = request.getSession(); httpSession.setAttribute(KeycloakAccount.class.getName(), sAccount); httpSession.setAttribute(KeycloakSecurityContext.class.getName(), sAccount.getKeycloakSecurityContext()); - if (idMapper != null) idMapper.map(account.getKeycloakSecurityContext().getToken().getClientSession(), account.getPrincipal().getName(), httpSession.getId()); + if (idMapper != null) idMapper.map(account.getKeycloakSecurityContext().getToken().getSessionState(), account.getPrincipal().getName(), httpSession.getId()); //String username = securityContext.getToken().getSubject(); //log.fine("userSessionManagement.login: " + username); } diff --git a/core/src/main/java/org/keycloak/representations/AccessToken.java b/core/src/main/java/org/keycloak/representations/AccessToken.java index 4ef6831678..36778e102d 100755 --- a/core/src/main/java/org/keycloak/representations/AccessToken.java +++ b/core/src/main/java/org/keycloak/representations/AccessToken.java @@ -97,9 +97,6 @@ public class AccessToken extends IDToken { } } - @JsonProperty("client_session") - protected String clientSession; - @JsonProperty("trusted-certs") protected Set trustedCertificates; @@ -156,10 +153,6 @@ public class AccessToken extends IDToken { return resourceAccess.get(resource); } - public String getClientSession() { - return clientSession; - } - public Access addAccess(String service) { Access access = resourceAccess.get(service); if (access != null) return access; @@ -168,11 +161,6 @@ public class AccessToken extends IDToken { return access; } - public AccessToken clientSession(String session) { - this.clientSession = session; - return this; - } - @Override public AccessToken id(String id) { return (AccessToken) super.id(id); diff --git a/core/src/main/java/org/keycloak/representations/RefreshToken.java b/core/src/main/java/org/keycloak/representations/RefreshToken.java index 4b89cf6f70..3a7a95188d 100755 --- a/core/src/main/java/org/keycloak/representations/RefreshToken.java +++ b/core/src/main/java/org/keycloak/representations/RefreshToken.java @@ -40,7 +40,6 @@ public class RefreshToken extends AccessToken { */ public RefreshToken(AccessToken token) { this(); - this.clientSession = token.getClientSession(); this.issuer = token.issuer; this.subject = token.subject; this.issuedFor = token.issuedFor; diff --git a/examples/kerberos/README.md b/examples/kerberos/README.md index 02bffddf99..2c1d335ace 100644 --- a/examples/kerberos/README.md +++ b/examples/kerberos/README.md @@ -47,7 +47,7 @@ is in your `/etc/hosts` before other records for the 127.0.0.1 host to avoid iss **5)** Configure Kerberos client (On linux it's in file `/etc/krb5.conf` ). You need to configure `KEYCLOAK.ORG` realm for host `localhost` and enable `forwardable` flag, which is needed for credential delegation example, as application needs to forward Kerberos ticket and authenticate with it against LDAP server. -See [this file](https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/resources/kerberos/test-krb5.conf) for inspiration. +See [this file](https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/resources/kerberos/test-krb5.conf) for inspiration. On OS X the file to edit (or create) is `/Library/Preferences/edu.mit.Kerberos` with the same syntax as `krb5.conf`. On Windows the file to edit (or create) is `c:\Windows\krb5.ini` with the same syntax as `krb5.conf`. diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java index 6eaba69dad..546e86fafe 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java @@ -27,7 +27,7 @@ import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; -import org.keycloak.models.sessions.infinispan.entities.ClientLoginSessionEntity; +import org.keycloak.models.sessions.infinispan.entities.AuthenticatedClientSessionEntity; import org.keycloak.models.sessions.infinispan.entities.SessionEntity; import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; @@ -36,14 +36,16 @@ import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; */ public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSessionModel { - private final ClientLoginSessionEntity entity; + private final AuthenticatedClientSessionEntity entity; + private final ClientModel client; private final InfinispanUserSessionProvider provider; private final Cache cache; private UserSessionAdapter userSession; - public AuthenticatedClientSessionAdapter(ClientLoginSessionEntity entity, UserSessionAdapter userSession, InfinispanUserSessionProvider provider, Cache cache) { + public AuthenticatedClientSessionAdapter(AuthenticatedClientSessionEntity entity, ClientModel client, UserSessionAdapter userSession, InfinispanUserSessionProvider provider, Cache cache) { this.provider = provider; this.entity = entity; + this.client = client; this.cache = cache; this.userSession = userSession; } @@ -55,23 +57,23 @@ public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSes @Override public void setUserSession(UserSessionModel userSession) { - String clientUUID = entity.getClient(); + String clientUUID = client.getId(); UserSessionEntity sessionEntity = this.userSession.getEntity(); // Dettach userSession if (userSession == null) { - if (sessionEntity.getClientLoginSessions() != null) { - sessionEntity.getClientLoginSessions().remove(clientUUID); + if (sessionEntity.getAuthenticatedClientSessions() != null) { + sessionEntity.getAuthenticatedClientSessions().remove(clientUUID); update(); this.userSession = null; } } else { this.userSession = (UserSessionAdapter) userSession; - if (sessionEntity.getClientLoginSessions() == null) { - sessionEntity.setClientLoginSessions(new HashMap<>()); + if (sessionEntity.getAuthenticatedClientSessions() == null) { + sessionEntity.setAuthenticatedClientSessions(new HashMap<>()); } - sessionEntity.getClientLoginSessions().put(clientUUID, entity); + sessionEntity.getAuthenticatedClientSessions().put(clientUUID, entity); update(); } } @@ -104,8 +106,7 @@ public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSes @Override public ClientModel getClient() { - String client = entity.getClient(); - return getRealm().getClientById(client); + return client; } @Override @@ -192,4 +193,5 @@ public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSes copy.putAll(entity.getNotes()); return copy; } + } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java deleted file mode 100755 index 8abf19b2bb..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientSessionAdapter.java +++ /dev/null @@ -1,292 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.sessions.infinispan; - -import org.infinispan.Cache; -import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; -import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity; -import org.keycloak.models.sessions.infinispan.entities.SessionEntity; - -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -/** - * @author Stian Thorgersen - */ -public class ClientSessionAdapter implements ClientSessionModel { - - private KeycloakSession session; - private InfinispanUserSessionProvider provider; - private Cache cache; - private RealmModel realm; - private ClientSessionEntity entity; - private boolean offline; - - public ClientSessionAdapter(KeycloakSession session, InfinispanUserSessionProvider provider, Cache cache, RealmModel realm, - ClientSessionEntity entity, boolean offline) { - this.session = session; - this.provider = provider; - this.cache = cache; - this.realm = realm; - this.entity = entity; - this.offline = offline; - } - - @Override - public String getId() { - return entity.getId(); - } - - @Override - public RealmModel getRealm() { - return realm; - } - - @Override - public ClientModel getClient() { - return realm.getClientById(entity.getClient()); - } - - @Override - public UserSessionAdapter getUserSession() { - return entity.getUserSession() != null ? provider.getUserSession(realm, entity.getUserSession(), offline) : null; - } - - @Override - public void setUserSession(UserSessionModel userSession) { - if (userSession == null) { - if (entity.getUserSession() != null) { - provider.dettachSession(getUserSession(), this); - } - entity.setUserSession(null); - } else { - UserSessionAdapter userSessionAdapter = (UserSessionAdapter) userSession; - if (entity.getUserSession() != null) { - if (entity.getUserSession().equals(userSession.getId())) { - return; - } else { - provider.dettachSession(userSessionAdapter, this); - } - } else { - provider.attachSession(userSessionAdapter, this); - } - - entity.setUserSession(userSession.getId()); - } - update(); - } - - @Override - public String getRedirectUri() { - return entity.getRedirectUri(); - } - - @Override - public void setRedirectUri(String uri) { - entity.setRedirectUri(uri); - update(); - } - - @Override - public int getTimestamp() { - return entity.getTimestamp(); - } - - @Override - public void setTimestamp(int timestamp) { - entity.setTimestamp(timestamp); - update(); - } - - @Override - public String getAction() { - return entity.getAction(); - } - - @Override - public void setAction(String action) { - entity.setAction(action); - update(); - } - - @Override - public Set getRoles() { - if (entity.getRoles() == null || entity.getRoles().isEmpty()) return Collections.emptySet(); - return new HashSet<>(entity.getRoles()); - } - - @Override - public void setRoles(Set roles) { - entity.setRoles(roles); - update(); - } - - @Override - public Set getProtocolMappers() { - if (entity.getProtocolMappers() == null || entity.getProtocolMappers().isEmpty()) return Collections.emptySet(); - return new HashSet<>(entity.getProtocolMappers()); - } - - @Override - public void setProtocolMappers(Set protocolMappers) { - entity.setProtocolMappers(protocolMappers); - update(); - } - - @Override - public String getProtocol() { - return entity.getAuthMethod(); - } - - @Override - public void setProtocol(String authMethod) { - entity.setAuthMethod(authMethod); - update(); - } - - @Override - public String getNote(String name) { - return entity.getNotes() != null ? entity.getNotes().get(name) : null; - } - - @Override - public void setNote(String name, String value) { - if (entity.getNotes() == null) { - entity.setNotes(new HashMap()); - } - entity.getNotes().put(name, value); - update(); - } - - @Override - public void removeNote(String name) { - if (entity.getNotes() != null) { - entity.getNotes().remove(name); - update(); - } - } - - @Override - public Map getNotes() { - if (entity.getNotes() == null || entity.getNotes().isEmpty()) return Collections.emptyMap(); - Map copy = new HashMap<>(); - copy.putAll(entity.getNotes()); - return copy; - } - - @Override - public void setUserSessionNote(String name, String value) { - if (entity.getUserSessionNotes() == null) { - entity.setUserSessionNotes(new HashMap()); - } - entity.getUserSessionNotes().put(name, value); - update(); - - } - - @Override - public Map getUserSessionNotes() { - if (entity.getUserSessionNotes() == null) { - return Collections.EMPTY_MAP; - } - HashMap copy = new HashMap<>(); - copy.putAll(entity.getUserSessionNotes()); - return copy; - } - - @Override - public void clearUserSessionNotes() { - entity.setUserSessionNotes(new HashMap()); - update(); - - } - - @Override - public Set getRequiredActions() { - Set copy = new HashSet<>(); - copy.addAll(entity.getRequiredActions()); - return copy; - } - - @Override - public void addRequiredAction(String action) { - entity.getRequiredActions().add(action); - update(); - - } - - @Override - public void removeRequiredAction(String action) { - entity.getRequiredActions().remove(action); - update(); - - } - - @Override - public void addRequiredAction(UserModel.RequiredAction action) { - addRequiredAction(action.name()); - - } - - @Override - public void removeRequiredAction(UserModel.RequiredAction action) { - removeRequiredAction(action.name()); - } - - void update() { - provider.getTx().replace(cache, entity.getId(), entity); - } - @Override - public Map getExecutionStatus() { - return entity.getAuthenticatorStatus(); - } - - @Override - public void setExecutionStatus(String authenticator, ExecutionStatus status) { - entity.getAuthenticatorStatus().put(authenticator, status); - update(); - - } - - @Override - public void clearExecutionStatus() { - entity.getAuthenticatorStatus().clear(); - update(); - } - - @Override - public UserModel getAuthenticatedUser() { - return entity.getAuthUserId() == null ? null : session.users().getUserById(entity.getAuthUserId(), realm); } - - @Override - public void setAuthenticatedUser(UserModel user) { - if (user == null) entity.setAuthUserId(null); - else entity.setAuthUserId(user.getId()); - update(); - - } - -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/Consumers.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/Consumers.java index e55cf3181c..19cb7c7560 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/Consumers.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/Consumers.java @@ -19,11 +19,9 @@ package org.keycloak.models.sessions.infinispan; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; -import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity; import org.keycloak.models.sessions.infinispan.entities.SessionEntity; import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; -import java.util.HashMap; import java.util.LinkedList; import java.util.List; import java.util.Map; @@ -41,21 +39,6 @@ public class Consumers { return new UserSessionModelsConsumer(provider, realm, offline); } - public static class UserSessionIdAndTimestampConsumer implements Consumer> { - - private Map sessions = new HashMap<>(); - - @Override - public void accept(Map.Entry entry) { - SessionEntity e = entry.getValue(); - if (e instanceof ClientSessionEntity) { - ClientSessionEntity ce = (ClientSessionEntity) e; - sessions.put(ce.getUserSession(), ce.getTimestamp()); - } - } - - } - public static class UserSessionModelsConsumer implements Consumer> { private InfinispanUserSessionProvider provider; diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java index 1e23524fdc..a802544cf7 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java @@ -120,6 +120,7 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe log.debugf("Removed %d expired user sessions for realm '%s'", counter, realm.getName()); } + // TODO: Should likely listen to "RealmRemovedEvent" received from cluster and clean just local sessions @Override public void onRealmRemoved(RealmModel realm) { Iterator> itr = cache.entrySet().stream().filter(AuthenticationSessionPredicate.create(realm.getId())).iterator(); @@ -128,6 +129,7 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe } } + // TODO: Should likely listen to "ClientRemovedEvent" received from cluster and clean just local sessions @Override public void onClientRemoved(RealmModel realm, ClientModel client) { Iterator> itr = cache.entrySet().stream().filter(AuthenticationSessionPredicate.create(realm.getId()).client(client.getId())).iterator(); diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java index e87347e213..0e50a73d3d 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java @@ -25,9 +25,7 @@ import org.keycloak.common.util.Time; import org.keycloak.models.ClientInitialAccessModel; import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakTransaction; import org.keycloak.models.RealmModel; import org.keycloak.models.UserLoginFailureModel; import org.keycloak.models.UserModel; @@ -35,31 +33,29 @@ import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionProvider; import org.keycloak.models.session.UserSessionPersisterProvider; import org.keycloak.models.sessions.infinispan.entities.ClientInitialAccessEntity; -import org.keycloak.models.sessions.infinispan.entities.ClientLoginSessionEntity; -import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity; +import org.keycloak.models.sessions.infinispan.entities.AuthenticatedClientSessionEntity; import org.keycloak.models.sessions.infinispan.entities.LoginFailureEntity; import org.keycloak.models.sessions.infinispan.entities.LoginFailureKey; import org.keycloak.models.sessions.infinispan.entities.SessionEntity; import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; import org.keycloak.models.sessions.infinispan.stream.ClientInitialAccessPredicate; -import org.keycloak.models.sessions.infinispan.stream.ClientSessionPredicate; import org.keycloak.models.sessions.infinispan.stream.Comparators; import org.keycloak.models.sessions.infinispan.stream.Mappers; import org.keycloak.models.sessions.infinispan.stream.SessionPredicate; import org.keycloak.models.sessions.infinispan.stream.UserLoginFailurePredicate; import org.keycloak.models.sessions.infinispan.stream.UserSessionPredicate; import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.models.utils.RealmInfoUtil; import java.util.Collection; +import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.Iterator; import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.function.Consumer; import java.util.function.Predicate; +import java.util.stream.Collectors; import java.util.stream.Stream; /** @@ -90,31 +86,11 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { return offline ? offlineSessionCache : sessionCache; } - - // TODO:mposolda remove - @Override - public ClientSessionModel createClientSession(RealmModel realm, ClientModel client) { - String id = KeycloakModelUtils.generateId(); - - ClientSessionEntity entity = new ClientSessionEntity(); - entity.setId(id); - entity.setRealm(realm.getId()); - entity.setTimestamp(Time.currentTime()); - entity.setClient(client.getId()); - - - tx.put(sessionCache, id, entity); - - ClientSessionAdapter wrap = wrap(realm, entity, false); - return wrap; - } - @Override public AuthenticatedClientSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession) { - ClientLoginSessionEntity entity = new ClientLoginSessionEntity(); - entity.setClient(client.getId()); + AuthenticatedClientSessionEntity entity = new AuthenticatedClientSessionEntity(); - AuthenticatedClientSessionAdapter adapter = new AuthenticatedClientSessionAdapter(entity, (UserSessionAdapter) userSession, this, sessionCache); + AuthenticatedClientSessionAdapter adapter = new AuthenticatedClientSessionAdapter(entity, client, (UserSessionAdapter) userSession, this, sessionCache); adapter.setUserSession(userSession); return adapter; } @@ -123,6 +99,15 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { public UserSessionModel createUserSession(String id, RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) { UserSessionEntity entity = new UserSessionEntity(); entity.setId(id); + + updateSessionEntity(entity, realm, user, loginUsername, ipAddress, authMethod, rememberMe, brokerSessionId, brokerUserId); + + tx.putIfAbsent(sessionCache, id, entity); + + return wrap(realm, entity, false); + } + + void updateSessionEntity(UserSessionEntity entity, RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) { entity.setRealm(realm.getId()); entity.setUser(user.getId()); entity.setLoginUsername(loginUsername); @@ -137,41 +122,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { entity.setStarted(currentTime); entity.setLastSessionRefresh(currentTime); - tx.putIfAbsent(sessionCache, id, entity); - return wrap(realm, entity, false); - } - - @Override - public ClientSessionModel getClientSession(RealmModel realm, String id) { - return getClientSession(realm, id, false); - } - - protected ClientSessionModel getClientSession(RealmModel realm, String id, boolean offline) { - Cache cache = getCache(offline); - ClientSessionEntity entity = (ClientSessionEntity) tx.get(cache, id); // Chance created in this transaction - - if (entity == null) { - entity = (ClientSessionEntity) cache.get(id); - } - - return wrap(realm, entity, offline); - } - - @Override - public ClientSessionModel getClientSession(String id) { - // Chance created in this transaction - ClientSessionEntity entity = (ClientSessionEntity) tx.get(sessionCache, id); - - if (entity == null) { - entity = (ClientSessionEntity) sessionCache.get(id); - } - - if (entity != null) { - RealmModel realm = session.realms().getRealm(entity.getRealm()); - return wrap(realm, entity, false); - } - return null; } @Override @@ -230,37 +181,50 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { protected List getUserSessions(final RealmModel realm, ClientModel client, int firstResult, int maxResults, final boolean offline) { final Cache cache = getCache(offline); - Iterator itr = cache.entrySet().stream() - .filter(ClientSessionPredicate.create(realm.getId()).client(client.getId()).requireUserSession()) - .map(Mappers.clientSessionToUserSessionTimestamp()) - .iterator(); + Stream stream = cache.entrySet().stream() + .filter(UserSessionPredicate.create(realm.getId()).client(client.getId())) + .map(Mappers.userSessionEntity()) + .sorted(Comparators.userSessionLastSessionRefresh()); - Map m = new HashMap<>(); - while(itr.hasNext()) { - UserSessionTimestamp next = itr.next(); - if (!m.containsKey(next.getUserSessionId()) || m.get(next.getUserSessionId()).getClientSessionTimestamp() < next.getClientSessionTimestamp()) { - m.put(next.getUserSessionId(), next); - } + // Doesn't work due to ISPN-6575 . TODO Fix once infinispan upgraded to 8.2.2.Final or 9.0 +// if (firstResult > 0) { +// stream = stream.skip(firstResult); +// } +// +// if (maxResults > 0) { +// stream = stream.limit(maxResults); +// } +// +// List entities = stream.collect(Collectors.toList()); + + + // Workaround for ISPN-6575 TODO Fix once infinispan upgraded to 8.2.2.Final or 9.0 and replace with the more effective code above + if (firstResult < 0) { + firstResult = 0; + } + if (maxResults < 0) { + maxResults = Integer.MAX_VALUE; } - Stream stream = new LinkedList<>(m.values()).stream().sorted(Comparators.userSessionTimestamp()); + int count = firstResult + maxResults; + if (count > 0) { + stream = stream.limit(count); + } + List entities = stream.collect(Collectors.toList()); - if (firstResult > 0) { - stream = stream.skip(firstResult); + if (firstResult > entities.size()) { + return Collections.emptyList(); } - if (maxResults > 0) { - stream = stream.limit(maxResults); - } + maxResults = Math.min(maxResults, entities.size() - firstResult); + entities = entities.subList(firstResult, firstResult + maxResults); + final List sessions = new LinkedList<>(); - stream.forEach(new Consumer() { + entities.stream().forEach(new Consumer() { @Override - public void accept(UserSessionTimestamp userSessionTimestamp) { - SessionEntity entity = cache.get(userSessionTimestamp.getUserSessionId()); - if (entity != null) { - sessions.add(wrap(realm, (UserSessionEntity) entity, offline)); - } + public void accept(UserSessionEntity userSessionEntity) { + sessions.add(wrap(realm, userSessionEntity, offline)); } }); @@ -273,7 +237,9 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { } protected long getUserSessionsCount(RealmModel realm, ClientModel client, boolean offline) { - return getCache(offline).entrySet().stream().filter(ClientSessionPredicate.create(realm.getId()).client(client.getId()).requireUserSession()).map(Mappers.clientSessionToUserSessionId()).distinct().count(); + return getCache(offline).entrySet().stream() + .filter(UserSessionPredicate.create(realm.getId()).client(client.getId())) + .count(); } @Override @@ -303,9 +269,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { public void removeExpired(RealmModel realm) { log.debugf("Removing expired sessions"); removeExpiredUserSessions(realm); - removeExpiredClientSessions(realm); removeExpiredOfflineUserSessions(realm); - removeExpiredOfflineClientSessions(realm); removeExpiredClientInitialAccess(realm); } @@ -322,33 +286,11 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { counter++; UserSessionEntity entity = (UserSessionEntity) itr.next().getValue(); tx.remove(sessionCache, entity.getId()); - - if (entity.getClientSessions() != null) { - for (String clientSessionId : entity.getClientSessions()) { - tx.remove(sessionCache, clientSessionId); - } - } } log.debugf("Removed %d expired user sessions for realm '%s'", counter, realm.getName()); } - private void removeExpiredClientSessions(RealmModel realm) { - int expiredDettachedClientSession = Time.currentTime() - RealmInfoUtil.getDettachedClientSessionLifespan(realm); - - // Each cluster node cleanups just local sessions, which are those owned by himself (+ few more taking l1 cache into account) - Iterator> itr = sessionCache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL) - .entrySet().stream().filter(ClientSessionPredicate.create(realm.getId()).expiredRefresh(expiredDettachedClientSession).requireNullUserSession()).iterator(); - - int counter = 0; - while (itr.hasNext()) { - counter++; - tx.remove(sessionCache, itr.next().getKey()); - } - - log.debugf("Removed %d expired client sessions for realm '%s'", counter, realm.getName()); - } - private void removeExpiredOfflineUserSessions(RealmModel realm) { UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class); int expiredOffline = Time.currentTime() - realm.getOfflineSessionIdleTimeout(); @@ -366,33 +308,14 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { persister.removeUserSession(entity.getId(), true); - for (String clientSessionId : entity.getClientSessions()) { - tx.remove(offlineSessionCache, clientSessionId); + for (String clientUUID : entity.getAuthenticatedClientSessions().keySet()) { + persister.removeClientSession(entity.getId(), clientUUID, true); } } log.debugf("Removed %d expired offline user sessions for realm '%s'", counter, realm.getName()); } - private void removeExpiredOfflineClientSessions(RealmModel realm) { - UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class); - int expiredOffline = Time.currentTime() - realm.getOfflineSessionIdleTimeout(); - - // Each cluster node cleanups just local sessions, which are those owned by himself (+ few more taking l1 cache into account) - Iterator itr = offlineSessionCache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL) - .entrySet().stream().filter(ClientSessionPredicate.create(realm.getId()).expiredRefresh(expiredOffline)).map(Mappers.sessionId()).iterator(); - - int counter = 0; - while (itr.hasNext()) { - counter++; - String sessionId = itr.next(); - tx.remove(offlineSessionCache, sessionId); - persister.removeClientSession(sessionId, true); - } - - log.debugf("Removed %d expired offline client sessions for realm '%s'", counter, realm.getName()); - } - private void removeExpiredClientInitialAccess(RealmModel realm) { Iterator itr = sessionCache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL) .entrySet().stream().filter(ClientInitialAccessPredicate.create(realm.getId()).expired(Time.currentTime())).map(Mappers.sessionId()).iterator(); @@ -454,21 +377,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { @Override public void onClientRemoved(RealmModel realm, ClientModel client) { - onClientRemoved(realm, client, true); - onClientRemoved(realm, client, false); - } - - private void onClientRemoved(RealmModel realm, ClientModel client, boolean offline) { - Cache cache = getCache(offline); - - Iterator> itr = cache.entrySet().stream().filter(ClientSessionPredicate.create(realm.getId()).client(client.getId())).iterator(); - while (itr.hasNext()) { - ClientSessionEntity entity = (ClientSessionEntity) itr.next().getValue(); - ClientSessionAdapter adapter = wrap(realm, entity, offline); - adapter.setUserSession(null); - - tx.remove(cache, entity.getId()); - } + // Nothing for now. userSession.getAuthenticatedClientSessions() will check lazily if particular client exists and update userSession on-the-fly. } @@ -484,55 +393,10 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { public void close() { } - void attachSession(UserSessionAdapter userSession, ClientSessionModel clientSession) { - UserSessionEntity entity = userSession.getEntity(); - String clientSessionId = clientSession.getId(); - if (!entity.getClientSessions().contains(clientSessionId)) { - entity.getClientSessions().add(clientSessionId); - userSession.update(); - } - } - - @Override - public void removeClientSession(RealmModel realm, ClientSessionModel clientSession) { - removeClientSession(realm, clientSession, false); - } - - protected void removeClientSession(RealmModel realm, ClientSessionModel clientSession, boolean offline) { - Cache cache = getCache(offline); - - UserSessionModel userSession = clientSession.getUserSession(); - if (userSession != null) { - UserSessionEntity entity = ((UserSessionAdapter) userSession).getEntity(); - if (entity.getClientSessions() != null) { - entity.getClientSessions().remove(clientSession.getId()); - - } - tx.replace(cache, entity.getId(), entity); - } - tx.remove(cache, clientSession.getId()); - } - - - void dettachSession(UserSessionAdapter userSession, ClientSessionModel clientSession) { - UserSessionEntity entity = userSession.getEntity(); - String clientSessionId = clientSession.getId(); - if (entity.getClientSessions() != null && entity.getClientSessions().contains(clientSessionId)) { - entity.getClientSessions().remove(clientSessionId); - userSession.update(); - } - } - protected void removeUserSession(RealmModel realm, UserSessionEntity sessionEntity, boolean offline) { Cache cache = getCache(offline); tx.remove(cache, sessionEntity.getId()); - - if (sessionEntity.getClientSessions() != null) { - for (String clientSessionId : sessionEntity.getClientSessions()) { - tx.remove(cache, clientSessionId); - } - } } InfinispanKeycloakTransaction getTx() { @@ -560,11 +424,6 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { return models; } - ClientSessionAdapter wrap(RealmModel realm, ClientSessionEntity entity, boolean offline) { - Cache cache = getCache(offline); - return entity != null ? new ClientSessionAdapter(session, this, cache, realm, entity, offline) : null; - } - ClientInitialAccessAdapter wrap(RealmModel realm, ClientInitialAccessEntity entity) { Cache cache = getCache(false); return entity != null ? new ClientInitialAccessAdapter(session, this, cache, realm, entity) : null; @@ -574,14 +433,6 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { return entity != null ? new UserLoginFailureAdapter(this, loginFailureCache, key, entity) : null; } - List wrapClientSessions(RealmModel realm, Collection entities, boolean offline) { - List models = new LinkedList<>(); - for (ClientSessionEntity e : entities) { - models.add(wrap(realm, e, offline)); - } - return models; - } - UserSessionEntity getUserSessionEntity(UserSessionModel userSession, boolean offline) { if (userSession instanceof UserSessionAdapter) { return ((UserSessionAdapter) userSession).getEntity(); @@ -594,7 +445,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { @Override public UserSessionModel createOfflineUserSession(UserSessionModel userSession) { - UserSessionAdapter offlineUserSession = importUserSession(userSession, true); + UserSessionAdapter offlineUserSession = importUserSession(userSession, true, false); // started and lastSessionRefresh set to current time int currentTime = Time.currentTime(); @@ -605,7 +456,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { } @Override - public UserSessionModel getOfflineUserSession(RealmModel realm, String userSessionId) { + public UserSessionAdapter getOfflineUserSession(RealmModel realm, String userSessionId) { return getUserSession(realm, userSessionId, true); } @@ -617,26 +468,19 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { } } - // TODO:mposolda - /* + + @Override - public ClientSessionModel createOfflineClientSession(ClientSessionModel clientSession) { - ClientSessionAdapter offlineClientSession = importClientSession(clientSession, true); + public AuthenticatedClientSessionModel createOfflineClientSession(AuthenticatedClientSessionModel clientSession, UserSessionModel offlineUserSession) { + UserSessionAdapter userSessionAdapter = (offlineUserSession instanceof UserSessionAdapter) ? (UserSessionAdapter) offlineUserSession : + getOfflineUserSession(offlineUserSession.getRealm(), offlineUserSession.getId()); + + AuthenticatedClientSessionAdapter offlineClientSession = importClientSession(userSessionAdapter, clientSession); // update timestamp to current time offlineClientSession.setTimestamp(Time.currentTime()); return offlineClientSession; - }*/ - - @Override - public AuthenticatedClientSessionModel createOfflineClientSession(AuthenticatedClientSessionModel clientSession) { - return null; - } - - @Override - public ClientSessionModel getOfflineClientSession(RealmModel realm, String clientSessionId) { - return getClientSession(realm, clientSessionId, true); } @Override @@ -653,12 +497,6 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { return userSessions; } - @Override - public void removeOfflineClientSession(RealmModel realm, String clientSessionId) { - ClientSessionModel clientSession = getOfflineClientSession(realm, clientSessionId); - removeClientSession(realm, clientSession, true); - } - @Override public long getOfflineSessionsCount(RealmModel realm, ClientModel client) { return getUserSessionsCount(realm, client, true); @@ -670,7 +508,7 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { } @Override - public UserSessionAdapter importUserSession(UserSessionModel userSession, boolean offline) { + public UserSessionAdapter importUserSession(UserSessionModel userSession, boolean offline, boolean importAuthenticatedClientSessions) { UserSessionEntity entity = new UserSessionEntity(); entity.setId(userSession.getId()); entity.setRealm(userSession.getRealm().getId()); @@ -688,34 +526,45 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { entity.setStarted(userSession.getStarted()); entity.setLastSessionRefresh(userSession.getLastSessionRefresh()); + Cache cache = getCache(offline); tx.put(cache, userSession.getId(), entity); - return wrap(userSession.getRealm(), entity, offline); + UserSessionAdapter importedSession = wrap(userSession.getRealm(), entity, offline); + + // Handle client sessions + if (importAuthenticatedClientSessions) { + for (AuthenticatedClientSessionModel clientSession : userSession.getAuthenticatedClientSessions().values()) { + importClientSession(importedSession, clientSession); + } + } + + return importedSession; } - @Override - public ClientSessionAdapter importClientSession(ClientSessionModel clientSession, boolean offline) { - ClientSessionEntity entity = new ClientSessionEntity(); - entity.setId(clientSession.getId()); - entity.setRealm(clientSession.getRealm().getId()); + + private AuthenticatedClientSessionAdapter importClientSession(UserSessionAdapter importedUserSession, AuthenticatedClientSessionModel clientSession) { + AuthenticatedClientSessionEntity entity = new AuthenticatedClientSessionEntity(); entity.setAction(clientSession.getAction()); - entity.setAuthenticatorStatus(clientSession.getExecutionStatus()); entity.setAuthMethod(clientSession.getProtocol()); - if (clientSession.getAuthenticatedUser() != null) { - entity.setAuthUserId(clientSession.getAuthenticatedUser().getId()); - } - entity.setClient(clientSession.getClient().getId()); + entity.setNotes(clientSession.getNotes()); entity.setProtocolMappers(clientSession.getProtocolMappers()); entity.setRedirectUri(clientSession.getRedirectUri()); entity.setRoles(clientSession.getRoles()); entity.setTimestamp(clientSession.getTimestamp()); - entity.setUserSessionNotes(clientSession.getUserSessionNotes()); - Cache cache = getCache(offline); - tx.put(cache, clientSession.getId(), entity); - return wrap(clientSession.getRealm(), entity, offline); + Map clientSessions = importedUserSession.getEntity().getAuthenticatedClientSessions(); + if (clientSessions == null) { + clientSessions = new HashMap<>(); + importedUserSession.getEntity().setAuthenticatedClientSessions(clientSessions); + } + + clientSessions.put(clientSession.getClient().getId(), entity); + + importedUserSession.update(); + + return new AuthenticatedClientSessionAdapter(entity, clientSession.getClient(), importedUserSession, this, importedUserSession.getCache()); } @Override diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java index d87612acdf..8ab15f7a0e 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java @@ -19,12 +19,12 @@ package org.keycloak.models.sessions.infinispan; import org.infinispan.Cache; import org.keycloak.models.AuthenticatedClientSessionModel; -import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; -import org.keycloak.models.sessions.infinispan.entities.ClientLoginSessionEntity; +import org.keycloak.models.sessions.infinispan.entities.AuthenticatedClientSessionEntity; import org.keycloak.models.sessions.infinispan.entities.SessionEntity; import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; @@ -64,15 +64,31 @@ public class UserSessionAdapter implements UserSessionModel { @Override public Map getAuthenticatedClientSessions() { - Map clientSessionEntities = entity.getClientLoginSessions(); + Map clientSessionEntities = entity.getAuthenticatedClientSessions(); Map result = new HashMap<>(); + List removedClientUUIDS = new LinkedList<>(); + if (clientSessionEntities != null) { - clientSessionEntities.forEach((String key, ClientLoginSessionEntity value) -> { - result.put(key, new AuthenticatedClientSessionAdapter(value, this, provider, cache)); + clientSessionEntities.forEach((String key, AuthenticatedClientSessionEntity value) -> { + // Check if client still exists + ClientModel client = realm.getClientById(key); + if (client != null) { + result.put(key, new AuthenticatedClientSessionAdapter(value, client, this, provider, cache)); + } else { + removedClientUUIDS.add(key); + } }); } + // Update user session + if (!removedClientUUIDS.isEmpty()) { + for (String clientUUID : removedClientUUIDS) { + entity.getAuthenticatedClientSessions().remove(clientUUID); + } + update(); + } + return Collections.unmodifiableMap(result); } @@ -101,6 +117,7 @@ public class UserSessionAdapter implements UserSessionModel { @Override public void setUser(UserModel user) { entity.setUser(user.getId()); + update(); } @Override @@ -180,19 +197,14 @@ public class UserSessionAdapter implements UserSessionModel { } @Override - public List getClientSessions() { - if (entity.getClientSessions() != null) { - List clientSessions = new LinkedList<>(); - for (String c : entity.getClientSessions()) { - ClientSessionModel clientSession = provider.getClientSession(realm, c, offline); - if (clientSession != null) { - clientSessions.add(clientSession); - } - } - return clientSessions; - } else { - return Collections.emptyList(); - } + public void restartSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) { + provider.updateSessionEntity(entity, realm, user, loginUsername, ipAddress, authMethod, rememberMe, brokerSessionId, brokerUserId); + + entity.setState(null); + entity.setNotes(null); + entity.setAuthenticatedClientSessions(null); + + update(); } @Override @@ -217,4 +229,7 @@ public class UserSessionAdapter implements UserSessionModel { provider.getTx().replace(cache, entity.getId(), entity); } + Cache getCache() { + return cache; + } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientLoginSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java similarity index 91% rename from model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientLoginSessionEntity.java rename to model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java index 15ed11d455..c7839f4377 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientLoginSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java @@ -23,10 +23,9 @@ import java.util.Set; /** * @author Marek Posolda */ -public class ClientLoginSessionEntity { +public class AuthenticatedClientSessionEntity { private String id; - private String client; private String authMethod; private String redirectUri; private int timestamp; @@ -44,14 +43,6 @@ public class ClientLoginSessionEntity { this.id = id; } - public String getClient() { - return client; - } - - public void setClient(String client) { - this.client = client; - } - public String getAuthMethod() { return authMethod; } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java deleted file mode 100755 index 0cbdc79d9b..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientSessionEntity.java +++ /dev/null @@ -1,152 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.sessions.infinispan.entities; - -import org.keycloak.models.ClientSessionModel; - -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -/** - * @author Stian Thorgersen - */ -public class ClientSessionEntity extends SessionEntity { - - private String client; - - private String userSession; - - private String authMethod; - - private String redirectUri; - - private int timestamp; - - private String action; - - private Set roles; - private Set protocolMappers; - private Map notes; - private Map userSessionNotes; - private Map authenticatorStatus = new HashMap<>(); - private String authUserId; - private Set requiredActions = new HashSet<>(); - - - public String getClient() { - return client; - } - - public void setClient(String client) { - this.client = client; - } - - public String getUserSession() { - return userSession; - } - - public void setUserSession(String userSession) { - this.userSession = userSession; - } - - public String getAuthMethod() { - return authMethod; - } - - public void setAuthMethod(String authMethod) { - this.authMethod = authMethod; - } - - public String getRedirectUri() { - return redirectUri; - } - - public void setRedirectUri(String redirectUri) { - this.redirectUri = redirectUri; - } - - public int getTimestamp() { - return timestamp; - } - - public void setTimestamp(int timestamp) { - this.timestamp = timestamp; - } - - public String getAction() { - return action; - } - - public void setAction(String action) { - this.action = action; - } - - public Set getRoles() { - return roles; - } - - public void setRoles(Set roles) { - this.roles = roles; - } - - public Set getProtocolMappers() { - return protocolMappers; - } - - public void setProtocolMappers(Set protocolMappers) { - this.protocolMappers = protocolMappers; - } - - public Map getNotes() { - return notes; - } - - public void setNotes(Map notes) { - this.notes = notes; - } - - public Map getAuthenticatorStatus() { - return authenticatorStatus; - } - - public void setAuthenticatorStatus(Map authenticatorStatus) { - this.authenticatorStatus = authenticatorStatus; - } - - public String getAuthUserId() { - return authUserId; - } - - public void setAuthUserId(String authUserId) { - this.authUserId = authUserId; - } - - public Map getUserSessionNotes() { - return userSessionNotes; - } - - public void setUserSessionNotes(Map userSessionNotes) { - this.userSessionNotes = userSessionNotes; - } - - public Set getRequiredActions() { - return requiredActions; - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java index 3a5a4eb7f4..54d182f0d8 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java @@ -46,13 +46,11 @@ public class UserSessionEntity extends SessionEntity { private int lastSessionRefresh; - private Set clientSessions = new CopyOnWriteArraySet<>(); - private UserSessionModel.State state; private Map notes = new ConcurrentHashMap<>(); - private Map clientLoginSessions; + private Map authenticatedClientSessions; public String getUser() { return user; @@ -110,10 +108,6 @@ public class UserSessionEntity extends SessionEntity { this.lastSessionRefresh = lastSessionRefresh; } - public Set getClientSessions() { - return clientSessions; - } - public Map getNotes() { return notes; } @@ -122,12 +116,12 @@ public class UserSessionEntity extends SessionEntity { this.notes = notes; } - public Map getClientLoginSessions() { - return clientLoginSessions; + public Map getAuthenticatedClientSessions() { + return authenticatedClientSessions; } - public void setClientLoginSessions(Map clientLoginSessions) { - this.clientLoginSessions = clientLoginSessions; + public void setAuthenticatedClientSessions(Map authenticatedClientSessions) { + this.authenticatedClientSessions = authenticatedClientSessions; } public UserSessionModel.State getState() { diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/initializer/OfflineUserSessionLoader.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/initializer/OfflineUserSessionLoader.java index 83a3885172..2b6fb71752 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/initializer/OfflineUserSessionLoader.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/initializer/OfflineUserSessionLoader.java @@ -19,7 +19,6 @@ package org.keycloak.models.sessions.infinispan.initializer; import org.jboss.logging.Logger; import org.keycloak.cluster.ClusterProvider; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.UserSessionModel; import org.keycloak.models.session.UserSessionPersisterProvider; @@ -64,12 +63,7 @@ public class OfflineUserSessionLoader implements SessionLoader { for (UserSessionModel persistentSession : sessions) { // Save to memory/infinispan - UserSessionModel offlineUserSession = session.sessions().importUserSession(persistentSession, true); - - for (ClientSessionModel persistentClientSession : persistentSession.getClientSessions()) { - ClientSessionModel offlineClientSession = session.sessions().importClientSession(persistentClientSession, true); - offlineClientSession.setUserSession(offlineUserSession); - } + UserSessionModel offlineUserSession = session.sessions().importUserSession(persistentSession, true, true); } return true; diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionMapper.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionMapper.java deleted file mode 100644 index 351921591c..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionMapper.java +++ /dev/null @@ -1,129 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.sessions.infinispan.mapreduce; - -import org.infinispan.distexec.mapreduce.Collector; -import org.infinispan.distexec.mapreduce.Mapper; -import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity; -import org.keycloak.models.sessions.infinispan.entities.SessionEntity; - -import java.io.Serializable; - -/** - * @author Stian Thorgersen - */ -public class ClientSessionMapper implements Mapper, Serializable { - - public ClientSessionMapper(String realm) { - this.realm = realm; - } - - private enum EmitValue { - KEY, ENTITY, USER_SESSION_AND_TIMESTAMP - } - - private String realm; - - private EmitValue emit = EmitValue.ENTITY; - - private String client; - - private String userSession; - - private Long expiredRefresh; - - private Boolean requireNullUserSession = false; - - public static ClientSessionMapper create(String realm) { - return new ClientSessionMapper(realm); - } - - public ClientSessionMapper emitKey() { - emit = EmitValue.KEY; - return this; - } - - public ClientSessionMapper emitUserSessionAndTimestamp() { - emit = EmitValue.USER_SESSION_AND_TIMESTAMP; - return this; - } - - public ClientSessionMapper client(String client) { - this.client = client; - return this; - } - - public ClientSessionMapper userSession(String userSession) { - this.userSession = userSession; - return this; - } - - public ClientSessionMapper expiredRefresh(long expiredRefresh) { - this.expiredRefresh = expiredRefresh; - return this; - } - - public ClientSessionMapper requireNullUserSession(boolean requireNullUserSession) { - this.requireNullUserSession = requireNullUserSession; - return this; - } - - @Override - public void map(String key, SessionEntity e, Collector collector) { - if (!realm.equals(e.getRealm())) { - return; - } - - if (!(e instanceof ClientSessionEntity)) { - return; - } - - ClientSessionEntity entity = (ClientSessionEntity) e; - - if (client != null && !entity.getClient().equals(client)) { - return; - } - - if (userSession != null && !userSession.equals(entity.getUserSession())) { - return; - } - - if (requireNullUserSession && entity.getUserSession() != null) { - return; - } - - if (expiredRefresh != null && entity.getTimestamp() > expiredRefresh) { - return; - } - - switch (emit) { - case KEY: - collector.emit(key, key); - break; - case ENTITY: - collector.emit(key, entity); - break; - case USER_SESSION_AND_TIMESTAMP: - if (entity.getUserSession() != null) { - collector.emit(entity.getUserSession(), entity.getTimestamp()); - } - break; - } - } - -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionsOfUserSessionMapper.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionsOfUserSessionMapper.java deleted file mode 100644 index 971f89af19..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientSessionsOfUserSessionMapper.java +++ /dev/null @@ -1,77 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.sessions.infinispan.mapreduce; - -import org.infinispan.distexec.mapreduce.Collector; -import org.infinispan.distexec.mapreduce.Mapper; -import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity; -import org.keycloak.models.sessions.infinispan.entities.SessionEntity; - -import java.io.Serializable; -import java.util.Collection; - -/** - * Return all clientSessions attached to any from input list of userSessions - * - * @author Marek Posolda - */ -public class ClientSessionsOfUserSessionMapper implements Mapper, Serializable { - - private String realm; - private Collection userSessions; - - private EmitValue emit = EmitValue.ENTITY; - - private enum EmitValue { - KEY, ENTITY - } - - public ClientSessionsOfUserSessionMapper(String realm, Collection userSessions) { - this.realm = realm; - this.userSessions = userSessions; - } - - public ClientSessionsOfUserSessionMapper emitKey() { - emit = EmitValue.KEY; - return this; - } - - @Override - public void map(String key, SessionEntity e, Collector collector) { - if (!realm.equals(e.getRealm())) { - return; - } - - if (!(e instanceof ClientSessionEntity)) { - return; - } - - ClientSessionEntity entity = (ClientSessionEntity) e; - - if (userSessions.contains(entity.getUserSession())) { - switch (emit) { - case KEY: - collector.emit(entity.getId(), entity.getId()); - break; - case ENTITY: - collector.emit(entity.getId(), entity); - break; - } - } - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/ClientSessionPredicate.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/ClientSessionPredicate.java deleted file mode 100644 index 0f3ce5aebf..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/ClientSessionPredicate.java +++ /dev/null @@ -1,114 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.sessions.infinispan.stream; - -import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity; -import org.keycloak.models.sessions.infinispan.entities.SessionEntity; - -import java.io.Serializable; -import java.util.Map; -import java.util.function.Predicate; - -/** - * @author Stian Thorgersen - */ -public class ClientSessionPredicate implements Predicate>, Serializable { - - private String realm; - - private String client; - - private String userSession; - - private Long expiredRefresh; - - private Boolean requireUserSession = false; - - private Boolean requireNullUserSession = false; - - private ClientSessionPredicate(String realm) { - this.realm = realm; - } - - public static ClientSessionPredicate create(String realm) { - return new ClientSessionPredicate(realm); - } - - public ClientSessionPredicate client(String client) { - this.client = client; - return this; - } - - public ClientSessionPredicate userSession(String userSession) { - this.userSession = userSession; - return this; - } - - public ClientSessionPredicate expiredRefresh(long expiredRefresh) { - this.expiredRefresh = expiredRefresh; - return this; - } - - public ClientSessionPredicate requireUserSession() { - requireUserSession = true; - return this; - } - - public ClientSessionPredicate requireNullUserSession() { - requireNullUserSession = true; - return this; - } - - @Override - public boolean test(Map.Entry entry) { - SessionEntity e = entry.getValue(); - - if (!realm.equals(e.getRealm())) { - return false; - } - - if (!(e instanceof ClientSessionEntity)) { - return false; - } - - ClientSessionEntity entity = (ClientSessionEntity) e; - - if (client != null && !entity.getClient().equals(client)) { - return false; - } - - if (userSession != null && !userSession.equals(entity.getUserSession())) { - return false; - } - - if (requireUserSession && entity.getUserSession() == null) { - return false; - } - - if (requireNullUserSession && entity.getUserSession() != null) { - return false; - } - - if (expiredRefresh != null && entity.getTimestamp() > expiredRefresh) { - return false; - } - - return true; - } - -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Comparators.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Comparators.java index 4907ec1ed2..ec2a2cb853 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Comparators.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Comparators.java @@ -18,6 +18,8 @@ package org.keycloak.models.sessions.infinispan.stream; import org.keycloak.models.sessions.infinispan.UserSessionTimestamp; +import org.keycloak.models.sessions.infinispan.entities.SessionEntity; +import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; import java.io.Serializable; import java.util.Comparator; @@ -38,4 +40,17 @@ public class Comparators { } } + + public static Comparator userSessionLastSessionRefresh() { + return new UserSessionLastSessionRefreshComparator(); + } + + private static class UserSessionLastSessionRefreshComparator implements Comparator, Serializable { + + @Override + public int compare(UserSessionEntity u1, UserSessionEntity u2) { + return u1.getLastSessionRefresh() - u2.getLastSessionRefresh(); + } + } + } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Mappers.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Mappers.java index 6bf13580ed..dd2db6821f 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Mappers.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/Mappers.java @@ -18,10 +18,10 @@ package org.keycloak.models.sessions.infinispan.stream; import org.keycloak.models.sessions.infinispan.UserSessionTimestamp; -import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity; import org.keycloak.models.sessions.infinispan.entities.LoginFailureEntity; import org.keycloak.models.sessions.infinispan.entities.LoginFailureKey; import org.keycloak.models.sessions.infinispan.entities.SessionEntity; +import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity; import java.io.Serializable; import java.util.Map; @@ -33,10 +33,6 @@ import java.util.function.Function; */ public class Mappers { - public static Function, UserSessionTimestamp> clientSessionToUserSessionTimestamp() { - return new ClientSessionToUserSessionTimestampMapper(); - } - public static Function>, UserSessionTimestamp> userSessionTimestamp() { return new UserSessionTimestampMapper(); } @@ -49,23 +45,14 @@ public class Mappers { return new SessionEntityMapper(); } + public static Function, UserSessionEntity> userSessionEntity() { + return new UserSessionEntityMapper(); + } + public static Function, LoginFailureKey> loginFailureId() { return new LoginFailureIdMapper(); } - public static Function, String> clientSessionToUserSessionId() { - return new ClientSessionToUserSessionIdMapper(); - } - - private static class ClientSessionToUserSessionTimestampMapper implements Function, UserSessionTimestamp>, Serializable { - @Override - public UserSessionTimestamp apply(Map.Entry entry) { - SessionEntity e = entry.getValue(); - ClientSessionEntity entity = (ClientSessionEntity) e; - return new UserSessionTimestamp(entity.getUserSession(), entity.getTimestamp()); - } - } - private static class UserSessionTimestampMapper implements Function>, org.keycloak.models.sessions.infinispan.UserSessionTimestamp>, Serializable { @Override public org.keycloak.models.sessions.infinispan.UserSessionTimestamp apply(Map.Entry> e) { @@ -87,6 +74,13 @@ public class Mappers { } } + private static class UserSessionEntityMapper implements Function, UserSessionEntity>, Serializable { + @Override + public UserSessionEntity apply(Map.Entry entry) { + return (UserSessionEntity) entry.getValue(); + } + } + private static class LoginFailureIdMapper implements Function, LoginFailureKey>, Serializable { @Override public LoginFailureKey apply(Map.Entry entry) { @@ -94,12 +88,4 @@ public class Mappers { } } - private static class ClientSessionToUserSessionIdMapper implements Function, String>, Serializable { - @Override - public String apply(Map.Entry entry) { - SessionEntity e = entry.getValue(); - ClientSessionEntity entity = (ClientSessionEntity) e; - return entity.getUserSession(); - } - } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/UserSessionPredicate.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/UserSessionPredicate.java index 77ff572305..0cc3fccf97 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/UserSessionPredicate.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/stream/UserSessionPredicate.java @@ -33,6 +33,8 @@ public class UserSessionPredicate implements PredicateMarek Posolda @@ -69,12 +69,11 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv } @Override - public void createClientSession(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, boolean offline) { + public void createClientSession(AuthenticatedClientSessionModel clientSession, boolean offline) { PersistentAuthenticatedClientSessionAdapter adapter = new PersistentAuthenticatedClientSessionAdapter(clientSession); PersistentClientSessionModel model = adapter.getUpdatedModel(); PersistentClientSessionEntity entity = new PersistentClientSessionEntity(); - entity.setClientSessionId(clientSession.getId()); entity.setClientId(clientSession.getClient().getId()); entity.setTimestamp(clientSession.getTimestamp()); String offlineStr = offlineToString(offline); @@ -122,9 +121,9 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv } @Override - public void removeClientSession(String clientSessionId, boolean offline) { + public void removeClientSession(String userSessionId, String clientUUID, boolean offline) { String offlineStr = offlineToString(offline); - PersistentClientSessionEntity sessionEntity = em.find(PersistentClientSessionEntity.class, new PersistentClientSessionEntity.Key(clientSessionId, offlineStr)); + PersistentClientSessionEntity sessionEntity = em.find(PersistentClientSessionEntity.class, new PersistentClientSessionEntity.Key(userSessionId, clientUUID, offlineStr)); if (sessionEntity != null) { em.remove(sessionEntity); @@ -218,8 +217,6 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv userSessionIds.add(entity.getUserSessionId()); } - // TODO:mposolda - /* if (!userSessionIds.isEmpty()) { TypedQuery query2 = em.createNamedQuery("findClientSessionsByUserSessions", PersistentClientSessionEntity.class); query2.setParameter("userSessionIds", userSessionIds); @@ -230,14 +227,14 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv int j = 0; for (UserSessionModel ss : result) { PersistentUserSessionAdapter userSession = (PersistentUserSessionAdapter) ss; - List currentClientSessions = userSession.getClientSessions(); // This is empty now and we want to fill it + Map currentClientSessions = userSession.getAuthenticatedClientSessions(); // This is empty now and we want to fill it boolean next = true; while (next && j < clientSessions.size()) { PersistentClientSessionEntity clientSession = clientSessions.get(j); if (clientSession.getUserSessionId().equals(userSession.getId())) { - PersistentClientSessionAdapter clientSessAdapter = toAdapter(userSession.getRealm(), userSession, clientSession); - currentClientSessions.add(clientSessAdapter); + PersistentAuthenticatedClientSessionAdapter clientSessAdapter = toAdapter(userSession.getRealm(), userSession, clientSession); + currentClientSessions.put(clientSession.getClientId(), clientSessAdapter); j++; } else { next = false; @@ -245,7 +242,7 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv } } } - */ + return result; } @@ -256,7 +253,7 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv model.setLastSessionRefresh(entity.getLastSessionRefresh()); model.setData(entity.getData()); - List clientSessions = new LinkedList<>(); + Map clientSessions = new HashMap<>(); return new PersistentUserSessionAdapter(model, realm, user, clientSessions); } @@ -264,7 +261,6 @@ public class JpaUserSessionPersisterProvider implements UserSessionPersisterProv ClientModel client = realm.getClientById(entity.getClientId()); PersistentClientSessionModel model = new PersistentClientSessionModel(); - model.setClientSessionId(entity.getClientSessionId()); model.setClientId(entity.getClientId()); model.setUserSessionId(userSession.getId()); model.setUserId(userSession.getUser().getId()); diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProviderFactory.java b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProviderFactory.java index 35265afe30..e12223df35 100644 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProviderFactory.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProviderFactory.java @@ -20,7 +20,6 @@ package org.keycloak.models.jpa.session; import org.keycloak.Config; import org.keycloak.connections.jpa.JpaConnectionProvider; import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.session.UserSessionPersisterProvider; import org.keycloak.models.session.UserSessionPersisterProviderFactory; diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/session/PersistentClientSessionEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/session/PersistentClientSessionEntity.java index 7250836580..8910bca948 100644 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/session/PersistentClientSessionEntity.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/session/PersistentClientSessionEntity.java @@ -45,12 +45,10 @@ import java.io.Serializable; public class PersistentClientSessionEntity { @Id - @Column(name="CLIENT_SESSION_ID", length = 36) - protected String clientSessionId; - @Column(name = "USER_SESSION_ID", length = 36) protected String userSessionId; + @Id @Column(name="CLIENT_ID", length = 36) protected String clientId; @@ -64,14 +62,6 @@ public class PersistentClientSessionEntity { @Column(name="DATA") protected String data; - public String getClientSessionId() { - return clientSessionId; - } - - public void setClientSessionId(String clientSessionId) { - this.clientSessionId = clientSessionId; - } - public String getUserSessionId() { return userSessionId; } @@ -114,20 +104,27 @@ public class PersistentClientSessionEntity { public static class Key implements Serializable { - protected String clientSessionId; + protected String userSessionId; + + protected String clientId; protected String offline; public Key() { } - public Key(String clientSessionId, String offline) { - this.clientSessionId = clientSessionId; + public Key(String userSessionId, String clientId, String offline) { + this.userSessionId = userSessionId; + this.clientId = clientId; this.offline = offline; } - public String getClientSessionId() { - return clientSessionId; + public String getUserSessionId() { + return userSessionId; + } + + public String getClientId() { + return clientId; } public String getOffline() { @@ -141,7 +138,8 @@ public class PersistentClientSessionEntity { Key key = (Key) o; - if (this.clientSessionId != null ? !this.clientSessionId.equals(key.clientSessionId) : key.clientSessionId != null) return false; + if (this.userSessionId != null ? !this.userSessionId.equals(key.userSessionId) : key.userSessionId != null) return false; + if (this.clientId != null ? !this.clientId.equals(key.clientId) : key.clientId != null) return false; if (this.offline != null ? !this.offline.equals(key.offline) : key.offline != null) return false; return true; @@ -149,7 +147,8 @@ public class PersistentClientSessionEntity { @Override public int hashCode() { - int result = this.clientSessionId != null ? this.clientSessionId.hashCode() : 0; + int result = this.userSessionId != null ? this.userSessionId.hashCode() : 0; + result = 37 * result + (this.clientId != null ? this.clientId.hashCode() : 0); result = 31 * result + (this.offline != null ? this.offline.hashCode() : 0); return result; } diff --git a/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml b/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml new file mode 100644 index 0000000000..c453a2e627 --- /dev/null +++ b/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + + \ No newline at end of file diff --git a/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml b/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml index 59855ec614..ae7d98b4e4 100755 --- a/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml +++ b/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml @@ -47,4 +47,5 @@ + diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java index 9d71b78202..0320299c83 100755 --- a/server-spi-private/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java @@ -17,7 +17,6 @@ package org.keycloak.broker.provider; import org.keycloak.events.EventBuilder; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.IdentityProviderModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java index 7affd99944..ba8276f497 100644 --- a/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java +++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/AuthenticationRequest.java @@ -17,7 +17,6 @@ package org.keycloak.broker.provider; import org.jboss.resteasy.spi.HttpRequest; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.sessions.AuthenticationSessionModel; diff --git a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java index f94e5881d8..32195ef4db 100755 --- a/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java @@ -78,8 +78,6 @@ public interface LoginFormsProvider extends Provider { public LoginFormsProvider setClientSessionCode(String accessCode); - public LoginFormsProvider setAuthenticationSession(AuthenticationSessionModel authenticationSession); - public LoginFormsProvider setAccessRequest(List realmRolesRequested, MultivaluedMap resourceRolesRequested, List protocolMappers); public LoginFormsProvider setAccessRequest(String message); diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java b/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java index 51efc238ad..10b28a28ba 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/DisabledUserSessionPersisterProvider.java @@ -70,7 +70,7 @@ public class DisabledUserSessionPersisterProvider implements UserSessionPersiste } @Override - public void createClientSession(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, boolean offline) { + public void createClientSession(AuthenticatedClientSessionModel clientSession, boolean offline) { } @@ -85,7 +85,7 @@ public class DisabledUserSessionPersisterProvider implements UserSessionPersiste } @Override - public void removeClientSession(String clientSessionId, boolean offline) { + public void removeClientSession(String userSessionId, String clientUUID, boolean offline) { } diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java index d410aba2be..20c3cb6a4d 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java @@ -20,7 +20,6 @@ package org.keycloak.models.session; import com.fasterxml.jackson.annotation.JsonProperty; import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; @@ -55,10 +54,7 @@ public class PersistentAuthenticatedClientSessionAdapter implements Authenticate model = new PersistentClientSessionModel(); model.setClientId(clientSession.getClient().getId()); - model.setClientSessionId(clientSession.getId()); - if (clientSession.getUserSession() != null) { - model.setUserId(clientSession.getUserSession().getUser().getId()); - } + model.setUserId(clientSession.getUserSession().getUser().getId()); model.setUserSessionId(clientSession.getUserSession().getId()); model.setTimestamp(clientSession.getTimestamp()); @@ -101,7 +97,7 @@ public class PersistentAuthenticatedClientSessionAdapter implements Authenticate @Override public String getId() { - return model.getClientSessionId(); + return null; } @Override @@ -194,7 +190,7 @@ public class PersistentAuthenticatedClientSessionAdapter implements Authenticate public void setNote(String name, String value) { PersistentClientSessionData entity = getData(); if (entity.getNotes() == null) { - entity.setNotes(new HashMap()); + entity.setNotes(new HashMap<>()); } entity.getNotes().put(name, value); } @@ -214,13 +210,12 @@ public class PersistentAuthenticatedClientSessionAdapter implements Authenticate return entity.getNotes(); } - @Override public boolean equals(Object o) { if (this == o) return true; - if (o == null || !(o instanceof ClientSessionModel)) return false; + if (o == null || !(o instanceof AuthenticatedClientSessionModel)) return false; - ClientSessionModel that = (ClientSessionModel) o; + AuthenticatedClientSessionModel that = (AuthenticatedClientSessionModel) o; return that.getId().equals(getId()); } diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionModel.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionModel.java index 5990eeafe1..ee33fedf03 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionModel.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentClientSessionModel.java @@ -22,20 +22,12 @@ package org.keycloak.models.session; */ public class PersistentClientSessionModel { - private String clientSessionId; private String userSessionId; private String clientId; private String userId; private int timestamp; private String data; - public String getClientSessionId() { - return clientSessionId; - } - - public void setClientSessionId(String clientSessionId) { - this.clientSessionId = clientSessionId; - } public String getUserSessionId() { return userSessionId; diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java index 7ba4bc49d1..170d381c49 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java @@ -19,7 +19,6 @@ package org.keycloak.models.session; import com.fasterxml.jackson.annotation.JsonProperty; import org.keycloak.models.AuthenticatedClientSessionModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ModelException; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; @@ -28,7 +27,6 @@ import org.keycloak.util.JsonSerialization; import java.io.IOException; import java.util.HashMap; -import java.util.List; import java.util.Map; /** @@ -39,7 +37,7 @@ public class PersistentUserSessionAdapter implements UserSessionModel { private final PersistentUserSessionModel model; private final UserModel user; private final RealmModel realm; - private final List clientSessions; + private final Map authenticatedClientSessions; private PersistentUserSessionData data; @@ -60,14 +58,14 @@ public class PersistentUserSessionAdapter implements UserSessionModel { this.user = other.getUser(); this.realm = other.getRealm(); - this.clientSessions = other.getClientSessions(); + this.authenticatedClientSessions = other.getAuthenticatedClientSessions(); } - public PersistentUserSessionAdapter(PersistentUserSessionModel model, RealmModel realm, UserModel user, List clientSessions) { + public PersistentUserSessionAdapter(PersistentUserSessionModel model, RealmModel realm, UserModel user, Map clientSessions) { this.model = model; this.realm = realm; this.user = user; - this.clientSessions = clientSessions; + this.authenticatedClientSessions = clientSessions; } // Lazily init data @@ -160,15 +158,9 @@ public class PersistentUserSessionAdapter implements UserSessionModel { model.setLastSessionRefresh(seconds); } - @Override - public List getClientSessions() { - return clientSessions; - } - - // TODO:mposolda @Override public Map getAuthenticatedClientSessions() { - return null; + return authenticatedClientSessions; } @Override @@ -208,6 +200,11 @@ public class PersistentUserSessionAdapter implements UserSessionModel { getData().setState(state); } + @Override + public void restartSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId) { + throw new IllegalStateException("Not supported"); + } + @Override public boolean equals(Object o) { if (this == o) return true; diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java b/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java index c5370edec7..ba5a595f76 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/UserSessionPersisterProvider.java @@ -35,7 +35,7 @@ public interface UserSessionPersisterProvider extends Provider { void createUserSession(UserSessionModel userSession, boolean offline); // Assuming that corresponding userSession is already persisted - void createClientSession(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession, boolean offline); + void createClientSession(AuthenticatedClientSessionModel clientSession, boolean offline); void updateUserSession(UserSessionModel userSession, boolean offline); @@ -43,7 +43,7 @@ public interface UserSessionPersisterProvider extends Provider { void removeUserSession(String userSessionId, boolean offline); // Called during revoke. It will remove userSession too if this was last clientSession attached to it - void removeClientSession(String clientSessionId, boolean offline); + void removeClientSession(String userSessionId, String clientUUID, boolean offline); void onRealmRemoved(RealmModel realm); void onClientRemoved(RealmModel realm, ClientModel client); diff --git a/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java b/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java index 15dc57f89e..099a39c467 100644 --- a/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/AuthenticatedClientSessionModel.java @@ -30,8 +30,8 @@ public interface AuthenticatedClientSessionModel extends CommonClientSessionMode void setUserSession(UserSessionModel userSession); UserSessionModel getUserSession(); - public String getNote(String name); - public void setNote(String name, String value); - public void removeNote(String name); - public Map getNotes(); + String getNote(String name); + void setNote(String name, String value); + void removeNote(String name); + Map getNotes(); } diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java b/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java index 0dc2f5c3c7..28a31457c1 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionModel.java @@ -17,7 +17,6 @@ package org.keycloak.models; -import java.util.List; import java.util.Map; /** @@ -55,9 +54,6 @@ public interface UserSessionModel { Map getAuthenticatedClientSessions(); - // TODO: Remove - List getClientSessions(); - public String getNote(String name); public void setNote(String name, String value); public void removeNote(String name); @@ -68,8 +64,10 @@ public interface UserSessionModel { void setUser(UserModel user); + // Will completely restart whole state of user session. It will just keep same ID. + void restartSession(RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId); + public static enum State { - LOGGING_IN, // TODO:mposolda Maybe state "LOGGING_IN" is useless now once userSession is attached after requiredActions LOGGED_IN, LOGGING_OUT, LOGGED_OUT diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java index 1afbcbaad3..d474e89a71 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java @@ -27,10 +27,7 @@ import java.util.List; */ public interface UserSessionProvider extends Provider { - ClientSessionModel createClientSession(RealmModel realm, ClientModel client); AuthenticatedClientSessionModel createClientSession(RealmModel realm, ClientModel client, UserSessionModel userSession); - ClientSessionModel getClientSession(RealmModel realm, String id); - ClientSessionModel getClientSession(String id); UserSessionModel createUserSession(String id, RealmModel realm, UserModel user, String loginUsername, String ipAddress, String authMethod, boolean rememberMe, String brokerSessionId, String brokerUserId); UserSessionModel getUserSession(RealmModel realm, String id); @@ -42,14 +39,13 @@ public interface UserSessionProvider extends Provider { long getActiveUserSessions(RealmModel realm, ClientModel client); - // This will remove attached ClientLoginSessionModels too + /** This will remove attached ClientLoginSessionModels too **/ void removeUserSession(RealmModel realm, UserSessionModel session); void removeUserSessions(RealmModel realm, UserModel user); - // Implementation should propagate removal of expired userSessions to userSessionPersister too + /** Implementation should propagate removal of expired userSessions to userSessionPersister too **/ void removeExpired(RealmModel realm); void removeUserSessions(RealmModel realm); - void removeClientSession(RealmModel realm, ClientSessionModel clientSession); UserLoginFailureModel getUserLoginFailure(RealmModel realm, String userId); UserLoginFailureModel addUserLoginFailure(RealmModel realm, String userId); @@ -59,25 +55,22 @@ public interface UserSessionProvider extends Provider { void onRealmRemoved(RealmModel realm); void onClientRemoved(RealmModel realm, ClientModel client); + /** Newly created userSession won't contain attached AuthenticatedClientSessions **/ UserSessionModel createOfflineUserSession(UserSessionModel userSession); UserSessionModel getOfflineUserSession(RealmModel realm, String userSessionId); - // Removes the attached clientSessions as well + /** Removes the attached clientSessions as well **/ void removeOfflineUserSession(RealmModel realm, UserSessionModel userSession); - AuthenticatedClientSessionModel createOfflineClientSession(AuthenticatedClientSessionModel clientSession); - ClientSessionModel getOfflineClientSession(RealmModel realm, String clientSessionId); + /** Will automatically attach newly created offline client session to the offlineUserSession **/ + AuthenticatedClientSessionModel createOfflineClientSession(AuthenticatedClientSessionModel clientSession, UserSessionModel offlineUserSession); List getOfflineUserSessions(RealmModel realm, UserModel user); - // Don't remove userSession even if it's last userSession - void removeOfflineClientSession(RealmModel realm, String clientSessionId); - long getOfflineSessionsCount(RealmModel realm, ClientModel client); List getOfflineUserSessions(RealmModel realm, ClientModel client, int first, int max); - // Triggered by persister during pre-load - UserSessionModel importUserSession(UserSessionModel persistentUserSession, boolean offline); - ClientSessionModel importClientSession(ClientSessionModel persistentClientSession, boolean offline); + /** Triggered by persister during pre-load. It optionally imports authenticatedClientSessions too if requested. Otherwise the imported UserSession will have empty list of AuthenticationSessionModel **/ + UserSessionModel importUserSession(UserSessionModel persistentUserSession, boolean offline, boolean importAuthenticatedClientSessions); ClientInitialAccessModel createClientInitialAccessModel(RealmModel realm, int expiration, int count); ClientInitialAccessModel getClientInitialAccessModel(RealmModel realm, String id); diff --git a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java index 42884cc5e2..f284d934ff 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java @@ -35,7 +35,6 @@ public interface AuthenticationSessionProvider extends Provider { void removeAuthenticationSession(RealmModel realm, AuthenticationSessionModel authenticationSession); - // TODO: test and add to scheduler void removeExpired(RealmModel realm); void onRealmRemoved(RealmModel realm); void onClientRemoved(RealmModel realm, ClientModel client); diff --git a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java index 0daec9ac5e..242709195f 100755 --- a/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java +++ b/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java @@ -33,7 +33,6 @@ import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.AuthenticatorConfigModel; import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; @@ -53,11 +52,11 @@ import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; -import org.keycloak.services.util.PageExpiredRedirect; +import org.keycloak.services.util.AuthenticationFlowURLHelper; import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.CommonClientSessionModel; import javax.ws.rs.core.Response; -import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import java.net.URI; import java.util.HashMap; @@ -73,7 +72,6 @@ public class AuthenticationProcessor { public static final String LAST_PROCESSED_EXECUTION = "last.processed.execution"; public static final String CURRENT_FLOW_PATH = "current.flow.path"; public static final String FORKED_FROM = "forked.from"; - public static final String FORWARDED_ERROR_MESSAGE_NOTE = "forwardedErrorMessage"; public static final String BROKER_SESSION_ID = "broker.session.id"; public static final String BROKER_USER_ID = "broker.user.id"; @@ -595,9 +593,9 @@ public class AuthenticationProcessor { } public boolean isSuccessful(AuthenticationExecutionModel model) { - ClientSessionModel.ExecutionStatus status = authenticationSession.getExecutionStatus().get(model.getId()); + AuthenticationSessionModel.ExecutionStatus status = authenticationSession.getExecutionStatus().get(model.getId()); if (status == null) return false; - return status == ClientSessionModel.ExecutionStatus.SUCCESS; + return status == AuthenticationSessionModel.ExecutionStatus.SUCCESS; } public Response handleBrowserException(Exception failure) { @@ -629,7 +627,7 @@ public class AuthenticationProcessor { } else if (e.getError() == AuthenticationFlowError.FORK_FLOW) { ForkFlowException reset = (ForkFlowException)e; AuthenticationSessionModel clone = clone(session, authenticationSession); - clone.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + clone.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name()); setAuthenticationSession(clone); AuthenticationProcessor processor = new AuthenticationProcessor(); @@ -726,9 +724,9 @@ public class AuthenticationProcessor { public Response redirectToFlow() { - URI redirect = new PageExpiredRedirect(session, realm, uriInfo).getLastExecutionUrl(authenticationSession); + URI redirect = new AuthenticationFlowURLHelper(session, realm, uriInfo).getLastExecutionUrl(authenticationSession); - logger.info("Redirecting to URL: " + redirect.toString()); + logger.debug("Redirecting to URL: " + redirect.toString()); return Response.status(302).location(redirect).build(); @@ -750,6 +748,8 @@ public class AuthenticationProcessor { authSession.clearUserSessionNotes(); authSession.clearAuthNotes(); + authSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name()); + authSession.setAuthNote(CURRENT_FLOW_PATH, flowPath); } @@ -766,7 +766,7 @@ public class AuthenticationProcessor { clone.setTimestamp(Time.currentTime()); clone.setAuthNote(FORKED_FROM, authSession.getId()); - logger.infof("Forked authSession %s from authSession %s", clone.getId(), authSession.getId()); + logger.debugf("Forked authSession %s from authSession %s", clone.getId(), authSession.getId()); return clone; @@ -777,10 +777,9 @@ public class AuthenticationProcessor { logger.debug("authenticationAction"); checkClientSession(true); String current = authenticationSession.getAuthNote(CURRENT_AUTHENTICATION_EXECUTION); - if (!execution.equals(current)) { - // TODO:mposolda debug - logger.info("Current execution does not equal executed execution. Might be a page refresh"); - return new PageExpiredRedirect(session, realm, uriInfo).showPageExpired(authenticationSession); + if (execution == null || !execution.equals(current)) { + logger.debug("Current execution does not equal executed execution. Might be a page refresh"); + return new AuthenticationFlowURLHelper(session, realm, uriInfo).showPageExpired(authenticationSession); } UserModel authUser = authenticationSession.getAuthenticatedUser(); validateUser(authUser); @@ -812,7 +811,7 @@ public class AuthenticationProcessor { ClientSessionCode code = new ClientSessionCode(session, realm, authenticationSession); if (checkAction) { - String action = ClientSessionModel.Action.AUTHENTICATE.name(); + String action = AuthenticationSessionModel.Action.AUTHENTICATE.name(); if (!code.isValidAction(action)) { throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CLIENT_SESSION); } @@ -862,26 +861,29 @@ public class AuthenticationProcessor { if (attemptedUsername != null) username = attemptedUsername; String rememberMe = authSession.getAuthNote(Details.REMEMBER_ME); boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("true"); + String brokerSessionId = authSession.getAuthNote(BROKER_SESSION_ID); + String brokerUserId = authSession.getAuthNote(BROKER_USER_ID); if (userSession == null) { // if no authenticator attached a usersession userSession = session.sessions().getUserSession(realm, authSession.getId()); if (userSession == null) { - String brokerSessionId = authSession.getAuthNote(BROKER_SESSION_ID); - String brokerUserId = authSession.getAuthNote(BROKER_USER_ID); userSession = session.sessions().createUserSession(authSession.getId(), realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol() , remember, brokerSessionId, brokerUserId); + } else if (userSession.getUser() == null || !AuthenticationManager.isSessionValid(realm, userSession)) { + userSession.restartSession(realm, authSession.getAuthenticatedUser(), username, connection.getRemoteAddr(), authSession.getProtocol() + , remember, brokerSessionId, brokerUserId); } else { // We have existing userSession even if it wasn't attached to authenticator. Could happen if SSO authentication was ignored (eg. prompt=login) and in some other cases. - // We need to handle case when different user was used and update that (TODO:mposolda evaluate this again and corner cases like token refresh etc. AND ROLES!!! LIKELY ERROR SHOULD BE SHOWN IF ATTEMPT TO AUTHENTICATE AS DIFFERENT USER) - logger.info("No SSO login, but found existing userSession with ID '%s' after finished authentication."); + // We need to handle case when different user was used + logger.debugf("No SSO login, but found existing userSession with ID '%s' after finished authentication.", userSession.getId()); if (!authSession.getAuthenticatedUser().equals(userSession.getUser())) { event.detail(Details.EXISTING_USER, userSession.getUser().getId()); event.error(Errors.DIFFERENT_USER_AUTHENTICATED); throw new ErrorPageException(session, Messages.DIFFERENT_USER_AUTHENTICATED, userSession.getUser().getUsername()); } } - userSession.setState(UserSessionModel.State.LOGGING_IN); + userSession.setState(UserSessionModel.State.LOGGED_IN); } if (remember) { diff --git a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java index dfa1afa6e9..3a9c53cf2a 100755 --- a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java +++ b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java @@ -20,9 +20,9 @@ package org.keycloak.authentication; import org.jboss.logging.Logger; import org.keycloak.models.AuthenticationExecutionModel; import org.keycloak.models.AuthenticationFlowModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.UserModel; import org.keycloak.services.ServicesLogger; +import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; import java.util.Iterator; @@ -51,11 +51,11 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { protected boolean isProcessed(AuthenticationExecutionModel model) { if (model.isDisabled()) return true; - ClientSessionModel.ExecutionStatus status = processor.getAuthenticationSession().getExecutionStatus().get(model.getId()); + AuthenticationSessionModel.ExecutionStatus status = processor.getAuthenticationSession().getExecutionStatus().get(model.getId()); if (status == null) return false; - return status == ClientSessionModel.ExecutionStatus.SUCCESS || status == ClientSessionModel.ExecutionStatus.SKIPPED - || status == ClientSessionModel.ExecutionStatus.ATTEMPTED - || status == ClientSessionModel.ExecutionStatus.SETUP_REQUIRED; + return status == AuthenticationSessionModel.ExecutionStatus.SUCCESS || status == AuthenticationSessionModel.ExecutionStatus.SKIPPED + || status == AuthenticationSessionModel.ExecutionStatus.ATTEMPTED + || status == AuthenticationSessionModel.ExecutionStatus.SETUP_REQUIRED; } @@ -75,7 +75,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model); Response flowChallenge = authenticationFlow.processAction(actionExecution); if (flowChallenge == null) { - processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SUCCESS); if (model.isAlternative()) alternativeSuccessful = true; return processFlow(); } else { @@ -115,7 +115,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { } if (model.isAlternative() && alternativeSuccessful) { logger.debug("Skip alternative execution"); - processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SKIPPED); continue; } if (model.isAuthenticatorFlow()) { @@ -123,7 +123,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model); Response flowChallenge = authenticationFlow.processFlow(); if (flowChallenge == null) { - processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SUCCESS); if (model.isAlternative()) alternativeSuccessful = true; continue; } else { @@ -131,13 +131,13 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { alternativeChallenge = flowChallenge; challengedAlternativeExecution = model; } else if (model.isRequired()) { - processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.CHALLENGED); return flowChallenge; } else if (model.isOptional()) { - processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SKIPPED); continue; } else { - processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SKIPPED); continue; } return flowChallenge; @@ -154,7 +154,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { if (authenticator.requiresUser() && authUser == null) { if (alternativeChallenge != null) { - processor.getAuthenticationSession().setExecutionStatus(challengedAlternativeExecution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(challengedAlternativeExecution.getId(), AuthenticationSessionModel.ExecutionStatus.CHALLENGED); return alternativeChallenge; } throw new AuthenticationFlowException("authenticator: " + factory.getId(), AuthenticationFlowError.UNKNOWN_USER); @@ -166,14 +166,14 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { if (model.isRequired()) { if (factory.isUserSetupAllowed()) { logger.debugv("authenticator SETUP_REQUIRED: {0}", factory.getId()); - processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SETUP_REQUIRED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SETUP_REQUIRED); authenticator.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getAuthenticationSession().getAuthenticatedUser()); continue; } else { throw new AuthenticationFlowException(AuthenticationFlowError.CREDENTIAL_SETUP_REQUIRED); } } else if (model.isOptional()) { - processor.getAuthenticationSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(model.getId(), AuthenticationSessionModel.ExecutionStatus.SKIPPED); continue; } } @@ -198,13 +198,13 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { switch (status) { case SUCCESS: logger.debugv("authenticator SUCCESS: {0}", execution.getAuthenticator()); - processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), AuthenticationSessionModel.ExecutionStatus.SUCCESS); if (execution.isAlternative()) alternativeSuccessful = true; return null; case FAILED: logger.debugv("authenticator FAILED: {0}", execution.getAuthenticator()); processor.logFailure(); - processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.FAILED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), AuthenticationSessionModel.ExecutionStatus.FAILED); if (result.getChallenge() != null) { return sendChallenge(result, execution); } @@ -214,37 +214,37 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow { processor.getAuthenticationSession().setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution.getId()); throw new ForkFlowException(result.getSuccessMessage(), result.getErrorMessage()); case FORCE_CHALLENGE: - processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), AuthenticationSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); case CHALLENGE: logger.debugv("authenticator CHALLENGE: {0}", execution.getAuthenticator()); if (execution.isRequired()) { - processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), AuthenticationSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); } UserModel authenticatedUser = processor.getAuthenticationSession().getAuthenticatedUser(); if (execution.isOptional() && authenticatedUser != null && result.getAuthenticator().configuredFor(processor.getSession(), processor.getRealm(), authenticatedUser)) { - processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), AuthenticationSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); } if (execution.isAlternative()) { alternativeChallenge = result.getChallenge(); challengedAlternativeExecution = execution; } else { - processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), AuthenticationSessionModel.ExecutionStatus.SKIPPED); } return null; case FAILURE_CHALLENGE: logger.debugv("authenticator FAILURE_CHALLENGE: {0}", execution.getAuthenticator()); processor.logFailure(); - processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), AuthenticationSessionModel.ExecutionStatus.CHALLENGED); return sendChallenge(result, execution); case ATTEMPTED: logger.debugv("authenticator ATTEMPTED: {0}", execution.getAuthenticator()); if (execution.getRequirement() == AuthenticationExecutionModel.Requirement.REQUIRED) { throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CREDENTIALS); } - processor.getAuthenticationSession().setExecutionStatus(execution.getId(), ClientSessionModel.ExecutionStatus.ATTEMPTED); + processor.getAuthenticationSession().setExecutionStatus(execution.getId(), AuthenticationSessionModel.ExecutionStatus.ATTEMPTED); return null; case FLOW_RESET: processor.resetFlow(); diff --git a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java index 0e121dd5b5..955879f8ac 100755 --- a/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java +++ b/services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java @@ -24,7 +24,6 @@ import org.keycloak.events.EventBuilder; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AuthenticationExecutionModel; import org.keycloak.models.AuthenticatorConfigModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; @@ -167,13 +166,13 @@ public class FormAuthenticationFlow implements AuthenticationFlow { if (!actionExecution.equals(formExecution.getId())) { throw new AuthenticationFlowException("action is not current execution", AuthenticationFlowError.INTERNAL_ERROR); } - Map executionStatus = new HashMap<>(); + Map executionStatus = new HashMap<>(); List requiredActions = new LinkedList<>(); List successes = new LinkedList<>(); List errors = new LinkedList<>(); for (AuthenticationExecutionModel formActionExecution : formActionExecutions) { if (!formActionExecution.isEnabled()) { - executionStatus.put(formActionExecution.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + executionStatus.put(formActionExecution.getId(), AuthenticationSessionModel.ExecutionStatus.SKIPPED); continue; } FormActionFactory factory = (FormActionFactory)processor.getSession().getKeycloakSessionFactory().getProviderFactory(FormAction.class, formActionExecution.getAuthenticator()); @@ -190,14 +189,14 @@ public class FormAuthenticationFlow implements AuthenticationFlow { if (formActionExecution.isRequired()) { if (factory.isUserSetupAllowed()) { AuthenticationProcessor.logger.debugv("authenticator SETUP_REQUIRED: {0}", formExecution.getAuthenticator()); - executionStatus.put(formActionExecution.getId(), ClientSessionModel.ExecutionStatus.SETUP_REQUIRED); + executionStatus.put(formActionExecution.getId(), AuthenticationSessionModel.ExecutionStatus.SETUP_REQUIRED); requiredActions.add(action); continue; } else { throw new AuthenticationFlowException(AuthenticationFlowError.CREDENTIAL_SETUP_REQUIRED); } } else if (formActionExecution.isOptional()) { - executionStatus.put(formActionExecution.getId(), ClientSessionModel.ExecutionStatus.SKIPPED); + executionStatus.put(formActionExecution.getId(), AuthenticationSessionModel.ExecutionStatus.SKIPPED); continue; } } @@ -206,10 +205,10 @@ public class FormAuthenticationFlow implements AuthenticationFlow { ValidationContextImpl result = new ValidationContextImpl(formActionExecution, action); action.validate(result); if (result.success) { - executionStatus.put(formActionExecution.getId(), ClientSessionModel.ExecutionStatus.SUCCESS); + executionStatus.put(formActionExecution.getId(), AuthenticationSessionModel.ExecutionStatus.SUCCESS); successes.add(result); } else { - executionStatus.put(formActionExecution.getId(), ClientSessionModel.ExecutionStatus.CHALLENGED); + executionStatus.put(formActionExecution.getId(), AuthenticationSessionModel.ExecutionStatus.CHALLENGED); errors.add(result); } } @@ -235,14 +234,14 @@ public class FormAuthenticationFlow implements AuthenticationFlow { context.action.success(context); } // set status and required actions only if form is fully successful - for (Map.Entry entry : executionStatus.entrySet()) { + for (Map.Entry entry : executionStatus.entrySet()) { processor.getAuthenticationSession().setExecutionStatus(entry.getKey(), entry.getValue()); } for (FormAction action : requiredActions) { action.setRequiredActions(processor.getSession(), processor.getRealm(), processor.getAuthenticationSession().getAuthenticatedUser()); } - processor.getAuthenticationSession().setExecutionStatus(actionExecution, ClientSessionModel.ExecutionStatus.SUCCESS); + processor.getAuthenticationSession().setExecutionStatus(actionExecution, AuthenticationSessionModel.ExecutionStatus.SUCCESS); processor.getAuthenticationSession().removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); return null; } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java index fd87a6e41f..c6f834b347 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java @@ -20,12 +20,14 @@ import org.keycloak.TokenVerifier.Predicate; import org.keycloak.authentication.AuthenticationProcessor; import org.keycloak.authentication.actiontoken.*; import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; +import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; import org.keycloak.events.Errors; import org.keycloak.events.EventType; import org.keycloak.models.UserModel; import org.keycloak.services.ErrorPage; import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.messages.Messages; +import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.resources.LoginActionsServiceChecks.IsActionRequired; import org.keycloak.sessions.CommonClientSessionModel.Action; import javax.ws.rs.core.Response; @@ -61,7 +63,7 @@ public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHande @Override public Response handleToken(ResetCredentialsActionToken token, ActionTokenContext tokenContext, ProcessFlow processFlow) { - AuthenticationProcessor authProcessor = new ResetCredsAuthenticationProcessor(tokenContext); + AuthenticationProcessor authProcessor = new ResetCredsAuthenticationProcessor(); return processFlow.processFlow( false, @@ -87,34 +89,31 @@ public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHande public static class ResetCredsAuthenticationProcessor extends AuthenticationProcessor { - private final ActionTokenContext tokenContext; - - public ResetCredsAuthenticationProcessor(ActionTokenContext tokenContext) { - this.tokenContext = tokenContext; - } - @Override protected Response authenticationComplete() { - boolean firstBrokerLoginInProgress = (tokenContext.getAuthenticationSession().getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); + boolean firstBrokerLoginInProgress = (authenticationSession.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); if (firstBrokerLoginInProgress) { - UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, tokenContext.getRealm(), tokenContext.getAuthenticationSession()); - if (!linkingUser.getId().equals(tokenContext.getAuthenticationSession().getAuthenticatedUser().getId())) { + UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realm, authenticationSession); + if (!linkingUser.getId().equals(authenticationSession.getAuthenticatedUser().getId())) { return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, - tokenContext.getAuthenticationSession().getAuthenticatedUser().getUsername(), + authenticationSession.getAuthenticatedUser().getUsername(), linkingUser.getUsername() ); } - logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login.", linkingUser.getUsername()); + SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); + authenticationSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, serializedCtx.getIdentityProviderId()); - // TODO:mposolda Isn't this a bug that we redirect to 'afterBrokerLoginEndpoint' without rather continue with firstBrokerLogin and other authenticators like OTP? - //return redirectToAfterBrokerLoginEndpoint(authSession, true); - return null; + logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login with identity provider '%s'.", + linkingUser.getUsername(), serializedCtx.getIdentityProviderId()); + + return LoginActionsService.redirectToAfterBrokerLoginEndpoint(session, realm, uriInfo, authenticationSession, true); } else { return super.authenticationComplete(); } } + } } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java index 5e0851a05e..af639744b7 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ScriptBasedAuthenticator.java @@ -47,7 +47,7 @@ import java.util.Map; *
  • {@code realm} the {@link RealmModel}
    • *
  • {@code user} the current {@link UserModel}
    • *
  • {@code session} the active {@link KeycloakSession}
    • - *
  • {@code clientSession} the current {@link org.keycloak.models.ClientSessionModel}
    • + *
  • {@code clientSession} the current {@link org.keycloak.sessions.AuthenticationSessionModel}
    • *
  • {@code httpRequest} the current {@link org.jboss.resteasy.spi.HttpRequest}
    • *
  • {@code LOG} a {@link org.jboss.logging.Logger} scoped to {@link ScriptBasedAuthenticator}/li> * diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java index fd3ce48018..f3ea22fd8d 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java @@ -69,17 +69,14 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor return; } - LoginFormsProvider loginFormsProvider = context.getSession().getProvider(LoginFormsProvider.class) - .setClientSessionCode(context.generateCode()) - .setAuthenticationSession(authSession) - .setUser(context.getUser()); + LoginFormsProvider loginFormsProvider = context.form(); Response challenge; // Do not allow resending e-mail by simple page refresh, i.e. when e-mail sent, it should be resent properly via email-verification endpoint if (! Objects.equals(authSession.getAuthNote(Constants.VERIFY_EMAIL_KEY), email)) { authSession.setAuthNote(Constants.VERIFY_EMAIL_KEY, email); context.getEvent().clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, email).success(); - challenge = sendVerifyEmail(context.getSession(), context.generateCode(), context.getUser(), context.getAuthenticationSession()); + challenge = sendVerifyEmail(context.getSession(), loginFormsProvider, context.getUser(), context.getAuthenticationSession()); } else { challenge = loginFormsProvider.createResponse(UserModel.RequiredAction.VERIFY_EMAIL); } @@ -87,9 +84,15 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor context.challenge(challenge); } + @Override public void processAction(RequiredActionContext context) { - context.failure(); + logger.infof("Re-sending email requested for user: %s", context.getUser().getUsername()); + + // This will allow user to re-send email again + context.getAuthenticationSession().removeAuthNote(Constants.VERIFY_EMAIL_KEY); + + requiredActionChallenge(context); } @@ -124,15 +127,10 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor return UserModel.RequiredAction.VERIFY_EMAIL.name(); } - public static Response sendVerifyEmail(KeycloakSession session, String clientCode, UserModel user, AuthenticationSessionModel authSession) throws UriBuilderException, IllegalArgumentException { + private Response sendVerifyEmail(KeycloakSession session, LoginFormsProvider forms, UserModel user, AuthenticationSessionModel authSession) throws UriBuilderException, IllegalArgumentException { RealmModel realm = session.getContext().getRealm(); UriInfo uriInfo = session.getContext().getUri(); - LoginFormsProvider forms = session.getProvider(LoginFormsProvider.class) - .setClientSessionCode(clientCode) - .setAuthenticationSession(authSession) - .setUser(authSession.getAuthenticatedUser()); - int validityInSecs = realm.getAccessCodeLifespanUserAction(); int absoluteExpirationInSecs = Time.currentTime() + validityInSecs; // ExecuteActionsActionToken token = new ExecuteActionsActionToken(user.getId(), absoluteExpirationInSecs, null, diff --git a/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java b/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java index 6b5b0275ab..9ea53e2d9f 100644 --- a/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java +++ b/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java @@ -23,7 +23,6 @@ import org.keycloak.authorization.attribute.Attributes; import org.keycloak.authorization.identity.Identity; import org.keycloak.authorization.util.Tokens; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; @@ -118,8 +117,8 @@ public class KeycloakIdentity implements Identity { @Override public String getId() { if (isResourceServer()) { - ClientSessionModel clientSession = this.keycloakSession.sessions().getClientSession(this.accessToken.getClientSession()); - return clientSession.getClient().getId(); + ClientModel client = getTargetClient(); + return client==null ? null : client.getId(); } return this.accessToken.getSubject(); @@ -137,20 +136,10 @@ public class KeycloakIdentity implements Identity { private boolean isResourceServer() { UserModel clientUser = null; - if (this.accessToken.getClientSession() != null) { - ClientSessionModel clientSession = this.keycloakSession.sessions().getClientSession(this.accessToken.getClientSession()); + ClientModel clientModel = getTargetClient(); - if (clientSession != null) { - clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient()); - } - } - - if (this.accessToken.getIssuedFor() != null) { - ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm); - - if (clientModel != null) { - clientUser = this.keycloakSession.users().getServiceAccount(clientModel); - } + if (clientModel != null) { + clientUser = this.keycloakSession.users().getServiceAccount(clientModel); } if (clientUser == null) { @@ -159,4 +148,17 @@ public class KeycloakIdentity implements Identity { return this.accessToken.getSubject().equals(clientUser.getId()); } + + private ClientModel getTargetClient() { + if (this.accessToken.getIssuedFor() != null) { + return realm.getClientByClientId(accessToken.getIssuedFor()); + } + + if (this.accessToken.getAudience() != null && this.accessToken.getAudience().length > 0) { + String audience = this.accessToken.getAudience()[0]; + return realm.getClientByClientId(audience); + } + + return null; + } } diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java index 4f24373f49..45183c3658 100755 --- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java +++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java @@ -32,7 +32,6 @@ import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInputException; import org.keycloak.jose.jws.crypto.RSAProvider; import org.keycloak.keys.loader.PublicKeyStorageManager; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java index 5f02b8e413..51d6eb8ec6 100755 --- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java +++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java @@ -31,7 +31,6 @@ import org.keycloak.dom.saml.v2.assertion.SubjectType; import org.keycloak.dom.saml.v2.protocol.ResponseType; import org.keycloak.events.EventBuilder; import org.keycloak.keys.RsaKeyMetadata; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.FederatedIdentityModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/SessionsBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/SessionsBean.java index a474f4f138..f597d5c227 100755 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/SessionsBean.java +++ b/services/src/main/java/org/keycloak/forms/account/freemarker/model/SessionsBean.java @@ -19,7 +19,6 @@ package org.keycloak.forms.account.freemarker.model; import org.keycloak.common.util.Time; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; @@ -79,8 +78,8 @@ public class SessionsBean { public Set getClients() { Set clients = new HashSet(); - for (ClientSessionModel clientSession : session.getClientSessions()) { - ClientModel client = clientSession.getClient(); + for (String clientUUID : session.getAuthenticatedClientSessions().keySet()) { + ClientModel client = realm.getClientById(clientUUID); clients.add(client.getClientId()); } return clients; diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java index e93df33cf6..625406c33f 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java @@ -90,7 +90,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { private UserModel user; - private AuthenticationSessionModel authenticationSession; private final Map attributes = new HashMap(); public FreeMarkerLoginFormsProvider(KeycloakSession session, FreeMarkerUtil freeMarker) { @@ -156,6 +155,13 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { uriBuilder.replaceQuery(null); } + URI baseUri = uriBuilder.build(); + + if (accessCode != null) { + uriBuilder.queryParam(OAuth2Constants.CODE, accessCode); + } + URI baseUriWithCode = uriBuilder.build(); + for (String k : queryParameterMap.keySet()) { Object[] objects = queryParameterMap.get(k).toArray(); @@ -163,13 +169,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { uriBuilder.replaceQueryParam(k, objects); } - // TODO:hmlnarik Why was the following removed in https://github.com/hmlnarik/keycloak/commit/6df8f13109d6ea77b455e04d884994e5831ea52b#diff-d795b851c2db89d5198c897aba4c40c9 - if (accessCode != null) { - uriBuilder.replaceQueryParam(OAuth2Constants.CODE, accessCode); - } - - URI baseUri = uriBuilder.build(); - ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending"); Theme theme; try { @@ -221,7 +220,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { List identityProviders = realm.getIdentityProviders(); identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData); - attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUri)); + attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCode)); attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri)); @@ -313,9 +312,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { if (objects.length == 1 && objects[0] == null) continue; // uriBuilder.replaceQueryParam(k, objects); } - if (accessCode != null) { - uriBuilder.replaceQueryParam(OAuth2Constants.CODE, accessCode); - } + URI baseUri = uriBuilder.build(); if (accessCode != null) { @@ -572,12 +569,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider { return this; } - @Override - public LoginFormsProvider setAuthenticationSession(AuthenticationSessionModel authSession) { - this.authenticationSession = authSession; - return this; - } - @Override public LoginFormsProvider setAccessRequest(List realmRolesRequested, MultivaluedMap resourceRolesRequested, List protocolMappersRequested) { this.realmRolesRequested = realmRolesRequested; diff --git a/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java b/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java index 9b3a9f3c30..0c574c1887 100755 --- a/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java +++ b/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java @@ -85,10 +85,6 @@ public class UrlBean { return Urls.loginUsernameReminder(baseURI, realm).toString(); } - public String getLoginEmailVerificationUrl() { - return Urls.loginActionEmailVerification(baseURI, realm).toString(); - } - public String getFirstBrokerLoginUrl() { return Urls.firstBrokerLoginProcessor(baseURI, realm).toString(); } diff --git a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java index 89680bb890..9c1e5a5e8e 100755 --- a/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java +++ b/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java @@ -21,7 +21,6 @@ import org.jboss.logging.Logger; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.authentication.AuthenticationProcessor; import org.keycloak.common.ClientConnection; -import org.keycloak.common.util.ObjectUtil; import org.keycloak.events.Details; import org.keycloak.events.EventBuilder; import org.keycloak.models.AuthenticationFlowModel; @@ -35,7 +34,7 @@ import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; -import org.keycloak.services.util.PageExpiredRedirect; +import org.keycloak.services.util.AuthenticationFlowURLHelper; import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Context; @@ -159,7 +158,7 @@ public abstract class AuthorizationEndpointBase { ClientSessionCode check = new ClientSessionCode<>(session, realm, authSession); if (!check.isActionActive(ClientSessionCode.ActionType.LOGIN)) { - logger.infof("Authentication session '%s' exists, but is expired. Restart existing authentication session", authSession.getId()); + logger.debugf("Authentication session '%s' exists, but is expired. Restart existing authentication session", authSession.getId()); authSession.restartSession(realm, client); return new AuthorizationEndpointChecks(authSession); @@ -167,10 +166,10 @@ public abstract class AuthorizationEndpointBase { // Check if we have lastProcessedExecution and restart the session just if yes. Otherwise update just client information from the AuthorizationEndpoint request. // This difference is needed, because of logout from JS applications in multiple browser tabs. if (hasProcessedExecution(authSession)) { - logger.info("New request from application received, but authentication session already exists. Restart existing authentication session"); + logger.debug("New request from application received, but authentication session already exists. Restart existing authentication session"); authSession.restartSession(realm, client); } else { - logger.info("New request from application received, but authentication session already exists. Update client information in existing authentication session"); + logger.debug("New request from application received, but authentication session already exists. Update client information in existing authentication session"); authSession.clearClientNotes(); // update client data authSession.updateClient(client); } @@ -178,7 +177,7 @@ public abstract class AuthorizationEndpointBase { return new AuthorizationEndpointChecks(authSession); } else { - logger.info("Re-sent some previous request to Authorization endpoint. Likely browser 'back' or 'refresh' button."); + logger.debug("Re-sent some previous request to Authorization endpoint. Likely browser 'back' or 'refresh' button."); // See if we have lastProcessedExecution note. If yes, we are expired. Also if we are in different flow than initial one. Otherwise it is browser refresh of initial username/password form if (!shouldShowExpirePage(authSession)) { @@ -186,7 +185,7 @@ public abstract class AuthorizationEndpointBase { } else { CacheControlUtil.noBackButtonCacheControlHeader(); - Response response = new PageExpiredRedirect(session, realm, uriInfo) + Response response = new AuthenticationFlowURLHelper(session, realm, uriInfo) .showPageExpired(authSession); return new AuthorizationEndpointChecks(response); } @@ -196,11 +195,11 @@ public abstract class AuthorizationEndpointBase { UserSessionModel userSession = authSessionId==null ? null : session.sessions().getUserSession(realm, authSessionId); if (userSession != null) { - logger.infof("Sent request to authz endpoint. We don't have authentication session with ID '%s' but we have userSession. Will re-create authentication session with same ID", authSessionId); + logger.debugf("Sent request to authz endpoint. We don't have authentication session with ID '%s' but we have userSession. Will re-create authentication session with same ID", authSessionId); authSession = session.authenticationSessions().createAuthenticationSession(authSessionId, realm, client); } else { authSession = manager.createAuthenticationSession(realm, client, true); - logger.infof("Sent request to authz endpoint. Created new authentication session with ID '%s'", authSession.getId()); + logger.debugf("Sent request to authz endpoint. Created new authentication session with ID '%s'", authSession.getId()); } return new AuthorizationEndpointChecks(authSession); @@ -224,17 +223,13 @@ public abstract class AuthorizationEndpointBase { } String lastFlow = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); - // Check if we transitted between flows (eg. clicking "register" on login screen) - if (!initialFlow.equals(lastFlow)) { - logger.infof("Transition between flows! Current flow: %s, Previous flow: %s", initialFlow, lastFlow); + // Check if we transitted between flows (eg. clicking "register" on login screen and then clicking browser 'back', which showed this page) + if (!initialFlow.equals(lastFlow) && AuthenticationSessionModel.Action.AUTHENTICATE.toString().equals(authSession.getAction())) { + logger.debugf("Transition between flows! Current flow: %s, Previous flow: %s", initialFlow, lastFlow); - if (lastFlow == null || LoginActionsService.isFlowTransitionAllowed(initialFlow, lastFlow)) { - authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, initialFlow); - authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); - return false; - } else { - return true; - } + authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, initialFlow); + authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + return false; } return false; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java index 93df9b0d69..e7c147d966 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java @@ -575,7 +575,6 @@ public class TokenManager { protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, AuthenticatedClientSessionModel clientSession, UriInfo uriInfo) { AccessToken token = new AccessToken(); - token.clientSession(clientSession.getId()); token.id(KeycloakModelUtils.generateId()); token.type(TokenUtil.TOKEN_TYPE_BEARER); token.subject(user.getId()); diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java index 0cd0219a00..26d012b0e1 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java @@ -28,7 +28,6 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.RealmModel; import org.keycloak.protocol.AuthorizationEndpointBase; import org.keycloak.protocol.oidc.OIDCLoginProtocol; @@ -41,7 +40,6 @@ import org.keycloak.protocol.oidc.utils.RedirectUtils; import org.keycloak.services.ErrorPageException; import org.keycloak.services.ServicesLogger; import org.keycloak.services.Urls; -import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.util.CacheControlUtil; @@ -387,7 +385,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase { private void updateAuthenticationSession() { authenticationSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); authenticationSession.setRedirectUri(redirectUri); - authenticationSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + authenticationSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name()); authenticationSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, request.getResponseType()); authenticationSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, request.getRedirectUriParam()); authenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java index d564840dce..83570efd75 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java @@ -210,12 +210,13 @@ public class TokenEndpoint { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: " + OAuth2Constants.CODE, Response.Status.BAD_REQUEST); } + String[] parts = code.split("\\."); + if (parts.length == 4) { + event.detail(Details.CODE_ID, parts[2]); + } + ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class); if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) { - String[] parts = code.split("\\."); - if (parts.length == 2) { - event.detail(Details.CODE_ID, parts[1]); - } event.error(Errors.INVALID_CODE); // Attempt to use same code twice should invalidate existing clientSession @@ -228,17 +229,16 @@ public class TokenEndpoint { } AuthenticatedClientSessionModel clientSession = parseResult.getClientSession(); - event.detail(Details.CODE_ID, clientSession.getId()); if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) { event.error(Errors.INVALID_CODE); throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code is expired", Response.Status.BAD_REQUEST); } - // TODO: This shouldn't be needed to write into the clientLoginSessionModel itself + // TODO: This shouldn't be needed to write into the AuthenticatedClientSessionModel itself parseResult.getCode().setAction(null); - // TODO: Maybe rather create userSession even at this stage? Not sure... + // TODO: Maybe rather create userSession even at this stage? UserSessionModel userSession = clientSession.getUserSession(); if (userSession == null) { diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractUserRoleMappingMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractUserRoleMappingMapper.java index f4ef89dfc0..d239951bf9 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractUserRoleMappingMapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AbstractUserRoleMappingMapper.java @@ -93,9 +93,9 @@ abstract class AbstractUserRoleMappingMapper extends AbstractOIDCProtocolMapper // get a set of all realm roles assigned to the user or its group Stream clientUserRoles = getAllUserRolesStream(user).filter(restriction); - boolean dontLimitScope = userSession.getClientSessions().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed()); + boolean dontLimitScope = userSession.getAuthenticatedClientSessions().values().stream().anyMatch(cs -> cs.getClient().isFullScopeAllowed()); if (! dontLimitScope) { - Set clientRoles = userSession.getClientSessions().stream() + Set clientRoles = userSession.getAuthenticatedClientSessions().values().stream() .flatMap(cs -> cs.getClient().getScopeMappings().stream()) .collect(Collectors.toSet()); diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java index 10e45a23fd..a8218c17ac 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java @@ -376,8 +376,12 @@ public class SamlProtocol implements LoginProtocol { clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat); SAML2LoginResponseBuilder builder = new SAML2LoginResponseBuilder(); - builder.requestID(requestID).destination(redirectUri).issuer(responseIssuer).assertionExpiration(realm.getAccessCodeLifespan()).subjectExpiration(realm.getAccessTokenLifespan()).sessionIndex(clientSession.getId()) + builder.requestID(requestID).destination(redirectUri).issuer(responseIssuer).assertionExpiration(realm.getAccessCodeLifespan()).subjectExpiration(realm.getAccessTokenLifespan()) .requestIssuer(clientSession.getClient().getClientId()).nameIdentifier(nameIdFormat, nameId).authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get()); + + String sessionIndex = SamlSessionUtils.getSessionIndex(clientSession); + builder.sessionIndex(sessionIndex); + if (!samlClient.includeAuthnStatement()) { builder.disableAuthnStatement(true); } @@ -682,8 +686,12 @@ public class SamlProtocol implements LoginProtocol { protected SAML2LogoutRequestBuilder createLogoutRequest(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client) { // build userPrincipal with subject used at login - SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder().assertionExpiration(realm.getAccessCodeLifespan()).issuer(getResponseIssuer(realm)).sessionIndex(clientSession.getId()) + SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder().assertionExpiration(realm.getAccessCodeLifespan()).issuer(getResponseIssuer(realm)) .userPrincipal(clientSession.getNote(SAML_NAME_ID), clientSession.getNote(SAML_NAME_ID_FORMAT)).destination(logoutUrl); + + String sessionIndex = SamlSessionUtils.getSessionIndex(clientSession); + logoutBuilder.sessionIndex(sessionIndex); + return logoutBuilder; } diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java index f81d25dad6..9a6790ba4a 100755 --- a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java @@ -37,8 +37,8 @@ import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.keys.RsaKeyMetadata; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeyManager; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; @@ -55,7 +55,6 @@ import org.keycloak.saml.common.constants.JBossSAMLURIConstants; import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder; import org.keycloak.services.ErrorPage; import org.keycloak.services.managers.AuthenticationManager; -import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.RealmsResource; import org.keycloak.services.util.CacheControlUtil; @@ -99,11 +98,6 @@ public class SamlService extends AuthorizationEndpointBase { protected static final Logger logger = Logger.getLogger(SamlService.class); - @Context - protected KeycloakSession session; - - private String requestRelayState; - public SamlService(RealmModel realm, EventBuilder event) { super(realm, event); } @@ -283,7 +277,7 @@ public class SamlService extends AuthorizationEndpointBase { authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); authSession.setRedirectUri(redirect); - authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name()); authSession.setClientNote(SamlProtocol.SAML_BINDING, bindingType); authSession.setClientNote(GeneralConstants.RELAY_STATE, relayState); authSession.setClientNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID()); @@ -378,31 +372,22 @@ public class SamlService extends AuthorizationEndpointBase { userSession.setNote(SamlProtocol.SAML_LOGOUT_CANONICALIZATION, samlClient.getCanonicalizationMethod()); userSession.setNote(AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL, SamlProtocol.LOGIN_PROTOCOL); // remove client from logout requests - for (ClientSessionModel clientSession : userSession.getClientSessions()) { - if (clientSession.getClient().getId().equals(client.getId())) { - clientSession.setAction(ClientSessionModel.Action.LOGGED_OUT.name()); - } + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); + if (clientSession != null) { + clientSession.setAction(AuthenticationSessionModel.Action.LOGGED_OUT.name()); } logger.debug("browser Logout"); return authManager.browserLogout(session, realm, userSession, uriInfo, clientConnection, headers); } else if (logoutRequest.getSessionIndex() != null) { for (String sessionIndex : logoutRequest.getSessionIndex()) { - ClientSessionModel clientSession = session.sessions().getClientSession(realm, sessionIndex); + + AuthenticatedClientSessionModel clientSession = SamlSessionUtils.getClientSession(session, realm, sessionIndex); if (clientSession == null) continue; UserSessionModel userSession = clientSession.getUserSession(); if (clientSession.getClient().getClientId().equals(client.getClientId())) { // remove requesting client from logout - clientSession.setAction(ClientSessionModel.Action.LOGGED_OUT.name()); - - // Remove also other clientSessions of this client as there could be more in this UserSession - if (userSession != null) { - for (ClientSessionModel clientSession2 : userSession.getClientSessions()) { - if (clientSession2.getClient().getId().equals(client.getId())) { - clientSession2.setAction(ClientSessionModel.Action.LOGGED_OUT.name()); - } - } - } + clientSession.setAction(AuthenticationSessionModel.Action.LOGGED_OUT.name()); } try { @@ -609,6 +594,10 @@ public class SamlService extends AuthorizationEndpointBase { event.error(Errors.CLIENT_NOT_FOUND); return ErrorPage.error(session, Messages.CLIENT_NOT_FOUND); } + if (!client.isEnabled()) { + event.error(Errors.CLIENT_DISABLED); + return ErrorPage.error(session, Messages.CLIENT_DISABLED); + } if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) == null) { logger.error("SAML assertion consumer url not set up"); event.error(Errors.INVALID_REDIRECT_URI); @@ -654,7 +643,7 @@ public class SamlService extends AuthorizationEndpointBase { AuthenticationSessionModel authSession = checks.authSession; authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL); - authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); + authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name()); authSession.setClientNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING); authSession.setClientNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true"); authSession.setRedirectUri(redirect); diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlSessionUtils.java b/services/src/main/java/org/keycloak/protocol/saml/SamlSessionUtils.java new file mode 100644 index 0000000000..0083fdc0dd --- /dev/null +++ b/services/src/main/java/org/keycloak/protocol/saml/SamlSessionUtils.java @@ -0,0 +1,65 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.protocol.saml; + +import java.util.regex.Pattern; + +import org.keycloak.models.AuthenticatedClientSessionModel; +import org.keycloak.models.ClientModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserSessionModel; + +/** + * @author Marek Posolda + */ +public class SamlSessionUtils { + + private static final String DELIMITER = "::"; + + // Just perf optimization + private static final Pattern PATTERN = Pattern.compile(DELIMITER); + + + public static String getSessionIndex(AuthenticatedClientSessionModel clientSession) { + UserSessionModel userSession = clientSession.getUserSession(); + ClientModel client = clientSession.getClient(); + + return userSession.getId() + DELIMITER + client.getId(); + } + + + public static AuthenticatedClientSessionModel getClientSession(KeycloakSession session, RealmModel realm, String sessionIndex) { + if (sessionIndex == null) { + return null; + } + + String[] parts = PATTERN.split(sessionIndex); + if (parts.length != 2) { + return null; + } + + UserSessionModel userSession = session.sessions().getUserSession(realm, parts[0]); + if (userSession == null) { + return null; + } + + return userSession.getAuthenticatedClientSessions().get(parts[1]); + } + +} diff --git a/services/src/main/java/org/keycloak/services/ErrorPageException.java b/services/src/main/java/org/keycloak/services/ErrorPageException.java index 4bcbbc8499..51ee9c84dc 100644 --- a/services/src/main/java/org/keycloak/services/ErrorPageException.java +++ b/services/src/main/java/org/keycloak/services/ErrorPageException.java @@ -37,6 +37,8 @@ public class ErrorPageException extends WebApplicationException { this.parameters = parameters; } + + @Override public Response getResponse() { return ErrorPage.error(session, errorMessage, parameters); diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index 0ba5d77ced..6e7a91735f 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -537,7 +537,7 @@ public class AuthenticationManager { .createInfoPage(); return response; - // TODO:mposolda doublecheck if restart-cookie and authentication session are cleared in this flow + // Don't remove authentication session for now, to ensure that browser buttons (back/refresh) will still work fine. } RealmModel realm = authSession.getRealm(); diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java index 04271f1c24..0297f13e9d 100644 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java @@ -74,20 +74,17 @@ public class AuthenticationSessionManager { boolean sslRequired = realm.getSslRequired().isRequired(session.getContext().getConnection()); CookieHelper.addCookie(AUTH_SESSION_ID, authSessionId, cookiePath, null, null, -1, sslRequired, true); - // TODO trace with isTraceEnabled - log.infof("Set AUTH_SESSION_ID cookie with value %s", authSessionId); + log.debugf("Set AUTH_SESSION_ID cookie with value %s", authSessionId); } public String getAuthSessionCookie() { String cookieVal = CookieHelper.getCookieValue(AUTH_SESSION_ID); - if (log.isTraceEnabled()) { - if (cookieVal != null) { - log.tracef("Found AUTH_SESSION_ID cookie with value %s", cookieVal); - } else { - log.tracef("Not found AUTH_SESSION_ID cookie"); - } + if (cookieVal != null) { + log.debugf("Found AUTH_SESSION_ID cookie with value %s", cookieVal); + } else { + log.debugf("Not found AUTH_SESSION_ID cookie"); } return cookieVal; @@ -95,7 +92,7 @@ public class AuthenticationSessionManager { public void removeAuthenticationSession(RealmModel realm, AuthenticationSessionModel authSession, boolean expireRestartCookie) { - log.infof("Removing authSession '%s'. Expire restart cookie: %b", authSession.getId(), expireRestartCookie); + log.debugf("Removing authSession '%s'. Expire restart cookie: %b", authSession.getId(), expireRestartCookie); session.authenticationSessions().removeAuthenticationSession(realm, authSession); // expire restart cookie diff --git a/services/src/main/java/org/keycloak/services/managers/ClientManager.java b/services/src/main/java/org/keycloak/services/managers/ClientManager.java index fec49c92c5..1bcfaf5add 100644 --- a/services/src/main/java/org/keycloak/services/managers/ClientManager.java +++ b/services/src/main/java/org/keycloak/services/managers/ClientManager.java @@ -39,6 +39,7 @@ import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper; import org.keycloak.representations.adapters.config.BaseRealmConfig; import org.keycloak.representations.adapters.config.PolicyEnforcerConfig; import org.keycloak.representations.idm.ClientRepresentation; +import org.keycloak.sessions.AuthenticationSessionProvider; import java.net.URI; import java.util.Collections; @@ -104,6 +105,11 @@ public class ClientManager { sessionsPersister.onClientRemoved(realm, client); } + AuthenticationSessionProvider authSessions = realmManager.getSession().authenticationSessions(); + if (authSessions != null) { + authSessions.onClientRemoved(realm, client); + } + UserModel serviceAccountUser = realmManager.getSession().users().getServiceAccount(client); if (serviceAccountUser != null) { new UserManager(realmManager.getSession()).removeUser(realm, serviceAccountUser); diff --git a/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java b/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java index ce7a8a1c48..59158e6c31 100755 --- a/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java +++ b/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java @@ -112,11 +112,6 @@ public class ClientSessionCode CommonClientSessionModel clientSessionn = CodeGenerateUtil.getParser(sessionClass).parseSession(code, session, realm);; CLIENT_SESSION clientSession = sessionClass.cast(clientSessionn); - // TODO:mposolda Move this to somewhere else? Maybe LoginActionsService.sessionCodeChecks should be somehow even for non-action URLs... - if (clientSession != null) { - session.getContext().setClient(clientSession.getClient()); - } - return clientSession; } @@ -168,8 +163,12 @@ public class ClientSessionCode public Set getRequestedRoles() { + return getRequestedRoles(commonLoginSession, realm); + } + + public static Set getRequestedRoles(CommonClientSessionModel clientSession, RealmModel realm) { Set requestedRoles = new HashSet<>(); - for (String roleId : commonLoginSession.getRoles()) { + for (String roleId : clientSession.getRoles()) { RoleModel role = realm.getRoleById(roleId); if (role != null) { requestedRoles.add(role); diff --git a/services/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java b/services/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java index eac0e642c9..a975aa5cd7 100644 --- a/services/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java +++ b/services/src/main/java/org/keycloak/services/managers/CodeGenerateUtil.java @@ -23,7 +23,6 @@ import java.util.Map; import org.jboss.logging.Logger; import org.keycloak.OAuth2Constants; import org.keycloak.models.AuthenticatedClientSessionModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserSessionModel; @@ -41,7 +40,6 @@ class CodeGenerateUtil { private static final Map, ClientSessionParser> PARSERS = new HashMap<>(); static { - PARSERS.put(ClientSessionModel.class, new ClientSessionModelParser()); PARSERS.put(AuthenticationSessionModel.class, new AuthenticationSessionModelParser()); PARSERS.put(AuthenticatedClientSessionModel.class, new AuthenticatedClientSessionModelParser()); } @@ -78,54 +76,6 @@ class CodeGenerateUtil { // IMPLEMENTATIONS - // TODO: remove - private static class ClientSessionModelParser implements ClientSessionParser { - - - @Override - public ClientSessionModel parseSession(String code, KeycloakSession session, RealmModel realm) { - try { - String[] parts = code.split("\\."); - String id = parts[2]; - return session.sessions().getClientSession(realm, id); - } catch (ArrayIndexOutOfBoundsException e) { - return null; - } - } - - @Override - public String generateCode(ClientSessionModel clientSession, String actionId) { - StringBuilder sb = new StringBuilder(); - sb.append("cls."); - sb.append(actionId); - sb.append('.'); - sb.append(clientSession.getId()); - - return sb.toString(); - } - - @Override - public void removeExpiredSession(KeycloakSession session, ClientSessionModel clientSession) { - session.sessions().removeClientSession(clientSession.getRealm(), clientSession); - } - - @Override - public String getNote(ClientSessionModel clientSession, String name) { - return clientSession.getNote(name); - } - - @Override - public void removeNote(ClientSessionModel clientSession, String name) { - clientSession.removeNote(name); - } - - @Override - public void setNote(ClientSessionModel clientSession, String name, String value) { - clientSession.setNote(name, value); - } - } - - private static class AuthenticationSessionModelParser implements ClientSessionParser { @Override @@ -193,20 +143,6 @@ class CodeGenerateUtil { sb.append('.'); sb.append(clientUUID); - // TODO:mposolda codeChallengeMethod is not used anywhere. Not sure if it's bug of PKCE contribution. Doublecheck the PKCE specification what should be done regarding code - // https://tools.ietf.org/html/rfc7636#section-4 - String codeChallenge = clientSession.getNote(OAuth2Constants.CODE_CHALLENGE); - String codeChallengeMethod = clientSession.getNote(OAuth2Constants.CODE_CHALLENGE_METHOD); - if (codeChallenge != null) { - logger.debugf("PKCE received codeChallenge = %s", codeChallenge); - if (codeChallengeMethod == null) { - logger.debug("PKCE not received codeChallengeMethod, treating plain"); - codeChallengeMethod = OAuth2Constants.PKCE_METHOD_PLAIN; - } else { - logger.debugf("PKCE received codeChallengeMethod = %s", codeChallengeMethod); - } - } - return sb.toString(); } diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java index 3306bcdedb..e94ff3c00f 100755 --- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java +++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java @@ -47,6 +47,7 @@ import org.keycloak.representations.idm.OAuthClientRepresentation; import org.keycloak.representations.idm.RealmEventsConfigRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RoleRepresentation; +import org.keycloak.sessions.AuthenticationSessionProvider; import org.keycloak.storage.UserStorageProviderModel; import org.keycloak.services.clientregistration.policy.DefaultClientRegistrationPolicies; @@ -248,6 +249,11 @@ public class RealmManager { sessionsPersister.onRealmRemoved(realm); } + AuthenticationSessionProvider authSessions = session.authenticationSessions(); + if (authSessions != null) { + authSessions.onRealmRemoved(realm); + } + // Refresh periodic sync tasks for configured storageProviders List storageProviders = realm.getUserStorageProviders(); UserStorageSyncManager storageSync = new UserStorageSyncManager(); diff --git a/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java b/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java index 4528575d4e..f347d4ce69 100644 --- a/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java +++ b/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java @@ -104,8 +104,8 @@ public class UserSessionManager { user.getUsername(), client.getClientId()); } - userSession.getAuthenticatedClientSessions().remove(client.getClientId()); - persister.removeClientSession(clientSession.getId(), true); + clientSession.setUserSession(null); + persister.removeClientSession(userSession.getId(), client.getId(), true); checkOfflineUserSessionHasClientSessions(realm, user, userSession); anyRemoved = true; } @@ -148,9 +148,8 @@ public class UserSessionManager { clientSession.getId(), offlineUserSession.getId(), user.getUsername(), clientSession.getClient().getClientId()); } - AuthenticatedClientSessionModel offlineClientSession = kcSession.sessions().createOfflineClientSession(clientSession); - offlineUserSession.getAuthenticatedClientSessions().put(clientSession.getClient().getId(), offlineClientSession); - persister.createClientSession(offlineUserSession, clientSession, true); + kcSession.sessions().createOfflineClientSession(clientSession, offlineUserSession); + persister.createClientSession(clientSession, true); } // Check if userSession has any offline clientSessions attached to it. Remove userSession if not diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java index ded189d1cd..1810ed077f 100755 --- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java +++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java @@ -75,6 +75,7 @@ import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.BruteForceProtector; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; +import org.keycloak.services.util.BrowserHistoryHelper; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.validation.Validation; import org.keycloak.sessions.AuthenticationSessionModel; @@ -210,6 +211,8 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal throw new ErrorPageException(session, Messages.INVALID_REQUEST); } + event.detail(Details.REDIRECT_URI, redirectUri); + if (nonce == null || hash == null) { event.error(Errors.INVALID_REDIRECT_URI); throw new ErrorPageException(session, Messages.INVALID_REQUEST); @@ -239,7 +242,10 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal return Response.status(302).location(builder.build()).build(); } - + cookieResult.getSession(); + event.session(cookieResult.getSession()); + event.user(cookieResult.getUser()); + event.detail(Details.USERNAME, cookieResult.getUser().getUsername()); AuthenticatedClientSessionModel clientSession = null; for (AuthenticatedClientSessionModel cs : cookieResult.getSession().getAuthenticatedClientSessions().values()) { @@ -264,7 +270,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal throw new ErrorPageException(session, Messages.INVALID_REQUEST); } - + event.detail(Details.IDENTITY_PROVIDER, providerId); ClientModel accountService = this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); if (!accountService.getId().equals(client.getId())) { @@ -307,6 +313,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal authSession.setClientNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString()); authSession.setAuthNote(LINKING_IDENTITY_PROVIDER, cookieResult.getSession().getId() + clientId + providerId); + event.detail(Details.CODE_ID, userSession.getId()); event.success(); try { @@ -508,6 +515,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal this.event.event(EventType.IDENTITY_PROVIDER_LOGIN) .detail(Details.REDIRECT_URI, authenticationSession.getRedirectUri()) + .detail(Details.IDENTITY_PROVIDER, providerId) .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); UserModel federatedUser = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel); @@ -786,6 +794,9 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal authSession.setUserSessionNote(Details.IDENTITY_PROVIDER, providerId); authSession.setUserSessionNote(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); + event.detail(Details.IDENTITY_PROVIDER, providerId) + .detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername()); + if (isDebugEnabled()) { logger.debugf("Performing local authentication for user [%s].", federatedUser); } @@ -961,43 +972,39 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal } private ParsedCodeContext parseClientSessionCode(String code) { - ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(code, this.session, this.realmModel, AuthenticationSessionModel.class); - ClientSessionCode clientCode = parseResult.getCode(); - - if (clientCode != null) { - AuthenticationSessionModel authenticationSession = clientCode.getClientSession(); - - ClientModel client = authenticationSession.getClient(); - - if (client != null) { - - logger.debugf("Got authorization code from client [%s].", client.getClientId()); - this.event.client(client); - this.session.getContext().setClient(client); - - if (!clientCode.isValid(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { - logger.debugf("Authorization code is not valid. Client session ID: %s, Client session's action: %s", authenticationSession.getId(), authenticationSession.getAction()); - - // Check if error happened during login or during linking from account management - Response accountManagementFailedLinking = checkAccountManagementFailedLinking(clientCode.getClientSession(), Messages.STALE_CODE_ACCOUNT); - Response staleCodeError = (accountManagementFailedLinking != null) ? accountManagementFailedLinking : redirectToErrorPage(Messages.STALE_CODE); - - - return ParsedCodeContext.response(staleCodeError); - } - - if (isDebugEnabled()) { - logger.debugf("Authorization code is valid."); - } - - return ParsedCodeContext.clientSessionCode(clientCode); - } + if (code == null) { + logger.debugf("Invalid request. Authorization code was null"); + Response staleCodeError = redirectToErrorPage(Messages.INVALID_REQUEST); + return ParsedCodeContext.response(staleCodeError); } - // TODO:mposolda rather some different page? Maybe "PageExpired" page? - logger.debugf("Authorization code is not valid. Code: %s", code); - Response staleCodeError = redirectToErrorPage(Messages.STALE_CODE); - return ParsedCodeContext.response(staleCodeError); + SessionCodeChecks checks = new SessionCodeChecks(realmModel, uriInfo, clientConnection, session, event, code, null, LoginActionsService.AUTHENTICATE_PATH); + checks.initialVerify(); + if (!checks.verifyActiveAndValidAction(AuthenticationSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + + AuthenticationSessionModel authSession = checks.getAuthenticationSession(); + if (authSession != null) { + // Check if error happened during login or during linking from account management + Response accountManagementFailedLinking = checkAccountManagementFailedLinking(authSession, Messages.STALE_CODE_ACCOUNT); + if (accountManagementFailedLinking != null) { + return ParsedCodeContext.response(accountManagementFailedLinking); + } else { + Response errorResponse = checks.getResponse(); + + // Remove "code" from browser history + errorResponse = BrowserHistoryHelper.getInstance().saveResponseAndRedirect(session, authSession, errorResponse, true); + return ParsedCodeContext.response(errorResponse); + } + } else { + return ParsedCodeContext.response(checks.getResponse()); + } + } else { + if (isDebugEnabled()) { + logger.debugf("Authorization code is valid."); + } + + return ParsedCodeContext.clientSessionCode(checks.getClientCode()); + } } /** @@ -1022,6 +1029,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal } SamlService samlService = new SamlService(realmModel, event); + ResteasyProviderFactory.getInstance().injectProperties(samlService); AuthenticationSessionModel authSession = samlService.getOrCreateLoginSessionForIdpInitiatedSso(session, realmModel, oClient.get(), null); return ParsedCodeContext.clientSessionCode(new ClientSessionCode<>(session, this.realmModel, authSession)); @@ -1091,16 +1099,6 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal return Response.status(302).location(UriBuilder.fromUri(authSession.getRedirectUri()).build()).build(); } - private Response redirectToLoginPage(Throwable t, ClientSessionCode clientCode) { - String message = t.getMessage(); - - if (message == null) { - message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; - } - - fireErrorEvent(message); - return browserAuthentication(clientCode.getClientSession(), message); - } protected Response browserAuthentication(AuthenticationSessionModel authSession, String errorMessage) { this.event.event(EventType.LOGIN); diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 0338964212..5dcb621b66 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -28,22 +28,20 @@ import org.keycloak.authentication.RequiredActionFactory; import org.keycloak.authentication.RequiredActionProvider; import org.keycloak.TokenVerifier; import org.keycloak.authentication.actiontoken.*; +import org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionTokenHandler; import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator; import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants; import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator; -import org.keycloak.authentication.requiredactions.VerifyEmail; import org.keycloak.broker.provider.BrokeredIdentityContext; import org.keycloak.common.ClientConnection; import org.keycloak.common.VerificationException; -import org.keycloak.common.util.ObjectUtil; import org.keycloak.common.util.Time; import org.keycloak.events.Details; import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.exceptions.TokenNotActiveException; -import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; @@ -55,13 +53,10 @@ import org.keycloak.models.RealmModel; import org.keycloak.models.RoleModel; import org.keycloak.models.UserConsentModel; import org.keycloak.models.UserModel; -import org.keycloak.models.UserModel.RequiredAction; -import org.keycloak.models.UserSessionModel; import org.keycloak.models.utils.FormMessage; import org.keycloak.protocol.AuthorizationEndpointBase; import org.keycloak.protocol.LoginProtocol; import org.keycloak.protocol.LoginProtocol.Error; -import org.keycloak.protocol.RestartLoginCookie; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.utils.OIDCResponseMode; import org.keycloak.protocol.oidc.utils.OIDCResponseType; @@ -74,10 +69,9 @@ import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsServiceChecks.RestartFlowException; import org.keycloak.services.util.CacheControlUtil; -import org.keycloak.services.util.PageExpiredRedirect; +import org.keycloak.services.util.AuthenticationFlowURLHelper; import org.keycloak.services.util.BrowserHistoryHelper; import org.keycloak.sessions.AuthenticationSessionModel; -import org.keycloak.sessions.CommonClientSessionModel; import javax.ws.rs.Consumes; import javax.ws.rs.GET; @@ -94,6 +88,8 @@ import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import javax.ws.rs.ext.Providers; import java.net.URI; +import java.util.Map; + import javax.ws.rs.core.*; import static org.keycloak.authentication.actiontoken.DefaultActionToken.ACTION_TOKEN_BASIC_CHECKS; @@ -185,333 +181,14 @@ public class LoginActionsService { } private SessionCodeChecks checksForCode(String code, String execution, String flowPath) { - SessionCodeChecks res = new SessionCodeChecks(code, execution, flowPath); + SessionCodeChecks res = new SessionCodeChecks(realm, uriInfo, clientConnection, session, event, code, execution, flowPath); res.initialVerify(); return res; } - private SessionCodeChecks checksForCodeRefreshNotAllowed(String code, String execution, String flowPath) { - SessionCodeChecks res = new SessionCodeChecks(code, execution, flowPath); - res.setAllowRefresh(false); - res.initialVerify(); - return res; - } - - - - private class SessionCodeChecks { - ClientSessionCode clientCode; - Response response; - ClientSessionCode.ParseResult result; - private boolean actionRequest; - private boolean allowRefresh = true; - - private final String code; - private final String execution; - private final String flowPath; - - public SessionCodeChecks(String code, String execution, String flowPath) { - this.code = code; - this.execution = execution; - this.flowPath = flowPath; - } - - public AuthenticationSessionModel getAuthenticationSession() { - return clientCode == null ? null : clientCode.getClientSession(); - } - - public boolean passed() { - return response == null; - } - - public boolean failed() { - return response != null; - } - - public boolean isAllowRefresh() { - return allowRefresh; - } - - public void setAllowRefresh(boolean allowRefresh) { - this.allowRefresh = allowRefresh; - } - - - boolean verifyCode(String expectedAction, ClientSessionCode.ActionType actionType) { - if (failed()) { - return false; - } - - if (!isActionActive(actionType)) { - return false; - } - - if (!clientCode.isValidAction(expectedAction)) { - AuthenticationSessionModel authSession = getAuthenticationSession(); - if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) { - // TODO:mposolda debug or trace - logger.info("Incorrect flow '%s' . User authenticated already. Redirecting to requiredActions now."); - response = redirectToRequiredActions(null); - return false; - } else { - // TODO:mposolda could this happen? Doublecheck if we use other AuthenticationSession.Action besides AUTHENTICATE and REQUIRED_ACTIONS - logger.errorf("Bad action. Expected action '%s', current action '%s'", expectedAction, authSession.getAction()); - response = ErrorPage.error(session, Messages.EXPIRED_CODE); - return false; - } - } - - return true; - } - - - private boolean isActionActive(ClientSessionCode.ActionType actionType) { - if (!clientCode.isActionActive(actionType)) { - event.client(getAuthenticationSession().getClient()); - event.clone().error(Errors.EXPIRED_CODE); - - AuthenticationSessionModel authSession = getAuthenticationSession(); - AuthenticationProcessor.resetFlow(authSession, AUTHENTICATE_PATH); - response = processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT); - return false; - } - return true; - } - - - private AuthenticationSessionModel initialVerifyAuthSession() { - // Basic realm checks - if (!checkSsl()) { - event.error(Errors.SSL_REQUIRED); - response = ErrorPage.error(session, Messages.HTTPS_REQUIRED); - return null; - } - if (!realm.isEnabled()) { - event.error(Errors.REALM_DISABLED); - response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); - return null; - } - - // object retrieve - AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(code, session, realm, AuthenticationSessionModel.class); - if (authSession != null) { - return authSession; - } - - // See if we are already authenticated and userSession with same ID exists. - String sessionId = new AuthenticationSessionManager(session).getCurrentAuthenticationSessionId(realm); - if (sessionId != null) { - UserSessionModel userSession = session.sessions().getUserSession(realm, sessionId); - if (userSession != null) { - - LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class) - .setSuccess(Messages.ALREADY_LOGGED_IN); - - ClientModel client = null; - String lastClientUuid = userSession.getNote(AuthenticationManager.LAST_AUTHENTICATED_CLIENT); - if (lastClientUuid != null) { - client = realm.getClientById(lastClientUuid); - } - - if (client != null) { - session.getContext().setClient(client); - } else { - loginForm.setAttribute("skipLink", true); - } - - response = loginForm.createInfoPage(); - return null; - } - } - - // Otherwise just try to restart from the cookie - response = restartAuthenticationSessionFromCookie(); - return null; - } - - - private boolean initialVerify() { - // Basic realm checks and authenticationSession retrieve - AuthenticationSessionModel authSession = initialVerifyAuthSession(); - if (authSession == null) { - return false; - } - - // Check cached response from previous action request - response = BrowserHistoryHelper.getInstance().loadSavedResponse(session, authSession); - if (response != null) { - return false; - } - - // Client checks - event.detail(Details.CODE_ID, authSession.getId()); - ClientModel client = authSession.getClient(); - if (client == null) { - event.error(Errors.CLIENT_NOT_FOUND); - response = ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); - clientCode.removeExpiredClientSession(); - return false; - } - if (!client.isEnabled()) { - event.error(Errors.CLIENT_DISABLED); - response = ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); - clientCode.removeExpiredClientSession(); - return false; - } - session.getContext().setClient(client); - - - // Check if it's action or not - if (code == null) { - String lastExecFromSession = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); - String lastFlow = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); - - // Check if we transitted between flows (eg. clicking "register" on login screen) - if (execution==null && !flowPath.equals(lastFlow)) { - logger.infof("Transition between flows! Current flow: %s, Previous flow: %s", flowPath, lastFlow); - - if (lastFlow == null || isFlowTransitionAllowed(flowPath, lastFlow)) { - authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath); - authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); - lastExecFromSession = null; - } - } - - if (ObjectUtil.isEqualOrBothNull(execution, lastExecFromSession)) { - // Allow refresh of previous page - clientCode = new ClientSessionCode<>(session, realm, authSession); - actionRequest = false; - return true; - } else { - response = showPageExpired(authSession); - return false; - } - } else { - result = ClientSessionCode.parseResult(code, session, realm, AuthenticationSessionModel.class); - clientCode = result.getCode(); - if (clientCode == null) { - - // In case that is replayed action, but sent to the same FORM like actual FORM, we just re-render the page - if (allowRefresh && ObjectUtil.isEqualOrBothNull(execution, authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION))) { - String latestFlowPath = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); - URI redirectUri = getLastExecutionUrl(latestFlowPath, execution); - - logger.infof("Invalid action code, but execution matches. So just redirecting to %s", redirectUri); - authSession.setAuthNote(FORWARDED_ERROR_MESSAGE_NOTE, Messages.EXPIRED_ACTION); - response = Response.status(Response.Status.FOUND).location(redirectUri).build(); - } else { - response = showPageExpired(authSession); - } - return false; - } - - - actionRequest = execution != null; - authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, execution); - return true; - } - } - - - public boolean verifyRequiredAction(String executedAction) { - if (failed()) { - return false; - } - - if (!clientCode.isValidAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name())) { - // TODO:mposolda debug or trace - logger.infof("Expected required action, but session action is '%s' . Showing expired page now.", getAuthenticationSession().getAction()); - event.client(getAuthenticationSession().getClient()); - event.error(Errors.INVALID_CODE); - - response = showPageExpired(getAuthenticationSession()); - - return false; - } - - if (!isActionActive(ClientSessionCode.ActionType.USER)) return false; - - final AuthenticationSessionModel authSession = getAuthenticationSession(); - - if (actionRequest) { - String currentRequiredAction = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); - if (executedAction == null || !executedAction.equals(currentRequiredAction)) { - logger.debug("required action doesn't match current required action"); - response = redirectToRequiredActions(currentRequiredAction); - return false; - } - } - return true; - } - } - - - public static boolean isFlowTransitionAllowed(String currentFlow, String previousFlow) { - if (currentFlow.equals(AUTHENTICATE_PATH) && (previousFlow.equals(REGISTRATION_PATH) || previousFlow.equals(RESET_CREDENTIALS_PATH))) { - return true; - } - - if (currentFlow.equals(REGISTRATION_PATH) && (previousFlow.equals(AUTHENTICATE_PATH))) { - return true; - } - - if (currentFlow.equals(RESET_CREDENTIALS_PATH) && (previousFlow.equals(AUTHENTICATE_PATH) || previousFlow.equals(FIRST_BROKER_LOGIN_PATH))) { - return true; - } - - if (currentFlow.equals(FIRST_BROKER_LOGIN_PATH) && (previousFlow.equals(AUTHENTICATE_PATH) || previousFlow.equals(POST_BROKER_LOGIN_PATH))) { - return true; - } - - if (currentFlow.equals(POST_BROKER_LOGIN_PATH) && (previousFlow.equals(AUTHENTICATE_PATH) || previousFlow.equals(FIRST_BROKER_LOGIN_PATH))) { - return true; - } - - return false; - } - - - protected Response restartAuthenticationSessionFromCookie() { - logger.info("Authentication session not found. Trying to restart from cookie."); - AuthenticationSessionModel authSession = null; - try { - authSession = RestartLoginCookie.restartSession(session, realm); - } catch (Exception e) { - ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e); - } - - if (authSession != null) { - - event.clone(); - event.detail(Details.RESTART_AFTER_TIMEOUT, "true"); - event.error(Errors.EXPIRED_CODE); - - String warningMessage = Messages.LOGIN_TIMEOUT; - authSession.setAuthNote(FORWARDED_ERROR_MESSAGE_NOTE, warningMessage); - - String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW); - if (flowPath == null) { - flowPath = AUTHENTICATE_PATH; - } - - URI redirectUri = getLastExecutionUrl(flowPath, null); - logger.infof("Authentication session restart from cookie succeeded. Redirecting to %s", redirectUri); - return Response.status(Response.Status.FOUND).location(redirectUri).build(); - } else { - event.error(Errors.INVALID_CODE); - return ErrorPage.error(session, Messages.INVALID_CODE); - } - } - - - protected Response showPageExpired(AuthenticationSessionModel authSession) { - return new PageExpiredRedirect(session, realm, uriInfo) - .showPageExpired(authSession); - } - protected URI getLastExecutionUrl(String flowPath, String executionId) { - return new PageExpiredRedirect(session, realm, uriInfo) + return new AuthenticationFlowURLHelper(session, realm, uriInfo) .getLastExecutionUrl(flowPath, executionId); } @@ -525,11 +202,11 @@ public class LoginActionsService { @GET public Response restartSession() { event.event(EventType.RESTART_AUTHENTICATION); - SessionCodeChecks checks = new SessionCodeChecks(null, null, null); + SessionCodeChecks checks = new SessionCodeChecks(realm, uriInfo, clientConnection, session, event, null, null, null); AuthenticationSessionModel authSession = checks.initialVerifyAuthSession(); if (authSession == null) { - return checks.response; + return checks.getResponse(); } String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW); @@ -539,11 +216,8 @@ public class LoginActionsService { AuthenticationProcessor.resetFlow(authSession, flowPath); - // TODO:mposolda Check it's better to put it to AuthenticationProcessor.resetFlow (with consider of brokering) - authSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name()); - URI redirectUri = getLastExecutionUrl(flowPath, null); - logger.infof("Flow restart requested. Redirecting to %s", redirectUri); + logger.debugf("Flow restart requested. Redirecting to %s", redirectUri); return Response.status(Response.Status.FOUND).location(redirectUri).build(); } @@ -561,12 +235,12 @@ public class LoginActionsService { event.event(EventType.LOGIN); SessionCodeChecks checks = checksForCode(code, execution, AUTHENTICATE_PATH); - if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { - return checks.response; + if (!checks.verifyActiveAndValidAction(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + return checks.getResponse(); } AuthenticationSessionModel authSession = checks.getAuthenticationSession(); - boolean actionRequest = checks.actionRequest; + boolean actionRequest = checks.isActionRequest(); return processAuthentication(actionRequest, execution, authSession, null); } @@ -605,6 +279,9 @@ public class LoginActionsService { } else { response = processor.authenticate(); } + } catch (WebApplicationException e) { + response = e.getResponse(); + authSession = processor.getAuthenticationSession(); } catch (Exception e) { response = processor.handleBrowserException(e); authSession = processor.getAuthenticationSession(); // Could be changed (eg. Forked flow) @@ -696,30 +373,26 @@ public class LoginActionsService { */ protected Response resetCredentials(String code, String execution) { SessionCodeChecks checks = checksForCode(code, execution, RESET_CREDENTIALS_PATH); - if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) { - return checks.response; + if (!checks.verifyActiveAndValidAction(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) { + return checks.getResponse(); } final AuthenticationSessionModel authSession = checks.getAuthenticationSession(); if (!realm.isResetPasswordAllowed()) { - if (authSession != null) { - event.client(authSession.getClient()); - } event.error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } - return processResetCredentials(checks.actionRequest, execution, authSession); + return processResetCredentials(checks.isActionRequest(), execution, authSession); } /** * Handles a given token using the given token handler. If there is any {@link VerificationException} thrown * in the handler, it is handled automatically here to reduce boilerplate code. * - * @param tokenString Original token string - * @param eventError - * @param defaultErrorMessage + * @param key + * @param execution * @return */ @Path("action-token") @@ -888,30 +561,7 @@ public class LoginActionsService { } protected Response processResetCredentials(boolean actionRequest, String execution, AuthenticationSessionModel authSession) { - AuthenticationProcessor authProcessor = new AuthenticationProcessor() { - - @Override - protected Response authenticationComplete() { - boolean firstBrokerLoginInProgress = (authenticationSession.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); - if (firstBrokerLoginInProgress) { - - UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realm, authenticationSession); - if (!linkingUser.getId().equals(authenticationSession.getAuthenticatedUser().getId())) { - return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, authenticationSession.getAuthenticatedUser().getUsername(), linkingUser.getUsername()); - } - - SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); - authSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, serializedCtx.getIdentityProviderId()); - - logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login with identity provider '%s'.", - linkingUser.getUsername(), serializedCtx.getIdentityProviderId()); - - return redirectToAfterBrokerLoginEndpoint(authSession, true); - } else { - return super.authenticationComplete(); - } - } - }; + AuthenticationProcessor authProcessor = new ResetCredentialsActionTokenHandler.ResetCredsAuthenticationProcessor(); return processFlow(actionRequest, execution, authSession, RESET_CREDENTIALS_PATH, realm.getResetCredentialsFlow(), null, authProcessor); } @@ -958,19 +608,15 @@ public class LoginActionsService { } SessionCodeChecks checks = checksForCode(code, execution, REGISTRATION_PATH); - if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { - return checks.response; + if (!checks.verifyActiveAndValidAction(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + return checks.getResponse(); } - ClientSessionCode clientSessionCode = checks.clientCode; - AuthenticationSessionModel clientSession = clientSessionCode.getClientSession(); + AuthenticationSessionModel authSession = checks.getAuthenticationSession(); - // TODO:mposolda any consequences to do this for POST request too? - if (!isPostRequest) { - AuthenticationManager.expireIdentityCookie(realm, uriInfo, clientConnection); - } + AuthenticationManager.expireIdentityCookie(realm, uriInfo, clientConnection); - return processRegistration(checks.actionRequest, execution, clientSession, null); + return processRegistration(checks.isActionRequest(), execution, authSession, null); } @@ -1010,8 +656,8 @@ public class LoginActionsService { event.event(eventType); SessionCodeChecks checks = checksForCode(code, execution, flowPath); - if (!checks.verifyCode(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { - return checks.response; + if (!checks.verifyActiveAndValidAction(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) { + return checks.getResponse(); } event.detail(Details.CODE_ID, code); final AuthenticationSessionModel authSession = checks.getAuthenticationSession(); @@ -1056,10 +702,14 @@ public class LoginActionsService { }; - return processFlow(checks.actionRequest, execution, authSession, flowPath, brokerLoginFlow, null, processor); + return processFlow(checks.isActionRequest(), execution, authSession, flowPath, brokerLoginFlow, null, processor); } private Response redirectToAfterBrokerLoginEndpoint(AuthenticationSessionModel authSession, boolean firstBrokerLogin) { + return redirectToAfterBrokerLoginEndpoint(session, realm, uriInfo, authSession, firstBrokerLogin); + } + + public static Response redirectToAfterBrokerLoginEndpoint(KeycloakSession session, RealmModel realm, UriInfo uriInfo, AuthenticationSessionModel authSession, boolean firstBrokerLogin) { ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, authSession); authSession.setTimestamp(Time.currentTime()); @@ -1085,11 +735,10 @@ public class LoginActionsService { String code = formData.getFirst("code"); SessionCodeChecks checks = checksForCode(code, null, REQUIRED_ACTION); if (!checks.verifyRequiredAction(ClientSessionModel.Action.OAUTH_GRANT.name())) { - return checks.response; + return checks.getResponse(); } - ClientSessionCode accessCode = checks.clientCode; - AuthenticationSessionModel authSession = accessCode.getClientSession(); + AuthenticationSessionModel authSession = checks.getAuthenticationSession(); initLoginEvent(authSession); @@ -1113,10 +762,10 @@ public class LoginActionsService { grantedConsent = new UserConsentModel(client); session.users().addConsent(realm, user.getId(), grantedConsent); } - for (RoleModel role : accessCode.getRequestedRoles()) { + for (RoleModel role : ClientSessionCode.getRequestedRoles(authSession, realm)) { grantedConsent.addGrantedRole(role); } - for (ProtocolMapperModel protocolMapper : accessCode.getRequestedProtocolMappers()) { + for (ProtocolMapperModel protocolMapper : ClientSessionCode.getRequestedProtocolMappers(authSession.getProtocolMappers(), client)) { if (protocolMapper.isConsentRequired() && protocolMapper.getConsentText() != null) { grantedConsent.addGrantedProtocolMapper(protocolMapper); } @@ -1130,23 +779,6 @@ public class LoginActionsService { return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, authSession.getProtocol()); } - @Path("email-verification") - @GET - public Response emailVerification(@QueryParam("code") String code, @QueryParam("execution") String execution) { - event.event(EventType.SEND_VERIFY_EMAIL); - - SessionCodeChecks checks = checksForCodeRefreshNotAllowed(code, execution, REQUIRED_ACTION); - if (!checks.verifyCode(ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { - return checks.response; - } - ClientSessionCode accessCode = checks.clientCode; - AuthenticationSessionModel authSession = checks.getAuthenticationSession(); - initLoginEvent(authSession); - - event.clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, authSession.getAuthenticatedUser().getEmail()).success(); - - return VerifyEmail.sendVerifyEmail(session, accessCode.getCode(), authSession.getAuthenticatedUser(), authSession); - } /** * Initiated by admin, not the user on login @@ -1210,11 +842,12 @@ public class LoginActionsService { } event.detail(Details.REMEMBER_ME, rememberMe); - // TODO:mposolda Fix if this is called at firstBroker or postBroker login - /* - .detail(Details.IDENTITY_PROVIDER, userSession.getNote(Details.IDENTITY_PROVIDER)) - .detail(Details.IDENTITY_PROVIDER_USERNAME, userSession.getNote(Details.IDENTITY_PROVIDER_USERNAME)); - */ + Map userSessionNotes = authSession.getUserSessionNotes(); + String identityProvider = userSessionNotes.get(Details.IDENTITY_PROVIDER); + if (identityProvider != null) { + event.detail(Details.IDENTITY_PROVIDER, identityProvider) + .detail(Details.IDENTITY_PROVIDER_USERNAME, userSessionNotes.get(Details.IDENTITY_PROVIDER_USERNAME)); + } } @Path(REQUIRED_ACTION) @@ -1236,11 +869,11 @@ public class LoginActionsService { SessionCodeChecks checks = checksForCode(code, action, REQUIRED_ACTION); if (!checks.verifyRequiredAction(action)) { - return checks.response; + return checks.getResponse(); } AuthenticationSessionModel authSession = checks.getAuthenticationSession(); - if (!checks.actionRequest) { + if (!checks.isActionRequest()) { initLoginEvent(authSession); event.event(EventType.CUSTOM_REQUIRED_ACTION); return AuthenticationManager.nextActionAfterAuthentication(session, authSession, clientConnection, request, uriInfo, event); @@ -1268,7 +901,9 @@ public class LoginActionsService { Response response; provider.processAction(context); - authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, action); + if (action != null) { + authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, action); + } if (context.getStatus() == RequiredActionContext.Status.SUCCESS) { event.clone().success(); @@ -1298,15 +933,4 @@ public class LoginActionsService { return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(session, authSession, response, true); } - private Response redirectToRequiredActions(String action) { - UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo) - .path(LoginActionsService.REQUIRED_ACTION); - - if (action != null) { - uriBuilder.queryParam("execution", action); - } - URI redirect = uriBuilder.build(realm.getName()); - return Response.status(302).location(redirect).build(); - } - } diff --git a/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java b/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java new file mode 100644 index 0000000000..978ad6f26e --- /dev/null +++ b/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java @@ -0,0 +1,388 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.services.resources; + +import java.net.URI; + +import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; +import javax.ws.rs.core.UriInfo; + +import org.jboss.logging.Logger; +import org.keycloak.authentication.AuthenticationProcessor; +import org.keycloak.common.ClientConnection; +import org.keycloak.common.util.ObjectUtil; +import org.keycloak.events.Details; +import org.keycloak.events.Errors; +import org.keycloak.events.EventBuilder; +import org.keycloak.forms.login.LoginFormsProvider; +import org.keycloak.models.ClientModel; +import org.keycloak.models.ClientSessionModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserSessionModel; +import org.keycloak.protocol.AuthorizationEndpointBase; +import org.keycloak.protocol.RestartLoginCookie; +import org.keycloak.services.ErrorPage; +import org.keycloak.services.ServicesLogger; +import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.services.managers.ClientSessionCode; +import org.keycloak.services.messages.Messages; +import org.keycloak.services.util.BrowserHistoryHelper; +import org.keycloak.services.util.AuthenticationFlowURLHelper; +import org.keycloak.sessions.AuthenticationSessionModel; + + +public class SessionCodeChecks { + + private static final Logger logger = Logger.getLogger(SessionCodeChecks.class); + + private AuthenticationSessionModel authSession; + private ClientSessionCode clientCode; + private Response response; + private boolean actionRequest; + + private final RealmModel realm; + private final UriInfo uriInfo; + private final ClientConnection clientConnection; + private final KeycloakSession session; + private final EventBuilder event; + + private final String code; + private final String execution; + private final String flowPath; + + + public SessionCodeChecks(RealmModel realm, UriInfo uriInfo, ClientConnection clientConnection, KeycloakSession session, EventBuilder event, String code, String execution, String flowPath) { + this.realm = realm; + this.uriInfo = uriInfo; + this.clientConnection = clientConnection; + this.session = session; + this.event = event; + + this.code = code; + this.execution = execution; + this.flowPath = flowPath; + } + + + public AuthenticationSessionModel getAuthenticationSession() { + return authSession; + } + + + private boolean failed() { + return response != null; + } + + + public Response getResponse() { + return response; + } + + + public ClientSessionCode getClientCode() { + return clientCode; + } + + public boolean isActionRequest() { + return actionRequest; + } + + + private boolean checkSsl() { + if (uriInfo.getBaseUri().getScheme().equals("https")) { + return true; + } else { + return !realm.getSslRequired().isRequired(clientConnection); + } + } + + + public AuthenticationSessionModel initialVerifyAuthSession() { + // Basic realm checks + if (!checkSsl()) { + event.error(Errors.SSL_REQUIRED); + response = ErrorPage.error(session, Messages.HTTPS_REQUIRED); + return null; + } + if (!realm.isEnabled()) { + event.error(Errors.REALM_DISABLED); + response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); + return null; + } + + // object retrieve + AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(code, session, realm, AuthenticationSessionModel.class); + if (authSession != null) { + return authSession; + } + + // See if we are already authenticated and userSession with same ID exists. + String sessionId = new AuthenticationSessionManager(session).getCurrentAuthenticationSessionId(realm); + if (sessionId != null) { + UserSessionModel userSession = session.sessions().getUserSession(realm, sessionId); + if (userSession != null) { + + LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class) + .setSuccess(Messages.ALREADY_LOGGED_IN); + + ClientModel client = null; + String lastClientUuid = userSession.getNote(AuthenticationManager.LAST_AUTHENTICATED_CLIENT); + if (lastClientUuid != null) { + client = realm.getClientById(lastClientUuid); + } + + if (client != null) { + session.getContext().setClient(client); + } else { + loginForm.setAttribute("skipLink", true); + } + + response = loginForm.createInfoPage(); + return null; + } + } + + // Otherwise just try to restart from the cookie + response = restartAuthenticationSessionFromCookie(); + return null; + } + + + public boolean initialVerify() { + // Basic realm checks and authenticationSession retrieve + authSession = initialVerifyAuthSession(); + if (authSession == null) { + return false; + } + + // Check cached response from previous action request + response = BrowserHistoryHelper.getInstance().loadSavedResponse(session, authSession); + if (response != null) { + return false; + } + + // Client checks + event.detail(Details.CODE_ID, authSession.getId()); + ClientModel client = authSession.getClient(); + if (client == null) { + event.error(Errors.CLIENT_NOT_FOUND); + response = ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); + clientCode.removeExpiredClientSession(); + return false; + } + + event.client(client); + session.getContext().setClient(client); + + if (!client.isEnabled()) { + event.error(Errors.CLIENT_DISABLED); + response = ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); + clientCode.removeExpiredClientSession(); + return false; + } + + + // Check if it's action or not + if (code == null) { + String lastExecFromSession = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + String lastFlow = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); + + // Check if we transitted between flows (eg. clicking "register" on login screen) + if (execution==null && !flowPath.equals(lastFlow)) { + logger.debugf("Transition between flows! Current flow: %s, Previous flow: %s", flowPath, lastFlow); + + // Don't allow moving to different flow if I am on requiredActions already + if (ClientSessionModel.Action.AUTHENTICATE.name().equals(authSession.getAction())) { + authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath); + authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + lastExecFromSession = null; + } + } + + if (ObjectUtil.isEqualOrBothNull(execution, lastExecFromSession)) { + // Allow refresh of previous page + clientCode = new ClientSessionCode<>(session, realm, authSession); + actionRequest = false; + return true; + } else { + response = showPageExpired(authSession); + return false; + } + } else { + ClientSessionCode.ParseResult result = ClientSessionCode.parseResult(code, session, realm, AuthenticationSessionModel.class); + clientCode = result.getCode(); + if (clientCode == null) { + + // In case that is replayed action, but sent to the same FORM like actual FORM, we just re-render the page + if (ObjectUtil.isEqualOrBothNull(execution, authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION))) { + String latestFlowPath = authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH); + URI redirectUri = getLastExecutionUrl(latestFlowPath, execution); + + logger.debugf("Invalid action code, but execution matches. So just redirecting to %s", redirectUri); + authSession.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, Messages.EXPIRED_ACTION); + response = Response.status(Response.Status.FOUND).location(redirectUri).build(); + } else { + response = showPageExpired(authSession); + } + return false; + } + + + actionRequest = true; + if (execution != null) { + authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, execution); + } + return true; + } + } + + + public boolean verifyActiveAndValidAction(String expectedAction, ClientSessionCode.ActionType actionType) { + if (failed()) { + return false; + } + + if (!isActionActive(actionType)) { + return false; + } + + if (!clientCode.isValidAction(expectedAction)) { + AuthenticationSessionModel authSession = getAuthenticationSession(); + if (ClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authSession.getAction())) { + logger.debugf("Incorrect action '%s' . User authenticated already.", authSession.getAction()); + response = showPageExpired(authSession); + return false; + } else { + logger.errorf("Bad action. Expected action '%s', current action '%s'", expectedAction, authSession.getAction()); + response = ErrorPage.error(session, Messages.EXPIRED_CODE); + return false; + } + } + + return true; + } + + + private boolean isActionActive(ClientSessionCode.ActionType actionType) { + if (!clientCode.isActionActive(actionType)) { + event.clone().error(Errors.EXPIRED_CODE); + + AuthenticationProcessor.resetFlow(authSession, LoginActionsService.AUTHENTICATE_PATH); + + authSession.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, Messages.LOGIN_TIMEOUT); + + URI redirectUri = getLastExecutionUrl(LoginActionsService.AUTHENTICATE_PATH, null); + logger.debugf("Flow restart after timeout. Redirecting to %s", redirectUri); + response = Response.status(Response.Status.FOUND).location(redirectUri).build(); + return false; + } + return true; + } + + + public boolean verifyRequiredAction(String executedAction) { + if (failed()) { + return false; + } + + if (!clientCode.isValidAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name())) { + logger.debugf("Expected required action, but session action is '%s' . Showing expired page now.", authSession.getAction()); + event.error(Errors.INVALID_CODE); + + response = showPageExpired(authSession); + + return false; + } + + if (!isActionActive(ClientSessionCode.ActionType.USER)) { + return false; + } + + if (actionRequest) { + String currentRequiredAction = authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION); + if (executedAction == null || !executedAction.equals(currentRequiredAction)) { + logger.debug("required action doesn't match current required action"); + response = redirectToRequiredActions(currentRequiredAction); + return false; + } + } + return true; + } + + + private Response restartAuthenticationSessionFromCookie() { + logger.debug("Authentication session not found. Trying to restart from cookie."); + AuthenticationSessionModel authSession = null; + try { + authSession = RestartLoginCookie.restartSession(session, realm); + } catch (Exception e) { + ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e); + } + + if (authSession != null) { + + event.clone(); + event.detail(Details.RESTART_AFTER_TIMEOUT, "true"); + event.error(Errors.EXPIRED_CODE); + + String warningMessage = Messages.LOGIN_TIMEOUT; + authSession.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, warningMessage); + + String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW); + if (flowPath == null) { + flowPath = LoginActionsService.AUTHENTICATE_PATH; + } + + URI redirectUri = getLastExecutionUrl(flowPath, null); + logger.debugf("Authentication session restart from cookie succeeded. Redirecting to %s", redirectUri); + return Response.status(Response.Status.FOUND).location(redirectUri).build(); + } else { + // Finally need to show error as all the fallbacks failed + event.error(Errors.INVALID_CODE); + return ErrorPage.error(session, Messages.INVALID_CODE); + } + } + + + private Response redirectToRequiredActions(String action) { + UriBuilder uriBuilder = LoginActionsService.loginActionsBaseUrl(uriInfo) + .path(LoginActionsService.REQUIRED_ACTION); + + if (action != null) { + uriBuilder.queryParam("execution", action); + } + URI redirect = uriBuilder.build(realm.getName()); + return Response.status(302).location(redirect).build(); + } + + + private URI getLastExecutionUrl(String flowPath, String executionId) { + return new AuthenticationFlowURLHelper(session, realm, uriInfo) + .getLastExecutionUrl(flowPath, executionId); + } + + + private Response showPageExpired(AuthenticationSessionModel authSession) { + return new AuthenticationFlowURLHelper(session, realm, uriInfo) + .showPageExpired(authSession); + } + +} diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java index 89b0a3317c..a92729e2b4 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java @@ -25,8 +25,8 @@ import org.keycloak.common.Profile; import org.keycloak.common.util.Time; import org.keycloak.events.admin.OperationType; import org.keycloak.events.admin.ResourceType; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.Constants; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ModelDuplicateException; @@ -492,8 +492,11 @@ public class ClientResource { UserSessionRepresentation rep = ModelToRepresentation.toRepresentation(userSession); // Update lastSessionRefresh with the timestamp from clientSession - for (ClientSessionModel clientSession : userSession.getClientSessions()) { - if (client.getId().equals(clientSession.getClient().getId())) { + for (Map.Entry csEntry : userSession.getAuthenticatedClientSessions().entrySet()) { + String clientUuid = csEntry.getKey(); + AuthenticatedClientSessionModel clientSession = csEntry.getValue(); + + if (client.getId().equals(clientUuid)) { rep.setLastAccess(Time.toMillis(clientSession.getTimestamp())); break; } diff --git a/services/src/main/java/org/keycloak/services/scheduled/ClearExpiredUserSessions.java b/services/src/main/java/org/keycloak/services/scheduled/ClearExpiredUserSessions.java index 5935eb08cb..5315be4add 100755 --- a/services/src/main/java/org/keycloak/services/scheduled/ClearExpiredUserSessions.java +++ b/services/src/main/java/org/keycloak/services/scheduled/ClearExpiredUserSessions.java @@ -32,6 +32,7 @@ public class ClearExpiredUserSessions implements ScheduledTask { UserSessionProvider sessions = session.sessions(); for (RealmModel realm : session.realms().getRealms()) { sessions.removeExpired(realm); + session.authenticationSessions().removeExpired(realm); } } diff --git a/services/src/main/java/org/keycloak/services/util/PageExpiredRedirect.java b/services/src/main/java/org/keycloak/services/util/AuthenticationFlowURLHelper.java similarity index 89% rename from services/src/main/java/org/keycloak/services/util/PageExpiredRedirect.java rename to services/src/main/java/org/keycloak/services/util/AuthenticationFlowURLHelper.java index 83f0ce52ad..b97963e009 100644 --- a/services/src/main/java/org/keycloak/services/util/PageExpiredRedirect.java +++ b/services/src/main/java/org/keycloak/services/util/AuthenticationFlowURLHelper.java @@ -35,15 +35,15 @@ import org.keycloak.sessions.AuthenticationSessionModel; /** * @author Marek Posolda */ -public class PageExpiredRedirect { +public class AuthenticationFlowURLHelper { - protected static final Logger logger = Logger.getLogger(PageExpiredRedirect.class); + protected static final Logger logger = Logger.getLogger(AuthenticationFlowURLHelper.class); private final KeycloakSession session; private final RealmModel realm; private final UriInfo uriInfo; - public PageExpiredRedirect(KeycloakSession session, RealmModel realm, UriInfo uriInfo) { + public AuthenticationFlowURLHelper(KeycloakSession session, RealmModel realm, UriInfo uriInfo) { this.session = session; this.realm = realm; this.uriInfo = uriInfo; @@ -53,7 +53,7 @@ public class PageExpiredRedirect { public Response showPageExpired(AuthenticationSessionModel authSession) { URI lastStepUrl = getLastExecutionUrl(authSession); - logger.infof("Redirecting to 'page expired' now. Will use last step URL: %s", lastStepUrl); + logger.debugf("Redirecting to 'page expired' now. Will use last step URL: %s", lastStepUrl); return session.getProvider(LoginFormsProvider.class) .setActionUri(lastStepUrl) diff --git a/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java b/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java index 89cda2c6fe..890d21cf85 100644 --- a/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java +++ b/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java @@ -77,7 +77,7 @@ public abstract class BrowserHistoryHelper { if (entity instanceof String) { String responseString = (String) entity; - URI lastExecutionURL = new PageExpiredRedirect(session, session.getContext().getRealm(), session.getContext().getUri()).getLastExecutionUrl(authSession); + URI lastExecutionURL = new AuthenticationFlowURLHelper(session, session.getContext().getRealm(), session.getContext().getUri()).getLastExecutionUrl(authSession); // Inject javascript for history "replaceState" String responseWithJavascript = responseWithJavascript(responseString, lastExecutionURL.toString()); @@ -124,6 +124,7 @@ public abstract class BrowserHistoryHelper { } + // This impl is limited ATM. Saved request doesn't save response HTTP headers, so they may not be fully restored.. private static class RedirectAfterPostHelper extends BrowserHistoryHelper { private static final String CACHED_RESPONSE = "cached.response"; @@ -141,10 +142,11 @@ public abstract class BrowserHistoryHelper { String responseString = (String) entity; authSession.setAuthNote(CACHED_RESPONSE, responseString); - URI lastExecutionURL = new PageExpiredRedirect(session, session.getContext().getRealm(), session.getContext().getUri()).getLastExecutionUrl(authSession); + URI lastExecutionURL = new AuthenticationFlowURLHelper(session, session.getContext().getRealm(), session.getContext().getUri()).getLastExecutionUrl(authSession); - // TODO:mposolda trace - logger.infof("Saved response challenge and redirect to %s", lastExecutionURL); + if (logger.isTraceEnabled()) { + logger.tracef("Saved response challenge and redirect to %s", lastExecutionURL); + } return Response.status(302).location(lastExecutionURL).build(); } @@ -160,11 +162,12 @@ public abstract class BrowserHistoryHelper { if (savedResponse != null) { authSession.removeAuthNote(CACHED_RESPONSE); - // TODO:mposolda trace - logger.infof("Restored previously saved request"); + if (logger.isTraceEnabled()) { + logger.tracef("Restored previously saved request"); + } Response.ResponseBuilder builder = Response.status(200).type(MediaType.TEXT_HTML_UTF_8).entity(savedResponse); - BrowserSecurityHeaderSetup.headers(builder, session.getContext().getRealm()); // TODO:mposolda cRather all the headers from the saved response should be added here. + BrowserSecurityHeaderSetup.headers(builder, session.getContext().getRealm()); // TODO rather all the headers from the saved response should be added here. return builder.build(); } diff --git a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java index a8c42b1726..00be27c8b4 100755 --- a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java +++ b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java @@ -119,6 +119,8 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider { + return KeycloakModelUtils.generateId(); + }; scope = null; uiLocales = null; clientSessionState = null; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java index 38662d1d4c..098c05a4a1 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java @@ -122,9 +122,9 @@ public class AssertEvents implements TestRule { .session(isUUID()); } - // TODO:mposolda codeId is not needed anymore public ExpectedEvent expectCodeToToken(String codeId, String sessionId) { return expect(EventType.CODE_TO_TOKEN) + .detail(Details.CODE_ID, codeId) .detail(Details.TOKEN_ID, isUUID()) .detail(Details.REFRESH_TOKEN_ID, isUUID()) .detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_REFRESH) diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java index 433b0b124d..124620a9df 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionMultipleActionsTest.java @@ -63,46 +63,50 @@ public class RequiredActionMultipleActionsTest extends AbstractTestRealmKeycloak loginPage.open(); loginPage.login("test-user@localhost", "password"); - String sessionId = null; + String codeId = null; if (changePasswordPage.isCurrent()) { - sessionId = updatePassword(sessionId); + codeId = updatePassword(codeId); updateProfilePage.assertCurrent(); - updateProfile(sessionId); + updateProfile(codeId); } else if (updateProfilePage.isCurrent()) { - sessionId = updateProfile(sessionId); + codeId = updateProfile(codeId); changePasswordPage.assertCurrent(); - updatePassword(sessionId); + updatePassword(codeId); } else { Assert.fail("Expected to update password and profile before login"); } Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectLogin().session(sessionId).assertEvent(); + events.expectLogin().session(codeId).assertEvent(); } - public String updatePassword(String sessionId) { + public String updatePassword(String codeId) { changePasswordPage.changePassword("new-password", "new-password"); AssertEvents.ExpectedEvent expectedEvent = events.expectRequiredAction(EventType.UPDATE_PASSWORD); - if (sessionId != null) { - expectedEvent.session(sessionId); + if (codeId != null) { + expectedEvent.detail(Details.CODE_ID, codeId); } - return expectedEvent.assertEvent().getSessionId(); + return expectedEvent.assertEvent().getDetails().get(Details.CODE_ID); } - public String updateProfile(String sessionId) { + public String updateProfile(String codeId) { updateProfilePage.update("New first", "New last", "new@email.com", "test-user@localhost"); - AssertEvents.ExpectedEvent expectedEvent = events.expectRequiredAction(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, "test-user@localhost").detail(Details.UPDATED_EMAIL, "new@email.com"); - if (sessionId != null) { - expectedEvent.session(sessionId); + AssertEvents.ExpectedEvent expectedEvent = events.expectRequiredAction(EventType.UPDATE_EMAIL) + .detail(Details.PREVIOUS_EMAIL, "test-user@localhost") + .detail(Details.UPDATED_EMAIL, "new@email.com"); + if (codeId != null) { + expectedEvent.detail(Details.CODE_ID, codeId); } - sessionId = expectedEvent.assertEvent().getSessionId(); - events.expectRequiredAction(EventType.UPDATE_PROFILE).session(sessionId).assertEvent(); - return sessionId; + codeId = expectedEvent.assertEvent().getDetails().get(Details.CODE_ID); + events.expectRequiredAction(EventType.UPDATE_PROFILE) + .detail(Details.CODE_ID, codeId) + .assertEvent(); + return codeId; } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionTotpSetupTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionTotpSetupTest.java index f613087706..a06079c0bc 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionTotpSetupTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionTotpSetupTest.java @@ -127,11 +127,12 @@ public class RequiredActionTotpSetupTest extends AbstractTestRealmKeycloakTest { totpPage.configure(totp.generateTOTP(totpPage.getTotpSecret())); - String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).user(userId).detail(Details.USERNAME, "setuptotp").assertEvent().getSessionId(); + String authSessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).user(userId).detail(Details.USERNAME, "setuptotp").assertEvent() + .getDetails().get(Details.CODE_ID); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectLogin().user(userId).session(sessionId).detail(Details.USERNAME, "setuptotp").assertEvent(); + events.expectLogin().user(userId).session(authSessionId).detail(Details.USERNAME, "setuptotp").assertEvent(); } @Test @@ -145,15 +146,16 @@ public class RequiredActionTotpSetupTest extends AbstractTestRealmKeycloakTest { totpPage.configure(totp.generateTOTP(totpSecret)); - String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).assertEvent().getSessionId(); + String authSessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).assertEvent() + .getDetails().get(Details.CODE_ID); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - EventRepresentation loginEvent = events.expectLogin().session(sessionId).assertEvent(); + EventRepresentation loginEvent = events.expectLogin().session(authSessionId).assertEvent(); oauth.openLogout(); - events.expectLogout(loginEvent.getSessionId()).assertEvent(); + events.expectLogout(authSessionId).assertEvent(); loginPage.open(); loginPage.login("test-user@localhost", "password"); @@ -229,7 +231,8 @@ public class RequiredActionTotpSetupTest extends AbstractTestRealmKeycloakTest { totpPage.assertCurrent(); totpPage.configure(totp.generateTOTP(totpPage.getTotpSecret())); - String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).user(userId).detail(Details.USERNAME, "setupTotp2").assertEvent().getSessionId(); + String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).user(userId).detail(Details.USERNAME, "setupTotp2").assertEvent() + .getDetails().get(Details.CODE_ID); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); @@ -260,7 +263,8 @@ public class RequiredActionTotpSetupTest extends AbstractTestRealmKeycloakTest { TimeBasedOTP timeBased = new TimeBasedOTP(HmacOTP.HMAC_SHA1, 8, 30, 1); totpPage.configure(timeBased.generateTOTP(totpSecret)); - String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).assertEvent().getSessionId(); + String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).assertEvent() + .getDetails().get(Details.CODE_ID); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); @@ -311,7 +315,8 @@ public class RequiredActionTotpSetupTest extends AbstractTestRealmKeycloakTest { HmacOTP otpgen = new HmacOTP(6, HmacOTP.HMAC_SHA1, 1); totpPage.configure(otpgen.generateHOTP(totpSecret, 0)); String uri = driver.getCurrentUrl(); - String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).assertEvent().getSessionId(); + String sessionId = events.expectRequiredAction(EventType.UPDATE_TOTP).assertEvent() + .getDetails().get(Details.CODE_ID); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java index 80ee0fee84..9c18070672 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateProfileTest.java @@ -16,6 +16,7 @@ */ package org.keycloak.testsuite.actions; +import org.hamcrest.Matchers; import org.jboss.arquillian.graphene.page.Page; import org.junit.Assert; import org.junit.Before; @@ -89,12 +90,12 @@ public class RequiredActionUpdateProfileTest extends AbstractTestRealmKeycloakTe updateProfilePage.update("New first", "New last", "new@email.com", "test-user@localhost"); - String sessionId = events.expectRequiredAction(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, "test-user@localhost").detail(Details.UPDATED_EMAIL, "new@email.com").assertEvent().getSessionId(); - events.expectRequiredAction(EventType.UPDATE_PROFILE).session(sessionId).assertEvent(); + events.expectRequiredAction(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, "test-user@localhost").detail(Details.UPDATED_EMAIL, "new@email.com").assertEvent(); + events.expectRequiredAction(EventType.UPDATE_PROFILE).assertEvent(); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectLogin().session(sessionId).assertEvent(); + events.expectLogin().assertEvent(); // assert user is really updated in persistent store UserRepresentation user = ActionUtil.findUserWithAdminClient(adminClient, "test-user@localhost"); @@ -116,19 +117,17 @@ public class RequiredActionUpdateProfileTest extends AbstractTestRealmKeycloakTe updateProfilePage.update("New first", "New last", "john-doh@localhost", "new"); - String sessionId = events - .expectLogin() + events.expectLogin() .event(EventType.UPDATE_PROFILE) .detail(Details.USERNAME, "john-doh@localhost") .user(userId) - .session(AssertEvents.isUUID()) + .session(Matchers.nullValue(String.class)) .removeDetail(Details.CONSENT) - .assertEvent() - .getSessionId(); + .assertEvent(); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectLogin().detail(Details.USERNAME, "john-doh@localhost").user(userId).session(sessionId).assertEvent(); + events.expectLogin().detail(Details.USERNAME, "john-doh@localhost").user(userId).assertEvent(); // assert user is really updated in persistent store UserRepresentation user = ActionUtil.findUserWithAdminClient(adminClient, "new"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java index ab5229482b..86066e8ac7 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java @@ -16,6 +16,7 @@ */ package org.keycloak.testsuite.actions; +import org.hamcrest.Matchers; import org.jboss.arquillian.graphene.page.Page; import org.junit.Assert; import org.junit.Before; @@ -86,11 +87,11 @@ public class TermsAndConditionsTest extends AbstractTestRealmKeycloakTest { termsPage.acceptTerms(); - String sessionId = events.expectRequiredAction(EventType.CUSTOM_REQUIRED_ACTION).removeDetail(Details.REDIRECT_URI).detail(Details.CUSTOM_REQUIRED_ACTION, TermsAndConditions.PROVIDER_ID).assertEvent().getSessionId(); + events.expectRequiredAction(EventType.CUSTOM_REQUIRED_ACTION).removeDetail(Details.REDIRECT_URI).detail(Details.CUSTOM_REQUIRED_ACTION, TermsAndConditions.PROVIDER_ID).assertEvent(); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); - events.expectLogin().session(sessionId).assertEvent(); + events.expectLogin().assertEvent(); // assert user attribute is properly set UserRepresentation user = ActionUtil.findUserWithAdminClient(adminClient, "test-user@localhost"); @@ -123,6 +124,7 @@ public class TermsAndConditionsTest extends AbstractTestRealmKeycloakTest { events.expectLogin().event(EventType.CUSTOM_REQUIRED_ACTION_ERROR).detail(Details.CUSTOM_REQUIRED_ACTION, TermsAndConditions.PROVIDER_ID) .error(Errors.REJECTED_BY_USER) .removeDetail(Details.CONSENT) + .session(Matchers.nullValue(String.class)) .assertEvent(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java index abda821e1d..37b9d72059 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java @@ -40,6 +40,7 @@ import org.apache.http.auth.AuthScope; import org.apache.http.auth.Credentials; import org.apache.http.client.params.AuthPolicy; import org.apache.http.client.utils.URLEncodedUtils; +import org.apache.http.impl.client.AbstractHttpClient; import org.apache.http.impl.client.DefaultHttpClient; import org.ietf.jgss.GSSCredential; import org.jboss.arquillian.graphene.page.Page; @@ -347,7 +348,10 @@ public abstract class AbstractKerberosTest extends AbstractAuthTest { cleanupApacheHttpClient(); } - DefaultHttpClient httpClient = (DefaultHttpClient) new HttpClientBuilder().build(); + DefaultHttpClient httpClient = (DefaultHttpClient) new HttpClientBuilder() + .disableCookieCache(false) + .build(); + httpClient.getAuthSchemes().register(AuthPolicy.SPNEGO, spnegoSchemeFactory); if (useSpnego) { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java index 65e5a3e52e..2d6d3afb5f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java @@ -17,18 +17,23 @@ package org.keycloak.testsuite.federation.kerberos; +import java.net.URI; +import java.net.URL; import java.util.List; import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; +import javax.ws.rs.client.Entity; +import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; import org.junit.Assert; import org.junit.ClassRule; import org.junit.Test; import org.keycloak.common.constants.KerberosConstants; +import org.keycloak.common.util.KeycloakUriBuilder; import org.keycloak.common.util.MultivaluedHashMap; import org.keycloak.federation.kerberos.CommonKerberosConfig; import org.keycloak.federation.kerberos.KerberosConfig; @@ -148,15 +153,24 @@ public class KerberosStandaloneTest extends AbstractKerberosTest { Response spnegoResponse = spnegoLogin("hnelson", "secret"); String context = spnegoResponse.readEntity(String.class); spnegoResponse.close(); + + Assert.assertTrue(context.contains("Log in to test")); + Pattern pattern = Pattern.compile("action=\"([^\"]+)\""); Matcher m = pattern.matcher(context); Assert.assertTrue(m.find()); String url = m.group(1); - driver.navigate().to(url); - Assert.assertTrue(loginPage.isCurrent()); - loginPage.login("test-user@localhost", "password"); - String pageSource = driver.getPageSource(); - assertAuthenticationSuccess(driver.getCurrentUrl()); + + + // Follow login with HttpClient. Improve if needed + MultivaluedMap params = new javax.ws.rs.core.MultivaluedHashMap<>(); + params.putSingle("username", "test-user@localhost"); + params.putSingle("password", "password"); + Response response = client.target(url).request() + .post(Entity.form(params)); + + URI redirectUri = response.getLocation(); + assertAuthenticationSuccess(redirectUri.toString()); events.clear(); testRealmResource().components().add(kerberosProvider); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java index 6cbe92f39e..08d826522e 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java @@ -254,7 +254,7 @@ public class BrowserButtonsTest extends AbstractTestRealmKeycloakTest { // KEYCLOAK-4670 - Flow 5 @Test - public void clickBackButtonAfterReturnFromRegister() { + public void clickBackButtonAfterReturnFromRegister() throws Exception { loginPage.open(); loginPage.clickRegister(); registerPage.assertCurrent(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java index cec079d674..24a70fd6f8 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java @@ -21,6 +21,8 @@ import org.jboss.arquillian.graphene.page.Page; import org.junit.Before; import org.junit.Rule; import org.junit.Test; +import org.keycloak.events.Details; +import org.keycloak.models.Constants; import org.keycloak.models.UserModel; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.UserRepresentation; @@ -28,6 +30,7 @@ import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; import org.keycloak.testsuite.Assert; import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.admin.ApiUtil; +import org.keycloak.testsuite.arquillian.AuthServerTestEnricher; import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.ErrorPage; import org.keycloak.testsuite.pages.InfoPage; @@ -43,7 +46,7 @@ import org.keycloak.testsuite.util.GreenMailRule; import org.keycloak.testsuite.util.UserBuilder; /** - * Tries to test multiple browser tabs + * Tries to simulate testing with multiple browser tabs * * @author Marek Posolda */ @@ -245,4 +248,43 @@ public class MultipleTabsLoginTest extends AbstractTestRealmKeycloakTest { } + @Test + public void loginActionWithoutExecution() throws Exception { + oauth.openLoginForm(); + + // Manually remove execution from the URL and try to simulate the request just with "code" parameter + String actionUrl = driver.getPageSource().split("action=\"")[1].split("\"")[0].replaceAll("&", "&"); + actionUrl = actionUrl.replaceFirst("&execution=.*", ""); + + driver.navigate().to(actionUrl); + + loginExpiredPage.assertCurrent(); + } + + + // Same like "loginActionWithoutExecution", but AuthenticationSession is in REQUIRED_ACTIONS action + @Test + public void loginActionWithoutExecutionInRequiredActions() throws Exception { + oauth.openLoginForm(); + loginPage.assertCurrent(); + + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + // Manually remove execution from the URL and try to simulate the request just with "code" parameter + String actionUrl = driver.getPageSource().split("action=\"")[1].split("\"")[0].replaceAll("&", "&"); + actionUrl = actionUrl.replaceFirst("&execution=.*", ""); + + driver.navigate().to(actionUrl); + + // Back on updatePasswordPage now + updatePasswordPage.assertCurrent(); + + updatePasswordPage.changePassword("password", "password"); + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + appPage.assertCurrent(); + } + + + } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java index 92e68cb046..ecf540cc30 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java @@ -210,12 +210,7 @@ public class AccessTokenTest extends AbstractKeycloakTest { oauth.redirectUri(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/admin/test/console/nosuch.html"); oauth.openLoginForm(); - String actionUrl = driver.getPageSource().split("action=\"")[1].split("\"")[0].replaceAll("&", "&"); - actionUrl = actionUrl.replaceFirst("&execution=.*", ""); - - String loginPageCode = actionUrl.split("code=")[1].split("&")[0]; - - driver.navigate().to(actionUrl); + String loginPageCode = driver.getPageSource().split("code=")[1].split("&")[0].split("\"")[0]; oauth.fillLoginForm("test-user@localhost", "password"); @@ -452,7 +447,7 @@ public class AccessTokenTest extends AbstractKeycloakTest { Assert.assertEquals(400, response.getStatusCode()); EventRepresentation event = events.poll(); - assertNotNull(event.getDetails().get(Details.CODE_ID)); + assertNull(event.getDetails().get(Details.CODE_ID)); UserManager.realm(adminClient.realm("test")).user(user).removeRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE.toString()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java index 0ca77853b1..757799046c 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java @@ -155,7 +155,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { } private void assertCode(String expectedCodeId, String actualCode) { - assertEquals(expectedCodeId, actualCode.split("\\.")[1]); + assertEquals(expectedCodeId, actualCode.split("\\.")[2]); } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java index e244f9a379..c5304ff61c 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java @@ -16,8 +16,8 @@ */ package org.keycloak.testsuite.oauth; +import org.hamcrest.Matchers; import org.jboss.arquillian.graphene.page.Page; -import org.junit.After; import org.junit.Assert; import org.junit.Rule; import org.junit.Test; @@ -155,6 +155,7 @@ public class OAuthGrantTest extends AbstractKeycloakTest { .client(THIRD_PARTY_APP) .error("rejected_by_user") .removeDetail(Details.CONSENT) + .session(Matchers.nullValue(String.class)) .assertEvent(); } @@ -309,6 +310,7 @@ public class OAuthGrantTest extends AbstractKeycloakTest { .client(THIRD_PARTY_APP) .error("rejected_by_user") .removeDetail(Details.CONSENT) + .session(Matchers.nullValue(String.class)) .assertEvent(); oauth.scope("foo-role third-party/bar-role"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java index ac8e3592cf..03522d66fd 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java @@ -304,6 +304,31 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest } + + @Test + public void promptLoginDifferentUser() throws Exception { + String sss = oauth.getLoginFormUrl(); + System.out.println(sss); + + // Login user + loginPage.open(); + loginPage.login("test-user@localhost", "password"); + Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); + + EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent(); + IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent); + + // Assert need to re-authenticate with prompt=login + driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login"); + + // Authenticate as different user + loginPage.assertCurrent(); + loginPage.login("john-doh@localhost", "password"); + + errorPage.assertCurrent(); + Assert.assertTrue(errorPage.getError().startsWith("You are already authenticated as different user")); + } + // DISPLAY & OTHERS @Test diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/scripts/client-session-test.js b/testsuite/integration-arquillian/tests/base/src/test/resources/scripts/client-session-test.js index 07a07a13c6..0fd70d518c 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/scripts/client-session-test.js +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/scripts/client-session-test.js @@ -12,7 +12,7 @@ function authenticate(context) { return; } - if (clientSession.getAuthMethod() != "${authMethod}") { + if (clientSession.getProtocol() != "${authMethod}") { context.failure(AuthenticationFlowError.INVALID_CLIENT_SESSION); return; } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java index 46d62b83c2..2da679ec3d 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java @@ -35,6 +35,7 @@ import org.keycloak.common.util.PemUtils; import org.keycloak.constants.AdapterConstants; import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.crypto.RSAProvider; +import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.representations.AccessToken; import org.keycloak.representations.RefreshToken; @@ -69,7 +70,9 @@ public class OAuthClient { private String redirectUri = "http://localhost:8081/app/auth"; - private String state = "mystate"; + private StateParamProvider state = () -> { + return KeycloakModelUtils.generateId(); + }; private String scope; @@ -438,7 +441,7 @@ public class OAuthClient { b.queryParam(OAuth2Constants.REDIRECT_URI, redirectUri); } if (state != null) { - b.queryParam(OAuth2Constants.STATE, state); + b.queryParam(OAuth2Constants.STATE, state.getState()); } if(uiLocales != null){ b.queryParam(OAuth2Constants.UI_LOCALES_PARAM, uiLocales); @@ -509,8 +512,17 @@ public class OAuthClient { return this; } - public OAuthClient state(String state) { - this.state = state; + public OAuthClient stateParamHardcoded(String value) { + this.state = () -> { + return value; + }; + return this; + } + + public OAuthClient stateParamRandom() { + this.state = () -> { + return KeycloakModelUtils.generateId(); + }; return this; } @@ -639,4 +651,10 @@ public class OAuthClient { } } + private interface StateParamProvider { + + String getState(); + + } + } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java index 474417c218..f2dffaf016 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java @@ -33,12 +33,16 @@ import org.keycloak.representations.idm.IdentityProviderRepresentation; import org.keycloak.services.managers.RealmManager; import org.keycloak.testsuite.pages.IdpConfirmLinkPage; import org.keycloak.testsuite.pages.IdpLinkEmailPage; +import org.keycloak.testsuite.pages.InfoPage; +import org.keycloak.testsuite.pages.LoginExpiredPage; import org.keycloak.testsuite.pages.LoginPasswordUpdatePage; import org.keycloak.testsuite.pages.LoginUpdateProfileEditUsernameAllowedPage; import org.keycloak.testsuite.rule.KeycloakRule; import org.keycloak.testsuite.rule.WebResource; +import org.keycloak.testsuite.rule.WebRule; import org.openqa.selenium.By; import org.openqa.selenium.NoSuchElementException; +import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebElement; import javax.mail.internet.MimeMessage; @@ -71,6 +75,9 @@ public abstract class AbstractFirstBrokerLoginTest extends AbstractIdentityProvi @WebResource protected LoginPasswordUpdatePage passwordUpdatePage; + @WebResource + protected LoginExpiredPage loginExpiredPage; + /** @@ -360,6 +367,101 @@ public abstract class AbstractFirstBrokerLoginTest extends AbstractIdentityProvi } + /** + * Variation of previous test, which uses browser buttons (back, refresh etc) + */ + @Test + public void testLinkAccountByReauthenticationWithPassword_browserButtons() throws Exception { + // Remove smtp config. The reauthentication by username+password screen will be automatically used then + final Map smtpConfig = new HashMap<>(); + brokerServerRule.update(new KeycloakRule.KeycloakSetup() { + + @Override + public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel realmWithBroker) { + setUpdateProfileFirstLogin(realmWithBroker, IdentityProviderRepresentation.UPFLM_OFF); + smtpConfig.putAll(realmWithBroker.getSmtpConfig()); + realmWithBroker.setSmtpConfig(Collections.emptyMap()); + } + + }, APP_REALM_ID); + + + // Use invalid username for the first time + loginIDP("foo"); + assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8082/auth/")); + this.loginPage.login("pedroigor", "password"); + + + this.idpConfirmLinkPage.assertCurrent(); + Assert.assertEquals("User with email psilva@redhat.com already exists. How do you want to continue?", this.idpConfirmLinkPage.getMessage()); + + // Click browser 'back' and then 'forward' and then continue + driver.navigate().back(); + Assert.assertTrue(driver.getPageSource().contains("You are already logged in.")); + driver.navigate().forward(); + this.loginExpiredPage.assertCurrent(); + this.loginExpiredPage.clickLoginContinueLink(); + this.idpConfirmLinkPage.assertCurrent(); + + // Click browser 'back' on review profile page + this.idpConfirmLinkPage.clickReviewProfile(); + this.updateProfilePage.assertCurrent(); + driver.navigate().back(); + this.loginExpiredPage.assertCurrent(); + this.loginExpiredPage.clickLoginContinueLink(); + this.updateProfilePage.assertCurrent(); + this.updateProfilePage.update("Pedro", "Igor", "psilva@redhat.com"); + + this.idpConfirmLinkPage.assertCurrent(); + this.idpConfirmLinkPage.clickLinkAccount(); + + // Login screen shown. Username is prefilled and disabled. Registration link and social buttons are not shown + Assert.assertEquals("Log in to " + APP_REALM_ID, this.driver.getTitle()); + Assert.assertEquals("pedroigor", this.loginPage.getUsername()); + Assert.assertFalse(this.loginPage.isUsernameInputEnabled()); + + Assert.assertEquals("Authenticate as pedroigor to link your account with " + getProviderId(), this.loginPage.getInfoMessage()); + + try { + this.loginPage.findSocialButton(getProviderId()); + Assert.fail("Not expected to see social button with " + getProviderId()); + } catch (NoSuchElementException expected) { + } + + try { + this.loginPage.clickRegister(); + Assert.fail("Not expected to see register link"); + } catch (NoSuchElementException expected) { + } + + // Use bad password first + this.loginPage.login("password1"); + Assert.assertEquals("Invalid username or password.", this.loginPage.getError()); + + // Click browser 'back' and then continue + this.driver.navigate().back(); + this.loginExpiredPage.assertCurrent(); + this.loginExpiredPage.clickLoginContinueLink(); + + // Use correct password now + this.loginPage.login("password"); + + // authenticated and redirected to app. User is linked with identity provider + assertFederatedUser("pedroigor", "psilva@redhat.com", "pedroigor"); + + + // Restore smtp config + brokerServerRule.update(new KeycloakRule.KeycloakSetup() { + + @Override + public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel realmWithBroker) { + realmWithBroker.setSmtpConfig(smtpConfig); + } + + }, APP_REALM_ID); + } + + /** * Tests that duplication is detected and user wants to link federatedIdentity with existing account. He will confirm link by reauthentication (confirm password on login screen) * and additionally he goes through "forget password" @@ -418,6 +520,93 @@ public abstract class AbstractFirstBrokerLoginTest extends AbstractIdentityProvi } + /** + * Same like above, but "forget password" link is opened in different browser + */ + @Test + public void testLinkAccountByReauthentication_forgetPassword_differentBrowser() throws Throwable { + brokerServerRule.update(new KeycloakRule.KeycloakSetup() { + + @Override + public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel realmWithBroker) { + setExecutionRequirement(realmWithBroker, DefaultAuthenticationFlows.FIRST_BROKER_LOGIN_HANDLE_EXISTING_SUBFLOW, + IdpEmailVerificationAuthenticatorFactory.PROVIDER_ID, AuthenticationExecutionModel.Requirement.DISABLED); + + setUpdateProfileFirstLogin(realmWithBroker, IdentityProviderRepresentation.UPFLM_OFF); + } + + }, APP_REALM_ID); + + loginIDP("pedroigor"); + + this.idpConfirmLinkPage.assertCurrent(); + Assert.assertEquals("User with email psilva@redhat.com already exists. How do you want to continue?", this.idpConfirmLinkPage.getMessage()); + this.idpConfirmLinkPage.clickLinkAccount(); + + // Click "Forget password" on login page. Email sent directly because username is known + Assert.assertEquals("Log in to " + APP_REALM_ID, this.driver.getTitle()); + this.loginPage.resetPassword(); + + Assert.assertEquals("Log in to " + APP_REALM_ID, this.driver.getTitle()); + Assert.assertEquals("You should receive an email shortly with further instructions.", this.loginPage.getSuccessMessage()); + + // Click on link from email + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + MimeMessage message = greenMail.getReceivedMessages()[0]; + String linkFromMail = getVerificationEmailLink(message); + + // Simulate 2nd browser + WebRule webRule2 = new WebRule(this); + webRule2.before(); + + WebDriver driver2 = webRule2.getDriver(); + LoginPasswordUpdatePage passwordUpdatePage2 = webRule2.getPage(LoginPasswordUpdatePage.class); + InfoPage infoPage2 = webRule2.getPage(InfoPage.class); + + driver2.navigate().to(linkFromMail.trim()); + + // Need to update password now + passwordUpdatePage2.assertCurrent(); + passwordUpdatePage2.changePassword("password", "password"); + + // authenticated, but not redirected to app. Just seeing info page. + infoPage2.assertCurrent(); + Assert.assertEquals("Your account has been updated.", infoPage2.getInfo()); + + // User is not yet linked with identity provider. He needs to authenticate again in 1st browser + RealmModel realmWithBroker = getRealm(); + Set federatedIdentities = this.session.users().getFederatedIdentities(this.session.users().getUserByUsername("pedroigor", realmWithBroker), realmWithBroker); + assertEquals(0, federatedIdentities.size()); + + // Continue with 1st browser + loginIDP("pedroigor"); + + this.idpConfirmLinkPage.assertCurrent(); + Assert.assertEquals("User with email psilva@redhat.com already exists. How do you want to continue?", this.idpConfirmLinkPage.getMessage()); + this.idpConfirmLinkPage.clickLinkAccount(); + + Assert.assertEquals("Log in to " + APP_REALM_ID, this.driver.getTitle()); + this.loginPage.login("password"); + + // authenticated and redirected to app. User is linked with identity provider + assertFederatedUser("pedroigor", "psilva@redhat.com", "pedroigor"); + + // Revert everything + webRule2.after(); + + brokerServerRule.update(new KeycloakRule.KeycloakSetup() { + + @Override + public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel realmWithBroker) { + setExecutionRequirement(realmWithBroker, DefaultAuthenticationFlows.FIRST_BROKER_LOGIN_HANDLE_EXISTING_SUBFLOW, + IdpEmailVerificationAuthenticatorFactory.PROVIDER_ID, AuthenticationExecutionModel.Requirement.ALTERNATIVE); + + } + + }, APP_REALM_ID); + } + + protected void assertFederatedUser(String expectedUsername, String expectedEmail, String expectedFederatedUsername) { assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/test-app")); UserModel federatedUser = getFederatedUser(); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java index 14c98dd759..781714aa76 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java @@ -74,8 +74,6 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent setUpdateProfileFirstLogin(session.realms().getRealmByName("realm-with-broker"), IdentityProviderRepresentation.UPFLM_OFF); brokerServerRule.stopSession(session, true); - Thread.sleep(10000000); - driver.navigate().to("http://localhost:8081/test-app"); loginPage.clickSocial(getProviderId()); loginPage.login("test-user", "password"); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithConsentTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithConsentTest.java index b576cbf866..b2ecd4145b 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithConsentTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithConsentTest.java @@ -117,11 +117,9 @@ public class OIDCKeycloakServerBrokerWithConsentTest extends AbstractIdentityPro grantPage.assertCurrent(); grantPage.cancel(); - // Assert error page with backToApplication link displayed - errorPage.assertCurrent(); - errorPage.clickBackToApplication(); - - assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth")); + // Assert login page with "You took too long to login..." message + assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/login-actions/authenticate")); + Assert.assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError()); } finally { Time.setOffset(0); @@ -152,14 +150,9 @@ public class OIDCKeycloakServerBrokerWithConsentTest extends AbstractIdentityPro grantPage.assertCurrent(); grantPage.cancel(); - // Assert error page without backToApplication link (clientSession expired and was removed on the server) - errorPage.assertCurrent(); - try { - errorPage.clickBackToApplication(); - fail("Not expected to have link backToApplication available"); - } catch (NoSuchElementException nsee) { - // Expected; - } + // Assert login page with "You took too long to login..." message + assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/login-actions/authenticate")); + Assert.assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError()); } finally { Time.setOffset(0); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java index 8ee397a69f..db08e810b9 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AuthenticationSessionProviderTest.java @@ -22,15 +22,21 @@ import org.junit.Assert; import org.junit.Before; import org.junit.ClassRule; import org.junit.Test; +import org.keycloak.common.util.Time; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserManager; import org.keycloak.models.UserModel; +import org.keycloak.services.managers.ClientManager; +import org.keycloak.services.managers.RealmManager; import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.sessions.CommonClientSessionModel; import org.keycloak.testsuite.rule.KeycloakRule; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; + /** * @author Marek Posolda */ @@ -53,7 +59,6 @@ public class AuthenticationSessionProviderTest { @After public void after() { resetSession(); - session.sessions().removeUserSessions(realm); UserModel user1 = session.users().getUserByUsername("user1", realm); UserModel user2 = session.users().getUserByUsername("user2", realm); @@ -87,7 +92,7 @@ public class AuthenticationSessionProviderTest { // Ensure session is here authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); - testLoginSession(authSession, client1.getId(), null, "foo"); + testAuthenticationSession(authSession, client1.getId(), null, "foo"); Assert.assertEquals(100, authSession.getTimestamp()); // Update and commit @@ -99,7 +104,7 @@ public class AuthenticationSessionProviderTest { // Ensure session was updated authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); - testLoginSession(authSession, client1.getId(), user1.getId(), "foo-updated"); + testAuthenticationSession(authSession, client1.getId(), user1.getId(), "foo-updated"); Assert.assertEquals(200, authSession.getTimestamp()); // Remove and commit @@ -113,7 +118,7 @@ public class AuthenticationSessionProviderTest { } @Test - public void testLoginSessionRestart() { + public void testAuthenticationSessionRestart() { ClientModel client1 = realm.getClientByClientId("test-app"); UserModel user1 = session.users().getUserByUsername("user1", realm); @@ -136,7 +141,7 @@ public class AuthenticationSessionProviderTest { resetSession(); authSession = session.authenticationSessions().getAuthenticationSession(realm, authSession.getId()); - testLoginSession(authSession, client1.getId(), null, null); + testAuthenticationSession(authSession, client1.getId(), null, null); Assert.assertTrue(authSession.getTimestamp() > 0); Assert.assertTrue(authSession.getClientNotes().isEmpty()); @@ -145,7 +150,120 @@ public class AuthenticationSessionProviderTest { } - private void testLoginSession(AuthenticationSessionModel authSession, String expectedClientId, String expectedUserId, String expectedAction) { + + @Test + public void testExpiredAuthSessions() { + try { + realm.setAccessCodeLifespan(10); + realm.setAccessCodeLifespanUserAction(10); + realm.setAccessCodeLifespanLogin(30); + + // Login lifespan is largest + String authSessionId = session.authenticationSessions().createAuthenticationSession(realm, realm.getClientByClientId("test-app")).getId(); + resetSession(); + + Time.setOffset(25); + session.authenticationSessions().removeExpired(realm); + resetSession(); + + assertNotNull(session.authenticationSessions().getAuthenticationSession(realm, authSessionId)); + + Time.setOffset(35); + session.authenticationSessions().removeExpired(realm); + resetSession(); + + assertNull(session.authenticationSessions().getAuthenticationSession(realm, authSessionId)); + + // User action is largest + realm.setAccessCodeLifespanUserAction(40); + + Time.setOffset(0); + authSessionId = session.authenticationSessions().createAuthenticationSession(realm, realm.getClientByClientId("test-app")).getId(); + resetSession(); + + Time.setOffset(35); + session.authenticationSessions().removeExpired(realm); + resetSession(); + + assertNotNull(session.authenticationSessions().getAuthenticationSession(realm, authSessionId)); + + Time.setOffset(45); + session.authenticationSessions().removeExpired(realm); + resetSession(); + + assertNull(session.authenticationSessions().getAuthenticationSession(realm, authSessionId)); + + // Access code is largest + realm.setAccessCodeLifespan(50); + + Time.setOffset(0); + authSessionId = session.authenticationSessions().createAuthenticationSession(realm, realm.getClientByClientId("test-app")).getId(); + resetSession(); + + Time.setOffset(45); + session.authenticationSessions().removeExpired(realm); + resetSession(); + + assertNotNull(session.authenticationSessions().getAuthenticationSession(realm, authSessionId)); + + Time.setOffset(55); + session.authenticationSessions().removeExpired(realm); + resetSession(); + + assertNull(session.authenticationSessions().getAuthenticationSession(realm, authSessionId)); + } finally { + Time.setOffset(0); + + realm.setAccessCodeLifespan(60); + realm.setAccessCodeLifespanUserAction(300); + realm.setAccessCodeLifespanLogin(1800); + + } + } + + + @Test + public void testOnRealmRemoved() { + RealmModel fooRealm = session.realms().createRealm("foo-realm"); + ClientModel fooClient = fooRealm.addClient("foo-client"); + + String authSessionId = session.authenticationSessions().createAuthenticationSession(realm, realm.getClientByClientId("test-app")).getId(); + String authSessionId2 = session.authenticationSessions().createAuthenticationSession(fooRealm, fooClient).getId(); + + resetSession(); + + new RealmManager(session).removeRealm(session.realms().getRealmByName("foo-realm")); + + resetSession(); + + AuthenticationSessionModel authSession = session.authenticationSessions().getAuthenticationSession(realm, authSessionId); + testAuthenticationSession(authSession, realm.getClientByClientId("test-app").getId(), null, null); + Assert.assertNull(session.authenticationSessions().getAuthenticationSession(realm, authSessionId2)); + } + + @Test + public void testOnClientRemoved() { + String authSessionId = session.authenticationSessions().createAuthenticationSession(realm, realm.getClientByClientId("test-app")).getId(); + String authSessionId2 = session.authenticationSessions().createAuthenticationSession(realm, realm.getClientByClientId("third-party")).getId(); + + String testAppClientUUID = realm.getClientByClientId("test-app").getId(); + + resetSession(); + + new ClientManager(new RealmManager(session)).removeClient(realm, realm.getClientByClientId("third-party")); + + resetSession(); + + AuthenticationSessionModel authSession = session.authenticationSessions().getAuthenticationSession(realm, authSessionId); + testAuthenticationSession(authSession, testAppClientUUID, null, null); + Assert.assertNull(session.authenticationSessions().getAuthenticationSession(realm, authSessionId2)); + + // Revert client + realm.addClient("third-party"); + } + + + private void testAuthenticationSession(AuthenticationSessionModel authSession, String expectedClientId, String expectedUserId, String expectedAction) { Assert.assertEquals(expectedClientId, authSession.getClient().getId()); if (expectedUserId == null) { diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionInitializerTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionInitializerTest.java index bc71a094be..8c01e2ceaf 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionInitializerTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionInitializerTest.java @@ -25,14 +25,15 @@ import org.junit.Test; import org.keycloak.cluster.ClusterProvider; import org.keycloak.common.util.Time; import org.keycloak.connections.infinispan.InfinispanConnectionProvider; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionProvider; import org.keycloak.models.UserSessionProviderFactory; +import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.models.UserManager; import org.keycloak.services.managers.UserSessionManager; @@ -47,129 +48,129 @@ import java.util.Set; */ public class UserSessionInitializerTest { - // TODO:mposolda -// @ClassRule -// public static KeycloakRule kc = new KeycloakRule(); -// -// private KeycloakSession session; -// private RealmModel realm; -// private UserSessionManager sessionManager; -// -// @Before -// public void before() { -// session = kc.startSession(); -// realm = session.realms().getRealm("test"); -// session.users().addUser(realm, "user1").setEmail("user1@localhost"); -// session.users().addUser(realm, "user2").setEmail("user2@localhost"); -// sessionManager = new UserSessionManager(session); -// } -// -// @After -// public void after() { -// resetSession(); -// session.sessions().removeUserSessions(realm); -// UserModel user1 = session.users().getUserByUsername("user1", realm); -// UserModel user2 = session.users().getUserByUsername("user2", realm); -// -// UserManager um = new UserManager(session); -// um.removeUser(realm, user1); -// um.removeUser(realm, user2); -// kc.stopSession(session, true); -// } -// -// @Test -// public void testUserSessionInitializer() { -// UserSessionModel[] origSessions = createSessions(); -// -// resetSession(); -// -// // Create and persist offline sessions -// int started = Time.currentTime(); -// int serverStartTime = session.getProvider(ClusterProvider.class).getClusterStartupTime(); -// -// for (UserSessionModel origSession : origSessions) { -// UserSessionModel userSession = session.sessions().getUserSession(realm, origSession.getId()); -// for (ClientSessionModel clientSession : userSession.getClientSessions()) { -// sessionManager.createOrUpdateOfflineSession(clientSession, userSession); -// } -// } -// -// resetSession(); -// -// // Delete cache (persisted sessions are still kept) -// session.sessions().onRealmRemoved(realm); -// -// // Clear ispn cache to ensure initializerState is removed as well -// InfinispanConnectionProvider infinispan = session.getProvider(InfinispanConnectionProvider.class); -// infinispan.getCache(InfinispanConnectionProvider.WORK_CACHE_NAME).clear(); -// -// resetSession(); -// -// ClientModel testApp = realm.getClientByClientId("test-app"); -// ClientModel thirdparty = realm.getClientByClientId("third-party"); -// Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(realm, testApp)); -// Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(realm, thirdparty)); -// -// // Load sessions from persister into infinispan/memory -// UserSessionProviderFactory userSessionFactory = (UserSessionProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(UserSessionProvider.class); -// userSessionFactory.loadPersistentSessions(session.getKeycloakSessionFactory(), 1, 2); -// -// resetSession(); -// -// // Assert sessions are in -// testApp = realm.getClientByClientId("test-app"); -// Assert.assertEquals(3, session.sessions().getOfflineSessionsCount(realm, testApp)); -// Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); -// -// List loadedSessions = session.sessions().getOfflineUserSessions(realm, testApp, 0, 10); -// UserSessionProviderTest.assertSessions(loadedSessions, origSessions); -// -// UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[0].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, serverStartTime, "test-app", "third-party"); -// UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[1].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, serverStartTime, "test-app"); -// UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[2].getId(), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, serverStartTime, "test-app"); -// } -// -// private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { -// ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); -// if (userSession != null) clientSession.setUserSession(userSession); -// clientSession.setRedirectUri(redirect); -// if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); -// if (roles != null) clientSession.setRoles(roles); -// if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); -// return clientSession; -// } -// -// private UserSessionModel[] createSessions() { -// UserSessionModel[] sessions = new UserSessionModel[3]; -// sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); -// -// Set roles = new HashSet(); -// roles.add("one"); -// roles.add("two"); -// -// Set protocolMappers = new HashSet(); -// protocolMappers.add("mapper-one"); -// protocolMappers.add("mapper-two"); -// -// createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); -// createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); -// -// sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); -// createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); -// -// sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); -// createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); -// -// resetSession(); -// -// return sessions; -// } -// -// private void resetSession() { -// kc.stopSession(session, true); -// session = kc.startSession(); -// realm = session.realms().getRealm("test"); -// sessionManager = new UserSessionManager(session); -// } + + @ClassRule + public static KeycloakRule kc = new KeycloakRule(); + + private KeycloakSession session; + private RealmModel realm; + private UserSessionManager sessionManager; + + @Before + public void before() { + session = kc.startSession(); + realm = session.realms().getRealm("test"); + session.users().addUser(realm, "user1").setEmail("user1@localhost"); + session.users().addUser(realm, "user2").setEmail("user2@localhost"); + sessionManager = new UserSessionManager(session); + } + + @After + public void after() { + resetSession(); + session.sessions().removeUserSessions(realm); + UserModel user1 = session.users().getUserByUsername("user1", realm); + UserModel user2 = session.users().getUserByUsername("user2", realm); + + UserManager um = new UserManager(session); + um.removeUser(realm, user1); + um.removeUser(realm, user2); + kc.stopSession(session, true); + } + + @Test + public void testUserSessionInitializer() { + UserSessionModel[] origSessions = createSessions(); + + resetSession(); + + // Create and persist offline sessions + int started = Time.currentTime(); + int serverStartTime = session.getProvider(ClusterProvider.class).getClusterStartupTime(); + + for (UserSessionModel origSession : origSessions) { + UserSessionModel userSession = session.sessions().getUserSession(realm, origSession.getId()); + for (AuthenticatedClientSessionModel clientSession : userSession.getAuthenticatedClientSessions().values()) { + sessionManager.createOrUpdateOfflineSession(clientSession, userSession); + } + } + + resetSession(); + + // Delete cache (persisted sessions are still kept) + session.sessions().onRealmRemoved(realm); + + // Clear ispn cache to ensure initializerState is removed as well + InfinispanConnectionProvider infinispan = session.getProvider(InfinispanConnectionProvider.class); + infinispan.getCache(InfinispanConnectionProvider.WORK_CACHE_NAME).clear(); + + resetSession(); + + ClientModel testApp = realm.getClientByClientId("test-app"); + ClientModel thirdparty = realm.getClientByClientId("third-party"); + Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(realm, testApp)); + Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(realm, thirdparty)); + + // Load sessions from persister into infinispan/memory + UserSessionProviderFactory userSessionFactory = (UserSessionProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(UserSessionProvider.class); + userSessionFactory.loadPersistentSessions(session.getKeycloakSessionFactory(), 1, 2); + + resetSession(); + + // Assert sessions are in + testApp = realm.getClientByClientId("test-app"); + Assert.assertEquals(3, session.sessions().getOfflineSessionsCount(realm, testApp)); + Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); + + List loadedSessions = session.sessions().getOfflineUserSessions(realm, testApp, 0, 10); + UserSessionProviderTest.assertSessions(loadedSessions, origSessions); + + UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[0].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, serverStartTime, "test-app", "third-party"); + UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[1].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, serverStartTime, "test-app"); + UserSessionPersisterProviderTest.assertSessionLoaded(loadedSessions, origSessions[2].getId(), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, serverStartTime, "test-app"); + } + + private AuthenticatedClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { + AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, userSession); + if (userSession != null) clientSession.setUserSession(userSession); + clientSession.setRedirectUri(redirect); + if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); + if (roles != null) clientSession.setRoles(roles); + if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); + return clientSession; + } + + private UserSessionModel[] createSessions() { + UserSessionModel[] sessions = new UserSessionModel[3]; + sessions[0] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); + + Set roles = new HashSet(); + roles.add("one"); + roles.add("two"); + + Set protocolMappers = new HashSet(); + protocolMappers.add("mapper-one"); + protocolMappers.add("mapper-two"); + + createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); + createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); + + sessions[1] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); + + sessions[2] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); + createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); + + resetSession(); + + return sessions; + } + + private void resetSession() { + kc.stopSession(session, true); + session = kc.startSession(); + realm = session.realms().getRealm("test"); + sessionManager = new UserSessionManager(session); + } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionPersisterProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionPersisterProviderTest.java index 9e46ec6a1a..8c89046eb2 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionPersisterProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionPersisterProviderTest.java @@ -23,13 +23,14 @@ import org.junit.Before; import org.junit.ClassRule; import org.junit.Test; import org.keycloak.common.util.Time; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.models.session.UserSessionPersisterProvider; +import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.services.managers.ClientManager; import org.keycloak.services.managers.RealmManager; @@ -45,398 +46,398 @@ import java.util.Set; * @author Marek Posolda */ public class UserSessionPersisterProviderTest { -// TODO:mposolda -// @ClassRule -// public static KeycloakRule kc = new KeycloakRule(); -// -// private KeycloakSession session; -// private RealmModel realm; -// private UserSessionPersisterProvider persister; -// -// @Before -// public void before() { -// session = kc.startSession(); -// realm = session.realms().getRealm("test"); -// session.users().addUser(realm, "user1").setEmail("user1@localhost"); -// session.users().addUser(realm, "user2").setEmail("user2@localhost"); -// persister = session.getProvider(UserSessionPersisterProvider.class); -// } -// -// @After -// public void after() { -// resetSession(); -// session.sessions().removeUserSessions(realm); -// UserModel user1 = session.users().getUserByUsername("user1", realm); -// UserModel user2 = session.users().getUserByUsername("user2", realm); -// -// UserManager um = new UserManager(session); -// if (user1 != null) { -// um.removeUser(realm, user1); -// } -// if (user2 != null) { -// um.removeUser(realm, user2); -// } -// kc.stopSession(session, true); -// } -// -// @Test -// public void testPersistenceWithLoad() { -// // Create some sessions in infinispan -// int started = Time.currentTime(); -// UserSessionModel[] origSessions = createSessions(); -// -// resetSession(); -// -// // Persist 3 created userSessions and clientSessions as offline -// ClientModel testApp = realm.getClientByClientId("test-app"); -// List userSessions = session.sessions().getUserSessions(realm, testApp); -// for (UserSessionModel userSession : userSessions) { -// persistUserSession(userSession, true); -// } -// -// // Persist 1 online session -// UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[0].getId()); -// persistUserSession(userSession, false); -// -// resetSession(); -// -// // Assert online session -// List loadedSessions = loadPersistedSessionsPaginated(false, 1, 1, 1); -// UserSessionProviderTest.assertSession(loadedSessions.get(0), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); -// -// // Assert offline sessions -// loadedSessions = loadPersistedSessionsPaginated(true, 2, 2, 3); -// UserSessionProviderTest.assertSessions(loadedSessions, origSessions); -// -// assertSessionLoaded(loadedSessions, origSessions[0].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); -// assertSessionLoaded(loadedSessions, origSessions[1].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); -// assertSessionLoaded(loadedSessions, origSessions[2].getId(), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); -// } -// -// @Test -// public void testUpdateTimestamps() { -// // Create some sessions in infinispan -// int started = Time.currentTime(); -// UserSessionModel[] origSessions = createSessions(); -// -// resetSession(); -// -// // Persist 3 created userSessions and clientSessions as offline -// ClientModel testApp = realm.getClientByClientId("test-app"); -// List userSessions = session.sessions().getUserSessions(realm, testApp); -// for (UserSessionModel userSession : userSessions) { -// persistUserSession(userSession, true); -// } -// -// // Persist 1 online session -// UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[0].getId()); -// persistUserSession(userSession, false); -// -// resetSession(); -// -// // update timestamps -// int newTime = started + 50; -// persister.updateAllTimestamps(newTime); -// -// // Assert online session -// List loadedSessions = loadPersistedSessionsPaginated(false, 1, 1, 1); -// Assert.assertEquals(2, assertTimestampsUpdated(loadedSessions, newTime)); -// -// // Assert offline sessions -// loadedSessions = loadPersistedSessionsPaginated(true, 2, 2, 3); -// Assert.assertEquals(4, assertTimestampsUpdated(loadedSessions, newTime)); -// } -// -// private int assertTimestampsUpdated(List loadedSessions, int expectedTime) { -// int clientSessionsCount = 0; -// for (UserSessionModel loadedSession : loadedSessions) { -// Assert.assertEquals(expectedTime, loadedSession.getLastSessionRefresh()); -// for (ClientSessionModel clientSession : loadedSession.getClientSessions()) { -// Assert.assertEquals(expectedTime, clientSession.getTimestamp()); -// clientSessionsCount++; -// } -// } -// return clientSessionsCount; -// } -// -// @Test -// public void testUpdateAndRemove() { -// // Create some sessions in infinispan -// int started = Time.currentTime(); -// UserSessionModel[] origSessions = createSessions(); -// -// resetSession(); -// -// // Persist 1 offline session -// UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[1].getId()); -// persistUserSession(userSession, true); -// -// resetSession(); -// -// // Load offline session -// List loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); -// UserSessionModel persistedSession = loadedSessions.get(0); -// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); -// -// // Update userSession -// Time.setOffset(10); -// try { -// persistedSession.setLastSessionRefresh(Time.currentTime()); -// persistedSession.setNote("foo", "bar"); -// persistedSession.setState(UserSessionModel.State.LOGGING_IN); -// persister.updateUserSession(persistedSession, true); -// -// // create new clientSession -// ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("third-party"), session.sessions().getUserSession(realm, persistedSession.getId()), -// "http://redirect", "state", new HashSet(), new HashSet()); -// persister.createClientSession(clientSession, true); -// -// resetSession(); -// -// // Assert session updated -// loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); -// persistedSession = loadedSessions.get(0); -// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started+10, "test-app", "third-party"); -// Assert.assertEquals("bar", persistedSession.getNote("foo")); -// Assert.assertEquals(UserSessionModel.State.LOGGING_IN, persistedSession.getState()); -// -// // Remove clientSession -// persister.removeClientSession(clientSession.getId(), true); -// -// resetSession(); -// -// // Assert clientSession removed -// loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); -// persistedSession = loadedSessions.get(0); -// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started + 10, "test-app"); -// -// // Remove userSession -// persister.removeUserSession(persistedSession.getId(), true); -// -// resetSession(); -// -// // Assert nothing found -// loadPersistedSessionsPaginated(true, 10, 0, 0); -// } finally { -// Time.setOffset(0); -// } -// } -// -// @Test -// public void testOnRealmRemoved() { -// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); -// fooRealm.addClient("foo-app"); -// session.users().addUser(fooRealm, "user3"); -// -// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); -// createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); -// -// resetSession(); -// -// // Persist offline session -// fooRealm = session.realms().getRealm("foo"); -// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); -// persistUserSession(userSession, true); -// -// resetSession(); -// -// // Assert session was persisted -// loadPersistedSessionsPaginated(true, 10, 1, 1); -// -// // Remove realm -// RealmManager realmMgr = new RealmManager(session); -// realmMgr.removeRealm(realmMgr.getRealm("foo")); -// -// resetSession(); -// -// // Assert nothing loaded -// loadPersistedSessionsPaginated(true, 10, 0, 0); -// } -// -// @Test -// public void testOnClientRemoved() { -// int started = Time.currentTime(); -// -// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); -// fooRealm.addClient("foo-app"); -// fooRealm.addClient("bar-app"); -// session.users().addUser(fooRealm, "user3"); -// -// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); -// createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); -// createClientSession(fooRealm.getClientByClientId("bar-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); -// -// resetSession(); -// -// // Persist offline session -// fooRealm = session.realms().getRealm("foo"); -// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); -// persistUserSession(userSession, true); -// -// resetSession(); -// -// RealmManager realmMgr = new RealmManager(session); -// ClientManager clientMgr = new ClientManager(realmMgr); -// fooRealm = realmMgr.getRealm("foo"); -// -// // Assert session was persisted with both clientSessions -// UserSessionModel persistedSession = loadPersistedSessionsPaginated(true, 10, 1, 1).get(0); -// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "foo-app", "bar-app"); -// -// // Remove foo-app client -// ClientModel client = fooRealm.getClientByClientId("foo-app"); -// clientMgr.removeClient(fooRealm, client); -// -// resetSession(); -// -// realmMgr = new RealmManager(session); -// clientMgr = new ClientManager(realmMgr); -// fooRealm = realmMgr.getRealm("foo"); -// -// // Assert just one bar-app clientSession persisted now -// persistedSession = loadPersistedSessionsPaginated(true, 10, 1, 1).get(0); -// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "bar-app"); -// -// // Remove bar-app client -// client = fooRealm.getClientByClientId("bar-app"); -// clientMgr.removeClient(fooRealm, client); -// -// resetSession(); -// -// // Assert nothing loaded - userSession was removed as well because it was last userSession -// loadPersistedSessionsPaginated(true, 10, 0, 0); -// -// // Cleanup -// realmMgr = new RealmManager(session); -// realmMgr.removeRealm(realmMgr.getRealm("foo")); -// } -// -// @Test -// public void testOnUserRemoved() { -// // Create some sessions in infinispan -// int started = Time.currentTime(); -// UserSessionModel[] origSessions = createSessions(); -// -// resetSession(); -// -// // Persist 2 offline sessions of 2 users -// UserSessionModel userSession1 = session.sessions().getUserSession(realm, origSessions[1].getId()); -// UserSessionModel userSession2 = session.sessions().getUserSession(realm, origSessions[2].getId()); -// persistUserSession(userSession1, true); -// persistUserSession(userSession2, true); -// -// resetSession(); -// -// // Load offline sessions -// List loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 2); -// -// // Properly delete user and assert his offlineSession removed -// UserModel user1 = session.users().getUserByUsername("user1", realm); -// new UserManager(session).removeUser(realm, user1); -// -// resetSession(); -// -// Assert.assertEquals(1, persister.getUserSessionsCount(true)); -// loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); -// UserSessionModel persistedSession = loadedSessions.get(0); -// UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); -// -// // KEYCLOAK-2431 Assert that userSessionPersister is resistent even to situation, when users are deleted "directly" -// UserModel user2 = session.users().getUserByUsername("user2", realm); -// session.users().removeUser(realm, user2); -// -// loadedSessions = loadPersistedSessionsPaginated(true, 10, 0, 0); -// -// } -// -// // KEYCLOAK-1999 -// @Test -// public void testNoSessions() { -// UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class); -// List sessions = persister.loadUserSessions(0, 1, true); -// Assert.assertEquals(0, sessions.size()); -// } -// -// -// private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { -// ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); -// if (userSession != null) clientSession.setUserSession(userSession); -// clientSession.setRedirectUri(redirect); -// if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); -// if (roles != null) clientSession.setRoles(roles); -// if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); -// return clientSession; -// } -// -// private UserSessionModel[] createSessions() { -// UserSessionModel[] sessions = new UserSessionModel[3]; -// sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); -// -// Set roles = new HashSet(); -// roles.add("one"); -// roles.add("two"); -// -// Set protocolMappers = new HashSet(); -// protocolMappers.add("mapper-one"); -// protocolMappers.add("mapper-two"); -// -// createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); -// createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); -// -// sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); -// createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); -// -// sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); -// createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); -// -// return sessions; -// } -// -// private void persistUserSession(UserSessionModel userSession, boolean offline) { -// persister.createUserSession(userSession, offline); -// for (ClientSessionModel clientSession : userSession.getClientSessions()) { -// persister.createClientSession(clientSession, offline); -// } -// } -// -// private void resetSession() { -// kc.stopSession(session, true); -// session = kc.startSession(); -// realm = session.realms().getRealm("test"); -// persister = session.getProvider(UserSessionPersisterProvider.class); -// } -// -// public static void assertSessionLoaded(List sessions, String id, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { -// for (UserSessionModel session : sessions) { -// if (session.getId().equals(id)) { -// UserSessionProviderTest.assertSession(session, user, ipAddress, started, lastRefresh, clients); -// return; -// } -// } -// Assert.fail("Session with ID " + id + " not found in the list"); -// } -// -// private List loadPersistedSessionsPaginated(boolean offline, int sessionsPerPage, int expectedPageCount, int expectedSessionsCount) { -// int count = persister.getUserSessionsCount(offline); -// -// int start = 0; -// int pageCount = 0; -// boolean next = true; -// List result = new ArrayList<>(); -// while (next && start < count) { -// List sess = persister.loadUserSessions(start, sessionsPerPage, offline); -// if (sess.size() == 0) { -// next = false; -// } else { -// pageCount++; -// start += sess.size(); -// result.addAll(sess); -// } -// } -// -// Assert.assertEquals(pageCount, expectedPageCount); -// Assert.assertEquals(result.size(), expectedSessionsCount); -// return result; -// } + + @ClassRule + public static KeycloakRule kc = new KeycloakRule(); + + private KeycloakSession session; + private RealmModel realm; + private UserSessionPersisterProvider persister; + + @Before + public void before() { + session = kc.startSession(); + realm = session.realms().getRealm("test"); + session.users().addUser(realm, "user1").setEmail("user1@localhost"); + session.users().addUser(realm, "user2").setEmail("user2@localhost"); + persister = session.getProvider(UserSessionPersisterProvider.class); + } + + @After + public void after() { + resetSession(); + session.sessions().removeUserSessions(realm); + UserModel user1 = session.users().getUserByUsername("user1", realm); + UserModel user2 = session.users().getUserByUsername("user2", realm); + + UserManager um = new UserManager(session); + if (user1 != null) { + um.removeUser(realm, user1); + } + if (user2 != null) { + um.removeUser(realm, user2); + } + kc.stopSession(session, true); + } + + @Test + public void testPersistenceWithLoad() { + // Create some sessions in infinispan + int started = Time.currentTime(); + UserSessionModel[] origSessions = createSessions(); + + resetSession(); + + // Persist 3 created userSessions and clientSessions as offline + ClientModel testApp = realm.getClientByClientId("test-app"); + List userSessions = session.sessions().getUserSessions(realm, testApp); + for (UserSessionModel userSession : userSessions) { + persistUserSession(userSession, true); + } + + // Persist 1 online session + UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[0].getId()); + persistUserSession(userSession, false); + + resetSession(); + + // Assert online session + List loadedSessions = loadPersistedSessionsPaginated(false, 1, 1, 1); + UserSessionProviderTest.assertSession(loadedSessions.get(0), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); + + // Assert offline sessions + loadedSessions = loadPersistedSessionsPaginated(true, 2, 2, 3); + UserSessionProviderTest.assertSessions(loadedSessions, origSessions); + + assertSessionLoaded(loadedSessions, origSessions[0].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); + assertSessionLoaded(loadedSessions, origSessions[1].getId(), session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); + assertSessionLoaded(loadedSessions, origSessions[2].getId(), session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); + } + + @Test + public void testUpdateTimestamps() { + // Create some sessions in infinispan + int started = Time.currentTime(); + UserSessionModel[] origSessions = createSessions(); + + resetSession(); + + // Persist 3 created userSessions and clientSessions as offline + ClientModel testApp = realm.getClientByClientId("test-app"); + List userSessions = session.sessions().getUserSessions(realm, testApp); + for (UserSessionModel userSession : userSessions) { + persistUserSession(userSession, true); + } + + // Persist 1 online session + UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[0].getId()); + persistUserSession(userSession, false); + + resetSession(); + + // update timestamps + int newTime = started + 50; + persister.updateAllTimestamps(newTime); + + // Assert online session + List loadedSessions = loadPersistedSessionsPaginated(false, 1, 1, 1); + Assert.assertEquals(2, assertTimestampsUpdated(loadedSessions, newTime)); + + // Assert offline sessions + loadedSessions = loadPersistedSessionsPaginated(true, 2, 2, 3); + Assert.assertEquals(4, assertTimestampsUpdated(loadedSessions, newTime)); + } + + private int assertTimestampsUpdated(List loadedSessions, int expectedTime) { + int clientSessionsCount = 0; + for (UserSessionModel loadedSession : loadedSessions) { + Assert.assertEquals(expectedTime, loadedSession.getLastSessionRefresh()); + for (AuthenticatedClientSessionModel clientSession : loadedSession.getAuthenticatedClientSessions().values()) { + Assert.assertEquals(expectedTime, clientSession.getTimestamp()); + clientSessionsCount++; + } + } + return clientSessionsCount; + } + + @Test + public void testUpdateAndRemove() { + // Create some sessions in infinispan + int started = Time.currentTime(); + UserSessionModel[] origSessions = createSessions(); + + resetSession(); + + // Persist 1 offline session + UserSessionModel userSession = session.sessions().getUserSession(realm, origSessions[1].getId()); + persistUserSession(userSession, true); + + resetSession(); + + // Load offline session + List loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); + UserSessionModel persistedSession = loadedSessions.get(0); + UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started, "test-app"); + + // Update userSession + Time.setOffset(10); + try { + persistedSession.setLastSessionRefresh(Time.currentTime()); + persistedSession.setNote("foo", "bar"); + persistedSession.setState(UserSessionModel.State.LOGGED_IN); + persister.updateUserSession(persistedSession, true); + + // create new clientSession + AuthenticatedClientSessionModel clientSession = createClientSession(realm.getClientByClientId("third-party"), session.sessions().getUserSession(realm, persistedSession.getId()), + "http://redirect", "state", new HashSet(), new HashSet()); + persister.createClientSession(clientSession, true); + + resetSession(); + + // Assert session updated + loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); + persistedSession = loadedSessions.get(0); + UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started+10, "test-app", "third-party"); + Assert.assertEquals("bar", persistedSession.getNote("foo")); + Assert.assertEquals(UserSessionModel.State.LOGGED_IN, persistedSession.getState()); + + // Remove clientSession + persister.removeClientSession(userSession.getId(), realm.getClientByClientId("third-party").getId(), true); + + resetSession(); + + // Assert clientSession removed + loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); + persistedSession = loadedSessions.get(0); + UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user1", realm), "127.0.0.2", started, started + 10, "test-app"); + + // Remove userSession + persister.removeUserSession(persistedSession.getId(), true); + + resetSession(); + + // Assert nothing found + loadPersistedSessionsPaginated(true, 10, 0, 0); + } finally { + Time.setOffset(0); + } + } + + @Test + public void testOnRealmRemoved() { + RealmModel fooRealm = session.realms().createRealm("foo", "foo"); + fooRealm.addClient("foo-app"); + session.users().addUser(fooRealm, "user3"); + + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); + createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + + resetSession(); + + // Persist offline session + fooRealm = session.realms().getRealm("foo"); + userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); + persistUserSession(userSession, true); + + resetSession(); + + // Assert session was persisted + loadPersistedSessionsPaginated(true, 10, 1, 1); + + // Remove realm + RealmManager realmMgr = new RealmManager(session); + realmMgr.removeRealm(realmMgr.getRealm("foo")); + + resetSession(); + + // Assert nothing loaded + loadPersistedSessionsPaginated(true, 10, 0, 0); + } + + @Test + public void testOnClientRemoved() { + int started = Time.currentTime(); + + RealmModel fooRealm = session.realms().createRealm("foo", "foo"); + fooRealm.addClient("foo-app"); + fooRealm.addClient("bar-app"); + session.users().addUser(fooRealm, "user3"); + + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); + createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + createClientSession(fooRealm.getClientByClientId("bar-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + + resetSession(); + + // Persist offline session + fooRealm = session.realms().getRealm("foo"); + userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); + persistUserSession(userSession, true); + + resetSession(); + + RealmManager realmMgr = new RealmManager(session); + ClientManager clientMgr = new ClientManager(realmMgr); + fooRealm = realmMgr.getRealm("foo"); + + // Assert session was persisted with both clientSessions + UserSessionModel persistedSession = loadPersistedSessionsPaginated(true, 10, 1, 1).get(0); + UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "foo-app", "bar-app"); + + // Remove foo-app client + ClientModel client = fooRealm.getClientByClientId("foo-app"); + clientMgr.removeClient(fooRealm, client); + + resetSession(); + + realmMgr = new RealmManager(session); + clientMgr = new ClientManager(realmMgr); + fooRealm = realmMgr.getRealm("foo"); + + // Assert just one bar-app clientSession persisted now + persistedSession = loadPersistedSessionsPaginated(true, 10, 1, 1).get(0); + UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "bar-app"); + + // Remove bar-app client + client = fooRealm.getClientByClientId("bar-app"); + clientMgr.removeClient(fooRealm, client); + + resetSession(); + + // Assert nothing loaded - userSession was removed as well because it was last userSession + loadPersistedSessionsPaginated(true, 10, 0, 0); + + // Cleanup + realmMgr = new RealmManager(session); + realmMgr.removeRealm(realmMgr.getRealm("foo")); + } + + @Test + public void testOnUserRemoved() { + // Create some sessions in infinispan + int started = Time.currentTime(); + UserSessionModel[] origSessions = createSessions(); + + resetSession(); + + // Persist 2 offline sessions of 2 users + UserSessionModel userSession1 = session.sessions().getUserSession(realm, origSessions[1].getId()); + UserSessionModel userSession2 = session.sessions().getUserSession(realm, origSessions[2].getId()); + persistUserSession(userSession1, true); + persistUserSession(userSession2, true); + + resetSession(); + + // Load offline sessions + List loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 2); + + // Properly delete user and assert his offlineSession removed + UserModel user1 = session.users().getUserByUsername("user1", realm); + new UserManager(session).removeUser(realm, user1); + + resetSession(); + + Assert.assertEquals(1, persister.getUserSessionsCount(true)); + loadedSessions = loadPersistedSessionsPaginated(true, 10, 1, 1); + UserSessionModel persistedSession = loadedSessions.get(0); + UserSessionProviderTest.assertSession(persistedSession, session.users().getUserByUsername("user2", realm), "127.0.0.3", started, started, "test-app"); + + // KEYCLOAK-2431 Assert that userSessionPersister is resistent even to situation, when users are deleted "directly" + UserModel user2 = session.users().getUserByUsername("user2", realm); + session.users().removeUser(realm, user2); + + loadedSessions = loadPersistedSessionsPaginated(true, 10, 0, 0); + + } + + // KEYCLOAK-1999 + @Test + public void testNoSessions() { + UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class); + List sessions = persister.loadUserSessions(0, 1, true); + Assert.assertEquals(0, sessions.size()); + } + + + private AuthenticatedClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { + AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, userSession); + if (userSession != null) clientSession.setUserSession(userSession); + clientSession.setRedirectUri(redirect); + if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); + if (roles != null) clientSession.setRoles(roles); + if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); + return clientSession; + } + + private UserSessionModel[] createSessions() { + UserSessionModel[] sessions = new UserSessionModel[3]; + sessions[0] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); + + Set roles = new HashSet(); + roles.add("one"); + roles.add("two"); + + Set protocolMappers = new HashSet(); + protocolMappers.add("mapper-one"); + protocolMappers.add("mapper-two"); + + createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); + createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); + + sessions[1] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); + + sessions[2] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); + createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); + + return sessions; + } + + private void persistUserSession(UserSessionModel userSession, boolean offline) { + persister.createUserSession(userSession, offline); + for (AuthenticatedClientSessionModel clientSession : userSession.getAuthenticatedClientSessions().values()) { + persister.createClientSession(clientSession, offline); + } + } + + private void resetSession() { + kc.stopSession(session, true); + session = kc.startSession(); + realm = session.realms().getRealm("test"); + persister = session.getProvider(UserSessionPersisterProvider.class); + } + + public static void assertSessionLoaded(List sessions, String id, UserModel user, String ipAddress, int started, int lastRefresh, String... clients) { + for (UserSessionModel session : sessions) { + if (session.getId().equals(id)) { + UserSessionProviderTest.assertSession(session, user, ipAddress, started, lastRefresh, clients); + return; + } + } + Assert.fail("Session with ID " + id + " not found in the list"); + } + + private List loadPersistedSessionsPaginated(boolean offline, int sessionsPerPage, int expectedPageCount, int expectedSessionsCount) { + int count = persister.getUserSessionsCount(offline); + + int start = 0; + int pageCount = 0; + boolean next = true; + List result = new ArrayList<>(); + while (next && start < count) { + List sess = persister.loadUserSessions(start, sessionsPerPage, offline); + if (sess.size() == 0) { + next = false; + } else { + pageCount++; + start += sess.size(); + result.addAll(sess); + } + } + + Assert.assertEquals(pageCount, expectedPageCount); + Assert.assertEquals(result.size(), expectedSessionsCount); + return result; + } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderOfflineTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderOfflineTest.java index c69f8f96bc..106f5258c7 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderOfflineTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderOfflineTest.java @@ -24,13 +24,14 @@ import org.junit.ClassRule; import org.junit.Rule; import org.junit.Test; import org.keycloak.common.util.Time; +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.models.UserSessionModel; import org.keycloak.models.session.UserSessionPersisterProvider; +import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.services.managers.ClientManager; import org.keycloak.services.managers.RealmManager; @@ -41,7 +42,6 @@ import org.keycloak.testsuite.rule.LoggingRule; import java.util.HashMap; import java.util.HashSet; -import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Set; @@ -51,410 +51,380 @@ import java.util.Set; */ public class UserSessionProviderOfflineTest { - // TODO:mposolda -// @ClassRule -// public static KeycloakRule kc = new KeycloakRule(); -// -// @Rule -// public LoggingRule loggingRule = new LoggingRule(this); -// -// private KeycloakSession session; -// private RealmModel realm; -// private UserSessionManager sessionManager; -// private UserSessionPersisterProvider persister; -// -// @Before -// public void before() { -// session = kc.startSession(); -// realm = session.realms().getRealm("test"); -// session.users().addUser(realm, "user1").setEmail("user1@localhost"); -// session.users().addUser(realm, "user2").setEmail("user2@localhost"); -// sessionManager = new UserSessionManager(session); -// persister = session.getProvider(UserSessionPersisterProvider.class); -// } -// -// @After -// public void after() { -// resetSession(); -// session.sessions().removeUserSessions(realm); -// UserModel user1 = session.users().getUserByUsername("user1", realm); -// UserModel user2 = session.users().getUserByUsername("user2", realm); -// -// UserManager um = new UserManager(session); -// um.removeUser(realm, user1); -// um.removeUser(realm, user2); -// kc.stopSession(session, true); -// } -// -// -// @Test -// public void testOfflineSessionsCrud() { -// // Create some online sessions in infinispan -// int started = Time.currentTime(); -// UserSessionModel[] origSessions = createSessions(); -// -// resetSession(); -// -// Map offlineSessions = new HashMap<>(); -// -// // Persist 3 created userSessions and clientSessions as offline -// ClientModel testApp = realm.getClientByClientId("test-app"); -// List userSessions = session.sessions().getUserSessions(realm, testApp); -// for (UserSessionModel userSession : userSessions) { -// offlineSessions.putAll(createOfflineSessionIncludeClientSessions(userSession)); -// } -// -// resetSession(); -// -// // Assert all previously saved offline sessions found -// for (Map.Entry entry : offlineSessions.entrySet()) { -// Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); -// -// UserSessionModel offlineSession = session.sessions().getUserSession(realm, entry.getValue()); -// boolean found = false; -// for (ClientSessionModel clientSession : offlineSession.getClientSessions()) { -// if (clientSession.getId().equals(entry.getKey())) { -// found = true; -// } -// } -// Assert.assertTrue(found); -// } -// -// // Find clients with offline token -// UserModel user1 = session.users().getUserByUsername("user1", realm); -// Set clients = sessionManager.findClientsWithOfflineToken(realm, user1); -// Assert.assertEquals(clients.size(), 2); -// for (ClientModel client : clients) { -// Assert.assertTrue(client.getClientId().equals("test-app") || client.getClientId().equals("third-party")); -// } -// -// UserModel user2 = session.users().getUserByUsername("user2", realm); -// clients = sessionManager.findClientsWithOfflineToken(realm, user2); -// Assert.assertEquals(clients.size(), 1); -// Assert.assertTrue(clients.iterator().next().getClientId().equals("test-app")); -// -// // Test count -// testApp = realm.getClientByClientId("test-app"); -// ClientModel thirdparty = realm.getClientByClientId("third-party"); -// Assert.assertEquals(3, session.sessions().getOfflineSessionsCount(realm, testApp)); -// Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); -// -// // Revoke "test-app" for user1 -// sessionManager.revokeOfflineToken(user1, testApp); -// -// resetSession(); -// -// // Assert userSession revoked -// testApp = realm.getClientByClientId("test-app"); -// thirdparty = realm.getClientByClientId("third-party"); -// Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, testApp)); -// Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); -// -// List testAppSessions = session.sessions().getOfflineUserSessions(realm, testApp, 0, 10); -// List thirdpartySessions = session.sessions().getOfflineUserSessions(realm, thirdparty, 0, 10); -// Assert.assertEquals(1, testAppSessions.size()); -// Assert.assertEquals("127.0.0.3", testAppSessions.get(0).getIpAddress()); -// Assert.assertEquals("user2", testAppSessions.get(0).getUser().getUsername()); -// Assert.assertEquals(1, thirdpartySessions.size()); -// Assert.assertEquals("127.0.0.1", thirdpartySessions.get(0).getIpAddress()); -// Assert.assertEquals("user1", thirdpartySessions.get(0).getUser().getUsername()); -// -// user1 = session.users().getUserByUsername("user1", realm); -// user2 = session.users().getUserByUsername("user2", realm); -// clients = sessionManager.findClientsWithOfflineToken(realm, user1); -// Assert.assertEquals(1, clients.size()); -// Assert.assertEquals("third-party", clients.iterator().next().getClientId()); -// clients = sessionManager.findClientsWithOfflineToken(realm, user2); -// Assert.assertEquals(1, clients.size()); -// Assert.assertEquals("test-app", clients.iterator().next().getClientId()); -// } -// -// @Test -// public void testOnRealmRemoved() { -// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); -// fooRealm.addClient("foo-app"); -// session.users().addUser(fooRealm, "user3"); -// -// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); -// ClientSessionModel clientSession = createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); -// -// resetSession(); -// -// // Persist offline session -// fooRealm = session.realms().getRealm("foo"); -// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); -// clientSession = session.sessions().getClientSession(fooRealm, clientSession.getId()); -// sessionManager.createOrUpdateOfflineSession(userSession.getClientSessions().get(0), userSession); -// -// resetSession(); -// -// ClientSessionModel offlineClientSession = sessionManager.findOfflineClientSession(fooRealm, clientSession.getId()); -// Assert.assertEquals("foo-app", offlineClientSession.getClient().getClientId()); -// Assert.assertEquals("user3", offlineClientSession.getUserSession().getUser().getUsername()); -// Assert.assertEquals(offlineClientSession.getId(), offlineClientSession.getUserSession().getClientSessions().get(0).getId()); -// -// // Remove realm -// RealmManager realmMgr = new RealmManager(session); -// realmMgr.removeRealm(realmMgr.getRealm("foo")); -// -// resetSession(); -// -// fooRealm = session.realms().createRealm("foo", "foo"); -// fooRealm.addClient("foo-app"); -// session.users().addUser(fooRealm, "user3"); -// -// resetSession(); -// -// // Assert nothing loaded -// fooRealm = session.realms().getRealm("foo"); -// Assert.assertNull(sessionManager.findOfflineClientSession(fooRealm, clientSession.getId())); -// Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(fooRealm, fooRealm.getClientByClientId("foo-app"))); -// -// // Cleanup -// realmMgr = new RealmManager(session); -// realmMgr.removeRealm(realmMgr.getRealm("foo")); -// } -// -// @Test -// public void testOnClientRemoved() { -// int started = Time.currentTime(); -// -// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); -// fooRealm.addClient("foo-app"); -// fooRealm.addClient("bar-app"); -// session.users().addUser(fooRealm, "user3"); -// -// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); -// createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); -// createClientSession(fooRealm.getClientByClientId("bar-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); -// -// resetSession(); -// -// // Create offline session -// fooRealm = session.realms().getRealm("foo"); -// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); -// createOfflineSessionIncludeClientSessions(userSession); -// -// resetSession(); -// -// RealmManager realmMgr = new RealmManager(session); -// ClientManager clientMgr = new ClientManager(realmMgr); -// fooRealm = realmMgr.getRealm("foo"); -// -// // Assert session was persisted with both clientSessions -// UserSessionModel offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); -// UserSessionProviderTest.assertSession(offlineSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "foo-app", "bar-app"); -// -// // Remove foo-app client -// ClientModel client = fooRealm.getClientByClientId("foo-app"); -// clientMgr.removeClient(fooRealm, client); -// -// resetSession(); -// -// realmMgr = new RealmManager(session); -// clientMgr = new ClientManager(realmMgr); -// fooRealm = realmMgr.getRealm("foo"); -// -// // Assert just one bar-app clientSession persisted now -// offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); -// Assert.assertEquals(1, offlineSession.getClientSessions().size()); -// Assert.assertEquals("bar-app", offlineSession.getClientSessions().get(0).getClient().getClientId()); -// -// // Remove bar-app client -// client = fooRealm.getClientByClientId("bar-app"); -// clientMgr.removeClient(fooRealm, client); -// -// resetSession(); -// -// // Assert nothing loaded - userSession was removed as well because it was last userSession -// offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); -// Assert.assertEquals(0, offlineSession.getClientSessions().size()); -// -// // Cleanup -// realmMgr = new RealmManager(session); -// realmMgr.removeRealm(realmMgr.getRealm("foo")); -// } -// -// @Test -// public void testOnUserRemoved() { -// int started = Time.currentTime(); -// -// RealmModel fooRealm = session.realms().createRealm("foo", "foo"); -// fooRealm.addClient("foo-app"); -// session.users().addUser(fooRealm, "user3"); -// -// UserSessionModel userSession = session.sessions().createUserSession(fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); -// ClientSessionModel clientSession = createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); -// -// resetSession(); -// -// // Create offline session -// fooRealm = session.realms().getRealm("foo"); -// userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); -// createOfflineSessionIncludeClientSessions(userSession); -// -// resetSession(); -// -// RealmManager realmMgr = new RealmManager(session); -// fooRealm = realmMgr.getRealm("foo"); -// UserModel user3 = session.users().getUserByUsername("user3", fooRealm); -// -// // Assert session was persisted with both clientSessions -// UserSessionModel offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); -// UserSessionProviderTest.assertSession(offlineSession, user3, "127.0.0.1", started, started, "foo-app"); -// -// // Remove user3 -// new UserManager(session).removeUser(fooRealm, user3); -// -// resetSession(); -// -// // Assert userSession removed as well -// Assert.assertNull(session.sessions().getOfflineUserSession(fooRealm, userSession.getId())); -// Assert.assertNull(session.sessions().getOfflineClientSession(fooRealm, clientSession.getId())); -// -// // Cleanup -// realmMgr = new RealmManager(session); -// realmMgr.removeRealm(realmMgr.getRealm("foo")); -// -// } -// -// @Test -// public void testExpired() { -// // Create some online sessions in infinispan -// int started = Time.currentTime(); -// UserSessionModel[] origSessions = createSessions(); -// -// resetSession(); -// -// Map offlineSessions = new HashMap<>(); -// -// // Persist 3 created userSessions and clientSessions as offline -// ClientModel testApp = realm.getClientByClientId("test-app"); -// List userSessions = session.sessions().getUserSessions(realm, testApp); -// for (UserSessionModel userSession : userSessions) { -// offlineSessions.putAll(createOfflineSessionIncludeClientSessions(userSession)); -// } -// -// resetSession(); -// -// // Assert all previously saved offline sessions found -// for (Map.Entry entry : offlineSessions.entrySet()) { -// Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); -// } -// -// UserSessionModel session0 = session.sessions().getOfflineUserSession(realm, origSessions[0].getId()); -// Assert.assertNotNull(session0); -// List clientSessions = new LinkedList<>(); -// for (ClientSessionModel clientSession : session0.getClientSessions()) { -// clientSessions.add(clientSession.getId()); -// Assert.assertNotNull(session.sessions().getOfflineClientSession(realm, clientSession.getId())); -// } -// -// UserSessionModel session1 = session.sessions().getOfflineUserSession(realm, origSessions[1].getId()); -// Assert.assertEquals(1, session1.getClientSessions().size()); -// ClientSessionModel cls1 = session1.getClientSessions().get(0); -// -// // sessions are in persister too -// Assert.assertEquals(3, persister.getUserSessionsCount(true)); -// -// // Set lastSessionRefresh to session[0] to 0 -// session0.setLastSessionRefresh(0); -// -// // Set timestamp to cls1 to 0 -// cls1.setTimestamp(0); -// -// resetSession(); -// -// session.sessions().removeExpired(realm); -// -// resetSession(); -// -// // assert session0 not found now -// Assert.assertNull(session.sessions().getOfflineUserSession(realm, origSessions[0].getId())); -// for (String clientSession : clientSessions) { -// Assert.assertNull(session.sessions().getOfflineClientSession(realm, origSessions[0].getId())); -// offlineSessions.remove(clientSession); -// } -// -// // Assert cls1 not found too -// for (Map.Entry entry : offlineSessions.entrySet()) { -// String userSessionId = entry.getValue(); -// if (userSessionId.equals(session1.getId())) { -// Assert.assertFalse(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); -// } else { -// Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) != null); -// } -// } -// Assert.assertEquals(1, persister.getUserSessionsCount(true)); -// -// // Expire everything and assert nothing found -// Time.setOffset(3000000); -// try { -// session.sessions().removeExpired(realm); -// -// resetSession(); -// -// for (Map.Entry entry : offlineSessions.entrySet()) { -// Assert.assertTrue(sessionManager.findOfflineClientSession(realm, entry.getKey()) == null); -// } -// Assert.assertEquals(0, persister.getUserSessionsCount(true)); -// -// } finally { -// Time.setOffset(0); -// } -// } -// -// private Map createOfflineSessionIncludeClientSessions(UserSessionModel userSession) { -// Map offlineSessions = new HashMap<>(); -// -// for (ClientSessionModel clientSession : userSession.getClientSessions()) { -// sessionManager.createOrUpdateOfflineSession(clientSession, userSession); -// offlineSessions.put(clientSession.getId(), userSession.getId()); -// } -// return offlineSessions; -// } -// -// -// -// private void resetSession() { -// kc.stopSession(session, true); -// session = kc.startSession(); -// realm = session.realms().getRealm("test"); -// sessionManager = new UserSessionManager(session); -// persister = session.getProvider(UserSessionPersisterProvider.class); -// } -// -// private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { -// ClientSessionModel clientSession = session.sessions().createClientSession(client.getRealm(), client); -// if (userSession != null) clientSession.setUserSession(userSession); -// clientSession.setRedirectUri(redirect); -// if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); -// if (roles != null) clientSession.setRoles(roles); -// if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); -// return clientSession; -// } -// -// private UserSessionModel[] createSessions() { -// UserSessionModel[] sessions = new UserSessionModel[3]; -// sessions[0] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); -// -// Set roles = new HashSet(); -// roles.add("one"); -// roles.add("two"); -// -// Set protocolMappers = new HashSet(); -// protocolMappers.add("mapper-one"); -// protocolMappers.add("mapper-two"); -// -// createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); -// createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); -// -// sessions[1] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); -// createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); -// -// sessions[2] = session.sessions().createUserSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); -// createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); -// -// return sessions; -// } + @ClassRule + public static KeycloakRule kc = new KeycloakRule(); + + @Rule + public LoggingRule loggingRule = new LoggingRule(this); + + private KeycloakSession session; + private RealmModel realm; + private UserSessionManager sessionManager; + private UserSessionPersisterProvider persister; + + @Before + public void before() { + session = kc.startSession(); + realm = session.realms().getRealm("test"); + session.users().addUser(realm, "user1").setEmail("user1@localhost"); + session.users().addUser(realm, "user2").setEmail("user2@localhost"); + sessionManager = new UserSessionManager(session); + persister = session.getProvider(UserSessionPersisterProvider.class); + } + + @After + public void after() { + resetSession(); + session.sessions().removeUserSessions(realm); + UserModel user1 = session.users().getUserByUsername("user1", realm); + UserModel user2 = session.users().getUserByUsername("user2", realm); + + UserManager um = new UserManager(session); + um.removeUser(realm, user1); + um.removeUser(realm, user2); + kc.stopSession(session, true); + } + + + @Test + public void testOfflineSessionsCrud() { + // Create some online sessions in infinispan + int started = Time.currentTime(); + UserSessionModel[] origSessions = createSessions(); + + resetSession(); + + // Key is userSession ID, values are client UUIDS + Map> offlineSessions = new HashMap<>(); + + // Persist 3 created userSessions and clientSessions as offline + ClientModel testApp = realm.getClientByClientId("test-app"); + List userSessions = session.sessions().getUserSessions(realm, testApp); + for (UserSessionModel userSession : userSessions) { + offlineSessions.put(userSession.getId(), createOfflineSessionIncludeClientSessions(userSession)); + } + + resetSession(); + + // Assert all previously saved offline sessions found + for (Map.Entry> entry : offlineSessions.entrySet()) { + UserSessionModel offlineSession = sessionManager.findOfflineUserSession(realm, entry.getKey()); + Assert.assertNotNull(offlineSession); + Assert.assertEquals(offlineSession.getAuthenticatedClientSessions().keySet(), entry.getValue()); + } + + // Find clients with offline token + UserModel user1 = session.users().getUserByUsername("user1", realm); + Set clients = sessionManager.findClientsWithOfflineToken(realm, user1); + Assert.assertEquals(clients.size(), 2); + for (ClientModel client : clients) { + Assert.assertTrue(client.getClientId().equals("test-app") || client.getClientId().equals("third-party")); + } + + UserModel user2 = session.users().getUserByUsername("user2", realm); + clients = sessionManager.findClientsWithOfflineToken(realm, user2); + Assert.assertEquals(clients.size(), 1); + Assert.assertTrue(clients.iterator().next().getClientId().equals("test-app")); + + // Test count + testApp = realm.getClientByClientId("test-app"); + ClientModel thirdparty = realm.getClientByClientId("third-party"); + Assert.assertEquals(3, session.sessions().getOfflineSessionsCount(realm, testApp)); + Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); + + // Revoke "test-app" for user1 + sessionManager.revokeOfflineToken(user1, testApp); + + resetSession(); + + // Assert userSession revoked + testApp = realm.getClientByClientId("test-app"); + thirdparty = realm.getClientByClientId("third-party"); + Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, testApp)); + Assert.assertEquals(1, session.sessions().getOfflineSessionsCount(realm, thirdparty)); + + List testAppSessions = session.sessions().getOfflineUserSessions(realm, testApp, 0, 10); + List thirdpartySessions = session.sessions().getOfflineUserSessions(realm, thirdparty, 0, 10); + Assert.assertEquals(1, testAppSessions.size()); + Assert.assertEquals("127.0.0.3", testAppSessions.get(0).getIpAddress()); + Assert.assertEquals("user2", testAppSessions.get(0).getUser().getUsername()); + Assert.assertEquals(1, thirdpartySessions.size()); + Assert.assertEquals("127.0.0.1", thirdpartySessions.get(0).getIpAddress()); + Assert.assertEquals("user1", thirdpartySessions.get(0).getUser().getUsername()); + + user1 = session.users().getUserByUsername("user1", realm); + user2 = session.users().getUserByUsername("user2", realm); + clients = sessionManager.findClientsWithOfflineToken(realm, user1); + Assert.assertEquals(1, clients.size()); + Assert.assertEquals("third-party", clients.iterator().next().getClientId()); + clients = sessionManager.findClientsWithOfflineToken(realm, user2); + Assert.assertEquals(1, clients.size()); + Assert.assertEquals("test-app", clients.iterator().next().getClientId()); + } + + @Test + public void testOnRealmRemoved() { + RealmModel fooRealm = session.realms().createRealm("foo", "foo"); + fooRealm.addClient("foo-app"); + session.users().addUser(fooRealm, "user3"); + + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); + AuthenticatedClientSessionModel clientSession = createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + + resetSession(); + + // Persist offline session + fooRealm = session.realms().getRealm("foo"); + userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); + createOfflineSessionIncludeClientSessions(userSession); + + resetSession(); + + UserSessionModel offlineUserSession = sessionManager.findOfflineUserSession(fooRealm, userSession.getId()); + Assert.assertEquals(offlineUserSession.getAuthenticatedClientSessions().size(), 1); + AuthenticatedClientSessionModel offlineClientSession = offlineUserSession.getAuthenticatedClientSessions().values().iterator().next(); + Assert.assertEquals("foo-app", offlineClientSession.getClient().getClientId()); + Assert.assertEquals("user3", offlineClientSession.getUserSession().getUser().getUsername()); + + // Remove realm + RealmManager realmMgr = new RealmManager(session); + realmMgr.removeRealm(realmMgr.getRealm("foo")); + + resetSession(); + + fooRealm = session.realms().createRealm("foo", "foo"); + fooRealm.addClient("foo-app"); + session.users().addUser(fooRealm, "user3"); + + resetSession(); + + // Assert nothing loaded + fooRealm = session.realms().getRealm("foo"); + Assert.assertNull(sessionManager.findOfflineUserSession(fooRealm, userSession.getId())); + Assert.assertEquals(0, session.sessions().getOfflineSessionsCount(fooRealm, fooRealm.getClientByClientId("foo-app"))); + + // Cleanup + realmMgr = new RealmManager(session); + realmMgr.removeRealm(realmMgr.getRealm("foo")); + } + + @Test + public void testOnClientRemoved() { + int started = Time.currentTime(); + + RealmModel fooRealm = session.realms().createRealm("foo", "foo"); + fooRealm.addClient("foo-app"); + fooRealm.addClient("bar-app"); + session.users().addUser(fooRealm, "user3"); + + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); + createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + createClientSession(fooRealm.getClientByClientId("bar-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + + resetSession(); + + // Create offline session + fooRealm = session.realms().getRealm("foo"); + userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); + createOfflineSessionIncludeClientSessions(userSession); + + resetSession(); + + RealmManager realmMgr = new RealmManager(session); + ClientManager clientMgr = new ClientManager(realmMgr); + fooRealm = realmMgr.getRealm("foo"); + + // Assert session was persisted with both clientSessions + UserSessionModel offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); + UserSessionProviderTest.assertSession(offlineSession, session.users().getUserByUsername("user3", fooRealm), "127.0.0.1", started, started, "foo-app", "bar-app"); + + // Remove foo-app client + ClientModel client = fooRealm.getClientByClientId("foo-app"); + clientMgr.removeClient(fooRealm, client); + + resetSession(); + + realmMgr = new RealmManager(session); + clientMgr = new ClientManager(realmMgr); + fooRealm = realmMgr.getRealm("foo"); + + // Assert just one bar-app clientSession persisted now + offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); + Assert.assertEquals(1, offlineSession.getAuthenticatedClientSessions().size()); + Assert.assertEquals("bar-app", offlineSession.getAuthenticatedClientSessions().values().iterator().next().getClient().getClientId()); + + // Remove bar-app client + client = fooRealm.getClientByClientId("bar-app"); + clientMgr.removeClient(fooRealm, client); + + resetSession(); + + // Assert nothing loaded - userSession was removed as well because it was last userSession + realmMgr = new RealmManager(session); + fooRealm = realmMgr.getRealm("foo"); + offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); + Assert.assertEquals(0, offlineSession.getAuthenticatedClientSessions().size()); + + // Cleanup + realmMgr = new RealmManager(session); + realmMgr.removeRealm(realmMgr.getRealm("foo")); + } + + @Test + public void testOnUserRemoved() { + int started = Time.currentTime(); + + RealmModel fooRealm = session.realms().createRealm("foo", "foo"); + fooRealm.addClient("foo-app"); + session.users().addUser(fooRealm, "user3"); + + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), fooRealm, session.users().getUserByUsername("user3", fooRealm), "user3", "127.0.0.1", "form", true, null, null); + AuthenticatedClientSessionModel clientSession = createClientSession(fooRealm.getClientByClientId("foo-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + + resetSession(); + + // Create offline session + fooRealm = session.realms().getRealm("foo"); + userSession = session.sessions().getUserSession(fooRealm, userSession.getId()); + createOfflineSessionIncludeClientSessions(userSession); + + resetSession(); + + RealmManager realmMgr = new RealmManager(session); + fooRealm = realmMgr.getRealm("foo"); + UserModel user3 = session.users().getUserByUsername("user3", fooRealm); + + // Assert session was persisted with both clientSessions + UserSessionModel offlineSession = session.sessions().getOfflineUserSession(fooRealm, userSession.getId()); + UserSessionProviderTest.assertSession(offlineSession, user3, "127.0.0.1", started, started, "foo-app"); + + // Remove user3 + new UserManager(session).removeUser(fooRealm, user3); + + resetSession(); + + // Assert userSession removed as well + Assert.assertNull(session.sessions().getOfflineUserSession(fooRealm, userSession.getId())); + + // Cleanup + realmMgr = new RealmManager(session); + realmMgr.removeRealm(realmMgr.getRealm("foo")); + + } + + @Test + public void testExpired() { + // Create some online sessions in infinispan + int started = Time.currentTime(); + UserSessionModel[] origSessions = createSessions(); + + resetSession(); + + // Key is userSessionId, value is set of client UUIDS + Map> offlineSessions = new HashMap<>(); + + // Persist 3 created userSessions and clientSessions as offline + ClientModel testApp = realm.getClientByClientId("test-app"); + List userSessions = session.sessions().getUserSessions(realm, testApp); + for (UserSessionModel userSession : userSessions) { + offlineSessions.put(userSession.getId(), createOfflineSessionIncludeClientSessions(userSession)); + } + + resetSession(); + + // Assert all previously saved offline sessions found + for (Map.Entry> entry : offlineSessions.entrySet()) { + UserSessionModel foundSession = sessionManager.findOfflineUserSession(realm, entry.getKey()); + Assert.assertEquals(foundSession.getAuthenticatedClientSessions().keySet(), entry.getValue()); + } + + UserSessionModel session0 = session.sessions().getOfflineUserSession(realm, origSessions[0].getId()); + Assert.assertNotNull(session0); + + // sessions are in persister too + Assert.assertEquals(3, persister.getUserSessionsCount(true)); + + // Set lastSessionRefresh to session[0] to 0 + session0.setLastSessionRefresh(0); + + resetSession(); + + session.sessions().removeExpired(realm); + + resetSession(); + + // assert session0 not found now + Assert.assertNull(session.sessions().getOfflineUserSession(realm, origSessions[0].getId())); + + Assert.assertEquals(2, persister.getUserSessionsCount(true)); + + // Expire everything and assert nothing found + Time.setOffset(3000000); + try { + session.sessions().removeExpired(realm); + + resetSession(); + + for (String userSessionId : offlineSessions.keySet()) { + Assert.assertNull(sessionManager.findOfflineUserSession(realm, userSessionId)); + } + Assert.assertEquals(0, persister.getUserSessionsCount(true)); + + } finally { + Time.setOffset(0); + } + } + + private Set createOfflineSessionIncludeClientSessions(UserSessionModel userSession) { + Set offlineSessions = new HashSet<>(); + + for (AuthenticatedClientSessionModel clientSession : userSession.getAuthenticatedClientSessions().values()) { + sessionManager.createOrUpdateOfflineSession(clientSession, userSession); + offlineSessions.add(clientSession.getClient().getId()); + } + return offlineSessions; + } + + + private void resetSession() { + kc.stopSession(session, true); + session = kc.startSession(); + realm = session.realms().getRealm("test"); + sessionManager = new UserSessionManager(session); + persister = session.getProvider(UserSessionPersisterProvider.class); + } + + private AuthenticatedClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { + AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(client.getRealm(), client, userSession); + if (userSession != null) clientSession.setUserSession(userSession); + clientSession.setRedirectUri(redirect); + if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); + if (roles != null) clientSession.setRoles(roles); + if (protocolMappers != null) clientSession.setProtocolMappers(protocolMappers); + return clientSession; + } + + private UserSessionModel[] createSessions() { + UserSessionModel[] sessions = new UserSessionModel[3]; + sessions[0] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); + + Set roles = new HashSet(); + roles.add("one"); + roles.add("two"); + + Set protocolMappers = new HashSet(); + protocolMappers.add("mapper-one"); + protocolMappers.add("mapper-two"); + + createClientSession(realm.getClientByClientId("test-app"), sessions[0], "http://redirect", "state", roles, protocolMappers); + createClientSession(realm.getClientByClientId("third-party"), sessions[0], "http://redirect", "state", new HashSet(), new HashSet()); + + sessions[1] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); + createClientSession(realm.getClientByClientId("test-app"), sessions[1], "http://redirect", "state", new HashSet(), new HashSet()); + + sessions[2] = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.3", "form", true, null, null); + createClientSession(realm.getClientByClientId("test-app"), sessions[2], "http://redirect", "state", new HashSet(), new HashSet()); + + return sessions; + } } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java index 683a490bb6..7d6745e702 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/UserSessionProviderTest.java @@ -25,7 +25,6 @@ import org.junit.Test; import org.keycloak.common.util.Time; import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserLoginFailureModel; @@ -37,8 +36,8 @@ import org.keycloak.models.UserManager; import org.keycloak.testsuite.rule.KeycloakRule; import java.util.Arrays; +import java.util.HashMap; import java.util.HashSet; -import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Set; @@ -106,22 +105,36 @@ public class UserSessionProviderTest { assertEquals(1000, session.sessions().getUserSession(realm, sessions[0].getId()).getLastSessionRefresh()); } + @Test + public void testRestartSession() { + int started = Time.currentTime(); + UserSessionModel[] sessions = createSessions(); + + Time.setOffset(100); + + UserSessionModel userSession = session.sessions().getUserSession(realm, sessions[0].getId()); + assertSession(userSession, session.users().getUserByUsername("user1", realm), "127.0.0.1", started, started, "test-app", "third-party"); + + userSession.restartSession(realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.6", "form", true, null, null); + + resetSession(); + + userSession = session.sessions().getUserSession(realm, sessions[0].getId()); + assertSession(userSession, session.users().getUserByUsername("user2", realm), "127.0.0.6", started + 100, started + 100); + + Time.setOffset(0); + } + @Test public void testCreateClientSession() { UserSessionModel[] sessions = createSessions(); - List clientSessions = session.sessions().getUserSession(realm, sessions[0].getId()).getClientSessions(); + Map clientSessions = session.sessions().getUserSession(realm, sessions[0].getId()).getAuthenticatedClientSessions(); assertEquals(2, clientSessions.size()); - String client1 = realm.getClientByClientId("test-app").getId(); + String clientUUID = realm.getClientByClientId("test-app").getId(); - ClientSessionModel session1; - - if (clientSessions.get(0).getClient().getId().equals(client1)) { - session1 = clientSessions.get(0); - } else { - session1 = clientSessions.get(1); - } + AuthenticatedClientSessionModel session1 = clientSessions.get(clientUUID); assertEquals(null, session1.getAction()); assertEquals(realm.getClientByClientId("test-app").getClientId(), session1.getClient().getClientId()); @@ -140,21 +153,22 @@ public class UserSessionProviderTest { public void testUpdateClientSession() { UserSessionModel[] sessions = createSessions(); - String id = sessions[0].getClientSessions().get(0).getId(); + String userSessionId = sessions[0].getId(); + String clientUUID = realm.getClientByClientId("test-app").getId(); - ClientSessionModel clientSession = session.sessions().getClientSession(realm, id); + AuthenticatedClientSessionModel clientSession = sessions[0].getAuthenticatedClientSessions().get(clientUUID); int time = clientSession.getTimestamp(); assertEquals(null, clientSession.getAction()); - clientSession.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name()); + clientSession.setAction(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name()); clientSession.setTimestamp(time + 10); kc.stopSession(session, true); session = kc.startSession(); - ClientSessionModel updated = session.sessions().getClientSession(realm, id); - assertEquals(ClientSessionModel.Action.CODE_TO_TOKEN.name(), updated.getAction()); + AuthenticatedClientSessionModel updated = session.sessions().getUserSession(realm, userSessionId).getAuthenticatedClientSessions().get(clientUUID); + assertEquals(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), updated.getAction()); assertEquals(time + 10, updated.getTimestamp()); } @@ -170,17 +184,12 @@ public class UserSessionProviderTest { public void testRemoveUserSessionsByUser() { UserSessionModel[] sessions = createSessions(); - List clientSessionsRemoved = new LinkedList(); - List clientSessionsKept = new LinkedList(); + Map clientSessionsKept = new HashMap<>(); for (UserSessionModel s : sessions) { s = session.sessions().getUserSession(realm, s.getId()); - for (ClientSessionModel c : s.getClientSessions()) { - if (c.getUserSession().getUser().getUsername().equals("user1")) { - clientSessionsRemoved.add(c.getId()); - } else { - clientSessionsKept.add(c.getId()); - } + if (!s.getUser().getUsername().equals("user1")) { + clientSessionsKept.put(s.getId(), s.getAuthenticatedClientSessions().keySet().size()); } } @@ -188,13 +197,12 @@ public class UserSessionProviderTest { resetSession(); assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); - assertFalse(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); + List userSessions = session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)); + assertFalse(userSessions.isEmpty()); - for (String c : clientSessionsRemoved) { - assertNull(session.sessions().getClientSession(realm, c)); - } - for (String c : clientSessionsKept) { - assertNotNull(session.sessions().getClientSession(realm, c)); + Assert.assertEquals(userSessions.size(), clientSessionsKept.size()); + for (UserSessionModel userSession : userSessions) { + Assert.assertEquals((int) clientSessionsKept.get(userSession.getId()), userSession.getAuthenticatedClientSessions().size()); } } @@ -202,76 +210,47 @@ public class UserSessionProviderTest { public void testRemoveUserSession() { UserSessionModel userSession = createSessions()[0]; - List clientSessionsRemoved = new LinkedList(); - for (ClientSessionModel c : userSession.getClientSessions()) { - clientSessionsRemoved.add(c.getId()); - } - session.sessions().removeUserSession(realm, userSession); resetSession(); assertNull(session.sessions().getUserSession(realm, userSession.getId())); - for (String c : clientSessionsRemoved) { - assertNull(session.sessions().getClientSession(realm, c)); - } } @Test public void testRemoveUserSessionsByRealm() { UserSessionModel[] sessions = createSessions(); - List clientSessions = new LinkedList(); - for (UserSessionModel s : sessions) { - clientSessions.addAll(s.getClientSessions()); - } - session.sessions().removeUserSessions(realm); resetSession(); assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user1", realm)).isEmpty()); assertTrue(session.sessions().getUserSessions(realm, session.users().getUserByUsername("user2", realm)).isEmpty()); - - for (ClientSessionModel c : clientSessions) { - assertNull(session.sessions().getClientSession(realm, c.getId())); - } } @Test public void testOnClientRemoved() { UserSessionModel[] sessions = createSessions(); - List clientSessionsRemoved = new LinkedList(); - List clientSessionsKept = new LinkedList(); + String thirdPartyClientUUID = realm.getClientByClientId("third-party").getId(); + + Map> clientSessionsKept = new HashMap<>(); + for (UserSessionModel s : sessions) { + Set clientUUIDS = new HashSet<>(s.getAuthenticatedClientSessions().keySet()); + clientUUIDS.remove(thirdPartyClientUUID); // This client will be later removed, hence his clientSessions too + clientSessionsKept.put(s.getId(), clientUUIDS); + } + + realm.removeClient(thirdPartyClientUUID); + resetSession(); + for (UserSessionModel s : sessions) { s = session.sessions().getUserSession(realm, s.getId()); - for (ClientSessionModel c : s.getClientSessions()) { - if (c.getClient().getClientId().equals("third-party")) { - clientSessionsRemoved.add(c.getId()); - } else { - clientSessionsKept.add(c.getId()); - } - } + Set clientUUIDS = s.getAuthenticatedClientSessions().keySet(); + assertEquals(clientUUIDS, clientSessionsKept.get(s.getId())); } - session.sessions().onClientRemoved(realm, realm.getClientByClientId("third-party")); - resetSession(); - - for (String c : clientSessionsRemoved) { - assertNull(session.sessions().getClientSession(realm, c)); - } - for (String c : clientSessionsKept) { - assertNotNull(session.sessions().getClientSession(realm, c)); - } - - session.sessions().onClientRemoved(realm, realm.getClientByClientId("test-app")); - resetSession(); - - for (String c : clientSessionsRemoved) { - assertNull(session.sessions().getClientSession(realm, c)); - } - for (String c : clientSessionsKept) { - assertNull(session.sessions().getClientSession(realm, c)); - } + // Revert client + realm.addClient("third-party"); } @Test @@ -281,11 +260,12 @@ public class UserSessionProviderTest { try { Set expired = new HashSet(); - Set expiredClientSessions = new HashSet(); Time.setOffset(-(realm.getSsoSessionMaxLifespan() + 1)); - expired.add(session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); - expiredClientSessions.add(session.sessions().createClientSession(realm, client).getId()); + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); + expired.add(userSession.getId()); + AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, userSession); + Assert.assertEquals(userSession, clientSession.getUserSession()); Time.setOffset(0); UserSessionModel s = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user2", realm), "user2", "127.0.0.1", "form", true, null, null); @@ -293,15 +273,12 @@ public class UserSessionProviderTest { s.setLastSessionRefresh(0); expired.add(s.getId()); - ClientSessionModel clSession = session.sessions().createClientSession(realm, client); - clSession.setUserSession(s); - expiredClientSessions.add(clSession.getId()); - Set valid = new HashSet(); Set validClientSessions = new HashSet(); - valid.add(session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null).getId()); - validClientSessions.add(session.sessions().createClientSession(realm, client).getId()); + userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.1", "form", true, null, null); + valid.add(userSession.getId()); + validClientSessions.add(session.sessions().createClientSession(realm, client, userSession).getId()); resetSession(); @@ -311,91 +288,18 @@ public class UserSessionProviderTest { for (String e : expired) { assertNull(session.sessions().getUserSession(realm, e)); } - for (String e : expiredClientSessions) { - assertNull(session.sessions().getClientSession(realm, e)); - } for (String v : valid) { - assertNotNull(session.sessions().getUserSession(realm, v)); - } - for (String e : validClientSessions) { - assertNotNull(session.sessions().getClientSession(realm, e)); + UserSessionModel userSessionLoaded = session.sessions().getUserSession(realm, v); + assertNotNull(userSessionLoaded); + Assert.assertEquals(1, userSessionLoaded.getAuthenticatedClientSessions().size()); + Assert.assertNotNull(userSessionLoaded.getAuthenticatedClientSessions().get(client.getId())); } } finally { Time.setOffset(0); } } - @Test - public void testExpireDetachedClientSessions() { - try { - realm.setAccessCodeLifespan(10); - realm.setAccessCodeLifespanUserAction(10); - realm.setAccessCodeLifespanLogin(30); - - // Login lifespan is largest - String clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); - resetSession(); - - Time.setOffset(25); - session.sessions().removeExpired(realm); - resetSession(); - - assertNotNull(session.sessions().getClientSession(clientSessionId)); - - Time.setOffset(35); - session.sessions().removeExpired(realm); - resetSession(); - - assertNull(session.sessions().getClientSession(clientSessionId)); - - // User action is largest - realm.setAccessCodeLifespanUserAction(40); - - Time.setOffset(0); - clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); - resetSession(); - - Time.setOffset(35); - session.sessions().removeExpired(realm); - resetSession(); - - assertNotNull(session.sessions().getClientSession(clientSessionId)); - - Time.setOffset(45); - session.sessions().removeExpired(realm); - resetSession(); - - assertNull(session.sessions().getClientSession(clientSessionId)); - - // Access code is largest - realm.setAccessCodeLifespan(50); - - Time.setOffset(0); - clientSessionId = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")).getId(); - resetSession(); - - Time.setOffset(45); - session.sessions().removeExpired(realm); - resetSession(); - - assertNotNull(session.sessions().getClientSession(clientSessionId)); - - Time.setOffset(55); - session.sessions().removeExpired(realm); - resetSession(); - - assertNull(session.sessions().getClientSession(clientSessionId)); - } finally { - Time.setOffset(0); - - realm.setAccessCodeLifespan(60); - realm.setAccessCodeLifespanUserAction(300); - realm.setAccessCodeLifespanLogin(1800); - - } - } - // KEYCLOAK-2508 @Test public void testRemovingExpiredSession() { @@ -429,12 +333,13 @@ public class UserSessionProviderTest { for (int i = 0; i < 25; i++) { Time.setOffset(i); UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0." + i, "form", false, null, null); - ClientSessionModel clientSession = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app")); + AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, realm.getClientByClientId("test-app"), userSession); clientSession.setUserSession(userSession); clientSession.setRedirectUri("http://redirect"); clientSession.setRoles(new HashSet()); clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, "state"); clientSession.setTimestamp(userSession.getStarted()); + userSession.setLastSessionRefresh(userSession.getStarted()); } } finally { Time.setOffset(0); @@ -451,19 +356,21 @@ public class UserSessionProviderTest { @Test public void testCreateAndGetInSameTransaction() { + ClientModel client = realm.getClientByClientId("test-app"); UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); - ClientSessionModel clientSession = createClientSession(realm.getClientByClientId("test-app"), userSession, "http://redirect", "state", new HashSet(), new HashSet()); + AuthenticatedClientSessionModel clientSession = createClientSession(client, userSession, "http://redirect", "state", new HashSet(), new HashSet()); - Assert.assertNotNull(session.sessions().getUserSession(realm, userSession.getId())); - Assert.assertNotNull(session.sessions().getClientSession(realm, clientSession.getId())); + UserSessionModel userSessionLoaded = session.sessions().getUserSession(realm, userSession.getId()); + AuthenticatedClientSessionModel clientSessionLoaded = userSessionLoaded.getAuthenticatedClientSessions().get(client.getId()); + Assert.assertNotNull(userSessionLoaded); + Assert.assertNotNull(clientSessionLoaded); - Assert.assertEquals(userSession.getId(), clientSession.getUserSession().getId()); - Assert.assertEquals(1, userSession.getClientSessions().size()); - Assert.assertEquals(clientSession.getId(), userSession.getClientSessions().get(0).getId()); + Assert.assertEquals(userSession.getId(), clientSessionLoaded.getUserSession().getId()); + Assert.assertEquals(1, userSessionLoaded.getAuthenticatedClientSessions().size()); } @Test - public void testClientLoginSessions() { + public void testAuthenticatedClientSessions() { UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, session.users().getUserByUsername("user1", realm), "user1", "127.0.0.2", "form", true, null, null); ClientModel client1 = realm.getClientByClientId("test-app"); @@ -486,8 +393,8 @@ public class UserSessionProviderTest { userSession = session.sessions().getUserSession(realm, userSession.getId()); Map clientSessions = userSession.getAuthenticatedClientSessions(); Assert.assertEquals(2, clientSessions.size()); - testClientLoginSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1", 100); - testClientLoginSession(clientSessions.get(client2.getId()), "third-party", userSession.getId(), "foo2", 200); + testAuthenticatedClientSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1", 100); + testAuthenticatedClientSession(clientSessions.get(client2.getId()), "third-party", userSession.getId(), "foo2", 200); // Update session1 clientSessions.get(client1.getId()).setAction("foo1-updated"); @@ -498,7 +405,7 @@ public class UserSessionProviderTest { // Ensure updated userSession = session.sessions().getUserSession(realm, userSession.getId()); clientSessions = userSession.getAuthenticatedClientSessions(); - testClientLoginSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1-updated", 100); + testAuthenticatedClientSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1-updated", 100); // Rewrite session2 clientSession2 = session.sessions().createClientSession(realm, client2, userSession); @@ -512,8 +419,8 @@ public class UserSessionProviderTest { userSession = session.sessions().getUserSession(realm, userSession.getId()); clientSessions = userSession.getAuthenticatedClientSessions(); Assert.assertEquals(2, clientSessions.size()); - testClientLoginSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1-updated", 100); - testClientLoginSession(clientSessions.get(client2.getId()), "third-party", userSession.getId(), "foo2-rewrited", 300); + testAuthenticatedClientSession(clientSessions.get(client1.getId()), "test-app", userSession.getId(), "foo1-updated", 100); + testAuthenticatedClientSession(clientSessions.get(client2.getId()), "third-party", userSession.getId(), "foo2-rewrited", 300); // remove session clientSession1 = userSession.getAuthenticatedClientSessions().get(client1.getId()); @@ -549,11 +456,11 @@ public class UserSessionProviderTest { } - private void testClientLoginSession(AuthenticatedClientSessionModel clientLoginSession, String expectedClientId, String expectedUserSessionId, String expectedAction, int expectedTimestamp) { - Assert.assertEquals(expectedClientId, clientLoginSession.getClient().getClientId()); - Assert.assertEquals(expectedUserSessionId, clientLoginSession.getUserSession().getId()); - Assert.assertEquals(expectedAction, clientLoginSession.getAction()); - Assert.assertEquals(expectedTimestamp, clientLoginSession.getTimestamp()); + private void testAuthenticatedClientSession(AuthenticatedClientSessionModel clientSession, String expectedClientId, String expectedUserSessionId, String expectedAction, int expectedTimestamp) { + Assert.assertEquals(expectedClientId, clientSession.getClient().getClientId()); + Assert.assertEquals(expectedUserSessionId, clientSession.getUserSession().getId()); + Assert.assertEquals(expectedAction, clientSession.getAction()); + Assert.assertEquals(expectedTimestamp, clientSession.getTimestamp()); } private void assertPaginatedSession(RealmModel realm, ClientModel client, int start, int max, int expectedSize) { @@ -642,9 +549,8 @@ public class UserSessionProviderTest { assertNotNull(session.sessions().getUserLoginFailure(realm, "user2")); } - private ClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { - ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - if (userSession != null) clientSession.setUserSession(userSession); + private AuthenticatedClientSessionModel createClientSession(ClientModel client, UserSessionModel userSession, String redirect, String state, Set roles, Set protocolMappers) { + AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, userSession); clientSession.setRedirectUri(redirect); if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state); if (roles != null) clientSession.setRoles(roles); @@ -710,9 +616,14 @@ public class UserSessionProviderTest { assertTrue(session.getStarted() >= started - 1 && session.getStarted() <= started + 1); assertTrue(session.getLastSessionRefresh() >= lastRefresh - 1 && session.getLastSessionRefresh() <= lastRefresh + 1); - String[] actualClients = new String[session.getClientSessions().size()]; - for (int i = 0; i < actualClients.length; i++) { - actualClients[i] = session.getClientSessions().get(i).getClient().getClientId(); + String[] actualClients = new String[session.getAuthenticatedClientSessions().size()]; + int i = 0; + for (Map.Entry entry : session.getAuthenticatedClientSessions().entrySet()) { + String clientUUID = entry.getKey(); + AuthenticatedClientSessionModel clientSession = entry.getValue(); + Assert.assertEquals(clientUUID, clientSession.getClient().getId()); + actualClients[i] = clientSession.getClient().getClientId(); + i++; } Arrays.sort(clients); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/LoginExpiredPage.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/LoginExpiredPage.java new file mode 100644 index 0000000000..e3ff938b08 --- /dev/null +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/LoginExpiredPage.java @@ -0,0 +1,51 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.pages; + +import org.openqa.selenium.WebElement; +import org.openqa.selenium.support.FindBy; + +/** + * @author Marek Posolda + */ +public class LoginExpiredPage extends AbstractPage { + + @FindBy(id = "loginRestartLink") + private WebElement loginRestartLink; + + @FindBy(id = "loginContinueLink") + private WebElement loginContinueLink; + + + public void clickLoginRestartLink() { + loginRestartLink.click(); + } + + public void clickLoginContinueLink() { + loginContinueLink.click(); + } + + + public boolean isCurrent() { + return driver.getTitle().equals("Page has expired"); + } + + public void open() { + throw new UnsupportedOperationException(); + } +} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/AbstractOfflineCacheCommand.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/AbstractOfflineCacheCommand.java index f94cea05d6..7aea03e5e3 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/AbstractOfflineCacheCommand.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/AbstractOfflineCacheCommand.java @@ -47,9 +47,9 @@ public abstract class AbstractOfflineCacheCommand extends AbstractCommand { } protected String toString(UserSessionEntity userSession) { - int clientSessionsSize = userSession.getClientSessions()==null ? 0 : userSession.getClientSessions().size(); + int clientSessionsSize = userSession.getAuthenticatedClientSessions()==null ? 0 : userSession.getAuthenticatedClientSessions().size(); return "ID: " + userSession.getId() + ", realm: " + userSession.getRealm() + ", lastAccessTime: " + Time.toDate(userSession.getLastSessionRefresh()) + - ", clientSessions: " + clientSessionsSize; + ", authenticatedClientSessions: " + clientSessionsSize; } protected abstract void doRunCacheCommand(KeycloakSession session, Cache cache); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/PersistSessionsCommand.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/PersistSessionsCommand.java index 39b4d48e09..c8b6771049 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/PersistSessionsCommand.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/util/cli/PersistSessionsCommand.java @@ -17,8 +17,11 @@ package org.keycloak.testsuite.util.cli; +import java.util.LinkedList; +import java.util.List; + +import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionTask; import org.keycloak.models.RealmModel; @@ -27,8 +30,6 @@ import org.keycloak.models.UserSessionModel; import org.keycloak.models.session.UserSessionPersisterProvider; import org.keycloak.models.utils.KeycloakModelUtils; -import java.util.LinkedList; -import java.util.List; /** * @author Marek Posolda @@ -65,10 +66,9 @@ public class PersistSessionsCommand extends AbstractCommand { }); } - // TODO:mposolda + private void createSessionsBatch(final int countInThisBatch) { - /*final List userSessionIds = new LinkedList<>(); - final List clientSessionIds = new LinkedList<>(); + final List userSessionIds = new LinkedList<>(); KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() { @@ -80,13 +80,11 @@ public class PersistSessionsCommand extends AbstractCommand { UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class); for (int i = 0; i < countInThisBatch; i++) { - UserSessionModel userSession = session.sessions().createUserSession(realm, john, "john-doh@localhost", "127.0.0.2", "form", true, null, null); - ClientSessionModel clientSession = session.sessions().createClientSession(realm, testApp); - clientSession.setUserSession(userSession); + UserSessionModel userSession = session.sessions().createUserSession(KeycloakModelUtils.generateId(), realm, john, "john-doh@localhost", "127.0.0.2", "form", true, null, null); + AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, testApp, userSession); clientSession.setRedirectUri("http://redirect"); clientSession.setNote("foo", "bar-" + i); userSessionIds.add(userSession.getId()); - clientSessionIds.add(clientSession.getId()); } } @@ -101,6 +99,7 @@ public class PersistSessionsCommand extends AbstractCommand { @Override public void run(KeycloakSession session) { RealmModel realm = session.realms().getRealmByName("master"); + ClientModel testApp = realm.getClientByClientId("security-admin-console"); UserSessionPersisterProvider persister = session.getProvider(UserSessionPersisterProvider.class); int counter = 0; @@ -108,20 +107,15 @@ public class PersistSessionsCommand extends AbstractCommand { counter++; UserSessionModel userSession = session.sessions().getUserSession(realm, userSessionId); persister.createUserSession(userSession, true); + + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(testApp.getId()); + persister.createClientSession(clientSession, true); } log.infof("%d user sessions persisted. Continue", counter); - - counter = 0; - for (String clientSessionId : clientSessionIds) { - counter++; - ClientSessionModel clientSession = session.sessions().getClientSession(realm, clientSessionId); - persister.createClientSession(clientSession, true); - } - log.infof("%d client sessions persisted. Continue", counter); } - });*/ + }); } @Override diff --git a/themes/src/main/resources/theme/base/login/login-verify-email.ftl b/themes/src/main/resources/theme/base/login/login-verify-email.ftl index 13963512fc..53caaa3802 100755 --- a/themes/src/main/resources/theme/base/login/login-verify-email.ftl +++ b/themes/src/main/resources/theme/base/login/login-verify-email.ftl @@ -9,7 +9,7 @@ ${msg("emailVerifyInstruction1")}

    - ${msg("emailVerifyInstruction2")} ${msg("doClickHere")} ${msg("emailVerifyInstruction3")} + ${msg("emailVerifyInstruction2")} ${msg("doClickHere")} ${msg("emailVerifyInstruction3")}

    \ No newline at end of file From c431cc1b01627128cdd525cfa23e0d5be45c76fa Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Tue, 2 May 2017 18:18:32 +0200 Subject: [PATCH 09/30] KEYCLOAK-4627 IdP email account verification + code cleanup. Fix for concurrent access to auth session notes --- ...henticationSessionAuthNoteUpdateEvent.java | 53 ++++++ .../AuthenticationSessionAdapter.java | 50 +++-- ...finispanAuthenticationSessionProvider.java | 16 ++ ...nAuthenticationSessionProviderFactory.java | 57 +++++- .../java/org/keycloak/events/EventType.java | 6 + .../AuthenticationSessionProviderFactory.java | 2 + .../AuthenticationSessionProvider.java | 10 + .../actiontoken/ActionTokenContext.java | 31 ++- .../actiontoken/ActionTokenHandler.java | 40 ++-- .../actiontoken/DefaultActionTokenKey.java | 2 +- .../ExecuteActionsActionTokenHandler.java | 4 +- .../IdpVerifyAccountLinkActionToken.java | 69 +++++++ ...dpVerifyAccountLinkActionTokenHandler.java | 97 ++++++++++ .../ResetCredentialsActionTokenHandler.java | 17 +- .../VerifyEmailActionTokenHandler.java | 2 +- .../IdpEmailVerificationAuthenticator.java | 135 +++++++------ .../requiredactions/VerifyEmail.java | 8 +- .../main/java/org/keycloak/services/Urls.java | 4 - .../resources/LoginActionsService.java | 82 ++------ .../resources/LoginActionsServiceChecks.java | 21 +-- ...tion.actiontoken.ActionTokenHandlerFactory | 1 + .../keycloak/testsuite/admin/UserTest.java | 3 - .../broker/AbstractFirstBrokerLoginTest.java | 178 ++++++++++++++++-- .../broker/AbstractIdentityProviderTest.java | 32 ++-- .../broker/SAMLFirstBrokerLoginTest.java | 1 + .../testsuite/pages/IdpLinkEmailPage.java | 11 ++ .../org/keycloak/testsuite/rule/WebRule.java | 9 +- .../theme/base/login/login-idp-link-email.ftl | 2 +- 28 files changed, 685 insertions(+), 258 deletions(-) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/events/AuthenticationSessionAuthNoteUpdateEvent.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionToken.java create mode 100644 services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/events/AuthenticationSessionAuthNoteUpdateEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/events/AuthenticationSessionAuthNoteUpdateEvent.java new file mode 100644 index 0000000000..d7bdcdfcce --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/events/AuthenticationSessionAuthNoteUpdateEvent.java @@ -0,0 +1,53 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan.events; + +import org.keycloak.cluster.ClusterEvent; +import java.util.LinkedHashMap; +import java.util.Map; + +/** + * + * @author hmlnarik + */ +public class AuthenticationSessionAuthNoteUpdateEvent implements ClusterEvent { + + private String authSessionId; + + private Map authNotesFragment; + + public static AuthenticationSessionAuthNoteUpdateEvent create(String authSessionId, Map authNotesFragment) { + AuthenticationSessionAuthNoteUpdateEvent event = new AuthenticationSessionAuthNoteUpdateEvent(); + event.authSessionId = authSessionId; + event.authNotesFragment = new LinkedHashMap<>(authNotesFragment); + return event; + } + + public String getAuthSessionId() { + return authSessionId; + } + + public Map getAuthNotesFragment() { + return authNotesFragment; + } + + @Override + public String toString() { + return String.format("AuthenticationSessionAuthNoteUpdateEvent [ authSessionId=%s, authNotesFragment=%s ]", authSessionId, authNotesFragment); + } + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java index 202fe5c99a..05a762b54f 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticationSessionAdapter.java @@ -18,7 +18,7 @@ package org.keycloak.models.sessions.infinispan; import java.util.Collections; -import java.util.HashMap; +import java.util.concurrent.ConcurrentHashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; @@ -144,21 +144,27 @@ public class AuthenticationSessionAdapter implements AuthenticationSessionModel @Override public String getClientNote(String name) { - return entity.getClientNotes() != null ? entity.getClientNotes().get(name) : null; + return (entity.getClientNotes() != null && name != null) ? entity.getClientNotes().get(name) : null; } @Override public void setClientNote(String name, String value) { if (entity.getClientNotes() == null) { - entity.setClientNotes(new HashMap<>()); + entity.setClientNotes(new ConcurrentHashMap<>()); + } + if (name != null) { + if (value == null) { + entity.getClientNotes().remove(name); + } else { + entity.getClientNotes().put(name, value); + } } - entity.getClientNotes().put(name, value); update(); } @Override public void removeClientNote(String name) { - if (entity.getClientNotes() != null) { + if (entity.getClientNotes() != null && name != null) { entity.getClientNotes().remove(name); } update(); @@ -167,34 +173,40 @@ public class AuthenticationSessionAdapter implements AuthenticationSessionModel @Override public Map getClientNotes() { if (entity.getClientNotes() == null || entity.getClientNotes().isEmpty()) return Collections.emptyMap(); - Map copy = new HashMap<>(); + Map copy = new ConcurrentHashMap<>(); copy.putAll(entity.getClientNotes()); return copy; } @Override public void clearClientNotes() { - entity.setClientNotes(new HashMap<>()); + entity.setClientNotes(new ConcurrentHashMap<>()); update(); } @Override public String getAuthNote(String name) { - return entity.getAuthNotes() != null ? entity.getAuthNotes().get(name) : null; + return (entity.getAuthNotes() != null && name != null) ? entity.getAuthNotes().get(name) : null; } @Override public void setAuthNote(String name, String value) { if (entity.getAuthNotes() == null) { - entity.setAuthNotes(new HashMap()); + entity.setAuthNotes(new ConcurrentHashMap<>()); + } + if (name != null) { + if (value == null) { + entity.getAuthNotes().remove(name); + } else { + entity.getAuthNotes().put(name, value); + } } - entity.getAuthNotes().put(name, value); update(); } @Override public void removeAuthNote(String name) { - if (entity.getAuthNotes() != null) { + if (entity.getAuthNotes() != null && name != null) { entity.getAuthNotes().remove(name); } update(); @@ -202,16 +214,22 @@ public class AuthenticationSessionAdapter implements AuthenticationSessionModel @Override public void clearAuthNotes() { - entity.setAuthNotes(new HashMap<>()); + entity.setAuthNotes(new ConcurrentHashMap<>()); update(); } @Override public void setUserSessionNote(String name, String value) { if (entity.getUserSessionNotes() == null) { - entity.setUserSessionNotes(new HashMap()); + entity.setUserSessionNotes(new ConcurrentHashMap<>()); + } + if (name != null) { + if (value == null) { + entity.getUserSessionNotes().remove(name); + } else { + entity.getUserSessionNotes().put(name, value); + } } - entity.getUserSessionNotes().put(name, value); update(); } @@ -221,14 +239,14 @@ public class AuthenticationSessionAdapter implements AuthenticationSessionModel if (entity.getUserSessionNotes() == null) { return Collections.EMPTY_MAP; } - HashMap copy = new HashMap<>(); + ConcurrentHashMap copy = new ConcurrentHashMap<>(); copy.putAll(entity.getUserSessionNotes()); return copy; } @Override public void clearUserSessionNotes() { - entity.setUserSessionNotes(new HashMap()); + entity.setUserSessionNotes(new ConcurrentHashMap<>()); update(); } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java index a802544cf7..5991f98944 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProvider.java @@ -17,6 +17,7 @@ package org.keycloak.models.sessions.infinispan; +import org.keycloak.cluster.ClusterProvider; import java.util.Iterator; import java.util.Map; @@ -27,6 +28,7 @@ import org.keycloak.common.util.Time; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; +import org.keycloak.models.cache.infinispan.events.AuthenticationSessionAuthNoteUpdateEvent; import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity; import org.keycloak.models.sessions.infinispan.stream.AuthenticationSessionPredicate; import org.keycloak.models.utils.KeycloakModelUtils; @@ -138,6 +140,20 @@ public class InfinispanAuthenticationSessionProvider implements AuthenticationSe } } + @Override + public void updateNonlocalSessionAuthNotes(String authSessionId, Map authNotesFragment) { + if (authSessionId == null) { + return; + } + + ClusterProvider cluster = session.getProvider(ClusterProvider.class); + cluster.notify( + InfinispanAuthenticationSessionProviderFactory.AUTHENTICATION_SESSION_EVENTS, + AuthenticationSessionAuthNoteUpdateEvent.create(authSessionId, authNotesFragment), + true + ); + } + @Override public void close() { diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java index e6da14ef0c..aa6ede3e9a 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java @@ -19,18 +19,28 @@ package org.keycloak.models.sessions.infinispan; import org.infinispan.Cache; import org.keycloak.Config; +import org.keycloak.cluster.ClusterEvent; +import org.keycloak.cluster.ClusterProvider; import org.keycloak.connections.infinispan.InfinispanConnectionProvider; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; +import org.keycloak.models.cache.infinispan.events.AuthenticationSessionAuthNoteUpdateEvent; import org.keycloak.models.sessions.infinispan.entities.AuthenticationSessionEntity; import org.keycloak.sessions.AuthenticationSessionProvider; import org.keycloak.sessions.AuthenticationSessionProviderFactory; +import java.util.Map; +import java.util.Map.Entry; +import java.util.concurrent.ConcurrentHashMap; +import org.jboss.logging.Logger; /** * @author Marek Posolda */ public class InfinispanAuthenticationSessionProviderFactory implements AuthenticationSessionProviderFactory { + private static final Logger log = Logger.getLogger(InfinispanAuthenticationSessionProviderFactory.class); + + private volatile Cache authSessionsCache; @Override public void init(Config.Scope config) { @@ -39,12 +49,53 @@ public class InfinispanAuthenticationSessionProviderFactory implements Authentic @Override public AuthenticationSessionProvider create(KeycloakSession session) { - InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class); - Cache authSessionsCache = connections.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME); - + lazyInit(session); return new InfinispanAuthenticationSessionProvider(session, authSessionsCache); } + private void updateAuthNotes(ClusterEvent clEvent) { + if (! (clEvent instanceof AuthenticationSessionAuthNoteUpdateEvent)) { + return; + } + + AuthenticationSessionAuthNoteUpdateEvent event = (AuthenticationSessionAuthNoteUpdateEvent) clEvent; + AuthenticationSessionEntity authSession = this.authSessionsCache.get(event.getAuthSessionId()); + updateAuthSession(authSession, event.getAuthNotesFragment()); + } + + private static void updateAuthSession(AuthenticationSessionEntity authSession, Map authNotesFragment) { + if (authSession != null) { + if (authSession.getAuthNotes() == null) { + authSession.setAuthNotes(new ConcurrentHashMap<>()); + } + + for (Entry me : authNotesFragment.entrySet()) { + String value = me.getValue(); + if (value == null) { + authSession.getAuthNotes().remove(me.getKey()); + } else { + authSession.getAuthNotes().put(me.getKey(), value); + } + } + } + } + + private void lazyInit(KeycloakSession session) { + if (authSessionsCache == null) { + synchronized (this) { + if (authSessionsCache == null) { + InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class); + authSessionsCache = connections.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME); + + ClusterProvider cluster = session.getProvider(ClusterProvider.class); + cluster.registerListener(AUTHENTICATION_SESSION_EVENTS, this::updateAuthNotes); + + log.debug("Registered cluster listeners"); + } + } + } + } + @Override public void postInit(KeycloakSessionFactory factory) { } diff --git a/server-spi-private/src/main/java/org/keycloak/events/EventType.java b/server-spi-private/src/main/java/org/keycloak/events/EventType.java index 583b0d4061..920646fa58 100755 --- a/server-spi-private/src/main/java/org/keycloak/events/EventType.java +++ b/server-spi-private/src/main/java/org/keycloak/events/EventType.java @@ -92,6 +92,8 @@ public enum EventType { USER_INFO_REQUEST(false), USER_INFO_REQUEST_ERROR(false), + IDENTITY_PROVIDER_LINK_ACCOUNT(true), + IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR(true), IDENTITY_PROVIDER_LOGIN(false), IDENTITY_PROVIDER_LOGIN_ERROR(false), IDENTITY_PROVIDER_FIRST_LOGIN(true), @@ -129,6 +131,10 @@ public enum EventType { this.saveByDefault = saveByDefault; } + /** + * Determines whether this event is stored when the admin has not set a specific set of event types to save. + * @return + */ public boolean isSaveByDefault() { return saveByDefault; } diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java index b182458b5e..c8758cafdd 100644 --- a/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java +++ b/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java @@ -23,4 +23,6 @@ import org.keycloak.provider.ProviderFactory; * @author Marek Posolda */ public interface AuthenticationSessionProviderFactory extends ProviderFactory { + // TODO:hmlnarik: move this constant out of an interface into a more appropriate class + public static final String AUTHENTICATION_SESSION_EVENTS = "AUTHENTICATION_SESSION_EVENTS"; } diff --git a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java index f284d934ff..99806d45b2 100644 --- a/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/sessions/AuthenticationSessionProvider.java @@ -20,6 +20,7 @@ package org.keycloak.sessions; import org.keycloak.models.ClientModel; import org.keycloak.models.RealmModel; import org.keycloak.provider.Provider; +import java.util.Map; /** * @author Marek Posolda @@ -39,5 +40,14 @@ public interface AuthenticationSessionProvider extends Provider { void onRealmRemoved(RealmModel realm); void onClientRemoved(RealmModel realm, ClientModel client); + /** + * Requests update of authNotes of an authentication session that is not owned + * by this instance but might exist somewhere in the cluster. + * + * @param authSessionId + * @param authNotesFragment Map with authNote values. Auth note is removed if the corresponding value in the map is {@code null}. + */ + void updateNonlocalSessionAuthNotes(String authSessionId, Map authNotesFragment); + } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java index 26598c1cee..ce45deb1b8 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java @@ -17,6 +17,7 @@ package org.keycloak.authentication.actiontoken; import org.keycloak.OAuth2Constants; +import org.keycloak.authentication.AuthenticationProcessor; import org.keycloak.common.ClientConnection; import org.keycloak.events.EventBuilder; import org.keycloak.models.*; @@ -25,6 +26,8 @@ import org.keycloak.representations.JsonWebToken; import org.keycloak.services.Urls; import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.sessions.AuthenticationSessionModel; +import java.util.function.Function; +import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilderException; import javax.ws.rs.core.UriInfo; import org.jboss.resteasy.spi.HttpRequest; @@ -35,6 +38,16 @@ import org.jboss.resteasy.spi.HttpRequest; */ public class ActionTokenContext { + @FunctionalInterface + public interface ProcessAuthenticateFlow { + Response processFlow(boolean action, String execution, AuthenticationSessionModel authSession, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor); + }; + + @FunctionalInterface + public interface ProcessBrokerFlow { + Response brokerLoginFlow(String code, String execution, String flowPath); + }; + private final KeycloakSession session; private final RealmModel realm; private final UriInfo uriInfo; @@ -45,8 +58,13 @@ public class ActionTokenContext { private AuthenticationSessionModel authenticationSession; private boolean authenticationSessionFresh; private String executionId; + private final ProcessAuthenticateFlow processAuthenticateFlow; + private final ProcessBrokerFlow processBrokerFlow; - public ActionTokenContext(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection clientConnection, HttpRequest request, EventBuilder event, ActionTokenHandler handler) { + public ActionTokenContext(KeycloakSession session, RealmModel realm, UriInfo uriInfo, + ClientConnection clientConnection, HttpRequest request, + EventBuilder event, ActionTokenHandler handler, String executionId, + ProcessAuthenticateFlow processFlow, ProcessBrokerFlow processBrokerFlow) { this.session = session; this.realm = realm; this.uriInfo = uriInfo; @@ -54,6 +72,9 @@ public class ActionTokenContext { this.request = request; this.event = event; this.handler = handler; + this.executionId = executionId; + this.processAuthenticateFlow = processFlow; + this.processBrokerFlow = processBrokerFlow; } public EventBuilder getEvent() { @@ -131,4 +152,12 @@ public class ActionTokenContext { public void setExecutionId(String executionId) { this.executionId = executionId; } + + public Response processFlow(boolean action, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor) { + return processAuthenticateFlow.processFlow(action, getExecutionId(), getAuthenticationSession(), flowPath, flow, errorMessage, processor); + } + + public Response brokerFlow(String code, String flowPath) { + return processBrokerFlow.brokerLoginFlow(code, getExecutionId(), flowPath); + } } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java index e573df4c74..4368a747ff 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java @@ -35,21 +35,6 @@ import javax.ws.rs.core.Response; */ public interface ActionTokenHandler extends Provider { - @FunctionalInterface - public interface ProcessFlow { - Response processFlow(boolean action, String execution, AuthenticationSessionModel authSession, String flowPath, AuthenticationFlowModel flow, String errorMessage, AuthenticationProcessor processor); - }; - - /** - * Returns an array of verifiers that are tested prior to handling the token. All verifiers have to pass successfully - * for token to be handled. The returned array must not be {@code null}. - * @param tokenContext - * @return Verifiers or an empty array - */ - default Predicate[] getVerifiers(ActionTokenContext tokenContext) { - return new Predicate[] {}; - } - /** * Performs the action as per the token details. This method is only called if all verifiers * returned in {@link #handleToken} succeed. @@ -59,7 +44,7 @@ public interface ActionTokenHandler extends Provider { * @return * @throws VerificationException */ - Response handleToken(T token, ActionTokenContext tokenContext, ProcessFlow processFlow); + Response handleToken(T token, ActionTokenContext tokenContext); /** * Returns the Java token class for use with deserialization. @@ -67,6 +52,16 @@ public interface ActionTokenHandler extends Provider { */ Class getTokenClass(); + /** + * Returns an array of verifiers that are tested prior to handling the token. All verifiers have to pass successfully + * for token to be handled. The returned array must not be {@code null}. + * @param tokenContext + * @return Verifiers or an empty array. The returned array must not be {@code null}. + */ + default Predicate[] getVerifiers(ActionTokenContext tokenContext) { + return new Predicate[] {}; + } + /** * Returns an authentication session ID requested from within the given token * @param token Token. Can be {@code null} @@ -95,17 +90,8 @@ public interface ActionTokenHandler extends Provider { String getDefaultErrorMessage(); /** - * Returns a response that restarts a flow that this action token initiates, or {@code null} if - * no special handling is requested. - * - * @return - */ - default Response handleRestartRequest(T token, ActionTokenContext tokenContext, ProcessFlow processFlow) { - return null; - } - - /** - * Creates a fresh authentication session according to the information from the token. + * Creates a fresh authentication session according to the information from the token. The default + * implementation creates a new authentication session that requests termination after required actions. * @param token * @param tokenContext * @return diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java index 117c4659f9..a5440a9b87 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java @@ -25,7 +25,7 @@ import com.fasterxml.jackson.annotation.JsonIgnore; */ public class DefaultActionTokenKey extends JsonWebToken { - // The authenticationSession note with ID of the user authenticated via the action token + /** The authenticationSession note with ID of the user authenticated via the action token */ public static final String ACTION_TOKEN_USER_ID = "ACTION_TOKEN_USER"; public DefaultActionTokenKey(String userId, String actionId) { diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java index 691fff527d..010c5174a9 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java @@ -25,9 +25,7 @@ import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.utils.RedirectUtils; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.messages.Messages; -import org.keycloak.services.resources.LoginActionsServiceChecks; import org.keycloak.sessions.AuthenticationSessionModel; -import org.keycloak.sessions.CommonClientSessionModel.Action; import javax.ws.rs.core.Response; /** @@ -61,7 +59,7 @@ public class ExecuteActionsActionTokenHandler extends AbstractActionTokenHander< } @Override - public Response handleToken(ExecuteActionsActionToken token, ActionTokenContext tokenContext, ProcessFlow processFlow) { + public Response handleToken(ExecuteActionsActionToken token, ActionTokenContext tokenContext) { AuthenticationSessionModel authSession = tokenContext.getAuthenticationSession(); String redirectUri = RedirectUtils.verifyRedirectUri(tokenContext.getUriInfo(), token.getRedirectUri(), diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionToken.java new file mode 100644 index 0000000000..ea705edd66 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionToken.java @@ -0,0 +1,69 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken.idpverifyemail; + +import org.keycloak.authentication.actiontoken.verifyemail.*; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.UUID; +import org.keycloak.authentication.actiontoken.DefaultActionToken; + +/** + * Representation of a token that represents a time-limited verify e-mail action. + * + * @author hmlnarik + */ +public class IdpVerifyAccountLinkActionToken extends DefaultActionToken { + + public static final String TOKEN_TYPE = "idp-verify-account-via-email"; + + private static final String JSON_FIELD_IDENTITY_PROVIDER_USERNAME = "idpu"; + private static final String JSON_FIELD_IDENTITY_PROVIDER_ALIAS = "idpa"; + + @JsonProperty(value = JSON_FIELD_IDENTITY_PROVIDER_USERNAME) + private String identityProviderUsername; + + @JsonProperty(value = JSON_FIELD_IDENTITY_PROVIDER_ALIAS) + private String identityProviderAlias; + + public IdpVerifyAccountLinkActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, String authenticationSessionId, + String identityProviderUsername, String identityProviderAlias) { + super(userId, TOKEN_TYPE, absoluteExpirationInSecs, actionVerificationNonce); + setAuthenticationSessionId(authenticationSessionId); + this.identityProviderUsername = identityProviderUsername; + this.identityProviderAlias = identityProviderAlias; + } + + private IdpVerifyAccountLinkActionToken() { + super(null, TOKEN_TYPE, -1, null); + } + + public String getIdentityProviderUsername() { + return identityProviderUsername; + } + + public void setIdentityProviderUsername(String identityProviderUsername) { + this.identityProviderUsername = identityProviderUsername; + } + + public String getIdentityProviderAlias() { + return identityProviderAlias; + } + + public void setIdentityProviderAlias(String identityProviderAlias) { + this.identityProviderAlias = identityProviderAlias; + } +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java new file mode 100644 index 0000000000..3aec118260 --- /dev/null +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java @@ -0,0 +1,97 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authentication.actiontoken.idpverifyemail; + +import org.keycloak.authentication.actiontoken.AbstractActionTokenHander; +import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.AuthenticationProcessor; +import org.keycloak.authentication.actiontoken.*; +import org.keycloak.authentication.authenticators.broker.IdpEmailVerificationAuthenticator; +import org.keycloak.events.*; +import org.keycloak.forms.login.LoginFormsProvider; +import org.keycloak.models.UserModel; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.services.messages.Messages; +import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.AuthenticationSessionProvider; +import java.util.Collections; +import javax.ws.rs.core.Response; + +/** + * Action token handler for verification of e-mail address. + * @author hmlnarik + */ +public class IdpVerifyAccountLinkActionTokenHandler extends AbstractActionTokenHander { + + public IdpVerifyAccountLinkActionTokenHandler() { + super( + IdpVerifyAccountLinkActionToken.TOKEN_TYPE, + IdpVerifyAccountLinkActionToken.class, + Messages.STALE_CODE, + EventType.IDENTITY_PROVIDER_LINK_ACCOUNT, + Errors.INVALID_TOKEN + ); + } + + @Override + public Predicate[] getVerifiers(ActionTokenContext tokenContext) { + return TokenUtils.predicates( + ); + } + + @Override + public Response handleToken(IdpVerifyAccountLinkActionToken token, ActionTokenContext tokenContext) { + UserModel user = tokenContext.getAuthenticationSession().getAuthenticatedUser(); + EventBuilder event = tokenContext.getEvent(); + + event.event(EventType.IDENTITY_PROVIDER_LINK_ACCOUNT) + .detail(Details.EMAIL, user.getEmail()) + .detail(Details.IDENTITY_PROVIDER, token.getIdentityProviderAlias()) + .detail(Details.IDENTITY_PROVIDER_USERNAME, token.getIdentityProviderUsername()) + .success(); + + // verify user email as we know it is valid as this entry point would never have gotten here. + user.setEmailVerified(true); + + AuthenticationSessionModel authSession = tokenContext.getAuthenticationSession(); + if (tokenContext.isAuthenticationSessionFresh()) { + AuthenticationSessionManager asm = new AuthenticationSessionManager(tokenContext.getSession()); + asm.removeAuthenticationSession(tokenContext.getRealm(), authSession, true); + + AuthenticationSessionProvider authSessProvider = tokenContext.getSession().authenticationSessions(); + authSession = authSessProvider.getAuthenticationSession(tokenContext.getRealm(), token.getAuthenticationSessionId()); + + if (authSession != null) { + authSession.setAuthNote(IdpEmailVerificationAuthenticator.VERIFY_ACCOUNT_IDP_USERNAME, token.getIdentityProviderUsername()); + } else { + authSessProvider.updateNonlocalSessionAuthNotes( + token.getAuthenticationSessionId(), + Collections.singletonMap(IdpEmailVerificationAuthenticator.VERIFY_ACCOUNT_IDP_USERNAME, token.getIdentityProviderUsername()) + ); + } + + return tokenContext.getSession().getProvider(LoginFormsProvider.class) + .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, token.getIdentityProviderAlias(), token.getIdentityProviderUsername()) + .createInfoPage(); + } + + authSession.setAuthNote(IdpEmailVerificationAuthenticator.VERIFY_ACCOUNT_IDP_USERNAME, token.getIdentityProviderUsername()); + + return tokenContext.brokerFlow(null, authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH)); + } + +} diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java index c6f834b347..34174311e7 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java @@ -62,13 +62,11 @@ public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHande } @Override - public Response handleToken(ResetCredentialsActionToken token, ActionTokenContext tokenContext, ProcessFlow processFlow) { + public Response handleToken(ResetCredentialsActionToken token, ActionTokenContext tokenContext) { AuthenticationProcessor authProcessor = new ResetCredsAuthenticationProcessor(); - return processFlow.processFlow( + return tokenContext.processFlow( false, - tokenContext.getExecutionId(), - tokenContext.getAuthenticationSession(), RESET_CREDENTIALS_PATH, tokenContext.getRealm().getResetCredentialsFlow(), null, @@ -76,17 +74,6 @@ public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHande ); } - @Override - public Response handleRestartRequest(ResetCredentialsActionToken token, ActionTokenContext tokenContext, ProcessFlow processFlow) { - // In the case restart is requested, the handling is exactly the same as if a token had been - // handled correctly but with a fresh authentication session - AuthenticationSessionManager asm = new AuthenticationSessionManager(tokenContext.getSession()); - asm.removeAuthenticationSession(tokenContext.getRealm(), tokenContext.getAuthenticationSession(), false); - - tokenContext.setAuthenticationSession(tokenContext.createAuthenticationSessionForClient(null), true); - return handleToken(token, tokenContext, processFlow); - } - public static class ResetCredsAuthenticationProcessor extends AuthenticationProcessor { @Override diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java index 1d324c2550..abe2127098 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java @@ -57,7 +57,7 @@ public class VerifyEmailActionTokenHandler extends AbstractActionTokenHander tokenContext, ProcessFlow processFlow) { + public Response handleToken(VerifyEmailActionToken token, ActionTokenContext tokenContext) { UserModel user = tokenContext.getAuthenticationSession().getAuthenticatedUser(); EventBuilder event = tokenContext.getEvent(); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java index b70f69b78d..d8b9b30689 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java @@ -20,9 +20,10 @@ package org.keycloak.authentication.authenticators.broker; import org.jboss.logging.Logger; import org.keycloak.authentication.AuthenticationFlowContext; import org.keycloak.authentication.AuthenticationFlowError; +import org.keycloak.authentication.actiontoken.idpverifyemail.IdpVerifyAccountLinkActionToken; import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext; -import org.keycloak.authentication.requiredactions.VerifyEmail; import org.keycloak.broker.provider.BrokeredIdentityContext; +import org.keycloak.common.util.Time; import org.keycloak.email.EmailException; import org.keycloak.email.EmailTemplateProvider; import org.keycloak.events.Details; @@ -30,20 +31,21 @@ import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.Constants; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; import org.keycloak.services.ServicesLogger; +import org.keycloak.services.Urls; +import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; -import org.keycloak.services.resources.LoginActionsService; import org.keycloak.sessions.AuthenticationSessionModel; -import javax.ws.rs.core.MultivaluedMap; +import java.net.URI; +import java.util.Objects; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import java.util.concurrent.TimeUnit; +import javax.ws.rs.core.*; /** * @author Marek Posolda @@ -52,42 +54,85 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator private static Logger logger = Logger.getLogger(IdpEmailVerificationAuthenticator.class); + public static final String VERIFY_ACCOUNT_IDP_USERNAME = "VERIFY_ACCOUNT_IDP_USERNAME"; + @Override protected void authenticateImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { KeycloakSession session = context.getSession(); RealmModel realm = context.getRealm(); AuthenticationSessionModel authSession = context.getAuthenticationSession(); - if (realm.getSmtpConfig().size() == 0) { + if (realm.getSmtpConfig().isEmpty()) { ServicesLogger.LOGGER.smtpNotConfigured(); context.attempted(); return; } -/* - VerifyEmail.setupKey(clientSession); - UserModel existingUser = getExistingUser(session, realm, clientSession); + if (Objects.equals(authSession.getAuthNote(VERIFY_ACCOUNT_IDP_USERNAME), brokerContext.getUsername())) { + UserModel existingUser = getExistingUser(session, realm, authSession); - String link = UriBuilder.fromUri(context.getActionUrl()) - .queryParam(Constants.KEY, clientSession.getNote(Constants.VERIFY_EMAIL_KEY)) - .build().toString(); + logger.debugf("User '%s' confirmed that wants to link with identity provider '%s' . Identity provider username is '%s' ", existingUser.getUsername(), + brokerContext.getIdpConfig().getAlias(), brokerContext.getUsername()); + + context.setUser(existingUser); + context.success(); + return; + } + + UserModel existingUser = getExistingUser(session, realm, authSession); + + sendVerifyEmail(session, context, existingUser, brokerContext); + } + + @Override + protected void actionImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { + logger.debugf("Re-sending email requested for user, details follow"); + + // This will allow user to re-send email again + context.getAuthenticationSession().removeAuthNote(VERIFY_ACCOUNT_IDP_USERNAME); + authenticateImpl(context, serializedCtx, brokerContext); + } + + @Override + public boolean requiresUser() { + return false; + } + + @Override + public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { + return false; + } + + private void sendVerifyEmail(KeycloakSession session, AuthenticationFlowContext context, UserModel existingUser, BrokeredIdentityContext brokerContext) throws UriBuilderException, IllegalArgumentException { + RealmModel realm = session.getContext().getRealm(); + UriInfo uriInfo = session.getContext().getUri(); + AuthenticationSessionModel authSession = context.getAuthenticationSession(); + + int validityInSecs = realm.getAccessCodeLifespanUserAction(); + int absoluteExpirationInSecs = Time.currentTime() + validityInSecs; EventBuilder event = context.getEvent().clone().event(EventType.SEND_IDENTITY_PROVIDER_LINK) .user(existingUser) .detail(Details.USERNAME, existingUser.getUsername()) .detail(Details.EMAIL, existingUser.getEmail()) - .detail(Details.CODE_ID, clientSession.getId()) + .detail(Details.CODE_ID, authSession.getId()) .removeDetail(Details.AUTH_METHOD) .removeDetail(Details.AUTH_TYPE); - long expiration = TimeUnit.SECONDS.toMinutes(context.getRealm().getAccessCodeLifespanUserAction()); - try { + IdpVerifyAccountLinkActionToken token = new IdpVerifyAccountLinkActionToken( + existingUser.getId(), absoluteExpirationInSecs, null, authSession.getId(), + brokerContext.getUsername(), brokerContext.getIdpConfig().getAlias() + ); + UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(), token.serialize(session, realm, uriInfo)); + String link = builder.queryParam("execution", context.getExecution().getId()).build(realm.getName()).toString(); + long expirationInMinutes = TimeUnit.SECONDS.toMinutes(validityInSecs); + try { context.getSession().getProvider(EmailTemplateProvider.class) .setRealm(realm) .setUser(existingUser) .setAttribute(EmailTemplateProvider.IDENTITY_PROVIDER_BROKER_CONTEXT, brokerContext) - .sendConfirmIdentityBrokerLink(link, expiration); + .sendConfirmIdentityBrokerLink(link, expirationInMinutes); event.success(); } catch (EmailException e) { @@ -101,62 +146,14 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator return; } + String accessCode = context.generateAccessCode(); + URI action = context.getActionUrl(accessCode); + Response challenge = context.form() .setStatus(Response.Status.OK) .setAttribute(LoginFormsProvider.IDENTITY_PROVIDER_BROKER_CONTEXT, brokerContext) + .setActionUri(action) .createIdpLinkEmailPage(); - context.forceChallenge(challenge);*/ - } - - @Override - protected void actionImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { - /*MultivaluedMap queryParams = context.getSession().getContext().getUri().getQueryParameters(); - String key = queryParams.getFirst(Constants.KEY); - ClientSessionModel clientSession = context.getClientSession(); - RealmModel realm = context.getRealm(); - KeycloakSession session = context.getSession(); - - if (key != null) { - String keyFromSession = clientSession.getNote(Constants.VERIFY_EMAIL_KEY); - clientSession.removeNote(Constants.VERIFY_EMAIL_KEY); - if (key.equals(keyFromSession)) { - UserModel existingUser = getExistingUser(session, realm, clientSession); - - logger.debugf("User '%s' confirmed that wants to link with identity provider '%s' . Identity provider username is '%s' ", existingUser.getUsername(), - brokerContext.getIdpConfig().getAlias(), brokerContext.getUsername()); - - String actionCookieValue = LoginActionsService.getActionCookie(session.getContext().getRequestHeaders(), realm, session.getContext().getUri(), context.getConnection()); - if (actionCookieValue == null || !actionCookieValue.equals(clientSession.getId())) { - clientSession.setNote(IS_DIFFERENT_BROWSER, "true"); - } - - // User successfully confirmed linking by email verification. His email was defacto verified - existingUser.setEmailVerified(true); - - context.setUser(existingUser); - context.success(); - } else { - ServicesLogger.LOGGER.keyParamDoesNotMatch(); - Response challengeResponse = context.form() - .setError(Messages.INVALID_ACCESS_CODE) - .createErrorPage(); - context.failureChallenge(AuthenticationFlowError.IDENTITY_PROVIDER_ERROR, challengeResponse); - } - } else { - Response challengeResponse = context.form() - .setError(Messages.MISSING_PARAMETER, Constants.KEY) - .createErrorPage(); - context.failureChallenge(AuthenticationFlowError.IDENTITY_PROVIDER_ERROR, challengeResponse); - }*/ - } - - @Override - public boolean requiresUser() { - return false; - } - - @Override - public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { - return false; + context.forceChallenge(challenge); } } diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java index f3ea22fd8d..ad84f9d3b8 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java @@ -31,7 +31,6 @@ import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.*; import org.keycloak.models.UserModel.RequiredAction; -import org.keycloak.models.utils.HmacOTP; import org.keycloak.services.Urls; import org.keycloak.services.validation.Validation; @@ -87,7 +86,7 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor @Override public void processAction(RequiredActionContext context) { - logger.infof("Re-sending email requested for user: %s", context.getUser().getUsername()); + logger.debugf("Re-sending email requested for user: %s", context.getUser().getUsername()); // This will allow user to re-send email again context.getAuthenticationSession().removeAuthNote(Constants.VERIFY_EMAIL_KEY); @@ -152,9 +151,4 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor return forms.createResponse(UserModel.RequiredAction.VERIFY_EMAIL); } - - public static void setupKey(AuthenticationSessionModel session) { - String secret = HmacOTP.generateSecret(10); - session.setAuthNote(Constants.VERIFY_EMAIL_KEY, secret); - } } diff --git a/services/src/main/java/org/keycloak/services/Urls.java b/services/src/main/java/org/keycloak/services/Urls.java index edeac7692a..e92aa05a74 100755 --- a/services/src/main/java/org/keycloak/services/Urls.java +++ b/services/src/main/java/org/keycloak/services/Urls.java @@ -178,10 +178,6 @@ public class Urls { return loginResetCredentialsBuilder(baseUri).build(realmName); } - public static UriBuilder executeActionsBuilder(URI baseUri) { - return loginActionsBase(baseUri).path(LoginActionsService.class, "executeActions"); - } - public static UriBuilder actionTokenBuilder(URI baseUri, String tokenString) { return loginActionsBase(baseUri).path(LoginActionsService.class, "executeActionToken") .queryParam("key", tokenString); diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 5dcb621b66..758b7a1c02 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -67,7 +67,6 @@ import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.messages.Messages; -import org.keycloak.services.resources.LoginActionsServiceChecks.RestartFlowException; import org.keycloak.services.util.CacheControlUtil; import org.keycloak.services.util.AuthenticationFlowURLHelper; import org.keycloak.services.util.BrowserHistoryHelper; @@ -448,7 +447,6 @@ public class LoginActionsService { .secretKey(session.keys().getActiveHmacKey(realm).getSecretKey()) .verify(); - // TODO:hmlnarik Optimize token = TokenVerifier.create(tokenString, handler.getTokenClass()).getToken(); } catch (TokenNotActiveException ex) { if (authSession != null) { @@ -469,40 +467,32 @@ public class LoginActionsService { } // Now proceed with the verification and handle the token - tokenContext = new ActionTokenContext(session, realm, uriInfo, clientConnection, request, event, handler); + tokenContext = new ActionTokenContext(session, realm, uriInfo, clientConnection, request, event, handler, execution, this::processFlow, this::brokerLoginFlow); try { - tokenContext.setExecutionId(execution); - String tokenAuthSessionId = handler.getAuthenticationSessionIdFromToken(token); + + if (tokenAuthSessionId != null) { + // This can happen if the token contains ID but user opens the link in a new browser + LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, tokenAuthSessionId); + } + if (authSession == null) { - if (tokenAuthSessionId != null) { - // This can happen if the token contains ID but user opens the link in a new browser - LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, tokenAuthSessionId); - } + authSession = handler.startFreshAuthenticationSession(token, tokenContext); + tokenContext.setAuthenticationSession(authSession, true); + } else if (tokenAuthSessionId == null || + ! LoginActionsServiceChecks.doesAuthenticationSessionFromCookieMatchOneFromToken(tokenContext, tokenAuthSessionId)) { + // There exists an authentication session but no auth session ID was received in the action token + logger.debugf("Authentication session in progress but no authentication session ID was found in action token %s, restarting.", token.getId()); + new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, false); authSession = handler.startFreshAuthenticationSession(token, tokenContext); tokenContext.setAuthenticationSession(authSession, true); - - initLoginEvent(authSession); - event.event(handler.eventType()); - } else { - initLoginEvent(authSession); - event.event(handler.eventType()); - - if (tokenAuthSessionId == null) { - // There exists an authentication session but no auth session ID was received in the action token - logger.debugf("Authentication session exists while reauthentication was requested by using action token %s, restarting.", token.getId()); - new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, false); - - authSession = handler.startFreshAuthenticationSession(token, tokenContext); - tokenContext.setAuthenticationSession(authSession, true); - } else { - LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, tokenAuthSessionId); - LoginActionsServiceChecks.checkAuthenticationSessionFromCookieMatchesOneFromToken(tokenContext, tokenAuthSessionId); - } } + initLoginEvent(authSession); + event.event(handler.eventType()); + LoginActionsServiceChecks.checkIsUserValid(token, tokenContext); LoginActionsServiceChecks.checkIsClientValid(token, tokenContext); @@ -519,14 +509,9 @@ public class LoginActionsService { authSession.setAuthNote(DefaultActionTokenKey.ACTION_TOKEN_USER_ID, token.getUserId()); - return handler.handleToken(token, tokenContext, this::processFlow); + return handler.handleToken(token, tokenContext); } catch (ExplainedTokenVerificationException ex) { return handleActionTokenVerificationException(tokenContext, ex, ex.getErrorEvent(), ex.getMessage()); - } catch (RestartFlowException ex) { - Response response = handler.handleRestartRequest(token, tokenContext, this::processFlow); - return response == null - ? handleActionTokenVerificationException(tokenContext, ex, eventError, defaultErrorMessage) - : response; } catch (LoginActionsServiceException ex) { Response response = ex.getResponse(); return response == null @@ -779,37 +764,6 @@ public class LoginActionsService { return AuthenticationManager.redirectAfterSuccessfulFlow(session, realm, clientSession.getUserSession(), clientSession, request, uriInfo, clientConnection, event, authSession.getProtocol()); } - - /** - * Initiated by admin, not the user on login - * - * @param key - * @return - */ - @Path("execute-actions") - @GET - public Response executeActions(@QueryParam("key") String key) { - // TODO:mposolda - /* - event.event(EventType.EXECUTE_ACTIONS); - if (key != null) { - SessionCodeChecks checks = checksForCode(key); - if (!checks.verifyCode(ClientSessionModel.Action.EXECUTE_ACTIONS.name(), ClientSessionCode.ActionType.USER)) { - return checks.response; - } - ClientSessionModel clientSession = checks.getClientSession(); - // verify user email as we know it is valid as this entry point would never have gotten here. - clientSession.getUserSession().getUser().setEmailVerified(true); - clientSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); - clientSession.setNote(ClientSessionModel.Action.EXECUTE_ACTIONS.name(), "true"); - return AuthenticationProcessor.redirectToRequiredActions(session, realm, clientSession, uriInfo); - } else { - event.error(Errors.INVALID_CODE); - return ErrorPage.error(session, Messages.INVALID_CODE); - }*/ - return null; - } - private void initLoginEvent(AuthenticationSessionModel authSession) { String responseType = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM); if (responseType == null) { diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java index cabb1b65f4..6d42d255ff 100644 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java @@ -44,11 +44,6 @@ public class LoginActionsServiceChecks { private static final Logger LOG = Logger.getLogger(LoginActionsServiceChecks.class.getName()); - /** - * Exception signalling that flow needs to be restarted because authentication session IDs from cookie and token do not match. - */ - public static class RestartFlowException extends VerificationException { } - /** * This check verifies that user ID (subject) from the token matches * the one from the authentication session. @@ -264,32 +259,32 @@ public class LoginActionsServiceChecks { * * @param */ - public static void checkAuthenticationSessionFromCookieMatchesOneFromToken(ActionTokenContext context, String authSessionIdFromToken) throws VerificationException { + public static boolean doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext context, String authSessionIdFromToken) throws VerificationException { if (authSessionIdFromToken == null) { - throw new RestartFlowException(); + return false; } AuthenticationSessionManager asm = new AuthenticationSessionManager(context.getSession()); String authSessionIdFromCookie = asm.getCurrentAuthenticationSessionId(context.getRealm()); if (authSessionIdFromCookie == null) { - throw new RestartFlowException(); + return false; } AuthenticationSessionModel authSessionFromCookie = context.getSession() .authenticationSessions().getAuthenticationSession(context.getRealm(), authSessionIdFromCookie); if (authSessionFromCookie == null) { // Cookie contains ID of expired auth session - throw new RestartFlowException(); + return false; } if (Objects.equals(authSessionIdFromCookie, authSessionIdFromToken)) { context.setAuthenticationSession(authSessionFromCookie, false); - return; + return true; } String parentSessionId = authSessionFromCookie.getAuthNote(AuthenticationProcessor.FORKED_FROM); if (parentSessionId == null || ! Objects.equals(authSessionIdFromToken, parentSessionId)) { - throw new RestartFlowException(); + return false; } AuthenticationSessionModel authSessionFromParent = context.getSession() @@ -299,12 +294,14 @@ public class LoginActionsServiceChecks { // from the login form (browser flow) but from the token's flow // Don't expire KC_RESTART cookie at this point asm.removeAuthenticationSession(context.getRealm(), authSessionFromCookie, false); - LOG.infof("Removed forked session: %s", authSessionFromCookie.getId()); + LOG.debugf("Removed forked session: %s", authSessionFromCookie.getId()); // Refresh browser cookie asm.setAuthSessionCookie(parentSessionId, context.getRealm()); context.setAuthenticationSession(authSessionFromParent, false); context.setExecutionId(authSessionFromParent.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION)); + + return true; } } diff --git a/services/src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory b/services/src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory index 246758dfdb..2a5b9ec3e5 100644 --- a/services/src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory +++ b/services/src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory @@ -1,3 +1,4 @@ org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionTokenHandler org.keycloak.authentication.actiontoken.execactions.ExecuteActionsActionTokenHandler org.keycloak.authentication.actiontoken.verifyemail.VerifyEmailActionTokenHandler +org.keycloak.authentication.actiontoken.idpverifyemail.IdpVerifyAccountLinkActionTokenHandler \ No newline at end of file diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java index 7f26d742b3..f34c32017f 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java @@ -21,9 +21,7 @@ import org.hamcrest.Matchers; import org.jboss.arquillian.drone.api.annotation.Drone; import org.jboss.arquillian.graphene.page.Page; import org.jboss.arquillian.test.api.ArquillianResource; -import org.junit.After; import org.junit.Assert; -import org.junit.Before; import org.junit.Rule; import org.junit.Test; import org.keycloak.admin.client.resource.IdentityProviderResource; @@ -62,7 +60,6 @@ import org.openqa.selenium.WebDriver; import javax.mail.MessagingException; import javax.mail.internet.MimeMessage; import javax.ws.rs.ClientErrorException; -import javax.ws.rs.NotFoundException; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import java.io.IOException; diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java index f2dffaf016..ba7bb65694 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java @@ -52,6 +52,8 @@ import java.util.List; import java.util.Map; import java.util.Set; +import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.startsWith; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; @@ -298,6 +300,147 @@ public abstract class AbstractFirstBrokerLoginTest extends AbstractIdentityProvi Assert.assertTrue(user.isEmailVerified()); } + /** + * Tests that duplication is detected and user wants to link federatedIdentity with existing account. He will confirm link by email + */ + @Test + public void testLinkAccountByEmailVerificationTwice() throws Exception { + setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_OFF); + + loginIDP("pedroigor"); + + this.idpConfirmLinkPage.assertCurrent(); + Assert.assertEquals("User with email psilva@redhat.com already exists. How do you want to continue?", this.idpConfirmLinkPage.getMessage()); + this.idpConfirmLinkPage.clickLinkAccount(); + + // Confirm linking account by email + this.idpLinkEmailPage.assertCurrent(); + Assert.assertThat( + this.idpLinkEmailPage.getMessage(), + is("An email with instructions to link " + ObjectUtil.capitalize(getProviderId()) + " account pedroigor with your " + APP_REALM_ID + " account has been sent to you.") + ); + + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + MimeMessage message = greenMail.getReceivedMessages()[0]; + String linkFromMail = getVerificationEmailLink(message); + + driver.navigate().to(linkFromMail.trim()); + + // authenticated and redirected to app. User is linked with identity provider + assertFederatedUser("pedroigor", "psilva@redhat.com", "pedroigor"); + + // Assert user's email is verified now + UserModel user = getFederatedUser(); + Assert.assertTrue(user.isEmailVerified()); + + // Attempt to use the link for the second time + driver.navigate().to(linkFromMail.trim()); + + infoPage.assertCurrent(); + Assert.assertThat(infoPage.getInfo(), is("You are already logged in.")); + + // Log out + driver.navigate().to("http://localhost:8081/test-app/logout"); + + // Go to the same link again + driver.navigate().to(linkFromMail.trim()); + + infoPage.assertCurrent(); + Assert.assertThat(infoPage.getInfo(), startsWith("Your account was successfully linked with " + getProviderId() + " account pedroigor")); + } + + /** + * Tests that duplication is detected and user wants to link federatedIdentity with existing account. He will confirm link by email + */ + @Test + public void testLinkAccountByEmailVerificationDifferentBrowser() throws Exception, Throwable { + setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_OFF); + + loginIDP("pedroigor"); + + this.idpConfirmLinkPage.assertCurrent(); + Assert.assertEquals("User with email psilva@redhat.com already exists. How do you want to continue?", this.idpConfirmLinkPage.getMessage()); + this.idpConfirmLinkPage.clickLinkAccount(); + + // Confirm linking account by email + this.idpLinkEmailPage.assertCurrent(); + Assert.assertThat( + this.idpLinkEmailPage.getMessage(), + is("An email with instructions to link " + ObjectUtil.capitalize(getProviderId()) + " account pedroigor with your " + APP_REALM_ID + " account has been sent to you.") + ); + + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + MimeMessage message = greenMail.getReceivedMessages()[0]; + String linkFromMail = getVerificationEmailLink(message); + + WebRule webRule2 = new WebRule(this); + try { + webRule2.initProperties(); + + WebDriver driver2 = webRule2.getDriver(); + InfoPage infoPage2 = webRule2.getPage(InfoPage.class); + + driver2.navigate().to(linkFromMail.trim()); + + // authenticated, but not redirected to app. Just seeing info page. + infoPage2.assertCurrent(); + Assert.assertThat(infoPage2.getInfo(), startsWith("Your account was successfully linked with " + getProviderId() + " account pedroigor")); + } finally { + // Revert everything + webRule2.after(); + } + + driver.navigate().refresh(); + this.loginExpiredPage.assertCurrent(); + this.loginExpiredPage.clickLoginContinueLink(); + + // authenticated and redirected to app. User is linked with identity provider + assertFederatedUser("pedroigor", "psilva@redhat.com", "pedroigor"); + + // Assert user's email is verified now + UserModel user = getFederatedUser(); + Assert.assertTrue(user.isEmailVerified()); + } + + @Test + public void testLinkAccountByEmailVerificationResendEmail() throws Exception, Throwable { + setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_OFF); + + loginIDP("pedroigor"); + + this.idpConfirmLinkPage.assertCurrent(); + Assert.assertEquals("User with email psilva@redhat.com already exists. How do you want to continue?", this.idpConfirmLinkPage.getMessage()); + this.idpConfirmLinkPage.clickLinkAccount(); + + // Confirm linking account by email + this.idpLinkEmailPage.assertCurrent(); + Assert.assertThat( + this.idpLinkEmailPage.getMessage(), + is("An email with instructions to link " + ObjectUtil.capitalize(getProviderId()) + " account pedroigor with your " + APP_REALM_ID + " account has been sent to you.") + ); + + this.idpLinkEmailPage.clickResendEmail(); + + this.idpLinkEmailPage.assertCurrent(); + Assert.assertThat( + this.idpLinkEmailPage.getMessage(), + is("An email with instructions to link " + ObjectUtil.capitalize(getProviderId()) + " account pedroigor with your " + APP_REALM_ID + " account has been sent to you.") + ); + + Assert.assertEquals(2, greenMail.getReceivedMessages().length); + MimeMessage message = greenMail.getReceivedMessages()[0]; + String linkFromMail = getVerificationEmailLink(message); + + driver.navigate().to(linkFromMail.trim()); + + // authenticated and redirected to app. User is linked with identity provider + assertFederatedUser("pedroigor", "psilva@redhat.com", "pedroigor"); + + // Assert user's email is verified now + UserModel user = getFederatedUser(); + Assert.assertTrue(user.isEmailVerified()); + } + /** * Tests that duplication is detected and user wants to link federatedIdentity with existing account. He will confirm link by reauthentication (confirm password on login screen) @@ -557,29 +700,35 @@ public abstract class AbstractFirstBrokerLoginTest extends AbstractIdentityProvi // Simulate 2nd browser WebRule webRule2 = new WebRule(this); - webRule2.before(); + try { + webRule2.initProperties(); - WebDriver driver2 = webRule2.getDriver(); - LoginPasswordUpdatePage passwordUpdatePage2 = webRule2.getPage(LoginPasswordUpdatePage.class); - InfoPage infoPage2 = webRule2.getPage(InfoPage.class); + WebDriver driver2 = webRule2.getDriver(); + LoginPasswordUpdatePage passwordUpdatePage2 = webRule2.getPage(LoginPasswordUpdatePage.class); + InfoPage infoPage2 = webRule2.getPage(InfoPage.class); - driver2.navigate().to(linkFromMail.trim()); + driver2.navigate().to(linkFromMail.trim()); - // Need to update password now - passwordUpdatePage2.assertCurrent(); - passwordUpdatePage2.changePassword("password", "password"); + // Need to update password now + passwordUpdatePage2.assertCurrent(); + passwordUpdatePage2.changePassword("password", "password"); - // authenticated, but not redirected to app. Just seeing info page. - infoPage2.assertCurrent(); - Assert.assertEquals("Your account has been updated.", infoPage2.getInfo()); + // authenticated, but not redirected to app. Just seeing info page. + infoPage2.assertCurrent(); + Assert.assertEquals("Your account has been updated.", infoPage2.getInfo()); + } finally { + // Revert everything + webRule2.after(); + } // User is not yet linked with identity provider. He needs to authenticate again in 1st browser RealmModel realmWithBroker = getRealm(); Set federatedIdentities = this.session.users().getFederatedIdentities(this.session.users().getUserByUsername("pedroigor", realmWithBroker), realmWithBroker); assertEquals(0, federatedIdentities.size()); - // Continue with 1st browser - loginIDP("pedroigor"); + // Continue with 1st browser. Note that the user has already authenticated with brokered IdP in the beginning of this test + // so entering their credentials there is now skipped. + loginToIDPWhenAlreadyLoggedIntoProviderIdP("pedroigor"); this.idpConfirmLinkPage.assertCurrent(); Assert.assertEquals("User with email psilva@redhat.com already exists. How do you want to continue?", this.idpConfirmLinkPage.getMessage()); @@ -591,9 +740,6 @@ public abstract class AbstractFirstBrokerLoginTest extends AbstractIdentityProvi // authenticated and redirected to app. User is linked with identity provider assertFederatedUser("pedroigor", "psilva@redhat.com", "pedroigor"); - // Revert everything - webRule2.after(); - brokerServerRule.update(new KeycloakRule.KeycloakSetup() { @Override diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java index 8efc8c0ba3..297d00a55b 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java @@ -37,14 +37,7 @@ import org.keycloak.testsuite.MailUtil; import org.keycloak.testsuite.OAuthClient; import org.keycloak.testsuite.broker.util.UserSessionStatusServlet; import org.keycloak.testsuite.broker.util.UserSessionStatusServlet.UserSessionStatus; -import org.keycloak.testsuite.pages.AccountFederatedIdentityPage; -import org.keycloak.testsuite.pages.AccountPasswordPage; -import org.keycloak.testsuite.pages.AccountUpdateProfilePage; -import org.keycloak.testsuite.pages.ErrorPage; -import org.keycloak.testsuite.pages.LoginPage; -import org.keycloak.testsuite.pages.LoginUpdateProfilePage; -import org.keycloak.testsuite.pages.OAuthGrantPage; -import org.keycloak.testsuite.pages.VerifyEmailPage; +import org.keycloak.testsuite.pages.*; import org.keycloak.testsuite.rule.GreenMailRule; import org.keycloak.testsuite.rule.LoggingRule; import org.keycloak.testsuite.rule.WebResource; @@ -61,9 +54,8 @@ import java.net.URI; import java.util.List; import java.util.Set; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertTrue; +import static org.hamcrest.Matchers.startsWith; +import static org.junit.Assert.*; /** * @author pedroigor @@ -115,6 +107,9 @@ public abstract class AbstractIdentityProviderTest { @WebResource protected ErrorPage errorPage; + @WebResource + protected InfoPage infoPage; + protected KeycloakSession session; protected int logoutTimeOffset = 0; @@ -210,18 +205,29 @@ public abstract class AbstractIdentityProviderTest { protected void loginIDP(String username) { driver.navigate().to("http://localhost:8081/test-app"); - assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth")); + assertThat(this.driver.getCurrentUrl(), startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth")); // choose the identity provider this.loginPage.clickSocial(getProviderId()); String currentUrl = this.driver.getCurrentUrl(); - assertTrue(currentUrl.startsWith("http://localhost:8082/auth/")); + assertThat(currentUrl, startsWith("http://localhost:8082/auth/")); // log in to identity provider this.loginPage.login(username, "password"); doAfterProviderAuthentication(); } + protected void loginToIDPWhenAlreadyLoggedIntoProviderIdP(String username) { + driver.navigate().to("http://localhost:8081/test-app"); + + assertThat(this.driver.getCurrentUrl(), startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth")); + + // choose the identity provider + this.loginPage.clickSocial(getProviderId()); + + doAfterProviderAuthentication(); + } + protected UserModel getFederatedUser() { UserSessionStatus userSessionStatus = retrieveSessionStatus(); IDToken idToken = userSessionStatus.getIdToken(); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLFirstBrokerLoginTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLFirstBrokerLoginTest.java index 200b0a7c60..234617b482 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLFirstBrokerLoginTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLFirstBrokerLoginTest.java @@ -23,6 +23,7 @@ import org.keycloak.models.RealmModel; import org.keycloak.services.managers.RealmManager; import org.keycloak.testsuite.KeycloakServer; import org.keycloak.testsuite.rule.AbstractKeycloakRule; +import org.junit.Test; /** * @author Marek Posolda diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/IdpLinkEmailPage.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/IdpLinkEmailPage.java index 8ed8461070..22eb1560ba 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/IdpLinkEmailPage.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/IdpLinkEmailPage.java @@ -28,11 +28,22 @@ public class IdpLinkEmailPage extends AbstractPage { @FindBy(id = "instruction1") private WebElement message; + @FindBy(linkText = "Click here") + private WebElement resendEmailLink; + @Override public boolean isCurrent() { return driver.getTitle().startsWith("Link "); } + public void clickResendEmail() { + resendEmailLink.click(); + } + + public String getResendEmailLink() { + return resendEmailLink.getAttribute("href"); + } + @Override public void open() throws Exception { throw new UnsupportedOperationException(); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/WebRule.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/WebRule.java index 2cea40a7cd..0d93d19a21 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/WebRule.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/WebRule.java @@ -40,10 +40,14 @@ public class WebRule extends ExternalResource { this.test = test; } - @Override - public void before() throws Throwable { + public void initProperties() { driver = createWebDriver(); oauth = new OAuthClient(driver); + } + + @Override + public void before() throws Throwable { + initProperties(); initWebResources(test); } @@ -58,6 +62,7 @@ public class WebRule extends ExternalResource { HtmlUnitDriver d = new HtmlUnitDriver(); d.getWebClient().getOptions().setJavaScriptEnabled(true); d.getWebClient().getOptions().setCssEnabled(false); + d.getWebClient().getOptions().setTimeout(1000000); driver = d; } else if (browser.equals("chrome")) { driver = new ChromeDriver(); diff --git a/themes/src/main/resources/theme/base/login/login-idp-link-email.ftl b/themes/src/main/resources/theme/base/login/login-idp-link-email.ftl index 5dc29f1c11..9cca544ae7 100644 --- a/themes/src/main/resources/theme/base/login/login-idp-link-email.ftl +++ b/themes/src/main/resources/theme/base/login/login-idp-link-email.ftl @@ -9,7 +9,7 @@ ${msg("emailLinkIdp1", idpAlias, brokerContext.username, realm.displayName)}

    - ${msg("emailLinkIdp2")} ${msg("doClickHere")} ${msg("emailLinkIdp3")} + ${msg("emailLinkIdp2")} ${msg("doClickHere")} ${msg("emailLinkIdp3")}

    \ No newline at end of file From db8b7336104af0c0fb701cfdd80b7985401241f6 Mon Sep 17 00:00:00 2001 From: mposolda Date: Wed, 3 May 2017 16:15:45 +0200 Subject: [PATCH 10/30] KEYCLOAK-4626 Fix TrustStoreEmailTest and PolicyEvaluationCompositeRoleTest. Distribution update --- .../demo-dist/src/main/xslt/standalone.xsl | 1 + .../src/main/cli/keycloak-install-base.cli | 1 + .../src/main/cli/keycloak-install-ha-base.cli | 1 + ...ltInfinispanConnectionProviderFactory.java | 1 + .../AuthenticatedClientSessionEntity.java | 3 +- .../requiredactions/VerifyEmail.java | 11 ++-- .../admin/PolicyEvaluationService.java | 1 + .../account/TrustStoreEmailTest.java | 57 +++++++++++++++++-- .../KeycloakServerDeploymentProcessor.java | 2 +- .../keycloak-infinispan.xml | 2 + .../keycloak-infinispan2.xml | 2 + 11 files changed, 71 insertions(+), 11 deletions(-) diff --git a/distribution/demo-dist/src/main/xslt/standalone.xsl b/distribution/demo-dist/src/main/xslt/standalone.xsl index 882d1b18f5..7c0b3c1387 100755 --- a/distribution/demo-dist/src/main/xslt/standalone.xsl +++ b/distribution/demo-dist/src/main/xslt/standalone.xsl @@ -89,6 +89,7 @@ + diff --git a/distribution/server-overlay/src/main/cli/keycloak-install-base.cli b/distribution/server-overlay/src/main/cli/keycloak-install-base.cli index f24502ae4e..b8a7e89eb6 100644 --- a/distribution/server-overlay/src/main/cli/keycloak-install-base.cli +++ b/distribution/server-overlay/src/main/cli/keycloak-install-base.cli @@ -6,6 +6,7 @@ embed-server --server-config=standalone.xml /subsystem=infinispan/cache-container=keycloak/local-cache=users:add() /subsystem=infinispan/cache-container=keycloak/local-cache=users/eviction=EVICTION:add(max-entries=10000,strategy=LRU) /subsystem=infinispan/cache-container=keycloak/local-cache=sessions:add() +/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions:add() /subsystem=infinispan/cache-container=keycloak/local-cache=offlineSessions:add() /subsystem=infinispan/cache-container=keycloak/local-cache=loginFailures:add() /subsystem=infinispan/cache-container=keycloak/local-cache=work:add() diff --git a/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli b/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli index ec2b56ff23..e092374611 100644 --- a/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli +++ b/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli @@ -7,6 +7,7 @@ embed-server --server-config=standalone-ha.xml /subsystem=infinispan/cache-container=keycloak/local-cache=users:add() /subsystem=infinispan/cache-container=keycloak/local-cache=users/eviction=EVICTION:add(max-entries=10000,strategy=LRU) /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:add(mode="SYNC",owners="1") +/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:add(mode="SYNC",owners="1") /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:add(mode="SYNC",owners="1") /subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:add(mode="SYNC",owners="1") /subsystem=infinispan/cache-container=keycloak/local-cache=authorization:add() diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java index 934f0e8c11..0f63129aae 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java @@ -118,6 +118,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(userRevisionsMaxEntries)); cacheManager.getCache(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, true); cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, true); + cacheManager.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME, true); cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true); logger.debugv("Using container managed Infinispan cache container, lookup={1}", cacheContainerLookup); diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java index c7839f4377..f89247789c 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java @@ -17,13 +17,14 @@ package org.keycloak.models.sessions.infinispan.entities; +import java.io.Serializable; import java.util.Map; import java.util.Set; /** * @author Marek Posolda */ -public class AuthenticatedClientSessionEntity { +public class AuthenticatedClientSessionEntity implements Serializable { private String id; private String authMethod; diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java index ad84f9d3b8..ae569705d9 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java @@ -27,6 +27,8 @@ import org.keycloak.common.util.Time; import org.keycloak.email.EmailException; import org.keycloak.email.EmailTemplateProvider; import org.keycloak.events.Details; +import org.keycloak.events.Errors; +import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.*; @@ -74,8 +76,8 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor // Do not allow resending e-mail by simple page refresh, i.e. when e-mail sent, it should be resent properly via email-verification endpoint if (! Objects.equals(authSession.getAuthNote(Constants.VERIFY_EMAIL_KEY), email)) { authSession.setAuthNote(Constants.VERIFY_EMAIL_KEY, email); - context.getEvent().clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, email).success(); - challenge = sendVerifyEmail(context.getSession(), loginFormsProvider, context.getUser(), context.getAuthenticationSession()); + EventBuilder event = context.getEvent().clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, email); + challenge = sendVerifyEmail(context.getSession(), loginFormsProvider, context.getUser(), context.getAuthenticationSession(), event); } else { challenge = loginFormsProvider.createResponse(UserModel.RequiredAction.VERIFY_EMAIL); } @@ -126,7 +128,7 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor return UserModel.RequiredAction.VERIFY_EMAIL.name(); } - private Response sendVerifyEmail(KeycloakSession session, LoginFormsProvider forms, UserModel user, AuthenticationSessionModel authSession) throws UriBuilderException, IllegalArgumentException { + private Response sendVerifyEmail(KeycloakSession session, LoginFormsProvider forms, UserModel user, AuthenticationSessionModel authSession, EventBuilder event) throws UriBuilderException, IllegalArgumentException { RealmModel realm = session.getContext().getRealm(); UriInfo uriInfo = session.getContext().getUri(); @@ -144,9 +146,10 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor try { session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user).sendVerifyEmail(link, expirationInMinutes); + event.success(); } catch (EmailException e) { logger.error("Failed to send verification email", e); - return forms.createResponse(RequiredAction.VERIFY_EMAIL); + event.error(Errors.EMAIL_SEND_FAILED); } return forms.createResponse(UserModel.RequiredAction.VERIFY_EMAIL); diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java index 82cbddfcb3..24e1a8943e 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java @@ -237,6 +237,7 @@ public class PolicyEvaluationService { AuthenticationSessionModel authSession = keycloakSession.authenticationSessions().createAuthenticationSession(id, realm, clientModel); authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + authSession.setAuthenticatedUser(userModel); userSession = keycloakSession.sessions().createUserSession(id, realm, userModel, userModel.getUsername(), "127.0.0.1", "passwd", false, null, null); AuthenticationManager.setRolesAndMappersInSession(authSession); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/TrustStoreEmailTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/TrustStoreEmailTest.java index 59d277c76c..7fb9692961 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/TrustStoreEmailTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/TrustStoreEmailTest.java @@ -18,17 +18,23 @@ package org.keycloak.testsuite.account; import org.jboss.arquillian.graphene.page.Page; import org.junit.After; +import org.junit.Rule; import org.junit.Test; +import org.keycloak.events.Details; +import org.keycloak.events.Errors; +import org.keycloak.events.EventType; +import org.keycloak.representations.idm.EventRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; +import org.keycloak.testsuite.Assert; +import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.auth.page.AuthRealm; import org.keycloak.testsuite.auth.page.account.AccountManagement; import org.keycloak.testsuite.auth.page.login.OIDCLogin; import org.keycloak.testsuite.auth.page.login.VerifyEmail; import org.keycloak.testsuite.util.MailServerConfiguration; -import org.keycloak.testsuite.util.RealmRepUtil; import org.keycloak.testsuite.util.SslMailServer; import static org.junit.Assert.assertEquals; @@ -54,6 +60,9 @@ public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest { @Page private VerifyEmail testRealmVerifyEmailPage; + @Rule + public AssertEvents events = new AssertEvents(this); + @Override public void configureTestRealm(RealmRepresentation testRealm) { log.info("enable verify email and configure smtp server to run with ssl in test realm"); @@ -86,6 +95,15 @@ public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest { accountManagement.navigateTo(); testRealmLoginPage.form().login(user.getUsername(), "password"); + EventRepresentation sendEvent = events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL) + .user(user.getId()) + .client("account") + .detail(Details.USERNAME, "test-user@localhost") + .detail(Details.EMAIL, "test-user@localhost") + .removeDetail(Details.REDIRECT_URI) + .assertEvent(); + String mailCodeId = sendEvent.getDetails().get(Details.CODE_ID); + assertEquals("You need to verify your email address to activate your account.", testRealmVerifyEmailPage.getFeedbackText()); @@ -96,6 +114,23 @@ public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest { driver.navigate().to(verifyEmailUrl); + events.expectRequiredAction(EventType.VERIFY_EMAIL) + .user(user.getId()) + .client("account") + .detail(Details.USERNAME, "test-user@localhost") + .detail(Details.EMAIL, "test-user@localhost") + .detail(Details.CODE_ID, mailCodeId) + .removeDetail(Details.REDIRECT_URI) + .assertEvent(); + + events.expectLogin() + .client("account") + .user(user.getId()) + .session(mailCodeId) + .detail(Details.USERNAME, "test-user@localhost") + .removeDetail(Details.REDIRECT_URI) + .assertEvent(); + assertCurrentUrlStartsWith(accountManagement); accountManagement.signOut(); testRealmLoginPage.form().login(user.getUsername(), "password"); @@ -103,15 +138,27 @@ public class TrustStoreEmailTest extends AbstractTestRealmKeycloakTest { } @Test - public void verifyEmailWithSslWrongCertificate() { + public void verifyEmailWithSslWrongCertificate() throws Exception { UserRepresentation user = ApiUtil.findUserByUsername(testRealm(), "test-user@localhost"); SslMailServer.startWithSsl(this.getClass().getClassLoader().getResource(SslMailServer.INVALID_KEY).getFile()); accountManagement.navigateTo(); loginPage.form().login(user.getUsername(), "password"); - assertEquals("Failed to send email, please try again later.\n" + - "« Back to Application", - testRealmVerifyEmailPage.getErrorMessage()); + events.expectRequiredAction(EventType.SEND_VERIFY_EMAIL_ERROR) + .error(Errors.EMAIL_SEND_FAILED) + .user(user.getId()) + .client("account") + .detail(Details.USERNAME, "test-user@localhost") + .detail(Details.EMAIL, "test-user@localhost") + .removeDetail(Details.REDIRECT_URI) + .assertEvent(); + + // Email wasn't send + Assert.assertNull(SslMailServer.getLastReceivedMessage()); + + // Email wasn't send, but we won't notify end user about that. Admin is aware due to the error in the logs and the SEND_VERIFY_EMAIL_ERROR event. + assertEquals("You need to verify your email address to activate your account.", + testRealmVerifyEmailPage.getFeedbackText()); } } \ No newline at end of file diff --git a/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java b/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java index 96078ffe41..8567376001 100755 --- a/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java +++ b/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java @@ -41,7 +41,7 @@ import java.util.List; public class KeycloakServerDeploymentProcessor implements DeploymentUnitProcessor { private static final String[] CACHES = new String[] { - "realms", "users","sessions","offlineSessions","loginFailures","work","authorization","keys" + "realms", "users","sessions","authenticationSessions","offlineSessions","loginFailures","work","authorization","keys" }; // This param name is defined again in Keycloak Services class diff --git a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml index 205c1f51af..83f76549e7 100755 --- a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml +++ b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml @@ -32,6 +32,7 @@ + @@ -97,6 +98,7 @@ + diff --git a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan2.xml b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan2.xml index 95bcffd9f3..5e706dca8b 100755 --- a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan2.xml +++ b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan2.xml @@ -32,6 +32,7 @@ + @@ -100,6 +101,7 @@ + From b8262a9f0275758ce2d1b4a05c350a465580b24a Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Fri, 5 May 2017 01:20:58 +0200 Subject: [PATCH 11/30] KEYCLOAK-4628 Single-use cache + its functionality incorporated into reset password token. Utilize single-use cache for relevant actions in execute-actions token --- .../idm/RealmRepresentation.java | 18 +++ .../demo-dist/src/main/xslt/standalone.xsl | 1 + .../src/main/cli/keycloak-install-base.cli | 3 + .../src/main/cli/keycloak-install-ha-base.cli | 3 + ...ltInfinispanConnectionProviderFactory.java | 18 +++ .../InfinispanConnectionProvider.java | 5 + .../AddInvalidatedActionTokenEvent.java | 50 +++++++ .../models/cache/infinispan/RealmAdapter.java | 24 ++++ .../RemoveActionTokensSpecificEvent.java | 42 ++++++ .../infinispan/entities/CachedRealm.java | 12 ++ .../InfinispanActionTokenStoreProvider.java | 98 +++++++++++++ ...nispanActionTokenStoreProviderFactory.java | 100 +++++++++++++ ...nAuthenticationSessionProviderFactory.java | 2 + .../InfinispanKeycloakTransaction.java | 136 ++++++++++-------- .../entities/ActionTokenReducedKey.java | 104 ++++++++++++++ .../entities/ActionTokenValueEntity.java | 76 ++++++++++ ...oak.models.ActionTokenStoreProviderFactory | 1 + .../org/keycloak/models/jpa/RealmAdapter.java | 20 +++ .../models/jpa/entities/RealmAttributes.java | 4 + .../authentication/RequiredActionFactory.java | 9 ++ .../models/ActionTokenStoreProvider.java | 54 +++++++ .../ActionTokenStoreProviderFactory.java | 27 ++++ .../keycloak/models/ActionTokenStoreSpi.java | 50 +++++++ .../models/utils/ModelToRepresentation.java | 2 + .../models/utils/RepresentationToModel.java | 12 ++ .../AuthenticationSessionProviderFactory.java | 2 - .../services/org.keycloak.provider.Spi | 1 + .../keycloak/models/ActionTokenKeyModel.java | 46 ++++++ .../models/ActionTokenValueModel.java | 39 +++++ .../java/org/keycloak/models/RealmModel.java | 6 + .../AbstractActionTokenHander.java | 17 ++- .../actiontoken/ActionTokenHandler.java | 19 ++- .../actiontoken/DefaultActionToken.java | 39 +++-- .../actiontoken/DefaultActionTokenKey.java | 41 +++++- .../ExecuteActionsActionToken.java | 18 +-- .../ExecuteActionsActionTokenHandler.java | 27 +++- .../IdpVerifyAccountLinkActionToken.java | 8 +- .../ResetCredentialsActionToken.java | 21 +-- .../ResetCredentialsActionTokenHandler.java | 10 +- .../verifyemail/VerifyEmailActionToken.java | 8 +- .../IdpEmailVerificationAuthenticator.java | 4 +- .../resetcred/ResetCredentialEmail.java | 9 +- .../requiredactions/UpdatePassword.java | 5 + .../requiredactions/UpdateTotp.java | 5 + .../requiredactions/VerifyEmail.java | 15 +- .../managers/AuthenticationManager.java | 33 ++--- .../resources/LoginActionsService.java | 6 +- .../resources/LoginActionsServiceChecks.java | 8 ++ .../resources/admin/UsersResource.java | 16 ++- .../RequiredActionEmailVerificationTest.java | 2 - .../keycloak/testsuite/admin/UserTest.java | 61 +++++++- .../testsuite/admin/realm/RealmTest.java | 10 ++ .../testsuite/forms/ResetPasswordTest.java | 30 ++-- .../test/resources/admin-test/testrealm.json | 2 + .../messages/admin-messages_en.properties | 6 + .../admin/resources/js/controllers/realm.js | 4 + .../admin/resources/js/controllers/users.js | 5 +- .../theme/base/admin/resources/js/services.js | 3 +- .../resources/partials/realm-tokens.html | 34 +++++ .../resources/partials/user-credentials.html | 14 ++ .../KeycloakServerDeploymentProcessor.java | 4 +- .../keycloak-infinispan.xml | 8 ++ .../keycloak-infinispan2.xml | 8 ++ 63 files changed, 1243 insertions(+), 222 deletions(-) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/AddInvalidatedActionTokenEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RemoveActionTokensSpecificEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProvider.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProviderFactory.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenReducedKey.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenValueEntity.java create mode 100644 model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.ActionTokenStoreProviderFactory create mode 100644 server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreProvider.java create mode 100644 server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreProviderFactory.java create mode 100644 server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreSpi.java create mode 100644 server-spi/src/main/java/org/keycloak/models/ActionTokenKeyModel.java create mode 100644 server-spi/src/main/java/org/keycloak/models/ActionTokenValueModel.java diff --git a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java index b14e55bda1..670e1d8bde 100755 --- a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java +++ b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java @@ -46,6 +46,8 @@ public class RealmRepresentation { protected Integer accessCodeLifespan; protected Integer accessCodeLifespanUserAction; protected Integer accessCodeLifespanLogin; + protected Integer actionTokenGeneratedByAdminLifespan; + protected Integer actionTokenGeneratedByUserLifespan; protected Boolean enabled; protected String sslRequired; @Deprecated @@ -338,6 +340,22 @@ public class RealmRepresentation { this.accessCodeLifespanLogin = accessCodeLifespanLogin; } + public Integer getActionTokenGeneratedByAdminLifespan() { + return actionTokenGeneratedByAdminLifespan; + } + + public void setActionTokenGeneratedByAdminLifespan(Integer actionTokenGeneratedByAdminLifespan) { + this.actionTokenGeneratedByAdminLifespan = actionTokenGeneratedByAdminLifespan; + } + + public Integer getActionTokenGeneratedByUserLifespan() { + return actionTokenGeneratedByUserLifespan; + } + + public void setActionTokenGeneratedByUserLifespan(Integer actionTokenGeneratedByUserLifespan) { + this.actionTokenGeneratedByUserLifespan = actionTokenGeneratedByUserLifespan; + } + public List getDefaultRoles() { return defaultRoles; } diff --git a/distribution/demo-dist/src/main/xslt/standalone.xsl b/distribution/demo-dist/src/main/xslt/standalone.xsl index 7c0b3c1387..d78ff753e7 100755 --- a/distribution/demo-dist/src/main/xslt/standalone.xsl +++ b/distribution/demo-dist/src/main/xslt/standalone.xsl @@ -93,6 +93,7 @@ + diff --git a/distribution/server-overlay/src/main/cli/keycloak-install-base.cli b/distribution/server-overlay/src/main/cli/keycloak-install-base.cli index b8a7e89eb6..5ce3122fa8 100644 --- a/distribution/server-overlay/src/main/cli/keycloak-install-base.cli +++ b/distribution/server-overlay/src/main/cli/keycloak-install-base.cli @@ -15,4 +15,7 @@ embed-server --server-config=standalone.xml /subsystem=infinispan/cache-container=keycloak/local-cache=keys:add() /subsystem=infinispan/cache-container=keycloak/local-cache=keys/eviction=EVICTION:add(max-entries=1000,strategy=LRU) /subsystem=infinispan/cache-container=keycloak/local-cache=keys/expiration=EXPIRATION:add(max-idle=3600000) +/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens:add() +/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/eviction=EVICTION:add(max-entries=-1,strategy=NONE) +/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/expiration=EXPIRATION:add(max-idle=-1,interval=300000) /extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem) diff --git a/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli b/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli index e092374611..4710eb8a82 100644 --- a/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli +++ b/distribution/server-overlay/src/main/cli/keycloak-install-ha-base.cli @@ -16,4 +16,7 @@ embed-server --server-config=standalone-ha.xml /subsystem=infinispan/cache-container=keycloak/local-cache=keys:add() /subsystem=infinispan/cache-container=keycloak/local-cache=keys/eviction=EVICTION:add(max-entries=1000,strategy=LRU) /subsystem=infinispan/cache-container=keycloak/local-cache=keys/expiration=EXPIRATION:add(max-idle=3600000) +/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens:add() +/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/eviction=EVICTION:add(max-entries=-1,strategy=NONE) +/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/expiration=EXPIRATION:add(max-idle=-1,interval=300000) /extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem) diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java index 0f63129aae..4bd78017ea 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java @@ -120,6 +120,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, true); cacheManager.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME, true); cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true); + cacheManager.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE, true); logger.debugv("Using container managed Infinispan cache container, lookup={1}", cacheContainerLookup); } catch (Exception e) { @@ -220,6 +221,9 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon cacheManager.defineConfiguration(InfinispanConnectionProvider.KEYS_CACHE_NAME, getKeysCacheConfig()); cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true); + + cacheManager.defineConfiguration(InfinispanConnectionProvider.ACTION_TOKEN_CACHE, getActionTokenCacheConfig()); + cacheManager.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE, true); } private Configuration getRevisionCacheConfig(long maxEntries) { @@ -270,4 +274,18 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon return cb.build(); } + private Configuration getActionTokenCacheConfig() { + ConfigurationBuilder cb = new ConfigurationBuilder(); + + cb.eviction() + .strategy(EvictionStrategy.NONE) + .type(EvictionType.COUNT) + .size(InfinispanConnectionProvider.ACTION_TOKEN_CACHE_DEFAULT_MAX); + cb.expiration() + .maxIdle(InfinispanConnectionProvider.ACTION_TOKEN_MAX_IDLE_SECONDS, TimeUnit.SECONDS) + .wakeUpInterval(InfinispanConnectionProvider.ACTION_TOKEN_WAKE_UP_INTERVAL_SECONDS, TimeUnit.SECONDS); + + return cb.build(); + } + } diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java index 6d8b7f4be9..ba9a31bd4d 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java @@ -40,6 +40,11 @@ public interface InfinispanConnectionProvider extends Provider { String WORK_CACHE_NAME = "work"; String AUTHORIZATION_CACHE_NAME = "authorization"; + String ACTION_TOKEN_CACHE = "actionTokens"; + int ACTION_TOKEN_CACHE_DEFAULT_MAX = -1; + int ACTION_TOKEN_MAX_IDLE_SECONDS = -1; + long ACTION_TOKEN_WAKE_UP_INTERVAL_SECONDS = 5 * 60 * 1000l; + String KEYS_CACHE_NAME = "keys"; int KEYS_CACHE_DEFAULT_MAX = 1000; int KEYS_CACHE_MAX_IDLE_SECONDS = 3600; diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/AddInvalidatedActionTokenEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/AddInvalidatedActionTokenEvent.java new file mode 100644 index 0000000000..37a1a218d5 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/AddInvalidatedActionTokenEvent.java @@ -0,0 +1,50 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan; + +import org.keycloak.cluster.ClusterEvent; +import org.keycloak.models.sessions.infinispan.entities.ActionTokenReducedKey; +import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity; + +/** + * Event requesting adding of an invalidated action token. + */ +public class AddInvalidatedActionTokenEvent implements ClusterEvent { + + private final ActionTokenReducedKey key; + private final int expirationInSecs; + private final ActionTokenValueEntity tokenValue; + + public AddInvalidatedActionTokenEvent(ActionTokenReducedKey key, int expirationInSecs, ActionTokenValueEntity tokenValue) { + this.key = key; + this.expirationInSecs = expirationInSecs; + this.tokenValue = tokenValue; + } + + public ActionTokenReducedKey getKey() { + return key; + } + + public int getExpirationInSecs() { + return expirationInSecs; + } + + public ActionTokenValueEntity getTokenValue() { + return tokenValue; + } + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java index 8350f0dc30..0bed8262a1 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java @@ -474,6 +474,30 @@ public class RealmAdapter implements CachedRealmModel { updated.setAccessCodeLifespanLogin(seconds); } + @Override + public int getActionTokenGeneratedByAdminLifespan() { + if (isUpdated()) return updated.getActionTokenGeneratedByAdminLifespan(); + return cached.getActionTokenGeneratedByAdminLifespan(); + } + + @Override + public void setActionTokenGeneratedByAdminLifespan(int seconds) { + getDelegateForUpdate(); + updated.setActionTokenGeneratedByAdminLifespan(seconds); + } + + @Override + public int getActionTokenGeneratedByUserLifespan() { + if (isUpdated()) return updated.getActionTokenGeneratedByUserLifespan(); + return cached.getActionTokenGeneratedByUserLifespan(); + } + + @Override + public void setActionTokenGeneratedByUserLifespan(int seconds) { + getDelegateForUpdate(); + updated.setActionTokenGeneratedByUserLifespan(seconds); + } + @Override public List getRequiredCredentials() { if (isUpdated()) return updated.getRequiredCredentials(); diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RemoveActionTokensSpecificEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RemoveActionTokensSpecificEvent.java new file mode 100644 index 0000000000..0a4d858b52 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RemoveActionTokensSpecificEvent.java @@ -0,0 +1,42 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan; + +import org.keycloak.cluster.ClusterEvent; + +/** + * Event requesting removal of the action tokens with the given user and action regardless of nonce. + */ +public class RemoveActionTokensSpecificEvent implements ClusterEvent { + + private final String userId; + private final String actionId; + + public RemoveActionTokensSpecificEvent(String userId, String actionId) { + this.userId = userId; + this.actionId = actionId; + } + + public String getUserId() { + return userId; + } + + public String getActionId() { + return actionId; + } + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java index fef0486af1..3668d9740e 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java @@ -83,6 +83,8 @@ public class CachedRealm extends AbstractExtendableRevisioned { protected int accessCodeLifespan; protected int accessCodeLifespanUserAction; protected int accessCodeLifespanLogin; + protected int actionTokenGeneratedByAdminLifespan; + protected int actionTokenGeneratedByUserLifespan; protected int notBefore; protected PasswordPolicy passwordPolicy; protected OTPPolicy otpPolicy; @@ -175,6 +177,8 @@ public class CachedRealm extends AbstractExtendableRevisioned { accessCodeLifespan = model.getAccessCodeLifespan(); accessCodeLifespanUserAction = model.getAccessCodeLifespanUserAction(); accessCodeLifespanLogin = model.getAccessCodeLifespanLogin(); + actionTokenGeneratedByAdminLifespan = model.getActionTokenGeneratedByAdminLifespan(); + actionTokenGeneratedByUserLifespan = model.getActionTokenGeneratedByUserLifespan(); notBefore = model.getNotBefore(); passwordPolicy = model.getPasswordPolicy(); otpPolicy = model.getOTPPolicy(); @@ -399,6 +403,14 @@ public class CachedRealm extends AbstractExtendableRevisioned { return accessCodeLifespanLogin; } + public int getActionTokenGeneratedByAdminLifespan() { + return actionTokenGeneratedByAdminLifespan; + } + + public int getActionTokenGeneratedByUserLifespan() { + return actionTokenGeneratedByUserLifespan; + } + public List getRequiredCredentials() { return requiredCredentials; } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProvider.java new file mode 100644 index 0000000000..127879a4d1 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProvider.java @@ -0,0 +1,98 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.sessions.infinispan; + +import org.keycloak.cluster.ClusterProvider; +import org.keycloak.models.*; + +import org.keycloak.models.cache.infinispan.AddInvalidatedActionTokenEvent; +import org.keycloak.models.cache.infinispan.RemoveActionTokensSpecificEvent; +import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity; +import org.keycloak.models.sessions.infinispan.entities.ActionTokenReducedKey; +import java.util.*; +import org.infinispan.Cache; + +/** + * + * @author hmlnarik + */ +public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvider { + + private final Cache actionKeyCache; + private final InfinispanKeycloakTransaction tx; + private final KeycloakSession session; + + public InfinispanActionTokenStoreProvider(KeycloakSession session, Cache actionKeyCache) { + this.session = session; + this.actionKeyCache = actionKeyCache; + this.tx = new InfinispanKeycloakTransaction(); + + session.getTransactionManager().enlistAfterCompletion(tx); + } + + @Override + public void close() { + } + + @Override + public void put(ActionTokenKeyModel key, Map notes) { + if (key == null || key.getUserId() == null || key.getActionId() == null) { + return; + } + + ActionTokenReducedKey tokenKey = new ActionTokenReducedKey(key.getUserId(), key.getActionId(), key.getActionVerificationNonce()); + ActionTokenValueEntity tokenValue = new ActionTokenValueEntity(notes); + + ClusterProvider cluster = session.getProvider(ClusterProvider.class); + this.tx.notify(cluster, InfinispanActionTokenStoreProviderFactory.ACTION_TOKEN_EVENTS, new AddInvalidatedActionTokenEvent(tokenKey, key.getExpiration(), tokenValue), false); + } + + @Override + public ActionTokenValueModel get(ActionTokenKeyModel actionTokenKey) { + if (actionTokenKey == null || actionTokenKey.getUserId() == null || actionTokenKey.getActionId() == null) { + return null; + } + + ActionTokenReducedKey key = new ActionTokenReducedKey(actionTokenKey.getUserId(), actionTokenKey.getActionId(), actionTokenKey.getActionVerificationNonce()); + return this.actionKeyCache.getAdvancedCache().get(key); + } + + @Override + public ActionTokenValueModel remove(ActionTokenKeyModel actionTokenKey) { + if (actionTokenKey == null || actionTokenKey.getUserId() == null || actionTokenKey.getActionId() == null) { + return null; + } + + ActionTokenReducedKey key = new ActionTokenReducedKey(actionTokenKey.getUserId(), actionTokenKey.getActionId(), actionTokenKey.getActionVerificationNonce()); + ActionTokenValueEntity value = this.actionKeyCache.get(key); + + if (value != null) { + this.tx.remove(actionKeyCache, key); + } + + return value; + } + + public void removeAll(String userId, String actionId) { + if (userId == null || actionId == null) { + return; + } + + ClusterProvider cluster = session.getProvider(ClusterProvider.class); + this.tx.notify(cluster, InfinispanActionTokenStoreProviderFactory.ACTION_TOKEN_EVENTS, new RemoveActionTokensSpecificEvent(userId, actionId), false); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProviderFactory.java new file mode 100644 index 0000000000..a8c5e3899e --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProviderFactory.java @@ -0,0 +1,100 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.sessions.infinispan; + +import org.keycloak.Config; +import org.keycloak.Config.Scope; +import org.keycloak.cluster.ClusterProvider; +import org.keycloak.common.util.Time; +import org.keycloak.connections.infinispan.InfinispanConnectionProvider; +import org.keycloak.models.*; + +import org.keycloak.models.cache.infinispan.AddInvalidatedActionTokenEvent; +import org.keycloak.models.cache.infinispan.RemoveActionTokensSpecificEvent; +import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity; +import org.keycloak.models.sessions.infinispan.entities.ActionTokenReducedKey; +import java.util.Objects; +import java.util.concurrent.TimeUnit; +import org.infinispan.Cache; +import org.infinispan.context.Flag; + +/** + * + * @author hmlnarik + */ +public class InfinispanActionTokenStoreProviderFactory implements ActionTokenStoreProviderFactory { + + public static final String ACTION_TOKEN_EVENTS = "ACTION_TOKEN_EVENTS"; + + /** + * If expiration is set to this value, no expiration is set on the corresponding cache entry (hence cache default is honored) + */ + private static final int DEFAULT_CACHE_EXPIRATION = 0; + + private Config.Scope config; + + @Override + public ActionTokenStoreProvider create(KeycloakSession session) { + InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class); + Cache actionTokenCache = connections.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE); + + ClusterProvider cluster = session.getProvider(ClusterProvider.class); + + cluster.registerListener(ACTION_TOKEN_EVENTS, event -> { + if (event instanceof RemoveActionTokensSpecificEvent) { + RemoveActionTokensSpecificEvent e = (RemoveActionTokensSpecificEvent) event; + + actionTokenCache + .getAdvancedCache() + .withFlags(Flag.CACHE_MODE_LOCAL, Flag.SKIP_CACHE_LOAD) + .keySet() + .stream() + .filter(k -> Objects.equals(k.getUserId(), e.getUserId()) && Objects.equals(k.getActionId(), e.getActionId())) + .forEach(actionTokenCache::remove); + } else if (event instanceof AddInvalidatedActionTokenEvent) { + AddInvalidatedActionTokenEvent e = (AddInvalidatedActionTokenEvent) event; + + if (e.getExpirationInSecs() == DEFAULT_CACHE_EXPIRATION) { + actionTokenCache.put(e.getKey(), e.getTokenValue()); + } else { + actionTokenCache.put(e.getKey(), e.getTokenValue(), e.getExpirationInSecs() - Time.currentTime(), TimeUnit.SECONDS); + } + } + }); + + return new InfinispanActionTokenStoreProvider(session, actionTokenCache); + } + + @Override + public void init(Scope config) { + this.config = config; + } + + @Override + public void postInit(KeycloakSessionFactory factory) { + } + + @Override + public void close() { + } + + @Override + public String getId() { + return "infinispan"; + } + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java index aa6ede3e9a..83e970ddaa 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanAuthenticationSessionProviderFactory.java @@ -42,6 +42,8 @@ public class InfinispanAuthenticationSessionProviderFactory implements Authentic private volatile Cache authSessionsCache; + public static final String AUTHENTICATION_SESSION_EVENTS = "AUTHENTICATION_SESSION_EVENTS"; + @Override public void init(Config.Scope config) { diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java index 4ac40af7a9..5471184da9 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanKeycloakTransaction.java @@ -16,11 +16,14 @@ */ package org.keycloak.models.sessions.infinispan; +import org.keycloak.cluster.ClusterEvent; +import org.keycloak.cluster.ClusterProvider; import org.infinispan.context.Flag; import org.keycloak.models.KeycloakTransaction; -import java.util.HashMap; +import java.util.LinkedHashMap; import java.util.Map; +import java.util.concurrent.TimeUnit; import org.infinispan.Cache; import org.jboss.logging.Logger; @@ -32,12 +35,12 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { private final static Logger log = Logger.getLogger(InfinispanKeycloakTransaction.class); public enum CacheOperation { - ADD, REMOVE, REPLACE, ADD_IF_ABSENT // ADD_IF_ABSENT throws an exception if there is existing value + ADD, ADD_WITH_LIFESPAN, REMOVE, REPLACE, ADD_IF_ABSENT // ADD_IF_ABSENT throws an exception if there is existing value } private boolean active; private boolean rollback; - private final Map tasks = new HashMap<>(); + private final Map tasks = new LinkedHashMap<>(); @Override public void begin() { @@ -80,7 +83,28 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { if (tasks.containsKey(taskKey)) { throw new IllegalStateException("Can't add session: task in progress for session"); } else { - tasks.put(taskKey, new CacheTask<>(cache, CacheOperation.ADD, key, value)); + tasks.put(taskKey, new CacheTaskWithValue(value) { + @Override + public void execute() { + decorateCache(cache).put(key, value); + } + }); + } + } + + public void put(Cache cache, K key, V value, long lifespan, TimeUnit lifespanUnit) { + log.tracev("Adding cache operation: {0} on {1}", CacheOperation.ADD_WITH_LIFESPAN, key); + + Object taskKey = getTaskKey(cache, key); + if (tasks.containsKey(taskKey)) { + throw new IllegalStateException("Can't add session: task in progress for session"); + } else { + tasks.put(taskKey, new CacheTaskWithValue(value) { + @Override + public void execute() { + decorateCache(cache).put(key, value, lifespan, lifespanUnit); + } + }); } } @@ -91,7 +115,15 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { if (tasks.containsKey(taskKey)) { throw new IllegalStateException("Can't add session: task in progress for session"); } else { - tasks.put(taskKey, new CacheTask<>(cache, CacheOperation.ADD_IF_ABSENT, key, value)); + tasks.put(taskKey, new CacheTaskWithValue(value) { + @Override + public void execute() { + V existing = cache.putIfAbsent(key, value); + if (existing != null) { + throw new IllegalStateException("There is already existing value in cache for key " + key); + } + } + }); } } @@ -101,40 +133,47 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { Object taskKey = getTaskKey(cache, key); CacheTask current = tasks.get(taskKey); if (current != null) { - switch (current.operation) { - case ADD: - case ADD_IF_ABSENT: - case REPLACE: - current.value = value; - return; - case REMOVE: - return; + if (current instanceof CacheTaskWithValue) { + ((CacheTaskWithValue) current).setValue(value); } } else { - tasks.put(taskKey, new CacheTask<>(cache, CacheOperation.REPLACE, key, value)); + tasks.put(taskKey, new CacheTaskWithValue(value) { + @Override + public void execute() { + decorateCache(cache).replace(key, value); + } + }); } } + public void notify(ClusterProvider clusterProvider, String taskKey, ClusterEvent event, boolean ignoreSender) { + log.tracev("Adding cache operation SEND_EVENT: {0}", event); + + String theTaskKey = taskKey; + int i = 1; + while (tasks.containsKey(theTaskKey)) { + theTaskKey = taskKey + "-" + (i++); + } + + tasks.put(taskKey, () -> clusterProvider.notify(taskKey, event, ignoreSender)); + } + public void remove(Cache cache, K key) { log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REMOVE, key); Object taskKey = getTaskKey(cache, key); - tasks.put(taskKey, new CacheTask<>(cache, CacheOperation.REMOVE, key, null)); + tasks.put(taskKey, () -> decorateCache(cache).remove(key)); } // This is for possibility to lookup for session by id, which was created in this transaction public V get(Cache cache, K key) { Object taskKey = getTaskKey(cache, key); - CacheTask current = tasks.get(taskKey); + CacheTask current = tasks.get(taskKey); if (current != null) { - switch (current.operation) { - case ADD: - case ADD_IF_ABSENT: - case REPLACE: - return current.value; - case REMOVE: - return null; + if (current instanceof CacheTaskWithValue) { + return ((CacheTaskWithValue) current).getValue(); } + return null; } // Should we have per-transaction cache for lookups? @@ -151,46 +190,29 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction { } } - public static class CacheTask { - private final Cache cache; - private final CacheOperation operation; - private final K key; - private V value; + public interface CacheTask { + void execute(); + } - public CacheTask(Cache cache, CacheOperation operation, K key, V value) { - this.cache = cache; - this.operation = operation; - this.key = key; + public abstract class CacheTaskWithValue implements CacheTask { + protected V value; + + public CacheTaskWithValue(V value) { this.value = value; } - public void execute() { - log.tracev("Executing cache operation: {0} on {1}", operation, key); - - switch (operation) { - case ADD: - decorateCache().put(key, value); - break; - case REMOVE: - decorateCache().remove(key); - break; - case REPLACE: - decorateCache().replace(key, value); - break; - case ADD_IF_ABSENT: - V existing = cache.putIfAbsent(key, value); - if (existing != null) { - throw new IllegalStateException("IllegalState. There is already existing value in cache for key " + key); - } - break; - } + public V getValue() { + return value; } - - // Ignore return values. Should have better performance within cluster / cross-dc env - private Cache decorateCache() { - return cache.getAdvancedCache() - .withFlags(Flag.IGNORE_RETURN_VALUES, Flag.SKIP_REMOTE_LOOKUP); + public void setValue(V value) { + this.value = value; } } + + // Ignore return values. Should have better performance within cluster / cross-dc env + private static Cache decorateCache(Cache cache) { + return cache.getAdvancedCache() + .withFlags(Flag.IGNORE_RETURN_VALUES, Flag.SKIP_REMOTE_LOOKUP); + } } \ No newline at end of file diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenReducedKey.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenReducedKey.java new file mode 100644 index 0000000000..173c43497d --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenReducedKey.java @@ -0,0 +1,104 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.sessions.infinispan.entities; + +import java.io.*; +import java.util.Objects; +import java.util.UUID; +import org.infinispan.commons.marshall.Externalizer; +import org.infinispan.commons.marshall.SerializeWith; + +/** + * + * @author hmlnarik + */ +@SerializeWith(value = ActionTokenReducedKey.ExternalizerImpl.class) +public class ActionTokenReducedKey implements Serializable { + + private final String userId; + private final String actionId; + + /** + * Nonce that must match. + */ + private final UUID actionVerificationNonce; + + public ActionTokenReducedKey(String userId, String actionId, UUID actionVerificationNonce) { + this.userId = userId; + this.actionId = actionId; + this.actionVerificationNonce = actionVerificationNonce; + } + + public String getUserId() { + return userId; + } + + public String getActionId() { + return actionId; + } + + public UUID getActionVerificationNonce() { + return actionVerificationNonce; + } + + @Override + public int hashCode() { + int hash = 7; + hash = 71 * hash + Objects.hashCode(this.userId); + hash = 71 * hash + Objects.hashCode(this.actionId); + hash = 71 * hash + Objects.hashCode(this.actionVerificationNonce); + return hash; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) { + return true; + } + if (obj == null) { + return false; + } + if (getClass() != obj.getClass()) { + return false; + } + final ActionTokenReducedKey other = (ActionTokenReducedKey) obj; + return Objects.equals(this.userId, other.getUserId()) + && Objects.equals(this.actionId, other.getActionId()) + && Objects.equals(this.actionVerificationNonce, other.getActionVerificationNonce()); + } + + public static class ExternalizerImpl implements Externalizer { + + @Override + public void writeObject(ObjectOutput output, ActionTokenReducedKey t) throws IOException { + output.writeUTF(t.userId); + output.writeUTF(t.actionId); + output.writeLong(t.actionVerificationNonce.getMostSignificantBits()); + output.writeLong(t.actionVerificationNonce.getLeastSignificantBits()); + } + + @Override + public ActionTokenReducedKey readObject(ObjectInput input) throws IOException, ClassNotFoundException { + return new ActionTokenReducedKey( + input.readUTF(), + input.readUTF(), + new UUID(input.readLong(), input.readLong()) + ); + } + } + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenValueEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenValueEntity.java new file mode 100644 index 0000000000..7c0f663da6 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenValueEntity.java @@ -0,0 +1,76 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.sessions.infinispan.entities; + +import org.keycloak.models.ActionTokenValueModel; + +import java.io.*; +import java.util.*; +import org.infinispan.commons.marshall.Externalizer; +import org.infinispan.commons.marshall.SerializeWith; + +/** + * @author hmlnarik + */ +@SerializeWith(ActionTokenValueEntity.ExternalizerImpl.class) +public class ActionTokenValueEntity implements ActionTokenValueModel { + + private final Map notes; + + public ActionTokenValueEntity(Map notes) { + this.notes = notes == null ? Collections.EMPTY_MAP : new HashMap<>(notes); + } + + @Override + public Map getNotes() { + return Collections.unmodifiableMap(notes); + } + + @Override + public String getNote(String name) { + return notes.get(name); + } + + public static class ExternalizerImpl implements Externalizer { + + private static final int VERSION_1 = 1; + + @Override + public void writeObject(ObjectOutput output, ActionTokenValueEntity t) throws IOException { + output.writeByte(VERSION_1); + + output.writeBoolean(! t.notes.isEmpty()); + if (! t.notes.isEmpty()) { + output.writeObject(t.notes); + } + } + + @Override + public ActionTokenValueEntity readObject(ObjectInput input) throws IOException, ClassNotFoundException { + byte version = input.readByte(); + + if (version != VERSION_1) { + throw new IOException("Invalid version: " + version); + } + boolean notesEmpty = input.readBoolean(); + + Map notes = notesEmpty ? Collections.EMPTY_MAP : (Map) input.readObject(); + + return new ActionTokenValueEntity(notes); + } + } +} diff --git a/model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.ActionTokenStoreProviderFactory b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.ActionTokenStoreProviderFactory new file mode 100644 index 0000000000..4100eccf23 --- /dev/null +++ b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.ActionTokenStoreProviderFactory @@ -0,0 +1 @@ +org.keycloak.models.sessions.infinispan.InfinispanActionTokenStoreProviderFactory diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java index 58aa4246c6..b3b4db2a02 100755 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java @@ -512,6 +512,26 @@ public class RealmAdapter implements RealmModel, JpaModel { em.flush(); } + @Override + public int getActionTokenGeneratedByAdminLifespan() { + return getAttribute(RealmAttributes.ACTION_TOKEN_GENERATED_BY_ADMIN_LIFESPAN, 12 * 60 * 60); + } + + @Override + public void setActionTokenGeneratedByAdminLifespan(int actionTokenGeneratedByAdminLifespan) { + setAttribute(RealmAttributes.ACTION_TOKEN_GENERATED_BY_ADMIN_LIFESPAN, actionTokenGeneratedByAdminLifespan); + } + + @Override + public int getActionTokenGeneratedByUserLifespan() { + return getAttribute(RealmAttributes.ACTION_TOKEN_GENERATED_BY_USER_LIFESPAN, getAccessCodeLifespanUserAction()); + } + + @Override + public void setActionTokenGeneratedByUserLifespan(int actionTokenGeneratedByUserLifespan) { + setAttribute(RealmAttributes.ACTION_TOKEN_GENERATED_BY_USER_LIFESPAN, actionTokenGeneratedByUserLifespan); + } + protected RequiredCredentialModel initRequiredCredentialModel(String type) { RequiredCredentialModel model = RequiredCredentialModel.BUILT_IN.get(type); if (model == null) { diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmAttributes.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmAttributes.java index 499a008647..6ee1074c6c 100644 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmAttributes.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmAttributes.java @@ -26,4 +26,8 @@ public interface RealmAttributes { String DISPLAY_NAME_HTML = "displayNameHtml"; + String ACTION_TOKEN_GENERATED_BY_ADMIN_LIFESPAN = "actionTokenGeneratedByAdminLifespan"; + + String ACTION_TOKEN_GENERATED_BY_USER_LIFESPAN = "actionTokenGeneratedByUserLifespan"; + } diff --git a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionFactory.java b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionFactory.java index 76dc582e0e..517b5f4a4c 100755 --- a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionFactory.java +++ b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionFactory.java @@ -35,4 +35,13 @@ public interface RequiredActionFactory extends ProviderFactory notes); + + /** + * Returns token corresponding to the given key from the internal action token store + * @param key key + * @return {@code null} if no token is found for given key and nonce, value otherwise + */ + ActionTokenValueModel get(ActionTokenKeyModel key); + + /** + * Removes token corresponding to the given key from the internal action token store, and returns the stored value + * @param key key + * @param nonce nonce that must match a given key + * @return {@code null} if no token is found for given key and nonce, value otherwise + */ + ActionTokenValueModel remove(ActionTokenKeyModel key); + + void removeAll(String userId, String actionId); + + +} diff --git a/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreProviderFactory.java new file mode 100644 index 0000000000..26d086d3a4 --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreProviderFactory.java @@ -0,0 +1,27 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models; + +import org.keycloak.provider.ProviderFactory; + +/** + * + * @author hmlnarik + */ +public interface ActionTokenStoreProviderFactory extends ProviderFactory { + +} diff --git a/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreSpi.java b/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreSpi.java new file mode 100644 index 0000000000..66ee518006 --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/models/ActionTokenStoreSpi.java @@ -0,0 +1,50 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models; + +import org.keycloak.provider.*; + +/** + * SPI for action tokens. + * + * @author hmlnarik + */ +public class ActionTokenStoreSpi implements Spi { + + public static final String NAME = "actionToken"; + + @Override + public boolean isInternal() { + return true; + } + + @Override + public String getName() { + return NAME; + } + + @Override + public Class getProviderClass() { + return ActionTokenStoreProvider.class; + } + + @Override + public Class getProviderFactoryClass() { + return ActionTokenStoreProviderFactory.class; + } + +} diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java index fb2c727433..43e8ef825d 100755 --- a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java +++ b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java @@ -303,6 +303,8 @@ public class ModelToRepresentation { rep.setAccessCodeLifespan(realm.getAccessCodeLifespan()); rep.setAccessCodeLifespanUserAction(realm.getAccessCodeLifespanUserAction()); rep.setAccessCodeLifespanLogin(realm.getAccessCodeLifespanLogin()); + rep.setActionTokenGeneratedByAdminLifespan(realm.getActionTokenGeneratedByAdminLifespan()); + rep.setActionTokenGeneratedByUserLifespan(realm.getActionTokenGeneratedByUserLifespan()); rep.setSmtpServer(new HashMap<>(realm.getSmtpConfig())); rep.setBrowserSecurityHeaders(realm.getBrowserSecurityHeaders()); rep.setAccountTheme(realm.getAccountTheme()); diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java index b427477846..1c90b0f00c 100755 --- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java +++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java @@ -189,6 +189,14 @@ public class RepresentationToModel { newRealm.setAccessCodeLifespanLogin(rep.getAccessCodeLifespanLogin()); else newRealm.setAccessCodeLifespanLogin(1800); + if (rep.getActionTokenGeneratedByAdminLifespan() != null) + newRealm.setActionTokenGeneratedByAdminLifespan(rep.getActionTokenGeneratedByAdminLifespan()); + else newRealm.setActionTokenGeneratedByAdminLifespan(12 * 60 * 60); + + if (rep.getActionTokenGeneratedByUserLifespan() != null) + newRealm.setActionTokenGeneratedByUserLifespan(rep.getActionTokenGeneratedByUserLifespan()); + else newRealm.setActionTokenGeneratedByUserLifespan(newRealm.getAccessCodeLifespanUserAction()); + if (rep.getSslRequired() != null) newRealm.setSslRequired(SslRequired.valueOf(rep.getSslRequired().toUpperCase())); if (rep.isRegistrationAllowed() != null) newRealm.setRegistrationAllowed(rep.isRegistrationAllowed()); @@ -812,6 +820,10 @@ public class RepresentationToModel { realm.setAccessCodeLifespanUserAction(rep.getAccessCodeLifespanUserAction()); if (rep.getAccessCodeLifespanLogin() != null) realm.setAccessCodeLifespanLogin(rep.getAccessCodeLifespanLogin()); + if (rep.getActionTokenGeneratedByAdminLifespan() != null) + realm.setActionTokenGeneratedByAdminLifespan(rep.getActionTokenGeneratedByAdminLifespan()); + if (rep.getActionTokenGeneratedByUserLifespan() != null) + realm.setActionTokenGeneratedByUserLifespan(rep.getActionTokenGeneratedByUserLifespan()); if (rep.getNotBefore() != null) realm.setNotBefore(rep.getNotBefore()); if (rep.getRevokeRefreshToken() != null) realm.setRevokeRefreshToken(rep.getRevokeRefreshToken()); if (rep.getAccessTokenLifespan() != null) realm.setAccessTokenLifespan(rep.getAccessTokenLifespan()); diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java index c8758cafdd..b182458b5e 100644 --- a/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java +++ b/server-spi-private/src/main/java/org/keycloak/sessions/AuthenticationSessionProviderFactory.java @@ -23,6 +23,4 @@ import org.keycloak.provider.ProviderFactory; * @author Marek Posolda */ public interface AuthenticationSessionProviderFactory extends ProviderFactory { - // TODO:hmlnarik: move this constant out of an interface into a more appropriate class - public static final String AUTHENTICATION_SESSION_EVENTS = "AUTHENTICATION_SESSION_EVENTS"; } diff --git a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi index b046e7d5ff..c692d32649 100755 --- a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi +++ b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi @@ -19,6 +19,7 @@ org.keycloak.provider.ExceptionConverterSpi org.keycloak.storage.UserStorageProviderSpi org.keycloak.storage.federated.UserFederatedStorageProviderSpi org.keycloak.models.RealmSpi +org.keycloak.models.ActionTokenStoreSpi org.keycloak.models.UserSessionSpi org.keycloak.models.UserSpi org.keycloak.models.session.UserSessionPersisterSpi diff --git a/server-spi/src/main/java/org/keycloak/models/ActionTokenKeyModel.java b/server-spi/src/main/java/org/keycloak/models/ActionTokenKeyModel.java new file mode 100644 index 0000000000..cf9d7d02e1 --- /dev/null +++ b/server-spi/src/main/java/org/keycloak/models/ActionTokenKeyModel.java @@ -0,0 +1,46 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models; + +import java.util.UUID; + +/** + * + * @author hmlnarik + */ +public interface ActionTokenKeyModel { + + /** + * @return ID of user which this token is for. + */ + String getUserId(); + + /** + * @return Action identifier this token is for. + */ + String getActionId(); + + /** + * Returns absolute number of seconds since the epoch in UTC timezone when the token expires. + */ + int getExpiration(); + + /** + * @return Single-use random value used for verification whether the relevant action is allowed. + */ + UUID getActionVerificationNonce(); +} diff --git a/server-spi/src/main/java/org/keycloak/models/ActionTokenValueModel.java b/server-spi/src/main/java/org/keycloak/models/ActionTokenValueModel.java new file mode 100644 index 0000000000..ba01cb6cbb --- /dev/null +++ b/server-spi/src/main/java/org/keycloak/models/ActionTokenValueModel.java @@ -0,0 +1,39 @@ +/* + * Copyright 2017 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models; + +import java.util.Map; +import java.util.UUID; + +/** + * This model represents contents of an action token shareable among Keycloak instances in the cluster. + * @author hmlnarik + */ +public interface ActionTokenValueModel { + + /** + * Returns unmodifiable map of all notes. + * @return see description. Returns empty map if no note is set, never returns {@code null}. + */ + Map getNotes(); + + /** + * Returns value of the given note (or {@code null} when no note of this name is present) + * @return see description + */ + String getNote(String name); +} diff --git a/server-spi/src/main/java/org/keycloak/models/RealmModel.java b/server-spi/src/main/java/org/keycloak/models/RealmModel.java index dc8bff5333..f6484d6f5b 100755 --- a/server-spi/src/main/java/org/keycloak/models/RealmModel.java +++ b/server-spi/src/main/java/org/keycloak/models/RealmModel.java @@ -191,6 +191,12 @@ public interface RealmModel extends RoleContainerModel { void setAccessCodeLifespanLogin(int seconds); + int getActionTokenGeneratedByAdminLifespan(); + void setActionTokenGeneratedByAdminLifespan(int seconds); + + int getActionTokenGeneratedByUserLifespan(); + void setActionTokenGeneratedByUserLifespan(int seconds); + List getRequiredCredentials(); void addRequiredCredential(String cred); diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/AbstractActionTokenHander.java b/services/src/main/java/org/keycloak/authentication/actiontoken/AbstractActionTokenHander.java index e8a9b0265e..52d94d95f7 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/AbstractActionTokenHander.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/AbstractActionTokenHander.java @@ -17,13 +17,11 @@ package org.keycloak.authentication.actiontoken; import org.keycloak.Config.Scope; -import org.keycloak.authentication.actiontoken.ActionTokenHandler; -import org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory; import org.keycloak.events.EventType; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; -import org.keycloak.representations.JsonWebToken; -import org.keycloak.services.messages.Messages; +import org.keycloak.services.managers.AuthenticationManager; +import org.keycloak.sessions.AuthenticationSessionModel; /** * @@ -92,4 +90,15 @@ public abstract class AbstractActionTokenHander im return token == null ? null : token.getAuthenticationSessionId(); } + @Override + public AuthenticationSessionModel startFreshAuthenticationSession(T token, ActionTokenContext tokenContext) { + AuthenticationSessionModel authSession = tokenContext.createAuthenticationSessionForClient(token.getIssuedFor()); + authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); + return authSession; + } + + @Override + public boolean canUseTokenRepeatedly(T token, ActionTokenContext tokenContext) { + return true; + } } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java index 4368a747ff..f8d02d3468 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenHandler.java @@ -17,20 +17,18 @@ package org.keycloak.authentication.actiontoken; import org.keycloak.TokenVerifier.Predicate; -import org.keycloak.authentication.AuthenticationProcessor; -import org.keycloak.common.VerificationException; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; -import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.provider.Provider; import org.keycloak.representations.JsonWebToken; -import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.sessions.AuthenticationSessionModel; import javax.ws.rs.core.Response; /** * Handler of the action token. * + * @param Class implementing the action token + * * @author hmlnarik */ public interface ActionTokenHandler extends Provider { @@ -42,7 +40,6 @@ public interface ActionTokenHandler extends Provider { * @param token * @param tokenContext * @return - * @throws VerificationException */ Response handleToken(T token, ActionTokenContext tokenContext); @@ -96,10 +93,12 @@ public interface ActionTokenHandler extends Provider { * @param tokenContext * @return */ - default AuthenticationSessionModel startFreshAuthenticationSession(T token, ActionTokenContext tokenContext) { - AuthenticationSessionModel authSession = tokenContext.createAuthenticationSessionForClient(token.getIssuedFor()); - authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); - return authSession; - } + AuthenticationSessionModel startFreshAuthenticationSession(T token, ActionTokenContext tokenContext); + /** + * Returns {@code true} when the token can be used repeatedly to invoke the action, {@code false} when the token + * is intended to be for single use only. + * @return see above + */ + boolean canUseTokenRepeatedly(T token, ActionTokenContext tokenContext); } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java index 0f21a44df3..ba4488039a 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java @@ -22,9 +22,7 @@ import org.keycloak.common.VerificationException; import org.keycloak.common.util.Time; import org.keycloak.jose.jws.JWSBuilder; -import org.keycloak.models.KeyManager; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.RealmModel; +import org.keycloak.models.*; import org.keycloak.services.Urls; import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonProperty; @@ -37,12 +35,11 @@ import javax.ws.rs.core.UriInfo; * * @author hmlnarik */ -public class DefaultActionToken extends DefaultActionTokenKey { +public class DefaultActionToken extends DefaultActionTokenKey implements ActionTokenValueModel { - public static final String JSON_FIELD_ACTION_VERIFICATION_NONCE = "nonce"; public static final String JSON_FIELD_AUTHENTICATION_SESSION_ID = "asid"; - public static Predicate ACTION_TOKEN_BASIC_CHECKS = t -> { + public static final Predicate ACTION_TOKEN_BASIC_CHECKS = t -> { if (t.getActionVerificationNonce() == null) { throw new VerificationException("Nonce not present."); } @@ -53,15 +50,8 @@ public class DefaultActionToken extends DefaultActionTokenKey { /** * Single-use random value used for verification whether the relevant action is allowed. */ - @JsonProperty(value = JSON_FIELD_ACTION_VERIFICATION_NONCE, required = true) - private UUID actionVerificationNonce; - public DefaultActionToken() { - super(null, null); - } - - public DefaultActionToken(String userId, String actionId, int expirationInSecs) { - this(userId, actionId, expirationInSecs, UUID.randomUUID()); + super(null, null, 0, null); } /** @@ -72,11 +62,20 @@ public class DefaultActionToken extends DefaultActionTokenKey { * @param actionVerificationNonce */ protected DefaultActionToken(String userId, String actionId, int absoluteExpirationInSecs, UUID actionVerificationNonce) { - super(userId, actionId); - this.actionVerificationNonce = actionVerificationNonce == null ? UUID.randomUUID() : actionVerificationNonce; - expiration = absoluteExpirationInSecs; + super(userId, actionId, absoluteExpirationInSecs, actionVerificationNonce); } + /** + * + * @param userId User ID + * @param actionId Action ID + * @param absoluteExpirationInSecs Absolute expiration time in seconds in timezone of Keycloak. + * @param actionVerificationNonce + */ + protected DefaultActionToken(String userId, String actionId, int absoluteExpirationInSecs, UUID actionVerificationNonce, String authenticationSessionId) { + super(userId, actionId, absoluteExpirationInSecs, actionVerificationNonce); + setAuthenticationSessionId(authenticationSessionId); + } @JsonProperty(value = JSON_FIELD_AUTHENTICATION_SESSION_ID) public String getAuthenticationSessionId() { @@ -88,11 +87,8 @@ public class DefaultActionToken extends DefaultActionTokenKey { setOtherClaims(JSON_FIELD_AUTHENTICATION_SESSION_ID, authenticationSessionId); } - public UUID getActionVerificationNonce() { - return actionVerificationNonce; - } - @JsonIgnore + @Override public Map getNotes() { Map res = new HashMap<>(); if (getAuthenticationSessionId() != null) { @@ -101,6 +97,7 @@ public class DefaultActionToken extends DefaultActionTokenKey { return res; } + @Override public String getNote(String name) { Object res = getOtherClaims().get(name); return res instanceof String ? (String) res : null; diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java index a5440a9b87..b41681f303 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionTokenKey.java @@ -16,31 +16,64 @@ */ package org.keycloak.authentication.actiontoken; +import org.keycloak.models.ActionTokenKeyModel; import org.keycloak.representations.JsonWebToken; import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.UUID; /** * * @author hmlnarik */ -public class DefaultActionTokenKey extends JsonWebToken { +public class DefaultActionTokenKey extends JsonWebToken implements ActionTokenKeyModel { /** The authenticationSession note with ID of the user authenticated via the action token */ public static final String ACTION_TOKEN_USER_ID = "ACTION_TOKEN_USER"; - public DefaultActionTokenKey(String userId, String actionId) { - subject = userId; - type = actionId; + public static final String JSON_FIELD_ACTION_VERIFICATION_NONCE = "nonce"; + + @JsonProperty(value = JSON_FIELD_ACTION_VERIFICATION_NONCE, required = true) + private UUID actionVerificationNonce; + + public DefaultActionTokenKey(String userId, String actionId, int absoluteExpirationInSecs, UUID actionVerificationNonce) { + this.subject = userId; + this.type = actionId; + this.expiration = absoluteExpirationInSecs; + this.actionVerificationNonce = actionVerificationNonce == null ? UUID.randomUUID() : actionVerificationNonce; } @JsonIgnore + @Override public String getUserId() { return getSubject(); } @JsonIgnore + @Override public String getActionId() { return getType(); } + @Override + public UUID getActionVerificationNonce() { + return actionVerificationNonce; + } + + public String serializeKey() { + return String.format("%s.%d.%s.%s", getUserId(), getExpiration(), getActionVerificationNonce(), getActionId()); + } + + public static DefaultActionTokenKey from(String serializedKey) { + if (serializedKey == null) { + return null; + } + String[] parsed = serializedKey.split("\\.", 4); + if (parsed.length != 4) { + return null; + } + + return new DefaultActionTokenKey(parsed[0], parsed[3], Integer.parseInt(parsed[1]), UUID.fromString(parsed[2])); + } + } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionToken.java index 4be6f861a0..7c32e2dce5 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionToken.java @@ -16,13 +16,10 @@ */ package org.keycloak.authentication.actiontoken.execactions; -import org.keycloak.TokenVerifier; import org.keycloak.authentication.actiontoken.DefaultActionToken; -import org.keycloak.common.VerificationException; import com.fasterxml.jackson.annotation.JsonProperty; import java.util.LinkedList; import java.util.List; -import java.util.UUID; /** * @@ -34,15 +31,14 @@ public class ExecuteActionsActionToken extends DefaultActionToken { private static final String JSON_FIELD_REQUIRED_ACTIONS = "rqac"; private static final String JSON_FIELD_REDIRECT_URI = "reduri"; - public ExecuteActionsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, List requiredActions, String redirectUri, String clientId) { - super(userId, TOKEN_TYPE, absoluteExpirationInSecs, actionVerificationNonce); + public ExecuteActionsActionToken(String userId, int absoluteExpirationInSecs, List requiredActions, String redirectUri, String clientId) { + super(userId, TOKEN_TYPE, absoluteExpirationInSecs, null); setRequiredActions(requiredActions == null ? new LinkedList<>() : new LinkedList<>(requiredActions)); setRedirectUri(redirectUri); this.issuedFor = clientId; } private ExecuteActionsActionToken() { - super(null, TOKEN_TYPE, -1, null); } @JsonProperty(value = JSON_FIELD_REQUIRED_ACTIONS) @@ -72,14 +68,4 @@ public class ExecuteActionsActionToken extends DefaultActionToken { setOtherClaims(JSON_FIELD_REDIRECT_URI, redirectUri); } } - - /** - * Returns a {@code ExecuteActionsActionToken} instance decoded from the given string. If decoding fails, returns {@code null} - * - * @param actionTokenString - * @return - */ - public static ExecuteActionsActionToken deserialize(String actionTokenString) throws VerificationException { - return TokenVerifier.create(actionTokenString, ExecuteActionsActionToken.class).getToken(); - } } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java index 010c5174a9..9993ab76e8 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java @@ -17,15 +17,18 @@ package org.keycloak.authentication.actiontoken.execactions; import org.keycloak.TokenVerifier.Predicate; +import org.keycloak.authentication.RequiredActionFactory; +import org.keycloak.authentication.RequiredActionProvider; import org.keycloak.authentication.actiontoken.*; import org.keycloak.events.Errors; import org.keycloak.events.EventType; -import org.keycloak.models.UserModel; +import org.keycloak.models.*; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.utils.RedirectUtils; import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.messages.Messages; import org.keycloak.sessions.AuthenticationSessionModel; +import java.util.Objects; import javax.ws.rs.core.Response; /** @@ -48,7 +51,7 @@ public class ExecuteActionsActionTokenHandler extends AbstractActionTokenHander< public Predicate[] getVerifiers(ActionTokenContext tokenContext) { return TokenUtils.predicates( TokenUtils.checkThat( - // either redirect URI is not specified or must be valid for the cllient + // either redirect URI is not specified or must be valid for the client t -> t.getRedirectUri() == null || RedirectUtils.verifyRedirectUri(tokenContext.getUriInfo(), t.getRedirectUri(), tokenContext.getRealm(), tokenContext.getAuthenticationSession().getClient()) != null, @@ -81,4 +84,24 @@ public class ExecuteActionsActionTokenHandler extends AbstractActionTokenHander< String nextAction = AuthenticationManager.nextRequiredAction(tokenContext.getSession(), authSession, tokenContext.getClientConnection(), tokenContext.getRequest(), tokenContext.getUriInfo(), tokenContext.getEvent()); return AuthenticationManager.redirectToRequiredActions(tokenContext.getSession(), tokenContext.getRealm(), authSession, tokenContext.getUriInfo(), nextAction); } + + @Override + public boolean canUseTokenRepeatedly(ExecuteActionsActionToken token, ActionTokenContext tokenContext) { + RealmModel realm = tokenContext.getRealm(); + KeycloakSessionFactory sessionFactory = tokenContext.getSession().getKeycloakSessionFactory(); + + return token.getRequiredActions().stream() + .map(actionName -> realm.getRequiredActionProviderByAlias(actionName)) // get realm-specific model from action name and filter out irrelevant + .filter(Objects::nonNull) + .filter(RequiredActionProviderModel::isEnabled) + + .map(RequiredActionProviderModel::getProviderId) // get provider ID from model + + .map(providerId -> (RequiredActionFactory) sessionFactory.getProviderFactory(RequiredActionProvider.class, providerId)) + .filter(Objects::nonNull) + + .noneMatch(RequiredActionFactory::isOneTimeAction); + } + + } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionToken.java index ea705edd66..7776634193 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionToken.java @@ -16,9 +16,7 @@ */ package org.keycloak.authentication.actiontoken.idpverifyemail; -import org.keycloak.authentication.actiontoken.verifyemail.*; import com.fasterxml.jackson.annotation.JsonProperty; -import java.util.UUID; import org.keycloak.authentication.actiontoken.DefaultActionToken; /** @@ -39,16 +37,14 @@ public class IdpVerifyAccountLinkActionToken extends DefaultActionToken { @JsonProperty(value = JSON_FIELD_IDENTITY_PROVIDER_ALIAS) private String identityProviderAlias; - public IdpVerifyAccountLinkActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, String authenticationSessionId, + public IdpVerifyAccountLinkActionToken(String userId, int absoluteExpirationInSecs, String authenticationSessionId, String identityProviderUsername, String identityProviderAlias) { - super(userId, TOKEN_TYPE, absoluteExpirationInSecs, actionVerificationNonce); - setAuthenticationSessionId(authenticationSessionId); + super(userId, TOKEN_TYPE, absoluteExpirationInSecs, null, authenticationSessionId); this.identityProviderUsername = identityProviderUsername; this.identityProviderAlias = identityProviderAlias; } private IdpVerifyAccountLinkActionToken() { - super(null, TOKEN_TYPE, -1, null); } public String getIdentityProviderUsername() { diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.java index 67fb452658..6cd04589f2 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.java @@ -16,8 +16,6 @@ */ package org.keycloak.authentication.actiontoken.resetcred; -import com.fasterxml.jackson.annotation.JsonProperty; -import java.util.UUID; import org.keycloak.authentication.actiontoken.DefaultActionToken; /** @@ -28,26 +26,11 @@ import org.keycloak.authentication.actiontoken.DefaultActionToken; public class ResetCredentialsActionToken extends DefaultActionToken { public static final String TOKEN_TYPE = "reset-credentials"; - private static final String JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP = "lcpt"; - @JsonProperty(value = JSON_FIELD_LAST_CHANGE_PASSWORD_TIMESTAMP) - private Long lastChangedPasswordTimestamp; - - public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, String authenticationSessionId, Long lastChangedPasswordTimestamp) { - super(userId, TOKEN_TYPE, absoluteExpirationInSecs, actionVerificationNonce); - setAuthenticationSessionId(authenticationSessionId); - this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; + public ResetCredentialsActionToken(String userId, int absoluteExpirationInSecs, String authenticationSessionId) { + super(userId, TOKEN_TYPE, absoluteExpirationInSecs, null, authenticationSessionId); } private ResetCredentialsActionToken() { - super(null, TOKEN_TYPE, -1, null); - } - - public Long getLastChangedPasswordTimestamp() { - return lastChangedPasswordTimestamp; - } - - public final void setLastChangedPasswordTimestamp(Long lastChangedPasswordTimestamp) { - this.lastChangedPasswordTimestamp = lastChangedPasswordTimestamp; } } diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java index 34174311e7..0f08bd39a4 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java @@ -25,7 +25,6 @@ import org.keycloak.events.Errors; import org.keycloak.events.EventType; import org.keycloak.models.UserModel; import org.keycloak.services.ErrorPage; -import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.LoginActionsService; import org.keycloak.services.resources.LoginActionsServiceChecks.IsActionRequired; @@ -55,9 +54,7 @@ public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHande return new Predicate[] { TokenUtils.checkThat(tokenContext.getRealm()::isResetPasswordAllowed, Errors.NOT_ALLOWED, Messages.RESET_CREDENTIAL_NOT_ALLOWED), - new IsActionRequired(tokenContext, Action.AUTHENTICATE), - -// singleUseCheck, // TODO:hmlnarik - fix with single-use cache + new IsActionRequired(tokenContext, Action.AUTHENTICATE) }; } @@ -74,6 +71,11 @@ public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHande ); } + @Override + public boolean canUseTokenRepeatedly(ResetCredentialsActionToken token, ActionTokenContext tokenContext) { + return false; + } + public static class ResetCredsAuthenticationProcessor extends AuthenticationProcessor { @Override diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionToken.java b/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionToken.java index 72e460c6b2..656c518718 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionToken.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionToken.java @@ -17,7 +17,6 @@ package org.keycloak.authentication.actiontoken.verifyemail; import com.fasterxml.jackson.annotation.JsonProperty; -import java.util.UUID; import org.keycloak.authentication.actiontoken.DefaultActionToken; /** @@ -34,15 +33,12 @@ public class VerifyEmailActionToken extends DefaultActionToken { @JsonProperty(value = JSON_FIELD_EMAIL) private String email; - public VerifyEmailActionToken(String userId, int absoluteExpirationInSecs, UUID actionVerificationNonce, String authenticationSessionId, - String email) { - super(userId, TOKEN_TYPE, absoluteExpirationInSecs, actionVerificationNonce); - setAuthenticationSessionId(authenticationSessionId); + public VerifyEmailActionToken(String userId, int absoluteExpirationInSecs, String authenticationSessionId, String email) { + super(userId, TOKEN_TYPE, absoluteExpirationInSecs, null, authenticationSessionId); this.email = email; } private VerifyEmailActionToken() { - super(null, TOKEN_TYPE, -1, null); } public String getEmail() { diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java index d8b9b30689..11d9b913c4 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java @@ -108,7 +108,7 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator UriInfo uriInfo = session.getContext().getUri(); AuthenticationSessionModel authSession = context.getAuthenticationSession(); - int validityInSecs = realm.getAccessCodeLifespanUserAction(); + int validityInSecs = realm.getActionTokenGeneratedByAdminLifespan(); int absoluteExpirationInSecs = Time.currentTime() + validityInSecs; EventBuilder event = context.getEvent().clone().event(EventType.SEND_IDENTITY_PROVIDER_LINK) @@ -120,7 +120,7 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator .removeDetail(Details.AUTH_TYPE); IdpVerifyAccountLinkActionToken token = new IdpVerifyAccountLinkActionToken( - existingUser.getId(), absoluteExpirationInSecs, null, authSession.getId(), + existingUser.getId(), absoluteExpirationInSecs, authSession.getId(), brokerContext.getUsername(), brokerContext.getIdpConfig().getAlias() ); UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(), token.serialize(session, realm, uriInfo)); diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java index 4d9b42ecb3..4ac9bffdaa 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialEmail.java @@ -85,15 +85,11 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory return; } - int validityInSecs = context.getRealm().getAccessCodeLifespanUserAction(); + int validityInSecs = context.getRealm().getActionTokenGeneratedByUserLifespan(); int absoluteExpirationInSecs = Time.currentTime() + validityInSecs; - KeycloakSession keycloakSession = context.getSession(); - Long lastCreatedPassword = getLastChangedTimestamp(keycloakSession, context.getRealm(), user); - // We send the secret in the email in a link as a query param. - ResetCredentialsActionToken token = new ResetCredentialsActionToken(user.getId(), absoluteExpirationInSecs, - null, authenticationSession.getId(), lastCreatedPassword); + ResetCredentialsActionToken token = new ResetCredentialsActionToken(user.getId(), absoluteExpirationInSecs, authenticationSession.getId()); String link = UriBuilder .fromUri(context.getActionTokenUrl(token.serialize(context.getSession(), context.getRealm(), context.getUriInfo()))) .build() @@ -101,6 +97,7 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory long expirationInMinutes = TimeUnit.SECONDS.toMinutes(validityInSecs); try { context.getSession().getProvider(EmailTemplateProvider.class).setRealm(context.getRealm()).setUser(user).sendPasswordReset(link, expirationInMinutes); + event.clone().event(EventType.SEND_RESET_PASSWORD) .user(user) .detail(Details.USERNAME, username) diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java index 5a0e5bf1b5..6c7f7451af 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java @@ -157,4 +157,9 @@ public class UpdatePassword implements RequiredActionProvider, RequiredActionFac public String getId() { return UserModel.RequiredAction.UPDATE_PASSWORD.name(); } + + @Override + public boolean isOneTimeAction() { + return true; + } } diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateTotp.java b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateTotp.java index 829c705f6d..de7a078ccd 100644 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateTotp.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateTotp.java @@ -118,4 +118,9 @@ public class UpdateTotp implements RequiredActionProvider, RequiredActionFactory public String getId() { return UserModel.RequiredAction.CONFIGURE_TOTP.name(); } + + @Override + public boolean isOneTimeAction() { + return true; + } } diff --git a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java index ae569705d9..baa3c4e9b4 100755 --- a/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java +++ b/services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java @@ -32,7 +32,6 @@ import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.*; -import org.keycloak.models.UserModel.RequiredAction; import org.keycloak.services.Urls; import org.keycloak.services.validation.Validation; @@ -132,20 +131,20 @@ public class VerifyEmail implements RequiredActionProvider, RequiredActionFactor RealmModel realm = session.getContext().getRealm(); UriInfo uriInfo = session.getContext().getUri(); - int validityInSecs = realm.getAccessCodeLifespanUserAction(); + int validityInSecs = realm.getActionTokenGeneratedByUserLifespan(); int absoluteExpirationInSecs = Time.currentTime() + validityInSecs; -// ExecuteActionsActionToken token = new ExecuteActionsActionToken(user.getId(), absoluteExpirationInSecs, null, -// Collections.singletonList(UserModel.RequiredAction.VERIFY_EMAIL.name()), -// null, null); -// token.setAuthenticationSessionId(authenticationSession.getId()); - VerifyEmailActionToken token = new VerifyEmailActionToken(user.getId(), absoluteExpirationInSecs, null, authSession.getId(), user.getEmail()); + VerifyEmailActionToken token = new VerifyEmailActionToken(user.getId(), absoluteExpirationInSecs, authSession.getId(), user.getEmail()); UriBuilder builder = Urls.actionTokenBuilder(uriInfo.getBaseUri(), token.serialize(session, realm, uriInfo)); String link = builder.build(realm.getName()).toString(); long expirationInMinutes = TimeUnit.SECONDS.toMinutes(validityInSecs); try { - session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user).sendVerifyEmail(link, expirationInMinutes); + session + .getProvider(EmailTemplateProvider.class) + .setRealm(realm) + .setUser(user) + .sendVerifyEmail(link, expirationInMinutes); event.success(); } catch (EmailException e) { logger.error("Failed to send verification email", e); diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index 6e7a91735f..7ac2deec5c 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -26,6 +26,7 @@ import org.keycloak.authentication.RequiredActionContext; import org.keycloak.authentication.RequiredActionContextResult; import org.keycloak.authentication.RequiredActionFactory; import org.keycloak.authentication.RequiredActionProvider; +import org.keycloak.authentication.actiontoken.DefaultActionTokenKey; import org.keycloak.broker.provider.IdentityProvider; import org.keycloak.common.ClientConnection; import org.keycloak.common.VerificationException; @@ -37,23 +38,10 @@ import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.jose.jws.AlgorithmType; import org.keycloak.jose.jws.JWSBuilder; -import org.keycloak.models.AuthenticatedClientSessionModel; -import org.keycloak.models.ClientModel; -import org.keycloak.models.ClientSessionModel; -import org.keycloak.models.ClientTemplateModel; -import org.keycloak.models.KeyManager; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.ProtocolMapperModel; -import org.keycloak.models.RealmModel; -import org.keycloak.models.RequiredActionProviderModel; -import org.keycloak.models.RoleModel; -import org.keycloak.models.UserConsentModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserSessionModel; +import org.keycloak.models.*; import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.protocol.LoginProtocol; import org.keycloak.protocol.LoginProtocol.Error; -import org.keycloak.protocol.RestartLoginCookie; import org.keycloak.protocol.oidc.TokenManager; import org.keycloak.representations.AccessToken; import org.keycloak.services.ServicesLogger; @@ -77,11 +65,7 @@ import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import java.net.URI; import java.security.PublicKey; -import java.util.Collection; -import java.util.HashSet; -import java.util.LinkedList; -import java.util.List; -import java.util.Set; +import java.util.*; /** * Stateless object that manages authentication @@ -92,6 +76,7 @@ import java.util.Set; public class AuthenticationManager { public static final String SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS= "SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS"; public static final String END_AFTER_REQUIRED_ACTIONS = "END_AFTER_REQUIRED_ACTIONS"; + public static final String INVALIDATE_ACTION_TOKEN = "INVALIDATE_ACTION_TOKEN"; // Last authenticated client in userSession. public static final String LAST_AUTHENTICATED_CLIENT = "LAST_AUTHENTICATED_CLIENT"; @@ -522,6 +507,16 @@ public class AuthenticationManager { public static Response finishedRequiredActions(KeycloakSession session, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientConnection clientConnection, HttpRequest request, UriInfo uriInfo, EventBuilder event) { + String actionTokenKeyToInvalidate = authSession.getAuthNote(INVALIDATE_ACTION_TOKEN); + if (actionTokenKeyToInvalidate != null) { + ActionTokenKeyModel actionTokenKey = DefaultActionTokenKey.from(actionTokenKeyToInvalidate); + + if (actionTokenKey != null) { + ActionTokenStoreProvider actionTokenStore = session.getProvider(ActionTokenStoreProvider.class); + actionTokenStore.put(actionTokenKey, null); + } + } + if (authSession.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null) { LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class) .setSuccess(Messages.ACCOUNT_UPDATED); diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 758b7a1c02..2a07253598 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -504,8 +504,12 @@ public class LoginActionsService { authSession = tokenContext.getAuthenticationSession(); event = tokenContext.getEvent(); + event.event(handler.eventType()); - initLoginEvent(authSession); + if (! handler.canUseTokenRepeatedly(token, tokenContext)) { + LoginActionsServiceChecks.checkTokenWasNotUsedYet(token, tokenContext); + authSession.setAuthNote(AuthenticationManager.INVALIDATE_ACTION_TOKEN, token.serializeKey()); + } authSession.setAuthNote(DefaultActionTokenKey.ACTION_TOKEN_USER_ID, token.getUserId()); diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java index 6d42d255ff..87eaf20505 100644 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java @@ -304,4 +304,12 @@ public class LoginActionsServiceChecks { return true; } + + public static void checkTokenWasNotUsedYet(T token, ActionTokenContext context) throws VerificationException { + ActionTokenStoreProvider actionTokenStore = context.getSession().getProvider(ActionTokenStoreProvider.class); + if (actionTokenStore.get(token) != null) { + throw new ExplainedTokenVerificationException(token, Errors.EXPIRED_CODE, Messages.EXPIRED_ACTION); + } + } + } diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java index 6f9c2c088a..815ee8981b 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java @@ -816,7 +816,7 @@ public class UsersResource { @QueryParam(OIDCLoginProtocol.CLIENT_ID_PARAM) String clientId) { List actions = new LinkedList<>(); actions.add(UserModel.RequiredAction.UPDATE_PASSWORD.name()); - return executeActionsEmail(id, redirectUri, clientId, actions); + return executeActionsEmail(id, redirectUri, clientId, null, actions); } @@ -831,6 +831,7 @@ public class UsersResource { * @param id User is * @param redirectUri Redirect uri * @param clientId Client id + * @param lifespan Number of seconds after which the generated token expires * @param actions required actions the user needs to complete * @return */ @@ -840,6 +841,7 @@ public class UsersResource { public Response executeActionsEmail(@PathParam("id") String id, @QueryParam(OIDCLoginProtocol.REDIRECT_URI_PARAM) String redirectUri, @QueryParam(OIDCLoginProtocol.CLIENT_ID_PARAM) String clientId, + @QueryParam("lifespan") Integer lifespan, List actions) { auth.requireManage(); @@ -881,9 +883,11 @@ public class UsersResource { } } - long relativeExpiration = realm.getAccessCodeLifespanUserAction(); - int expiration = Time.currentTime() + realm.getAccessCodeLifespanUserAction(); - ExecuteActionsActionToken token = new ExecuteActionsActionToken(id, expiration, UUID.randomUUID(), actions, redirectUri, clientId); + if (lifespan == null) { + lifespan = realm.getActionTokenGeneratedByAdminLifespan(); + } + int expiration = Time.currentTime() + lifespan; + ExecuteActionsActionToken token = new ExecuteActionsActionToken(id, expiration, actions, redirectUri, clientId); try { UriBuilder builder = LoginActionsService.actionTokenProcessor(uriInfo); @@ -894,7 +898,7 @@ public class UsersResource { this.session.getProvider(EmailTemplateProvider.class) .setRealm(realm) .setUser(user) - .sendExecuteActions(link, TimeUnit.SECONDS.toMinutes(relativeExpiration)); + .sendExecuteActions(link, TimeUnit.SECONDS.toMinutes(lifespan)); //audit.user(user).detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, accessCode.getCodeId()).success(); @@ -925,7 +929,7 @@ public class UsersResource { public Response sendVerifyEmail(@PathParam("id") String id, @QueryParam(OIDCLoginProtocol.REDIRECT_URI_PARAM) String redirectUri, @QueryParam(OIDCLoginProtocol.CLIENT_ID_PARAM) String clientId) { List actions = new LinkedList<>(); actions.add(UserModel.RequiredAction.VERIFY_EMAIL.name()); - return executeActionsEmail(id, redirectUri, clientId, actions); + return executeActionsEmail(id, redirectUri, clientId, null, actions); } @GET diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java index b31cdfccb5..9fd5c7ac57 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionEmailVerificationTest.java @@ -358,8 +358,6 @@ public class RequiredActionEmailVerificationTest extends AbstractTestRealmKeyclo events.expectRequiredAction(EventType.VERIFY_EMAIL) .user(testUserId) - .detail(Details.USERNAME, "test-user@localhost") - .detail(Details.EMAIL, "test-user@localhost") .detail(Details.CODE_ID, Matchers.not(Matchers.is(mailCodeId))) .client(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID) // as authentication sessions are browser-specific, // the client and redirect_uri is unrelated to diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java index f34c32017f..3d99124fa6 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java @@ -45,6 +45,7 @@ import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.services.resources.RealmsResource; import org.keycloak.testsuite.page.LoginPasswordUpdatePage; +import org.keycloak.testsuite.pages.ErrorPage; import org.keycloak.testsuite.pages.InfoPage; import org.keycloak.testsuite.pages.LoginPage; import org.keycloak.testsuite.util.AdminEventPaths; @@ -68,6 +69,7 @@ import java.util.Collections; import java.util.LinkedList; import java.util.List; +import java.util.concurrent.atomic.AtomicInteger; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; @@ -95,6 +97,9 @@ public class UserTest extends AbstractAdminTest { @Page protected InfoPage infoPage; + @Page + protected ErrorPage errorPage; + @Page protected LoginPage loginPage; @@ -546,8 +551,49 @@ public class UserTest extends AbstractAdminTest { driver.navigate().to(link); -// TODO:hmlnarik - return back once single-use cache would be implemented -// assertEquals("We're sorry...", driver.getTitle()); + assertEquals("We're sorry...", driver.getTitle()); + } + + @Test + public void sendResetPasswordEmailSuccessTokenShortLifespan() throws IOException, MessagingException { + UserRepresentation userRep = new UserRepresentation(); + userRep.setEnabled(true); + userRep.setUsername("user1"); + userRep.setEmail("user1@test.com"); + + String id = createUser(userRep); + + final AtomicInteger originalValue = new AtomicInteger(); + + RealmRepresentation realmRep = realm.toRepresentation(); + originalValue.set(realmRep.getActionTokenGeneratedByAdminLifespan()); + realmRep.setActionTokenGeneratedByAdminLifespan(60); + realm.update(realmRep); + + try { + UserResource user = realm.users().get(id); + List actions = new LinkedList<>(); + actions.add(UserModel.RequiredAction.UPDATE_PASSWORD.name()); + user.executeActionsEmail(actions); + + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + + MimeMessage message = greenMail.getReceivedMessages()[0]; + + String link = MailUtils.getPasswordResetEmailLink(message); + + setTimeOffset(70); + + driver.navigate().to(link); + + errorPage.assertCurrent(); + assertEquals("An error occurred, please login again through your application.", errorPage.getError()); + } finally { + setTimeOffset(0); + + realmRep.setActionTokenGeneratedByAdminLifespan(originalValue.get()); + realm.update(realmRep); + } } @Test @@ -608,8 +654,7 @@ public class UserTest extends AbstractAdminTest { driver.navigate().to(link); -// TODO:hmlnarik - return back once single-use cache would be implemented -// assertEquals("We're sorry...", driver.getTitle()); + assertEquals("We're sorry...", driver.getTitle()); } @Test @@ -674,8 +719,7 @@ public class UserTest extends AbstractAdminTest { driver.navigate().to(link); -// TODO:hmlnarik - return back once single-use cache would be implemented -// assertEquals("We're sorry...", driver.getTitle()); + assertEquals("We're sorry...", driver.getTitle()); } @@ -734,6 +778,11 @@ public class UserTest extends AbstractAdminTest { driver.navigate().to(link); Assert.assertEquals("Your account has been updated.", infoPage.getInfo()); + + driver.navigate().to("about:blank"); + + driver.navigate().to(link); // It should be possible to use the same action token multiple times + Assert.assertEquals("Your account has been updated.", infoPage.getInfo()); } @Test diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java index e5c128745a..ba0b7c9759 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java @@ -255,6 +255,8 @@ public class RealmTest extends AbstractAdminTest { rep.setSsoSessionIdleTimeout(123); rep.setSsoSessionMaxLifespan(12); rep.setAccessCodeLifespanLogin(1234); + rep.setActionTokenGeneratedByAdminLifespan(2345); + rep.setActionTokenGeneratedByUserLifespan(3456); rep.setRegistrationAllowed(true); rep.setRegistrationEmailAsUsername(true); rep.setEditUsernameAllowed(true); @@ -267,6 +269,8 @@ public class RealmTest extends AbstractAdminTest { assertEquals(123, rep.getSsoSessionIdleTimeout().intValue()); assertEquals(12, rep.getSsoSessionMaxLifespan().intValue()); assertEquals(1234, rep.getAccessCodeLifespanLogin().intValue()); + assertEquals(2345, rep.getActionTokenGeneratedByAdminLifespan().intValue()); + assertEquals(3456, rep.getActionTokenGeneratedByUserLifespan().intValue()); assertEquals(Boolean.TRUE, rep.isRegistrationAllowed()); assertEquals(Boolean.TRUE, rep.isRegistrationEmailAsUsername()); assertEquals(Boolean.TRUE, rep.isEditUsernameAllowed()); @@ -443,6 +447,12 @@ public class RealmTest extends AbstractAdminTest { if (realm.getAccessCodeLifespan() != null) assertEquals(realm.getAccessCodeLifespan(), storedRealm.getAccessCodeLifespan()); if (realm.getAccessCodeLifespanUserAction() != null) assertEquals(realm.getAccessCodeLifespanUserAction(), storedRealm.getAccessCodeLifespanUserAction()); + if (realm.getActionTokenGeneratedByAdminLifespan() != null) + assertEquals(realm.getActionTokenGeneratedByAdminLifespan(), storedRealm.getActionTokenGeneratedByAdminLifespan()); + if (realm.getActionTokenGeneratedByUserLifespan() != null) + assertEquals(realm.getActionTokenGeneratedByUserLifespan(), storedRealm.getActionTokenGeneratedByUserLifespan()); + else + assertEquals(realm.getAccessCodeLifespanUserAction(), storedRealm.getActionTokenGeneratedByUserLifespan()); if (realm.getNotBefore() != null) assertEquals(realm.getNotBefore(), storedRealm.getNotBefore()); if (realm.getAccessTokenLifespan() != null) assertEquals(realm.getAccessTokenLifespan(), storedRealm.getAccessTokenLifespan()); if (realm.getAccessTokenLifespanForImplicitFlow() != null) assertEquals(realm.getAccessTokenLifespanForImplicitFlow(), storedRealm.getAccessTokenLifespanForImplicitFlow()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java index f322c529e9..04ee91117f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java @@ -189,19 +189,17 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { } public void assertSecondPasswordResetFails(String changePasswordUrl, String clientId) { - // TODO:hmlnarik uncomment when single-use cache is implemented -// driver.navigate().to(changePasswordUrl.trim()); -// -// errorPage.assertCurrent(); -// assertEquals("An error occurred, please login again through your application.", errorPage.getError()); -// -// events.expect(EventType.RESET_PASSWORD) -// .client((String) null) -// .session((String) null) -// .user(userId) -// .detail(Details.USERNAME, "login-test") -// .error(Errors.EXPIRED_CODE) -// .assertEvent(); + driver.navigate().to(changePasswordUrl.trim()); + + errorPage.assertCurrent(); + assertEquals("Action expired. Please continue with login now.", errorPage.getError()); + + events.expect(EventType.RESET_PASSWORD) + .client("account") + .session((String) null) + .user(userId) + .error(Errors.EXPIRED_CODE) + .assertEvent(); } @Test @@ -386,8 +384,8 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { final AtomicInteger originalValue = new AtomicInteger(); RealmRepresentation realmRep = testRealm().toRepresentation(); - originalValue.set(realmRep.getAccessCodeLifespan()); - realmRep.setAccessCodeLifespanUserAction(60); + originalValue.set(realmRep.getActionTokenGeneratedByUserLifespan()); + realmRep.setActionTokenGeneratedByUserLifespan(60); testRealm().update(realmRep); try { @@ -415,7 +413,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest { } finally { setTimeOffset(0); - realmRep.setAccessCodeLifespanUserAction(originalValue.get()); + realmRep.setActionTokenGeneratedByUserLifespan(originalValue.get()); testRealm().update(realmRep); } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/admin-test/testrealm.json b/testsuite/integration-arquillian/tests/base/src/test/resources/admin-test/testrealm.json index b20eb5da1f..ef6f1053f7 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/admin-test/testrealm.json +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/admin-test/testrealm.json @@ -9,6 +9,8 @@ "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", "requiredCredentials": [ "password" ], "defaultRoles": [ "user" ], + "actionTokenGeneratedByAdminLifespan": "147", + "actionTokenGeneratedByUserLifespan": "258", "smtpServer": { "from": "auto@keycloak.org", "host": "localhost", diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties index 8b776c6c5f..f129e459e5 100644 --- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties +++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties @@ -108,6 +108,10 @@ access-token-lifespan=Access Token Lifespan access-token-lifespan.tooltip=Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout. access-token-lifespan-for-implicit-flow=Access Token Lifespan For Implicit Flow access-token-lifespan-for-implicit-flow.tooltip=Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than SSO timeout. There is no possibility to refresh token during implicit flow, that's why there is separate timeout different to 'Access Token Lifespan'. +action-token-generated-by-admin-lifespan=Default Admin Action Token Lifespan +action-token-generated-by-admin-lifespan.tooltip=Max time before an action token generated via admin interface is expired. This value is recommended to be long to allow admins send e-mails for users that are currently offline. The default timeout can be overridden right before issuing the token. +action-token-generated-by-user-lifespan=User Action Token Lifespan +action-token-generated-by-user-lifespan.tooltip=Max time before an action token generated via user action (e.g. e-mail verification) is expired. This value is recommended to be short because it is expected that the user would react to self-created action token quickly. client-login-timeout=Client login timeout client-login-timeout.tooltip=Max time an client has to finish the access token protocol. This should normally be 1 minute. login-timeout=Login timeout @@ -1292,6 +1296,8 @@ credential-types=Credential Types manage-user-password=Manage Password disable-credentials=Disable Credentials credential-reset-actions=Credential Reset +credential-reset-actions-timeout=Token validity +credential-reset-actions-timeout.tooltip=Max time before the action token allowing execution of given actions is expired. ldap-mappers=LDAP Mappers create-ldap-mapper=Create LDAP mapper diff --git a/themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js b/themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js index bcc655fbcc..c658bb548f 100644 --- a/themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js +++ b/themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js @@ -1044,6 +1044,8 @@ module.controller('RealmTokenDetailCtrl', function($scope, Realm, realm, $http, $scope.realm.accessCodeLifespan = TimeUnit2.asUnit(realm.accessCodeLifespan); $scope.realm.accessCodeLifespanLogin = TimeUnit2.asUnit(realm.accessCodeLifespanLogin); $scope.realm.accessCodeLifespanUserAction = TimeUnit2.asUnit(realm.accessCodeLifespanUserAction); + $scope.realm.actionTokenGeneratedByAdminLifespan = TimeUnit2.asUnit(realm.actionTokenGeneratedByAdminLifespan); + $scope.realm.actionTokenGeneratedByUserLifespan = TimeUnit2.asUnit(realm.actionTokenGeneratedByUserLifespan); var oldCopy = angular.copy($scope.realm); $scope.changed = false; @@ -1063,6 +1065,8 @@ module.controller('RealmTokenDetailCtrl', function($scope, Realm, realm, $http, $scope.realm.accessCodeLifespan = $scope.realm.accessCodeLifespan.toSeconds(); $scope.realm.accessCodeLifespanUserAction = $scope.realm.accessCodeLifespanUserAction.toSeconds(); $scope.realm.accessCodeLifespanLogin = $scope.realm.accessCodeLifespanLogin.toSeconds(); + $scope.realm.actionTokenGeneratedByAdminLifespan = $scope.realm.actionTokenGeneratedByAdminLifespan.toSeconds(); + $scope.realm.actionTokenGeneratedByUserLifespan = $scope.realm.actionTokenGeneratedByUserLifespan.toSeconds(); Realm.update($scope.realm, function () { $route.reload(); diff --git a/themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js b/themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js index 13d83436b7..2c3c34f8af 100755 --- a/themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js +++ b/themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js @@ -482,7 +482,7 @@ module.controller('UserDetailCtrl', function($scope, realm, user, BruteForceUser } }); -module.controller('UserCredentialsCtrl', function($scope, realm, user, $route, RequiredActions, User, UserExecuteActionsEmail, UserCredentials, Notifications, Dialog) { +module.controller('UserCredentialsCtrl', function($scope, realm, user, $route, RequiredActions, User, UserExecuteActionsEmail, UserCredentials, Notifications, Dialog, TimeUnit2) { console.log('UserCredentialsCtrl'); $scope.realm = realm; @@ -548,6 +548,7 @@ module.controller('UserCredentialsCtrl', function($scope, realm, user, $route, R }; $scope.emailActions = []; + $scope.emailActionsTimeout = TimeUnit2.asUnit(realm.actionTokenGeneratedByAdminLifespan); $scope.disableableCredentialTypes = []; $scope.sendExecuteActionsEmail = function() { @@ -556,7 +557,7 @@ module.controller('UserCredentialsCtrl', function($scope, realm, user, $route, R return; } Dialog.confirm('Send Email', 'Are you sure you want to send email to user?', function() { - UserExecuteActionsEmail.update({ realm: realm.realm, userId: user.id }, $scope.emailActions, function() { + UserExecuteActionsEmail.update({ realm: realm.realm, userId: user.id, lifespan: $scope.emailActionsLifespan.toSeconds() }, $scope.emailActions, function() { Notifications.success("Email sent to user"); $scope.emailActions = []; }, function() { diff --git a/themes/src/main/resources/theme/base/admin/resources/js/services.js b/themes/src/main/resources/theme/base/admin/resources/js/services.js index fe09ebbe28..e850b3bc4b 100755 --- a/themes/src/main/resources/theme/base/admin/resources/js/services.js +++ b/themes/src/main/resources/theme/base/admin/resources/js/services.js @@ -496,7 +496,8 @@ module.factory('UserCredentials', function($resource) { module.factory('UserExecuteActionsEmail', function($resource) { return $resource(authUrl + '/admin/realms/:realm/users/:userId/execute-actions-email', { realm : '@realm', - userId : '@userId' + userId : '@userId', + lifespan : '@lifespan', }, { update : { method : 'PUT' diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html b/themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html index f0f9e58fb4..f508716538 100755 --- a/themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html +++ b/themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html @@ -141,6 +141,40 @@ +
    + + +
    + + +
    + + {{:: 'action-token-generated-by-user-lifespan.tooltip' | translate}} + +
    + +
    + + +
    + + +
    + + {{:: 'action-token-generated-by-admin-lifespan.tooltip' | translate}} + +
    +
    diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/user-credentials.html b/themes/src/main/resources/theme/base/admin/resources/partials/user-credentials.html index d213fdd442..9f3512ee0a 100755 --- a/themes/src/main/resources/theme/base/admin/resources/partials/user-credentials.html +++ b/themes/src/main/resources/theme/base/admin/resources/partials/user-credentials.html @@ -75,6 +75,20 @@
    {{:: 'credentials.reset-actions.tooltip' | translate}}
    +
    + + +
    + + +
    + {{:: 'credential-reset-actions-timeout.tooltip' | translate}} +
    diff --git a/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java b/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java index 8567376001..d83cd189ea 100755 --- a/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java +++ b/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java @@ -41,12 +41,12 @@ import java.util.List; public class KeycloakServerDeploymentProcessor implements DeploymentUnitProcessor { private static final String[] CACHES = new String[] { - "realms", "users","sessions","authenticationSessions","offlineSessions","loginFailures","work","authorization","keys" + "realms", "users","sessions","authenticationSessions","offlineSessions","loginFailures","work","authorization","keys","actionTokens" }; // This param name is defined again in Keycloak Services class // org.keycloak.services.resources.KeycloakApplication. We have this value in - // two places to avoid dependency between Keycloak Subsystem and Keyclaok Services module. + // two places to avoid dependency between Keycloak Subsystem and Keycloak Services module. public static final String KEYCLOAK_CONFIG_PARAM_NAME = "org.keycloak.server-subsystem.Config"; @Override diff --git a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml index 83f76549e7..0d3b4aad30 100755 --- a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml +++ b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml @@ -43,6 +43,10 @@ + + + + @@ -109,6 +113,10 @@ + + + + diff --git a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan2.xml b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan2.xml index 5e706dca8b..a76162b83a 100755 --- a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan2.xml +++ b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan2.xml @@ -43,6 +43,10 @@ + + + + @@ -112,6 +116,10 @@ + + + + From 7d8796e614be54f47923106ccf312ff219c5dbdc Mon Sep 17 00:00:00 2001 From: mposolda Date: Thu, 4 May 2017 10:42:43 +0200 Subject: [PATCH 12/30] KEYCLOAK-4626 Support for sticky sessions with AUTH_SESSION_ID cookie. Clustering tests with embedded undertow. Last fixes. --- .../keycloak-model-infinispan/main/module.xml | 1 + .../resource/ClientPoliciesResource.java | 1 + misc/Testsuite.md | 6 + ...ltInfinispanConnectionProviderFactory.java | 46 ++- .../InfinispanConnectionProvider.java | 3 + .../AuthenticatedClientSessionAdapter.java | 2 +- ...nfinispanStickySessionEncoderProvider.java | 78 +++++ ...anStickySessionEncoderProviderFactory.java | 58 ++++ .../AuthenticatedClientSessionEntity.java | 9 - ...ssions.StickySessionEncoderProviderFactory | 18 ++ .../StickySessionEncoderProvider.java | 31 ++ .../StickySessionEncoderProviderFactory.java | 26 ++ .../sessions/StickySessionEncoderSpi.java | 48 +++ .../services/org.keycloak.provider.Spi | 1 + .../actiontoken/ActionTokenContext.java | 2 +- ...dpVerifyAccountLinkActionTokenHandler.java | 1 + .../broker/AbstractIdpAuthenticator.java | 3 - .../IdpEmailVerificationAuthenticator.java | 18 +- .../keycloak/protocol/oidc/TokenManager.java | 35 +- .../oidc/endpoints/UserInfoEndpoint.java | 60 ++-- .../managers/AuthenticationManager.java | 2 +- .../AuthenticationSessionManager.java | 32 +- .../resources/IdentityBrokerService.java | 13 +- .../resources/LoginActionsService.java | 8 +- .../services/util/BrowserHistoryHelper.java | 17 +- .../integration-arquillian/HOW-TO-RUN.md | 102 +++++- .../jboss/common/ispn-cache-owners.xsl | 5 + .../undertow/KeycloakOnUndertow.java | 51 ++- ...KeycloakOnUndertowArquillianExtension.java | 2 + .../KeycloakOnUndertowConfiguration.java | 38 ++- .../undertow/SetSystemProperty.java | 53 ++++ .../lb/SimpleUndertowLoadBalancer.java | 298 ++++++++++++++++++ ...mpleUndertowLoadBalancerConfiguration.java | 48 +++ .../SimpleUndertowLoadBalancerContainer.java | 87 +++++ .../arquillian/AuthServerTestEnricher.java | 29 +- .../testsuite/util/AdminClientUtil.java | 7 +- .../testsuite/AbstractKeycloakTest.java | 36 +-- .../AbstractServletAuthzAdapterTest.java | 5 +- ...ractServletAuthzFunctionalAdapterTest.java | 5 +- .../testsuite/admin/PermissionsTest.java | 3 - .../AbstractPolicyManagementTest.java | 13 +- .../ClientPolicyManagementTest.java | 3 + .../authz/ConflictingScopePermissionTest.java | 3 +- .../RequireUmaAuthorizationScopeTest.java | 14 +- .../cluster/AbstractClusterTest.java | 16 +- .../cluster/AbstractFailoverClusterTest.java | 112 +++++++ ...henticationSessionFailoverClusterTest.java | 171 ++++++++++ .../cluster/SessionFailoverClusterTest.java | 86 +---- .../resources/META-INF/keycloak-server.json | 5 +- .../base/src/test/resources/arquillian.xml | 40 ++- .../keycloak/testsuite/KeycloakServer.java | 26 ++ .../broker/AbstractFirstBrokerLoginTest.java | 8 +- .../testsuite/pages/IdpLinkEmailPage.java | 7 +- .../resources/META-INF/keycloak-server.json | 2 +- .../src/test/resources/log4j.properties | 2 + .../theme/base/login/login-idp-link-email.ftl | 3 + .../login/messages/messages_en.properties | 4 +- 57 files changed, 1543 insertions(+), 260 deletions(-) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProvider.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProviderFactory.java create mode 100644 model/infinispan/src/main/resources/META-INF/services/org.keycloak.sessions.StickySessionEncoderProviderFactory create mode 100644 server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderProvider.java create mode 100644 server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderProviderFactory.java create mode 100644 server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderSpi.java create mode 100644 testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/SetSystemProperty.java create mode 100644 testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancer.java create mode 100644 testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancerConfiguration.java create mode 100644 testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancerContainer.java create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AbstractFailoverClusterTest.java create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AuthenticationSessionFailoverClusterTest.java diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-model-infinispan/main/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-model-infinispan/main/module.xml index e7fdb8abed..4388f83dfc 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-model-infinispan/main/module.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-model-infinispan/main/module.xml @@ -33,6 +33,7 @@ + diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientPoliciesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientPoliciesResource.java index 3fd7778c49..ef09dde939 100644 --- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientPoliciesResource.java +++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientPoliciesResource.java @@ -27,6 +27,7 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.cache.NoCache; +import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation; import org.keycloak.representations.idm.authorization.ClientPolicyRepresentation; /** diff --git a/misc/Testsuite.md b/misc/Testsuite.md index 8403806470..cb77ad7a59 100644 --- a/misc/Testsuite.md +++ b/misc/Testsuite.md @@ -132,6 +132,12 @@ kinit hnelson@KEYCLOAK.ORG and provide password `secret` Now when you access `http://localhost:8081/auth/realms/master/account` you should be logged in automatically as user `hnelson` . + +Simple loadbalancer +------------------- + +You can run class `SimpleUndertowLoadBalancer` from IDE. By default, it executes the embedded undertow loadbalancer running on `http://localhost:8180`, which communicates with 2 backend Keycloak nodes +running on `http://localhost:8181` and `http://localhost:8182` . See javadoc for more details. Create many users or offline sessions diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java index 4bd78017ea..1394d80e66 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java @@ -19,6 +19,8 @@ package org.keycloak.connections.infinispan; import java.util.concurrent.TimeUnit; +import org.infinispan.commons.util.FileLookup; +import org.infinispan.commons.util.FileLookupFactory; import org.infinispan.configuration.cache.CacheMode; import org.infinispan.configuration.cache.Configuration; import org.infinispan.configuration.cache.ConfigurationBuilder; @@ -28,10 +30,12 @@ import org.infinispan.eviction.EvictionType; import org.infinispan.manager.DefaultCacheManager; import org.infinispan.manager.EmbeddedCacheManager; import org.infinispan.persistence.remote.configuration.RemoteStoreConfigurationBuilder; +import org.infinispan.remoting.transport.jgroups.JGroupsTransport; import org.infinispan.transaction.LockingMode; import org.infinispan.transaction.TransactionMode; import org.infinispan.transaction.lookup.DummyTransactionManagerLookup; import org.jboss.logging.Logger; +import org.jgroups.JChannel; import org.keycloak.Config; import org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory; import org.keycloak.models.KeycloakSession; @@ -139,7 +143,8 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon boolean allowDuplicateJMXDomains = config.getBoolean("allowDuplicateJMXDomains", true); if (clustered) { - gcb.transport().defaultTransport(); + String nodeName = config.get("nodeName", System.getProperty(InfinispanConnectionProvider.JBOSS_NODE_NAME)); + configureTransport(gcb, nodeName); } gcb.globalJmxStatistics().allowDuplicateDomains(allowDuplicateJMXDomains); @@ -184,6 +189,13 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, sessionCacheConfiguration); cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME, sessionCacheConfiguration); + // Retrieve caches to enforce rebalance + cacheManager.getCache(InfinispanConnectionProvider.SESSION_CACHE_NAME, true); + cacheManager.getCache(InfinispanConnectionProvider.OFFLINE_SESSION_CACHE_NAME, true); + cacheManager.getCache(InfinispanConnectionProvider.LOGIN_FAILURE_CACHE_NAME, true); + cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, true); + cacheManager.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME, true); + ConfigurationBuilder replicationConfigBuilder = new ConfigurationBuilder(); if (clustered) { replicationConfigBuilder.clustering().cacheMode(async ? CacheMode.REPL_ASYNC : CacheMode.REPL_SYNC); @@ -278,14 +290,36 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon ConfigurationBuilder cb = new ConfigurationBuilder(); cb.eviction() - .strategy(EvictionStrategy.NONE) - .type(EvictionType.COUNT) - .size(InfinispanConnectionProvider.ACTION_TOKEN_CACHE_DEFAULT_MAX); + .strategy(EvictionStrategy.NONE) + .type(EvictionType.COUNT) + .size(InfinispanConnectionProvider.ACTION_TOKEN_CACHE_DEFAULT_MAX); cb.expiration() - .maxIdle(InfinispanConnectionProvider.ACTION_TOKEN_MAX_IDLE_SECONDS, TimeUnit.SECONDS) - .wakeUpInterval(InfinispanConnectionProvider.ACTION_TOKEN_WAKE_UP_INTERVAL_SECONDS, TimeUnit.SECONDS); + .maxIdle(InfinispanConnectionProvider.ACTION_TOKEN_MAX_IDLE_SECONDS, TimeUnit.SECONDS) + .wakeUpInterval(InfinispanConnectionProvider.ACTION_TOKEN_WAKE_UP_INTERVAL_SECONDS, TimeUnit.SECONDS); return cb.build(); } + protected void configureTransport(GlobalConfigurationBuilder gcb, String nodeName) { + if (nodeName == null) { + gcb.transport().defaultTransport(); + } else { + FileLookup fileLookup = FileLookupFactory.newInstance(); + + try { + // Compatibility with Wildfly + JChannel channel = new JChannel(fileLookup.lookupFileLocation("default-configs/default-jgroups-udp.xml", this.getClass().getClassLoader())); + channel.setName(nodeName); + JGroupsTransport transport = new JGroupsTransport(channel); + + gcb.transport().nodeName(nodeName); + gcb.transport().transport(transport); + + logger.infof("Configured jgroups transport with the channel name: %s", nodeName); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + } + } diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java index ba9a31bd4d..8e190cdfe7 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java @@ -49,6 +49,9 @@ public interface InfinispanConnectionProvider extends Provider { int KEYS_CACHE_DEFAULT_MAX = 1000; int KEYS_CACHE_MAX_IDLE_SECONDS = 3600; + // System property used on Wildfly to identify distributedCache address and sticky session route + String JBOSS_NODE_NAME = "jboss.node.name"; + Cache getCache(String name); diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java index 546e86fafe..13352dfcab 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java @@ -96,7 +96,7 @@ public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSes @Override public String getId() { - return entity.getId(); + return null; } @Override diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProvider.java new file mode 100644 index 0000000000..0aca09f81c --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProvider.java @@ -0,0 +1,78 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.sessions.infinispan; + +import org.infinispan.Cache; +import org.infinispan.distribution.DistributionManager; +import org.infinispan.remoting.transport.Address; +import org.keycloak.connections.infinispan.InfinispanConnectionProvider; +import org.keycloak.models.KeycloakSession; +import org.keycloak.sessions.StickySessionEncoderProvider; + +/** + * @author Marek Posolda + */ +public class InfinispanStickySessionEncoderProvider implements StickySessionEncoderProvider { + + private final KeycloakSession session; + private final String myNodeName; + + public InfinispanStickySessionEncoderProvider(KeycloakSession session, String myNodeName) { + this.session = session; + this.myNodeName = myNodeName; + } + + @Override + public String encodeSessionId(String sessionId) { + String nodeName = getNodeName(sessionId); + if (nodeName != null) { + return sessionId + '.' + nodeName; + } else { + return sessionId; + } + } + + @Override + public String decodeSessionId(String encodedSessionId) { + int index = encodedSessionId.indexOf('.'); + return index == -1 ? encodedSessionId : encodedSessionId.substring(0, index); + } + + @Override + public void close() { + + } + + + private String getNodeName(String sessionId) { + InfinispanConnectionProvider ispnProvider = session.getProvider(InfinispanConnectionProvider.class); + Cache cache = ispnProvider.getCache(InfinispanConnectionProvider.AUTHENTICATION_SESSIONS_CACHE_NAME); + DistributionManager distManager = cache.getAdvancedCache().getDistributionManager(); + + if (distManager != null) { + // Sticky session to the node, who owns this authenticationSession + Address address = distManager.getPrimaryLocation(sessionId); + return address.toString(); + } else { + // Fallback to jbossNodeName if authSession cache is local + return myNodeName; + } + } + + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProviderFactory.java new file mode 100644 index 0000000000..b8e6a7131d --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanStickySessionEncoderProviderFactory.java @@ -0,0 +1,58 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.sessions.infinispan; + +import org.keycloak.Config; +import org.keycloak.connections.infinispan.InfinispanConnectionProvider; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.KeycloakSessionFactory; +import org.keycloak.sessions.StickySessionEncoderProvider; +import org.keycloak.sessions.StickySessionEncoderProviderFactory; + +/** + * @author Marek Posolda + */ +public class InfinispanStickySessionEncoderProviderFactory implements StickySessionEncoderProviderFactory { + + private String myNodeName; + + @Override + public StickySessionEncoderProvider create(KeycloakSession session) { + return new InfinispanStickySessionEncoderProvider(session, myNodeName); + } + + @Override + public void init(Config.Scope config) { + myNodeName = config.get("nodeName", System.getProperty(InfinispanConnectionProvider.JBOSS_NODE_NAME)); + } + + @Override + public void postInit(KeycloakSessionFactory factory) { + + } + + @Override + public void close() { + + } + + @Override + public String getId() { + return "infinispan"; + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java index f89247789c..3641d5f171 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/AuthenticatedClientSessionEntity.java @@ -26,7 +26,6 @@ import java.util.Set; */ public class AuthenticatedClientSessionEntity implements Serializable { - private String id; private String authMethod; private String redirectUri; private int timestamp; @@ -36,14 +35,6 @@ public class AuthenticatedClientSessionEntity implements Serializable { private Set protocolMappers; private Map notes; - public String getId() { - return id; - } - - public void setId(String id) { - this.id = id; - } - public String getAuthMethod() { return authMethod; } diff --git a/model/infinispan/src/main/resources/META-INF/services/org.keycloak.sessions.StickySessionEncoderProviderFactory b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.sessions.StickySessionEncoderProviderFactory new file mode 100644 index 0000000000..0436ddeb48 --- /dev/null +++ b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.sessions.StickySessionEncoderProviderFactory @@ -0,0 +1,18 @@ +# +# Copyright 2016 Red Hat, Inc. and/or its affiliates +# and other contributors as indicated by the @author tags. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +org.keycloak.models.sessions.infinispan.InfinispanStickySessionEncoderProviderFactory \ No newline at end of file diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderProvider.java b/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderProvider.java new file mode 100644 index 0000000000..69dad56b8f --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderProvider.java @@ -0,0 +1,31 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions; + +import org.keycloak.provider.Provider; + +/** + * @author Marek Posolda + */ +public interface StickySessionEncoderProvider extends Provider { + + String encodeSessionId(String sessionId); + + String decodeSessionId(String encodedSessionId); + +} diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderProviderFactory.java new file mode 100644 index 0000000000..6b8c836994 --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderProviderFactory.java @@ -0,0 +1,26 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions; + +import org.keycloak.provider.ProviderFactory; + +/** + * @author Marek Posolda + */ +public interface StickySessionEncoderProviderFactory extends ProviderFactory { +} diff --git a/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderSpi.java b/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderSpi.java new file mode 100644 index 0000000000..4e1fdfff28 --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/sessions/StickySessionEncoderSpi.java @@ -0,0 +1,48 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.sessions; + +import org.keycloak.provider.Provider; +import org.keycloak.provider.ProviderFactory; +import org.keycloak.provider.Spi; + +/** + * @author Marek Posolda + */ +public class StickySessionEncoderSpi implements Spi { + + @Override + public boolean isInternal() { + return true; + } + + @Override + public String getName() { + return "stickySessionEncoder"; + } + + @Override + public Class getProviderClass() { + return StickySessionEncoderProvider.class; + } + + @Override + public Class getProviderFactoryClass() { + return StickySessionEncoderProviderFactory.class; + } +} diff --git a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi index c692d32649..543ef256c1 100755 --- a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi +++ b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi @@ -34,6 +34,7 @@ org.keycloak.scripting.ScriptingSpi org.keycloak.services.managers.BruteForceProtectorSpi org.keycloak.services.resource.RealmResourceSPI org.keycloak.sessions.AuthenticationSessionSpi +org.keycloak.sessions.StickySessionEncoderSpi org.keycloak.protocol.ClientInstallationSpi org.keycloak.protocol.LoginProtocolSpi org.keycloak.protocol.ProtocolMapperSpi diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java index ce45deb1b8..a55c5870f7 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/ActionTokenContext.java @@ -115,7 +115,7 @@ public class ActionTokenContext { authSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, true); authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); // TODO:mposolda It seems that this should be taken from client rather then hardcoded to account? + String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); authSession.setRedirectUri(redirectUri); authSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); authSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); diff --git a/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java b/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java index 3aec118260..389441ed34 100644 --- a/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java +++ b/services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java @@ -86,6 +86,7 @@ public class IdpVerifyAccountLinkActionTokenHandler extends AbstractActionTokenH return tokenContext.getSession().getProvider(LoginFormsProvider.class) .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, token.getIdentityProviderAlias(), token.getIdentityProviderUsername()) + .setAttribute("skipLink", true) .createInfoPage(); } diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java index fc7b9417f6..82475663df 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.java @@ -47,9 +47,6 @@ public abstract class AbstractIdpAuthenticator implements Authenticator { // The clientSession note flag to indicate that email provided by identityProvider was changed on updateProfile page public static final String UPDATE_PROFILE_EMAIL_CHANGED = "UPDATE_PROFILE_EMAIL_CHANGED"; - // The clientSession note flag to indicate if re-authentication after first broker login happened in different browser window. This can happen for example during email verification - public static final String IS_DIFFERENT_BROWSER = "IS_DIFFERENT_BROWSER"; // TODO:mposolda can reuse the END_AFTER_REQUIRED_ACTIONS instead? - // The clientSession note flag to indicate that updateProfile page will be always displayed even if "updateProfileOnFirstLogin" is off public static final String ENFORCE_UPDATE_PROFILE = "ENFORCE_UPDATE_PROFILE"; diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java index 11d9b913c4..a2a9b3a320 100755 --- a/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java @@ -31,6 +31,7 @@ import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; import org.keycloak.forms.login.LoginFormsProvider; +import org.keycloak.models.Constants; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.models.UserModel; @@ -81,7 +82,13 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator UserModel existingUser = getExistingUser(session, realm, authSession); - sendVerifyEmail(session, context, existingUser, brokerContext); + // Do not allow resending e-mail by simple page refresh + if (! Objects.equals(authSession.getAuthNote(Constants.VERIFY_EMAIL_KEY), existingUser.getEmail())) { + authSession.setAuthNote(Constants.VERIFY_EMAIL_KEY, existingUser.getEmail()); + sendVerifyEmail(session, context, existingUser, brokerContext); + } else { + showEmailSentPage(context, brokerContext); + } } @Override @@ -89,7 +96,8 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator logger.debugf("Re-sending email requested for user, details follow"); // This will allow user to re-send email again - context.getAuthenticationSession().removeAuthNote(VERIFY_ACCOUNT_IDP_USERNAME); + context.getAuthenticationSession().removeAuthNote(Constants.VERIFY_EMAIL_KEY); + authenticateImpl(context, serializedCtx, brokerContext); } @@ -146,6 +154,11 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator return; } + showEmailSentPage(context, brokerContext); + } + + + protected void showEmailSentPage(AuthenticationFlowContext context, BrokeredIdentityContext brokerContext) { String accessCode = context.generateAccessCode(); URI action = context.getActionUrl(accessCode); @@ -156,4 +169,5 @@ public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator .createIdpLinkEmailPage(); context.forceChallenge(challenge); } + } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java index e7c147d966..9782b48717 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java @@ -197,31 +197,26 @@ public class TokenManager { return false; } - UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); - if (AuthenticationManager.isSessionValid(realm, userSession)) { - ClientSessionModel clientSession = session.sessions().getClientSession(realm, token.getClientSession()); - if (clientSession != null) { - return true; - } - } - -<<<<<<< f392e79ad781014387c9fe5724815b24eab7a35f - userSession = session.sessions().getOfflineUserSession(realm, token.getSessionState()); - if (AuthenticationManager.isOfflineSessionValid(realm, userSession)) { - ClientSessionModel clientSession = session.sessions().getOfflineClientSession(realm, token.getClientSession()); - if (clientSession != null) { - return true; - } -======= ClientModel client = realm.getClientByClientId(token.getIssuedFor()); if (client == null || !client.isEnabled()) { return false; } - AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); - if (clientSession == null) { - return false; ->>>>>>> KEYCLOAK-4626 AuthenticationSessions: start + UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); + if (AuthenticationManager.isSessionValid(realm, userSession)) { + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); + if (clientSession != null) { + return true; + } + } + + + userSession = session.sessions().getOfflineUserSession(realm, token.getSessionState()); + if (AuthenticationManager.isOfflineSessionValid(realm, userSession)) { + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(client.getId()); + if (clientSession != null) { + return true; + } } return false; diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java index f2d6f60d6f..6ee2be3b0b 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java @@ -140,24 +140,7 @@ public class UserInfoEndpoint { throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Token invalid: " + e.getMessage(), Response.Status.UNAUTHORIZED); } - UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); - ClientSessionModel clientSession = session.sessions().getClientSession(token.getClientSession()); - if( userSession == null ) { - userSession = session.sessions().getOfflineUserSession(realm, token.getSessionState()); - if( AuthenticationManager.isOfflineSessionValid(realm, userSession)) { - clientSession = session.sessions().getOfflineClientSession(realm, token.getClientSession()); - } else { - userSession = null; - clientSession = null; - } - } - - if (userSession == null) { - event.error(Errors.USER_SESSION_NOT_FOUND); - throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "User session not found", Response.Status.BAD_REQUEST); - } - - event.session(userSession); + UserSessionModel userSession = findValidSession(token, event); UserModel userModel = userSession.getUser(); if (userModel == null) { @@ -169,11 +152,6 @@ public class UserInfoEndpoint { .detail(Details.USERNAME, userModel.getUsername()); - if (clientSession == null || !AuthenticationManager.isSessionValid(realm, userSession)) { - event.error(Errors.SESSION_EXPIRED); - throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Session expired", Response.Status.UNAUTHORIZED); - } - ClientModel clientModel = realm.getClientByClientId(token.getIssuedFor()); if (clientModel == null) { event.error(Errors.CLIENT_NOT_FOUND); @@ -187,6 +165,12 @@ public class UserInfoEndpoint { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client disabled", Response.Status.BAD_REQUEST); } + AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(clientModel.getId()); + if (clientSession == null) { + event.error(Errors.SESSION_EXPIRED); + throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Session expired", Response.Status.UNAUTHORIZED); + } + AccessToken userInfo = new AccessToken(); tokenManager.transformUserInfoAccessToken(session, userInfo, realm, clientModel, userModel, userSession, clientSession); @@ -225,4 +209,34 @@ public class UserInfoEndpoint { return Cors.add(request, responseBuilder).auth().allowedOrigins(token).build(); } + + private UserSessionModel findValidSession(AccessToken token, EventBuilder event) { + UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); + UserSessionModel offlineUserSession = null; + if (AuthenticationManager.isSessionValid(realm, userSession)) { + event.session(userSession); + return userSession; + } else { + offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState()); + if (AuthenticationManager.isOfflineSessionValid(realm, offlineUserSession)) { + event.session(offlineUserSession); + return offlineUserSession; + } + } + + if (userSession == null && offlineUserSession == null) { + event.error(Errors.USER_SESSION_NOT_FOUND); + throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "User session not found", Response.Status.BAD_REQUEST); + } + + if (userSession != null) { + event.session(userSession); + } else { + event.session(offlineUserSession); + } + + event.error(Errors.SESSION_EXPIRED); + throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Session expired", Response.Status.UNAUTHORIZED); + } + } diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java index 7ac2deec5c..31217f1eae 100755 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java @@ -513,7 +513,7 @@ public class AuthenticationManager { if (actionTokenKey != null) { ActionTokenStoreProvider actionTokenStore = session.getProvider(ActionTokenStoreProvider.class); - actionTokenStore.put(actionTokenKey, null); + actionTokenStore.put(actionTokenKey, null); // Token is invalidated } } diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java index 0297f13e9d..1cba9dcf3a 100644 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java @@ -28,13 +28,14 @@ import org.keycloak.models.UserSessionModel; import org.keycloak.protocol.RestartLoginCookie; import org.keycloak.services.util.CookieHelper; import org.keycloak.sessions.AuthenticationSessionModel; +import org.keycloak.sessions.StickySessionEncoderProvider; /** * @author Marek Posolda */ public class AuthenticationSessionManager { - private static final String AUTH_SESSION_ID = "AUTH_SESSION_ID"; + public static final String AUTH_SESSION_ID = "AUTH_SESSION_ID"; private static final Logger log = Logger.getLogger(AuthenticationSessionManager.class); @@ -57,12 +58,12 @@ public class AuthenticationSessionManager { public String getCurrentAuthenticationSessionId(RealmModel realm) { - return getAuthSessionCookie(); + return getAuthSessionCookieDecoded(realm); } public AuthenticationSessionModel getCurrentAuthenticationSession(RealmModel realm) { - String authSessionId = getAuthSessionCookie(); + String authSessionId = getAuthSessionCookieDecoded(realm); return authSessionId==null ? null : session.authenticationSessions().getAuthenticationSession(realm, authSessionId); } @@ -72,22 +73,37 @@ public class AuthenticationSessionManager { String cookiePath = AuthenticationManager.getRealmCookiePath(realm, uriInfo); boolean sslRequired = realm.getSslRequired().isRequired(session.getContext().getConnection()); - CookieHelper.addCookie(AUTH_SESSION_ID, authSessionId, cookiePath, null, null, -1, sslRequired, true); - log.debugf("Set AUTH_SESSION_ID cookie with value %s", authSessionId); + StickySessionEncoderProvider encoder = session.getProvider(StickySessionEncoderProvider.class); + String encodedAuthSessionId = encoder.encodeSessionId(authSessionId); + + CookieHelper.addCookie(AUTH_SESSION_ID, encodedAuthSessionId, cookiePath, null, null, -1, sslRequired, true); + + log.debugf("Set AUTH_SESSION_ID cookie with value %s", encodedAuthSessionId); } - public String getAuthSessionCookie() { + private String getAuthSessionCookieDecoded(RealmModel realm) { String cookieVal = CookieHelper.getCookieValue(AUTH_SESSION_ID); if (cookieVal != null) { log.debugf("Found AUTH_SESSION_ID cookie with value %s", cookieVal); + + StickySessionEncoderProvider encoder = session.getProvider(StickySessionEncoderProvider.class); + String decodedAuthSessionId = encoder.decodeSessionId(cookieVal); + + // Check if owner of this authentication session changed due to re-hashing (usually node failover or addition of new node) + String reencoded = encoder.encodeSessionId(decodedAuthSessionId); + if (!reencoded.equals(cookieVal)) { + log.debugf("Route changed. Will update authentication session cookie"); + setAuthSessionCookie(decodedAuthSessionId, realm); + } + + return decodedAuthSessionId; } else { log.debugf("Not found AUTH_SESSION_ID cookie"); + return null; } - - return cookieVal; } diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java index 1810ed077f..333a1cf029 100755 --- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java +++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java @@ -41,7 +41,6 @@ import org.keycloak.events.Details; import org.keycloak.events.Errors; import org.keycloak.events.EventBuilder; import org.keycloak.events.EventType; -import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.models.AccountRoles; import org.keycloak.models.AuthenticatedClientSessionModel; import org.keycloak.models.AuthenticationFlowModel; @@ -751,17 +750,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal UserModel federatedUser = authSession.getAuthenticatedUser(); if (wasFirstBrokerLogin) { - - String isDifferentBrowser = authSession.getAuthNote(AbstractIdpAuthenticator.IS_DIFFERENT_BROWSER); - if (Boolean.parseBoolean(isDifferentBrowser)) { - new AuthenticationSessionManager(session).removeAuthenticationSession(realmModel, authSession, true); - return session.getProvider(LoginFormsProvider.class) - .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, context.getIdpConfig().getAlias(), context.getUsername()) - .createInfoPage(); - } else { - return finishBrokerAuthentication(context, federatedUser, authSession, providerId); - } - + return finishBrokerAuthentication(context, federatedUser, authSession, providerId); } else { boolean firstBrokerLoginInProgress = (authSession.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null); diff --git a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java index 2a07253598..8f0d39ecce 100755 --- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java +++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java @@ -338,7 +338,7 @@ public class LoginActionsService { return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } - authSession = createAuthenticationSessionForClient(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); + authSession = createAuthenticationSessionForClient(); return processResetCredentials(false, null, authSession); } @@ -346,17 +346,17 @@ public class LoginActionsService { return resetCredentials(code, execution); } - AuthenticationSessionModel createAuthenticationSessionForClient(String clientId) + AuthenticationSessionModel createAuthenticationSessionForClient() throws UriBuilderException, IllegalArgumentException { AuthenticationSessionModel authSession; // set up the account service as the endpoint to call. - ClientModel client = realm.getClientByClientId(clientId == null ? Constants.ACCOUNT_MANAGEMENT_CLIENT_ID : clientId); + ClientModel client = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); authSession = new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, true); authSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name()); //authSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true"); authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); - String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); // TODO:mposolda It seems that this should be taken from client rather then hardcoded to account? + String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); authSession.setRedirectUri(redirectUri); authSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE); authSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri); diff --git a/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java b/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java index 890d21cf85..ef34b16116 100644 --- a/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java +++ b/services/src/main/java/org/keycloak/services/util/BrowserHistoryHelper.java @@ -72,20 +72,19 @@ public abstract class BrowserHistoryHelper { } // For now, handle just status 200 with String body. See if more is needed... - if (response.getStatus() == 200) { - Object entity = response.getEntity(); - if (entity instanceof String) { - String responseString = (String) entity; + Object entity = response.getEntity(); + if (entity != null && entity instanceof String) { + String responseString = (String) entity; - URI lastExecutionURL = new AuthenticationFlowURLHelper(session, session.getContext().getRealm(), session.getContext().getUri()).getLastExecutionUrl(authSession); + URI lastExecutionURL = new AuthenticationFlowURLHelper(session, session.getContext().getRealm(), session.getContext().getUri()).getLastExecutionUrl(authSession); - // Inject javascript for history "replaceState" - String responseWithJavascript = responseWithJavascript(responseString, lastExecutionURL.toString()); + // Inject javascript for history "replaceState" + String responseWithJavascript = responseWithJavascript(responseString, lastExecutionURL.toString()); - return Response.fromResponse(response).entity(responseWithJavascript).build(); - } + return Response.fromResponse(response).entity(responseWithJavascript).build(); } + return response; } diff --git a/testsuite/integration-arquillian/HOW-TO-RUN.md b/testsuite/integration-arquillian/HOW-TO-RUN.md index 35e4be8cb6..10becee3e5 100644 --- a/testsuite/integration-arquillian/HOW-TO-RUN.md +++ b/testsuite/integration-arquillian/HOW-TO-RUN.md @@ -257,20 +257,20 @@ mvn -f testsuite/integration-arquillian/tests/other/console/pom.xml \ ## Welcome Page tests The Welcome Page tests need to be run on WildFly/EAP and with `-Dskip.add.user.json` switch. So that they are disabled by default and are meant to be run separately. -``` -# Prepare servers -mvn -f testsuite/integration-arquillian/servers/pom.xml \ - clean install \ - -Pauth-server-wildfly \ - -Papp-server-wildfly -# Run tests -mvn -f testsuite/integration-arquillian/tests/base/pom.xml \ - clean test \ - -Dtest=WelcomePageTest \ - -Dskip.add.user.json \ - -Pauth-server-wildfly -``` + # Prepare servers + mvn -f testsuite/integration-arquillian/servers/pom.xml \ + clean install \ + -Pauth-server-wildfly \ + -Papp-server-wildfly + + # Run tests + mvn -f testsuite/integration-arquillian/tests/base/pom.xml \ + clean test \ + -Dtest=WelcomePageTest \ + -Dskip.add.user.json \ + -Pauth-server-wildfly + ## Social Login The social login tests require setup of all social networks including an example social user. These details can't be @@ -341,4 +341,80 @@ To run the X.509 client certificate authentication tests: -Dauth.server.ssl.required \ -Dbrowser=phantomjs \ "-Dtest=*.x509.*" + +## Cluster tests + +Cluster tests use 2 backend servers (Keycloak on Wildfly/EAP) and 1 frontend loadbalancer server node. Invalidation tests don't use loadbalancer. +The browser usually communicates directly with the backend node1 and after doing some change here (eg. updating user), it verifies that the change is visible on node2 and user is updated here as well. + +Failover tests use loadbalancer and they require the setup with the distributed infinispan caches switched to have 2 owners (default value is 1 owner). Otherwise failover won't reliably work. + + +The setup includes: + +* a `mod_cluster` load balancer on Wildfly +* two clustered nodes of Keycloak server on Wildfly/EAP + +Clustering tests require MULTICAST to be enabled on machine's `loopback` network interface. +This can be done by running the following commands under root privileges: + + route add -net 224.0.0.0 netmask 240.0.0.0 dev lo + ifconfig lo multicast + +Then after build the sources, distribution and setup of clean shared database (replace command according your DB), you can use this command to setup servers: + + export DB_HOST=localhost + mvn -f testsuite/integration-arquillian/servers/pom.xml \ + -Pauth-server-wildfly,auth-server-cluster,jpa \ + -Dsession.cache.owners=2 \ + -Djdbc.mvn.groupId=mysql \ + -Djdbc.mvn.version=5.1.29 \ + -Djdbc.mvn.artifactId=mysql-connector-java \ + -Dkeycloak.connectionsJpa.url=jdbc:mysql://$DB_HOST/keycloak \ + -Dkeycloak.connectionsJpa.user=keycloak \ + -Dkeycloak.connectionsJpa.password=keycloak \ + clean install + +And then this to run the cluster tests: + + mvn -f testsuite/integration-arquillian/tests/base/pom.xml \ + -Pauth-server-wildfly,auth-server-cluster \ + -Dsession.cache.owners=2 \ + -Dbackends.console.output=true \ + -Dauth.server.log.check=false \ + -Dfrontend.console.output=true \ + -Dtest=org.keycloak.testsuite.cluster.**.*Test clean install + + +### Cluster tests with embedded undertow + +#### Run cluster tests from IDE + +The test uses Undertow loadbalancer on `http://localhost:8180` and two embedded backend Undertow servers with Keycloak on `http://localhost:8181` and `http://localhost:8182` . +You can use any cluster test (eg. AuthenticationSessionFailoverClusterTest) and run from IDE with those system properties (replace with your DB settings): + + -Dauth.server.undertow=false -Dauth.server.undertow.cluster=true -Dauth.server.cluster=true + -Dkeycloak.connectionsJpa.url=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver + -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsInfinispan.clustered=true -Dresources + -Dkeycloak.connectionsInfinispan.sessionsOwners=2 -Dsession.cache.owners=2 + +Invalidation tests (subclass of `AbstractInvalidationClusterTest`) don't need last two properties. + + +#### Run cluster environment from IDE + +This mode is useful for develop/manual tests of clustering features. You will need to manually run keycloak backend nodes and loadbalancer. + +1) Run KeycloakServer server1 with: + + -Dkeycloak.connectionsJpa.url=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver + -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsInfinispan.clustered=true + -Dkeycloak.connectionsInfinispan.sessionsOwners=2 -Dresources + +and argument: `-p 8181` + +2) Run KeycloakServer server2 with same parameters but argument: `-p 8182` + +3) Run loadbalancer (class `SimpleUndertowLoadBalancer`) without arguments and system properties. Loadbalancer runs on port 8180, so you can access Keycloak on `http://localhost:8180/auth` + diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/ispn-cache-owners.xsl b/testsuite/integration-arquillian/servers/auth-server/jboss/common/ispn-cache-owners.xsl index 65abfea2d9..46c6f7c66a 100644 --- a/testsuite/integration-arquillian/servers/auth-server/jboss/common/ispn-cache-owners.xsl +++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/ispn-cache-owners.xsl @@ -18,6 +18,11 @@ + + + + + diff --git a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertow.java b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertow.java index c89467466d..83bb19b828 100644 --- a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertow.java +++ b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertow.java @@ -41,8 +41,11 @@ import org.jboss.shrinkwrap.api.spec.WebArchive; import org.jboss.shrinkwrap.descriptor.api.Descriptor; import org.jboss.shrinkwrap.undertow.api.UndertowWebArchive; import org.keycloak.common.util.reflections.Reflections; +import org.keycloak.connections.infinispan.InfinispanConnectionProvider; +import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.services.filters.KeycloakSessionServletFilter; +import org.keycloak.services.managers.ApplianceBootstrap; import org.keycloak.services.resources.KeycloakApplication; import javax.servlet.DispatcherType; @@ -106,6 +109,11 @@ public class KeycloakOnUndertow implements DeployableContainer archive) throws DeploymentException { + if (isRemoteMode()) { + log.infof("Skipped deployment of '%s' as we are in remote mode!", archive.getName()); + return new ProtocolMetaData(); + } + DeploymentInfo di = getDeplotymentInfoFromArchive(archive); ClassLoader parentCl = Thread.currentThread().getContextClassLoader(); @@ -152,7 +160,7 @@ public class KeycloakOnUndertow implements DeployableContainer archive) throws DeploymentException { + if (isRemoteMode()) { + log.infof("Skipped undeployment of '%s' as we are in remote mode!", archive.getName()); + return; + } + Field containerField = Reflections.findDeclaredField(UndertowJaxrsServer.class, "container"); Reflections.setAccessible(containerField); ServletContainer container = (ServletContainer) Reflections.getFieldValue(containerField, undertow); diff --git a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertowArquillianExtension.java b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertowArquillianExtension.java index 14aca1ccab..79666047a4 100644 --- a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertowArquillianExtension.java +++ b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertowArquillianExtension.java @@ -2,6 +2,7 @@ package org.keycloak.testsuite.arquillian.undertow; import org.jboss.arquillian.container.spi.client.container.DeployableContainer; import org.jboss.arquillian.core.spi.LoadableExtension; +import org.keycloak.testsuite.arquillian.undertow.lb.SimpleUndertowLoadBalancerContainer; /** * @@ -12,6 +13,7 @@ public class KeycloakOnUndertowArquillianExtension implements LoadableExtension @Override public void register(ExtensionBuilder builder) { builder.service(DeployableContainer.class, KeycloakOnUndertow.class); + builder.service(DeployableContainer.class, SimpleUndertowLoadBalancerContainer.class); } } diff --git a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertowConfiguration.java b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertowConfiguration.java index 0a519efd75..bdf0ff79ec 100644 --- a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertowConfiguration.java +++ b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertowConfiguration.java @@ -19,11 +19,18 @@ package org.keycloak.testsuite.arquillian.undertow; import org.arquillian.undertow.UndertowContainerConfiguration; import org.jboss.arquillian.container.spi.ConfigurationException; +import org.jboss.logging.Logger; public class KeycloakOnUndertowConfiguration extends UndertowContainerConfiguration { + protected static final Logger log = Logger.getLogger(KeycloakOnUndertowConfiguration.class); + private int workerThreads = Math.max(Runtime.getRuntime().availableProcessors(), 2) * 8; private String resourcesHome; + private boolean remoteMode; + private String route; + + private int bindHttpPortOffset = 0; public int getWorkerThreads() { return workerThreads; @@ -41,10 +48,39 @@ public class KeycloakOnUndertowConfiguration extends UndertowContainerConfigurat this.resourcesHome = resourcesHome; } + public int getBindHttpPortOffset() { + return bindHttpPortOffset; + } + + public void setBindHttpPortOffset(int bindHttpPortOffset) { + this.bindHttpPortOffset = bindHttpPortOffset; + } + + public String getRoute() { + return route; + } + + public void setRoute(String route) { + this.route = route; + } + + public boolean isRemoteMode() { + return remoteMode; + } + + public void setRemoteMode(boolean remoteMode) { + this.remoteMode = remoteMode; + } + @Override public void validate() throws ConfigurationException { super.validate(); - + + int basePort = getBindHttpPort(); + int newPort = basePort + bindHttpPortOffset; + setBindHttpPort(newPort); + log.info("KeycloakOnUndertow will listen on port: " + newPort); + // TODO validate workerThreads } diff --git a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/SetSystemProperty.java b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/SetSystemProperty.java new file mode 100644 index 0000000000..86a7e2ed10 --- /dev/null +++ b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/SetSystemProperty.java @@ -0,0 +1,53 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.arquillian.undertow; + +/** + * @author Marek Posolda + */ +class SetSystemProperty { + + private String name; + private String oldValue; + + public SetSystemProperty(String name, String value) { + this.name = name; + this.oldValue = System.getProperty(name); + + if (value == null) { + if (oldValue != null) { + System.getProperties().remove(name); + } + } else { + System.setProperty(name, value); + } + } + + public void revert() { + String value = System.getProperty(name); + + if (oldValue == null) { + if (value != null) { + System.getProperties().remove(name); + } + } else { + System.setProperty(name, oldValue); + } + } + +} diff --git a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancer.java b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancer.java new file mode 100644 index 0000000000..3eda20c8db --- /dev/null +++ b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancer.java @@ -0,0 +1,298 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.arquillian.undertow.lb; + +import java.net.URI; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.TimeUnit; + +import io.undertow.Undertow; +import io.undertow.server.HttpHandler; +import io.undertow.server.HttpServerExchange; +import io.undertow.server.handlers.ResponseCodeHandler; +import io.undertow.server.handlers.proxy.ExclusivityChecker; +import io.undertow.server.handlers.proxy.LoadBalancingProxyClient; +import io.undertow.server.handlers.proxy.ProxyCallback; +import io.undertow.server.handlers.proxy.ProxyClient; +import io.undertow.server.handlers.proxy.ProxyConnection; +import io.undertow.server.handlers.proxy.ProxyHandler; +import io.undertow.util.AttachmentKey; +import io.undertow.util.Headers; +import org.jboss.logging.Logger; +import org.keycloak.services.managers.AuthenticationSessionManager; + +/** + * Loadbalancer on embedded undertow. Supports sticky session over "AUTH_SESSION_ID" cookie and failover to different node when sticky node not available. + * Status 503 is returned just if all backend nodes are unavailable. + * + * To configure backend nodes, you can use system property like : -Dkeycloak.nodes="node1=http://localhost:8181,node2=http://localhost:8182" + * + * @author Marek Posolda + */ +public class SimpleUndertowLoadBalancer { + + private static final Logger log = Logger.getLogger(SimpleUndertowLoadBalancer.class); + + static final String DEFAULT_NODES = "node1=http://localhost:8181,node2=http://localhost:8182"; + + private final String host; + private final int port; + private final String nodesString; + private Undertow undertow; + + + public static void main(String[] args) throws Exception { + String nodes = System.getProperty("keycloak.nodes", DEFAULT_NODES); + + SimpleUndertowLoadBalancer lb = new SimpleUndertowLoadBalancer("localhost", 8180, nodes); + lb.start(); + + Runtime.getRuntime().addShutdownHook(new Thread() { + + @Override + public void run() { + lb.stop(); + } + + }); + } + + + public SimpleUndertowLoadBalancer(String host, int port, String nodesString) { + this.host = host; + this.port = port; + this.nodesString = nodesString; + log.infof("Keycloak nodes: %s", nodesString); + } + + + public void start() { + Map nodes = parseNodes(nodesString); + try { + HttpHandler proxyHandler = createHandler(nodes); + + undertow = Undertow.builder() + .addHttpListener(port, host) + .setHandler(proxyHandler) + .build(); + undertow.start(); + + log.infof("Loadbalancer started and ready to serve requests on http://%s:%d", host, port); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + + public void stop() { + undertow.stop(); + } + + + static Map parseNodes(String nodes) { + String[] nodesArray = nodes.split(","); + Map result = new HashMap<>(); + + for (String nodeStr : nodesArray) { + String[] node = nodeStr.trim().split("="); + if (node.length != 2) { + throw new IllegalArgumentException("Illegal node format in the configuration: " + nodeStr); + } + result.put(node[0].trim(), node[1].trim()); + } + + return result; + } + + + private HttpHandler createHandler(Map backendNodes) throws Exception { + + // TODO: configurable options if needed + String sessionCookieNames = AuthenticationSessionManager.AUTH_SESSION_ID; + int connectionsPerThread = 20; + int problemServerRetry = 5; // In case of unavailable node, we will try to ping him every 5 seconds to check if it's back + int maxTime = 3600000; // 1 hour for proxy request timeout, so we can debug the backend keycloak servers + int requestQueueSize = 10; + int cachedConnectionsPerThread = 10; + int connectionIdleTimeout = 60; + int maxRetryAttempts = backendNodes.size() - 1; + + final LoadBalancingProxyClient lb = new CustomLoadBalancingClient(new ExclusivityChecker() { + + @Override + public boolean isExclusivityRequired(HttpServerExchange exchange) { + //we always create a new connection for upgrade requests + return exchange.getRequestHeaders().contains(Headers.UPGRADE); + } + + }, maxRetryAttempts) + .setConnectionsPerThread(connectionsPerThread) + .setMaxQueueSize(requestQueueSize) + .setSoftMaxConnectionsPerThread(cachedConnectionsPerThread) + .setTtl(connectionIdleTimeout) + .setProblemServerRetry(problemServerRetry); + String[] sessionIds = sessionCookieNames.split(","); + for (String id : sessionIds) { + lb.addSessionCookieName(id); + } + + for (Map.Entry node : backendNodes.entrySet()) { + String route = node.getKey(); + URI uri = new URI(node.getValue()); + + lb.addHost(uri, route); + log.infof("Added host: %s, route: %s", uri.toString(), route); + } + + ProxyHandler handler = new ProxyHandler(lb, maxTime, ResponseCodeHandler.HANDLE_404); + return handler; + } + + + private class CustomLoadBalancingClient extends LoadBalancingProxyClient { + + private final int maxRetryAttempts; + + public CustomLoadBalancingClient(ExclusivityChecker checker, int maxRetryAttempts) { + super(checker); + this.maxRetryAttempts = maxRetryAttempts; + } + + + @Override + protected Host selectHost(HttpServerExchange exchange) { + Host host = super.selectHost(exchange); + log.debugf("Selected host: %s, host available: %b", host.getUri().toString(), host.isAvailable()); + exchange.putAttachment(SELECTED_HOST, host); + return host; + } + + + @Override + protected Host findStickyHost(HttpServerExchange exchange) { + Host stickyHost = super.findStickyHost(exchange); + + if (stickyHost != null) { + + if (!stickyHost.isAvailable()) { + log.infof("Sticky host %s not available. Trying different hosts", stickyHost.getUri()); + return null; + } else { + log.infof("Sticky host %s found and looks available", stickyHost.getUri()); + } + } + + return stickyHost; + } + + + @Override + public void getConnection(ProxyTarget target, HttpServerExchange exchange, ProxyCallback callback, long timeout, TimeUnit timeUnit) { + long timeoutMs = timeUnit.toMillis(timeout); + + ProxyCallbackDelegate callbackDelegate = new ProxyCallbackDelegate(this, callback, timeoutMs, maxRetryAttempts); + super.getConnection(target, exchange, callbackDelegate, timeout, timeUnit); + } + + } + + + private static final AttachmentKey SELECTED_HOST = AttachmentKey.create(LoadBalancingProxyClient.Host.class); + private static final AttachmentKey REMAINING_RETRY_ATTEMPTS = AttachmentKey.create(Integer.class); + + + private class ProxyCallbackDelegate implements ProxyCallback { + + private final ProxyClient proxyClient; + private final ProxyCallback delegate; + private final long timeoutMs; + private final int maxRetryAttempts; + + + public ProxyCallbackDelegate(ProxyClient proxyClient, ProxyCallback delegate, long timeoutMs, int maxRetryAttempts) { + this.proxyClient = proxyClient; + this.delegate = delegate; + this.timeoutMs = timeoutMs; + this.maxRetryAttempts = maxRetryAttempts; + } + + + @Override + public void completed(HttpServerExchange exchange, ProxyConnection result) { + LoadBalancingProxyClient.Host host = exchange.getAttachment(SELECTED_HOST); + if (host == null) { + // shouldn't happen + log.error("Host is null!!!"); + } else { + // Host was restored + if (!host.isAvailable()) { + log.infof("Host %s available again", host.getUri()); + host.clearError(); + } + } + + delegate.completed(exchange, result); + } + + + @Override + public void failed(HttpServerExchange exchange) { + final long time = System.currentTimeMillis(); + + Integer remainingAttempts = exchange.getAttachment(REMAINING_RETRY_ATTEMPTS); + if (remainingAttempts == null) { + remainingAttempts = maxRetryAttempts; + } else { + remainingAttempts--; + } + + exchange.putAttachment(REMAINING_RETRY_ATTEMPTS, remainingAttempts); + + log.infof("Failed request to selected host. Remaining attempts: %d", remainingAttempts); + if (remainingAttempts > 0) { + if (timeoutMs > 0 && time > timeoutMs) { + delegate.failed(exchange); + } else { + ProxyClient.ProxyTarget target = proxyClient.findTarget(exchange); + if (target != null) { + final long remaining = timeoutMs > 0 ? timeoutMs - time : -1; + proxyClient.getConnection(target, exchange, this, remaining, TimeUnit.MILLISECONDS); + } else { + couldNotResolveBackend(exchange); // The context was registered when we started, so return 503 + } + } + } else { + couldNotResolveBackend(exchange); + } + } + + + @Override + public void couldNotResolveBackend(HttpServerExchange exchange) { + delegate.couldNotResolveBackend(exchange); + } + + + @Override + public void queuedRequestFailed(HttpServerExchange exchange) { + delegate.queuedRequestFailed(exchange); + } + + } +} diff --git a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancerConfiguration.java b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancerConfiguration.java new file mode 100644 index 0000000000..3a0312c875 --- /dev/null +++ b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancerConfiguration.java @@ -0,0 +1,48 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.arquillian.undertow.lb; + +import org.arquillian.undertow.UndertowContainerConfiguration; +import org.jboss.arquillian.container.spi.ConfigurationException; + +/** + * @author Marek Posolda + */ +public class SimpleUndertowLoadBalancerConfiguration extends UndertowContainerConfiguration { + + private String nodes = SimpleUndertowLoadBalancer.DEFAULT_NODES; + + public String getNodes() { + return nodes; + } + + public void setNodes(String nodes) { + this.nodes = nodes; + } + + @Override + public void validate() throws ConfigurationException { + super.validate(); + + try { + SimpleUndertowLoadBalancer.parseNodes(nodes); + } catch (Exception e) { + throw new ConfigurationException(e); + } + } +} diff --git a/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancerContainer.java b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancerContainer.java new file mode 100644 index 0000000000..4b24c15030 --- /dev/null +++ b/testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancerContainer.java @@ -0,0 +1,87 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.arquillian.undertow.lb; + +import org.jboss.arquillian.container.spi.client.container.DeployableContainer; +import org.jboss.arquillian.container.spi.client.container.DeploymentException; +import org.jboss.arquillian.container.spi.client.container.LifecycleException; +import org.jboss.arquillian.container.spi.client.protocol.ProtocolDescription; +import org.jboss.arquillian.container.spi.client.protocol.metadata.ProtocolMetaData; +import org.jboss.logging.Logger; +import org.jboss.shrinkwrap.api.Archive; +import org.jboss.shrinkwrap.descriptor.api.Descriptor; + +/** + * Arquillian container over {@link SimpleUndertowLoadBalancer} + * + * @author Marek Posolda + */ +public class SimpleUndertowLoadBalancerContainer implements DeployableContainer { + + private static final Logger log = Logger.getLogger(SimpleUndertowLoadBalancerContainer.class); + + private SimpleUndertowLoadBalancerConfiguration configuration; + private SimpleUndertowLoadBalancer container; + + @Override + public Class getConfigurationClass() { + return SimpleUndertowLoadBalancerConfiguration.class; + } + + @Override + public void setup(SimpleUndertowLoadBalancerConfiguration configuration) { + this.configuration = configuration; + } + + @Override + public void start() throws LifecycleException { + this.container = new SimpleUndertowLoadBalancer(configuration.getBindAddress(), configuration.getBindHttpPort(), configuration.getNodes()); + this.container.start(); + } + + @Override + public void stop() throws LifecycleException { + log.info("Going to stop loadbalancer"); + this.container.stop(); + } + + @Override + public ProtocolDescription getDefaultProtocol() { + return new ProtocolDescription("Servlet 3.1"); + } + + @Override + public ProtocolMetaData deploy(Archive archive) throws DeploymentException { + throw new UnsupportedOperationException("Not implemented"); + } + + @Override + public void undeploy(Archive archive) throws DeploymentException { + throw new UnsupportedOperationException("Not implemented"); + } + + @Override + public void deploy(Descriptor descriptor) throws DeploymentException { + throw new UnsupportedOperationException("Not implemented"); + } + + @Override + public void undeploy(Descriptor descriptor) throws DeploymentException { + throw new UnsupportedOperationException("Not implemented"); + } +} diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java index e583608f4d..7e7ee6f92c 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java @@ -71,6 +71,8 @@ public class AuthServerTestEnricher { private static final String AUTH_SERVER_CLUSTER_PROPERTY = "auth.server.cluster"; public static final boolean AUTH_SERVER_CLUSTER = Boolean.parseBoolean(System.getProperty(AUTH_SERVER_CLUSTER_PROPERTY, "false")); + private static final boolean AUTH_SERVER_UNDERTOW_CLUSTER = Boolean.parseBoolean(System.getProperty("auth.server.undertow.cluster", "false")); + private static final Boolean START_MIGRATION_CONTAINER = "auto".equals(System.getProperty("migration.mode")) || "manual".equals(System.getProperty("migration.mode")); @@ -112,9 +114,25 @@ public class AuthServerTestEnricher { suiteContext = new SuiteContext(containers); - String authServerFrontend = AUTH_SERVER_CLUSTER - ? "auth-server-balancer-wildfly" // if cluster mode enabled, load-balancer is the frontend - : AUTH_SERVER_CONTAINER; // single-node mode + String authServerFrontend = null; + + if (AUTH_SERVER_CLUSTER) { + // if cluster mode enabled, load-balancer is the frontend + for (ContainerInfo c : containers) { + if (c.getQualifier().startsWith("auth-server-balancer")) { + authServerFrontend = c.getQualifier(); + } + } + + if (authServerFrontend != null) { + log.info("Using frontend container: " + authServerFrontend); + } else { + throw new IllegalStateException("Not found frontend container"); + } + } else { + authServerFrontend = AUTH_SERVER_CONTAINER; // single-node mode + } + String authServerBackend = AUTH_SERVER_CONTAINER + "-backend"; int backends = 0; for (ContainerInfo container : suiteContext.getContainers()) { @@ -130,6 +148,11 @@ public class AuthServerTestEnricher { } } + // Setup with 2 undertow backend nodes and no loadbalancer. +// if (AUTH_SERVER_UNDERTOW_CLUSTER && suiteContext.getAuthServerInfo() == null && !suiteContext.getAuthServerBackendsInfo().isEmpty()) { +// suiteContext.setAuthServerInfo(suiteContext.getAuthServerBackendsInfo().get(0)); +// } + // validate auth server setup if (suiteContext.getAuthServerInfo() == null) { throw new RuntimeException(String.format("No auth server container matching '%s' found in arquillian.xml.", authServerFrontend)); diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java index c1869d78aa..a6f42c82f2 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java @@ -33,6 +33,7 @@ import org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider; import org.keycloak.admin.client.Keycloak; import org.keycloak.models.Constants; import org.keycloak.testsuite.arquillian.AuthServerTestEnricher; +import org.keycloak.testsuite.arquillian.SuiteContext; import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN; import static org.keycloak.testsuite.auth.page.AuthRealm.MASTER; @@ -41,7 +42,7 @@ import static org.keycloak.testsuite.util.IOUtil.PROJECT_BUILD_DIRECTORY; public class AdminClientUtil { - public static Keycloak createAdminClient(boolean ignoreUnknownProperties) throws Exception { + public static Keycloak createAdminClient(boolean ignoreUnknownProperties, String authServerContextRoot) throws Exception { SSLContext ssl = null; if ("true".equals(System.getProperty("auth.server.ssl.required"))) { File trustore = new File(PROJECT_BUILD_DIRECTORY, "dependency/keystore/keycloak.truststore"); @@ -61,12 +62,12 @@ public class AdminClientUtil { jacksonProvider.setMapper(objectMapper); } - return Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", + return Keycloak.getInstance(authServerContextRoot + "/auth", MASTER, ADMIN, ADMIN, Constants.ADMIN_CLI_CLIENT_ID, null, ssl, jacksonProvider); } public static Keycloak createAdminClient() throws Exception { - return createAdminClient(false); + return createAdminClient(false, AuthServerTestEnricher.getAuthServerContextRoot()); } private static SSLContext getSSLContextWithTrustore(File file, String password) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java index 22513ac714..1739370891 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java @@ -18,26 +18,19 @@ package org.keycloak.testsuite; import org.apache.commons.configuration.ConfigurationException; import org.apache.commons.configuration.PropertiesConfiguration; -import org.apache.http.ssl.SSLContexts; import org.keycloak.common.util.KeycloakUriBuilder; import org.keycloak.common.util.Time; import org.keycloak.testsuite.arquillian.KcArquillian; import org.keycloak.testsuite.arquillian.TestContext; -import java.io.File; -import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; -import java.security.KeyManagementException; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Map; -import javax.net.ssl.SSLContext; + import javax.ws.rs.NotFoundException; import org.jboss.arquillian.container.test.api.RunAsClient; import org.jboss.arquillian.drone.api.annotation.Drone; @@ -53,7 +46,6 @@ import org.keycloak.admin.client.resource.RealmResource; import org.keycloak.admin.client.resource.RealmsResource; import org.keycloak.admin.client.resource.UserResource; import org.keycloak.admin.client.resource.UsersResource; -import org.keycloak.models.Constants; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RequiredActionProviderRepresentation; import org.keycloak.representations.idm.UserRepresentation; @@ -77,7 +69,6 @@ import org.openqa.selenium.WebDriver; import static org.keycloak.testsuite.admin.Users.setPasswordFor; import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN; import static org.keycloak.testsuite.auth.page.AuthRealm.MASTER; -import static org.keycloak.testsuite.util.IOUtil.PROJECT_BUILD_DIRECTORY; /** * @@ -135,7 +126,8 @@ public abstract class AbstractKeycloakTest { public void beforeAbstractKeycloakTest() throws Exception { adminClient = testContext.getAdminClient(); if (adminClient == null) { - adminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting()); + String authServerContextRoot = suiteContext.getAuthServerInfo().getContextRoot().toString(); + adminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), authServerContextRoot); testContext.setAdminClient(adminClient); } @@ -147,10 +139,9 @@ public abstract class AbstractKeycloakTest { TestEventsLogger.setDriver(driver); - if (!suiteContext.isAdminPasswordUpdated()) { - log.debug("updating admin password"); + // The backend cluster nodes may not be yet started. Password will be updated later for cluster setup. + if (!AuthServerTestEnricher.AUTH_SERVER_CLUSTER) { updateMasterAdminPassword(); - suiteContext.setAdminPasswordUpdated(true); } if (testContext.getTestRealmReps() == null) { @@ -202,10 +193,16 @@ public abstract class AbstractKeycloakTest { return false; } - private void updateMasterAdminPassword() { - welcomePage.navigateTo(); - if (!welcomePage.isPasswordSet()) { - welcomePage.setPassword("admin", "admin"); + protected void updateMasterAdminPassword() { + if (!suiteContext.isAdminPasswordUpdated()) { + log.debug("updating admin password"); + + welcomePage.navigateTo(); + if (!welcomePage.isPasswordSet()) { + welcomePage.setPassword("admin", "admin"); + } + + suiteContext.setAdminPasswordUpdated(true); } } @@ -236,7 +233,8 @@ public abstract class AbstractKeycloakTest { if (testingClient == null) { testingClient = testContext.getTestingClient(); if (testingClient == null) { - testingClient = KeycloakTestingClient.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth"); + String authServerContextRoot = suiteContext.getAuthServerInfo().getContextRoot().toString(); + testingClient = KeycloakTestingClient.getInstance(authServerContextRoot + "/auth"); testContext.setTestingClient(testingClient); } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java index 5c3f1f1e60..f6a8bb247d 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java @@ -28,6 +28,8 @@ import java.net.MalformedURLException; import java.net.URL; import java.util.List; +import javax.ws.rs.core.Response; + import org.jboss.arquillian.container.test.api.Deployer; import org.jboss.arquillian.test.api.ArquillianResource; import org.junit.BeforeClass; @@ -199,7 +201,8 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda assertFalse(policy.getUsers().isEmpty()); - getAuthorizationResource().policies().user().create(policy); + Response response = getAuthorizationResource().policies().user().create(policy); + response.close(); } protected interface ExceptionRunnable { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzFunctionalAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzFunctionalAdapterTest.java index b37e9e60fb..49158faacf 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzFunctionalAdapterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzFunctionalAdapterTest.java @@ -23,6 +23,8 @@ import java.io.IOException; import java.util.Arrays; import java.util.List; +import javax.ws.rs.core.Response; + import org.jboss.arquillian.container.test.api.Deployment; import org.jboss.shrinkwrap.api.spec.WebArchive; import org.junit.Test; @@ -289,7 +291,8 @@ public abstract class AbstractServletAuthzFunctionalAdapterTest extends Abstract policy.addClient("admin-cli"); ClientPoliciesResource policyResource = getAuthorizationResource().policies().client(); - policyResource.create(policy); + Response response = policyResource.create(policy); + response.close(); policy = policyResource.findByName(policy.getName()); updatePermissionPolicies("Protected Resource Permission", policy.getName()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java index d821179048..531157daa3 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java @@ -46,8 +46,6 @@ import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RequiredActionProviderRepresentation; import org.keycloak.representations.idm.RequiredActionProviderSimpleRepresentation; import org.keycloak.representations.idm.RoleRepresentation; -import org.keycloak.representations.idm.UserFederationMapperRepresentation; -import org.keycloak.representations.idm.UserFederationProviderRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.authorization.PolicyRepresentation; import org.keycloak.representations.idm.authorization.ResourceRepresentation; @@ -64,7 +62,6 @@ import org.keycloak.testsuite.util.FederatedIdentityBuilder; import org.keycloak.testsuite.util.GreenMailRule; import org.keycloak.testsuite.util.IdentityProviderBuilder; import org.keycloak.testsuite.util.RealmBuilder; -import org.keycloak.testsuite.util.TestCleanup; import org.keycloak.testsuite.util.UserBuilder; import javax.ws.rs.ClientErrorException; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPolicyManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPolicyManagementTest.java index e0a4c53460..41f3890f6c 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPolicyManagementTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPolicyManagementTest.java @@ -28,6 +28,8 @@ import java.util.List; import java.util.Set; import java.util.function.Supplier; +import javax.ws.rs.core.Response; + import org.junit.Before; import org.keycloak.admin.client.resource.ClientResource; import org.keycloak.admin.client.resource.ClientsResource; @@ -39,7 +41,6 @@ import org.keycloak.representations.idm.authorization.ResourceRepresentation; import org.keycloak.representations.idm.authorization.ScopeRepresentation; import org.keycloak.representations.idm.authorization.UserPolicyRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; -import org.keycloak.testsuite.util.AdminClientUtil; import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.UserBuilder; @@ -131,7 +132,10 @@ public abstract class AbstractPolicyManagementTest extends AbstractKeycloakTest resources.add(new ResourceRepresentation("Resource B", scopes)); resources.add(new ResourceRepresentation("Resource C", scopes)); - resources.forEach(resource -> getClient().authorization().resources().create(resource)); + resources.forEach(resource -> { + Response response = getClient().authorization().resources().create(resource); + response.close(); + }); } private void createPolicies(RealmResource realm, ClientResource client) throws IOException { @@ -147,7 +151,8 @@ public abstract class AbstractPolicyManagementTest extends AbstractKeycloakTest representation.setName(name); representation.addUser(userId); - client.authorization().policies().user().create(representation); + Response response = client.authorization().policies().user().create(representation); + response.close(); } protected ClientResource getClient() { @@ -161,7 +166,7 @@ public abstract class AbstractPolicyManagementTest extends AbstractKeycloakTest protected RealmResource getRealm() { try { - return AdminClientUtil.createAdminClient().realm("authz-test"); + return adminClient.realm("authz-test"); } catch (Exception cause) { throw new RuntimeException("Failed to create admin client", cause); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ClientPolicyManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ClientPolicyManagementTest.java index 87848d911c..d3613da809 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ClientPolicyManagementTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ClientPolicyManagementTest.java @@ -112,6 +112,7 @@ public class ClientPolicyManagementTest extends AbstractPolicyManagementTest { ClientPoliciesResource policies = authorization.policies().client(); Response response = policies.create(representation); ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class); + response.close(); policies.findById(created.getId()).remove(); @@ -136,6 +137,7 @@ public class ClientPolicyManagementTest extends AbstractPolicyManagementTest { ClientPoliciesResource policies = authorization.policies().client(); Response response = policies.create(representation); ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class); + response.close(); PolicyResource policy = authorization.policies().policy(created.getId()); PolicyRepresentation genericConfig = policy.toRepresentation(); @@ -152,6 +154,7 @@ public class ClientPolicyManagementTest extends AbstractPolicyManagementTest { ClientPoliciesResource permissions = authorization.policies().client(); Response response = permissions.create(representation); ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class); + response.close(); ClientPolicyResource permission = permissions.findById(created.getId()); assertRepresentation(representation, permission); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java index 6db4891238..45a937ce1d 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java @@ -50,7 +50,6 @@ import org.keycloak.representations.idm.authorization.PolicyRepresentation; import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation; import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; -import org.keycloak.testsuite.util.AdminClientUtil; import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.UserBuilder; @@ -140,7 +139,7 @@ public class ConflictingScopePermissionTest extends AbstractKeycloakTest { } private RealmResource getRealm() throws Exception { - return AdminClientUtil.createAdminClient().realm("authz-test"); + return adminClient.realm("authz-test"); } private ClientResource getClient(RealmResource realm) { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/RequireUmaAuthorizationScopeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/RequireUmaAuthorizationScopeTest.java index e2eae3421d..cf54a66a62 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/RequireUmaAuthorizationScopeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/RequireUmaAuthorizationScopeTest.java @@ -24,6 +24,8 @@ import java.io.IOException; import java.util.Arrays; import java.util.List; +import javax.ws.rs.core.Response; + import org.junit.Before; import org.junit.Test; import org.keycloak.admin.client.resource.AuthorizationResource; @@ -43,7 +45,6 @@ import org.keycloak.representations.idm.authorization.JSPolicyRepresentation; import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation; import org.keycloak.representations.idm.authorization.ResourceRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; -import org.keycloak.testsuite.util.AdminClientUtil; import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.RoleBuilder; @@ -77,14 +78,16 @@ public class RequireUmaAuthorizationScopeTest extends AbstractKeycloakTest { AuthorizationResource authorization = client.authorization(); ResourceRepresentation resource = new ResourceRepresentation("Resource A"); - authorization.resources().create(resource); + Response response = authorization.resources().create(resource); + response.close(); JSPolicyRepresentation policy = new JSPolicyRepresentation(); policy.setName("Default Policy"); policy.setCode("$evaluation.grant();"); - authorization.policies().js().create(policy); + response = authorization.policies().js().create(policy); + response.close(); ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation(); @@ -92,7 +95,8 @@ public class RequireUmaAuthorizationScopeTest extends AbstractKeycloakTest { permission.addResource(resource.getName()); permission.addPolicy(policy.getName()); - authorization.permissions().resource().create(permission); + response = authorization.permissions().resource().create(permission); + response.close(); } @Test @@ -140,7 +144,7 @@ public class RequireUmaAuthorizationScopeTest extends AbstractKeycloakTest { } private RealmResource getRealm() throws Exception { - return AdminClientUtil.createAdminClient().realm("authz-test"); + return adminClient.realm("authz-test"); } private ClientResource getClient(RealmResource realm) { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AbstractClusterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AbstractClusterTest.java index 25abe65b22..d5c9ff2d3c 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AbstractClusterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AbstractClusterTest.java @@ -45,6 +45,12 @@ public abstract class AbstractClusterTest extends AbstractKeycloakTest { logFailoverSetup(); } + // Assume that route like "node6" will have corresponding backend container like "auth-server-wildfly-backend6" + protected void setCurrentFailNodeForRoute(String route) { + String routeNumber = route.substring(route.length() - 1); + currentFailNodeIndex = Integer.parseInt(routeNumber) - 1; + } + protected ContainerInfo getCurrentFailNode() { return backendNode(currentFailNodeIndex); } @@ -111,9 +117,13 @@ public abstract class AbstractClusterTest extends AbstractKeycloakTest { } protected Keycloak getAdminClientFor(ContainerInfo node) { - return node.equals(suiteContext.getAuthServerInfo()) - ? adminClient // frontend client - : backendAdminClients.get(node); + Keycloak adminClient = backendAdminClients.get(node); + + if (adminClient == null && node.equals(suiteContext.getAuthServerInfo())) { + adminClient = this.adminClient; + } + + return adminClient; } @Before diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AbstractFailoverClusterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AbstractFailoverClusterTest.java new file mode 100644 index 0000000000..aa65e79628 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AbstractFailoverClusterTest.java @@ -0,0 +1,112 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.cluster; + + +import java.util.List; + +import org.junit.Before; +import org.junit.Test; +import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.testsuite.page.AbstractPage; +import org.keycloak.testsuite.page.PageWithLogOutAction; +import org.openqa.selenium.Cookie; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN; +import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith; +import static org.keycloak.testsuite.util.WaitUtils.pause; + +public abstract class AbstractFailoverClusterTest extends AbstractClusterTest { + + public static final String KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION"; + + public static final Integer SESSION_CACHE_OWNERS = Integer.parseInt(System.getProperty("session.cache.owners", "1")); + public static final Integer OFFLINE_SESSION_CACHE_OWNERS = Integer.parseInt(System.getProperty("offline.session.cache.owners", "1")); + public static final Integer LOGIN_FAILURES_CACHE_OWNERS = Integer.parseInt(System.getProperty("login.failure.cache.owners", "1")); + + public static final Integer REBALANCE_WAIT = Integer.parseInt(System.getProperty("rebalance.wait", "5000")); + + @Override + public void addTestRealms(List testRealms) { + } + + + /** + * failure --> failback --> failure of next node + */ + protected void switchFailedNode() { + assertFalse(controller.isStarted(getCurrentFailNode().getQualifier())); + + failback(); + pause(REBALANCE_WAIT); + + iterateCurrentFailNode(); + + failure(); + pause(REBALANCE_WAIT); + + assertFalse(controller.isStarted(getCurrentFailNode().getQualifier())); + } + + protected Cookie login(AbstractPage targetPage) { + targetPage.navigateTo(); + assertCurrentUrlStartsWith(loginPage); + loginPage.form().login(ADMIN, ADMIN); + assertCurrentUrlStartsWith(targetPage); + Cookie sessionCookie = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE); + assertNotNull(sessionCookie); + return sessionCookie; + } + + protected void logout(AbstractPage targetPage) { + if (!(targetPage instanceof PageWithLogOutAction)) { + throw new IllegalArgumentException(targetPage.getClass().getSimpleName() + " must implement PageWithLogOutAction interface"); + } + targetPage.navigateTo(); + assertCurrentUrlStartsWith(targetPage); + ((PageWithLogOutAction) targetPage).logOut(); + } + + protected Cookie verifyLoggedIn(AbstractPage targetPage, Cookie sessionCookieForVerification) { + // verify on realm path + masterRealmPage.navigateTo(); + Cookie sessionCookieOnRealmPath = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE); + assertNotNull(sessionCookieOnRealmPath); + assertEquals(sessionCookieOnRealmPath.getValue(), sessionCookieForVerification.getValue()); + // verify on target page + targetPage.navigateTo(); + assertCurrentUrlStartsWith(targetPage); + Cookie sessionCookie = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE); + assertNotNull(sessionCookie); + assertEquals(sessionCookie.getValue(), sessionCookieForVerification.getValue()); + return sessionCookie; + } + + protected void verifyLoggedOut(AbstractPage targetPage) { + // verify on target page + targetPage.navigateTo(); + driver.navigate().refresh(); + assertCurrentUrlStartsWith(loginPage); + Cookie sessionCookie = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE); + assertNull(sessionCookie); + } +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AuthenticationSessionFailoverClusterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AuthenticationSessionFailoverClusterTest.java new file mode 100644 index 0000000000..c1811f95ff --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/AuthenticationSessionFailoverClusterTest.java @@ -0,0 +1,171 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.cluster; + +import java.io.IOException; +import java.util.List; + +import javax.mail.MessagingException; + +import org.jboss.arquillian.graphene.page.Page; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.keycloak.models.UserModel; +import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.representations.idm.UserRepresentation; +import org.keycloak.services.managers.AuthenticationSessionManager; +import org.keycloak.testsuite.AbstractKeycloakTest; +import org.keycloak.testsuite.Assert; +import org.keycloak.testsuite.admin.ApiUtil; +import org.keycloak.testsuite.pages.AppPage; +import org.keycloak.testsuite.pages.LoginPage; +import org.keycloak.testsuite.pages.LoginPasswordUpdatePage; +import org.keycloak.testsuite.pages.LoginUpdateProfilePage; +import org.keycloak.testsuite.util.UserBuilder; +import org.openqa.selenium.Cookie; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; +import static org.keycloak.testsuite.util.WaitUtils.pause; + +/** + * @author Marek Posolda + */ +public class AuthenticationSessionFailoverClusterTest extends AbstractFailoverClusterTest { + + private String userId; + + @Page + protected LoginPage loginPage; + + @Page + protected LoginPasswordUpdatePage updatePasswordPage; + + + @Page + protected LoginUpdateProfilePage updateProfilePage; + + @Page + protected AppPage appPage; + + + @Before + public void setup() { + try { + adminClient.realm("test").remove(); + } catch (Exception ignore) { + } + + RealmRepresentation testRealm = loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class); + adminClient.realms().create(testRealm); + + UserRepresentation user = UserBuilder.create() + .username("login-test") + .email("login@test.com") + .enabled(true) + .requiredAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString()) + .requiredAction(UserModel.RequiredAction.UPDATE_PROFILE.toString()) + .build(); + + userId = ApiUtil.createUserAndResetPasswordWithAdminClient(adminClient.realm("test"), user, "password"); + getCleanup().addUserId(userId); + + oauth.clientId("test-app"); + } + + @After + public void after() { + adminClient.realm("test").remove(); + } + + + @Test + public void failoverDuringAuthentication() throws Exception { + + boolean expectSuccessfulFailover = SESSION_CACHE_OWNERS >= 2; + + log.info("AUTHENTICATION FAILOVER TEST: cluster size = " + getClusterSize() + ", session-cache owners = " + SESSION_CACHE_OWNERS + + " --> Testsing for " + (expectSuccessfulFailover ? "" : "UN") + "SUCCESSFUL session failover."); + + assertEquals(2, getClusterSize()); + + failoverTest(expectSuccessfulFailover); + } + + + protected void failoverTest(boolean expectSuccessfulFailover) throws IOException, MessagingException { + loginPage.open(); + + String cookieValue1 = getAuthSessionCookieValue(); + + // Login and assert on "updatePassword" page + loginPage.login("login-test", "password"); + updatePasswordPage.assertCurrent(); + + // Route didn't change + Assert.assertEquals(cookieValue1, getAuthSessionCookieValue()); + + log.info("Authentication session cookie: " + cookieValue1); + + setCurrentFailNodeForRoute(cookieValue1); + + failure(); + pause(REBALANCE_WAIT); + logFailoverSetup(); + + // Trigger the action now + updatePasswordPage.changePassword("password", "password"); + + if (expectSuccessfulFailover) { + //Action was successful + updateProfilePage.assertCurrent(); + + String cookieValue2 = getAuthSessionCookieValue(); + + log.info("Authentication session cookie after failover: " + cookieValue2); + + // Cookie was moved to the second node + Assert.assertEquals(cookieValue1.substring(0, 36), cookieValue2.substring(0, 36)); + Assert.assertNotEquals(cookieValue1, cookieValue2); + + } else { + loginPage.assertCurrent(); + String error = loginPage.getError(); + log.info("Failover not successful as expected. Error on login page: " + error); + Assert.assertNotNull(error); + + loginPage.login("login-test", "password"); + updatePasswordPage.changePassword("password", "password"); + } + + + updateProfilePage.assertCurrent(); + + // Successfully update profile and assert user logged + updateProfilePage.update("John", "Doe3", "john@doe3.com"); + appPage.assertCurrent(); + } + + private String getAuthSessionCookieValue() { + Cookie authSessionCookie = driver.manage().getCookieNamed(AuthenticationSessionManager.AUTH_SESSION_ID); + Assert.assertNotNull(authSessionCookie); + return authSessionCookie.getValue(); + } +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/SessionFailoverClusterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/SessionFailoverClusterTest.java index ca9417982e..74d9776d2a 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/SessionFailoverClusterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cluster/SessionFailoverClusterTest.java @@ -2,38 +2,16 @@ package org.keycloak.testsuite.cluster; import org.junit.Before; import org.junit.Test; -import org.keycloak.representations.idm.RealmRepresentation; -import org.keycloak.testsuite.page.AbstractPage; -import org.keycloak.testsuite.page.PageWithLogOutAction; import org.openqa.selenium.Cookie; -import java.util.List; - import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; -import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN; -import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith; import static org.keycloak.testsuite.util.WaitUtils.pause; /** * * @author tkyjovsk */ -public class SessionFailoverClusterTest extends AbstractClusterTest { - - public static final String KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION"; - - public static final Integer SESSION_CACHE_OWNERS = Integer.parseInt(System.getProperty("session.cache.owners", "1")); - public static final Integer OFFLINE_SESSION_CACHE_OWNERS = Integer.parseInt(System.getProperty("offline.session.cache.owners", "1")); - public static final Integer LOGIN_FAILURES_CACHE_OWNERS = Integer.parseInt(System.getProperty("login.failure.cache.owners", "1")); - - public static final Integer REBALANCE_WAIT = Integer.parseInt(System.getProperty("rebalance.wait", "5000")); - - @Override - public void addTestRealms(List testRealms) { - } +public class SessionFailoverClusterTest extends AbstractFailoverClusterTest { @Before public void beforeSessionFailover() { @@ -45,7 +23,7 @@ public class SessionFailoverClusterTest extends AbstractClusterTest { @Test public void sessionFailover() { - boolean expectSuccessfulFailover = SESSION_CACHE_OWNERS >= getClusterSize(); + boolean expectSuccessfulFailover = SESSION_CACHE_OWNERS >= 2; log.info("SESSION FAILOVER TEST: cluster size = " + getClusterSize() + ", session-cache owners = " + SESSION_CACHE_OWNERS + " --> Testsing for " + (expectSuccessfulFailover ? "" : "UN") + "SUCCESSFUL session failover."); @@ -91,64 +69,4 @@ public class SessionFailoverClusterTest extends AbstractClusterTest { } - /** - * failure --> failback --> failure of next node - */ - protected void switchFailedNode() { - assertFalse(controller.isStarted(getCurrentFailNode().getQualifier())); - - failback(); - pause(REBALANCE_WAIT); - - iterateCurrentFailNode(); - - failure(); - pause(REBALANCE_WAIT); - - assertFalse(controller.isStarted(getCurrentFailNode().getQualifier())); - } - - protected Cookie login(AbstractPage targetPage) { - targetPage.navigateTo(); - assertCurrentUrlStartsWith(loginPage); - loginPage.form().login(ADMIN, ADMIN); - assertCurrentUrlStartsWith(targetPage); - Cookie sessionCookie = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE); - assertNotNull(sessionCookie); - return sessionCookie; - } - - protected void logout(AbstractPage targetPage) { - if (!(targetPage instanceof PageWithLogOutAction)) { - throw new IllegalArgumentException(targetPage.getClass().getSimpleName() + " must implement PageWithLogOutAction interface"); - } - targetPage.navigateTo(); - assertCurrentUrlStartsWith(targetPage); - ((PageWithLogOutAction) targetPage).logOut(); - } - - protected Cookie verifyLoggedIn(AbstractPage targetPage, Cookie sessionCookieForVerification) { - // verify on realm path - masterRealmPage.navigateTo(); - Cookie sessionCookieOnRealmPath = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE); - assertNotNull(sessionCookieOnRealmPath); - assertEquals(sessionCookieOnRealmPath.getValue(), sessionCookieForVerification.getValue()); - // verify on target page - targetPage.navigateTo(); - assertCurrentUrlStartsWith(targetPage); - Cookie sessionCookie = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE); - assertNotNull(sessionCookie); - assertEquals(sessionCookie.getValue(), sessionCookieForVerification.getValue()); - return sessionCookie; - } - - protected void verifyLoggedOut(AbstractPage targetPage) { - // verify on target page - targetPage.navigateTo(); - driver.navigate().refresh(); - assertCurrentUrlStartsWith(loginPage); - Cookie sessionCookie = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE); - assertNull(sessionCookie); - } - } diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json b/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json index c6da264a53..d0388777c1 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json @@ -108,8 +108,9 @@ "connectionsInfinispan": { "default": { "clustered": "${keycloak.connectionsInfinispan.clustered:false}", - "async": "${keycloak.connectionsInfinispan.async:true}", - "sessionsOwners": "${keycloak.connectionsInfinispan.sessionsOwners:2}", + "async": "${keycloak.connectionsInfinispan.async:false}", + "sessionsOwners": "${keycloak.connectionsInfinispan.sessionsOwners:1}", + "l1Lifespan": "${keycloak.connectionsInfinispan.l1Lifespan:600000}", "remoteStoreEnabled": "${keycloak.connectionsInfinispan.remoteStoreEnabled:false}", "remoteStoreHost": "${keycloak.connectionsInfinispan.remoteStoreHost:localhost}", "remoteStorePort": "${keycloak.connectionsInfinispan.remoteStorePort:11222}" diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml b/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml index e01a4d5fb4..6bc040f683 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml @@ -53,6 +53,7 @@ localhost org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow ${auth.server.http.port} + ${undertow.remote} @@ -90,7 +91,7 @@ ${auth.server.backend1.home} standalone-ha.xml - -Djboss.socket.binding.port-offset=${auth.server.backend1.port.offset} + -Djboss.socket.binding.port-offset=${auth.server.backend1.port.offset} -Djboss.node.name=node1 ${adapter.test.props} ${auth.server.profile} @@ -127,6 +128,43 @@ + + + + + ${auth.server.undertow.cluster} + org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow + localhost + ${auth.server.http.port} + 1 + node1 + ${undertow.remote} + + + + + ${auth.server.undertow.cluster} + org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow + localhost + ${auth.server.http.port} + 2 + node2 + ${undertow.remote} + + + + + + ${auth.server.undertow.cluster} + org.keycloak.testsuite.arquillian.undertow.lb.SimpleUndertowLoadBalancerContainer + localhost + ${auth.server.http.port} + node1=http://localhost:8181,node2=http://localhost:8182 + + + + + ${auth.server.cluster} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/KeycloakServer.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/KeycloakServer.java index 0ebc095802..8c38363db5 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/KeycloakServer.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/KeycloakServer.java @@ -27,6 +27,7 @@ import org.jboss.logging.Logger; import org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher; import org.jboss.resteasy.plugins.server.undertow.UndertowJaxrsServer; import org.jboss.resteasy.spi.ResteasyDeployment; +import org.keycloak.connections.infinispan.InfinispanConnectionProvider; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.RealmModel; @@ -37,12 +38,15 @@ import org.keycloak.services.managers.RealmManager; import org.keycloak.services.resources.KeycloakApplication; import org.keycloak.testsuite.util.cli.TestsuiteCLI; import org.keycloak.util.JsonSerialization; +import org.mvel2.util.Make; import javax.servlet.DispatcherType; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; +import java.util.HashMap; +import java.util.Map; import java.util.Properties; /** @@ -187,6 +191,8 @@ public class KeycloakServer { config.setWorkerThreads(undertowWorkerThreads); } + detectNodeName(config); + final KeycloakServer keycloak = new KeycloakServer(config); keycloak.sysout = true; keycloak.start(); @@ -369,4 +375,24 @@ public class KeycloakServer { return new File(s.toString()); } + + private static void detectNodeName(KeycloakServerConfig config) { + String nodeName = System.getProperty(InfinispanConnectionProvider.JBOSS_NODE_NAME); + if (nodeName == null) { + // Try to autodetect "jboss.node.name" from the port + Map nodesCfg = new HashMap<>(); + nodesCfg.put(8181, "node1"); + nodesCfg.put(8182, "node2"); + + nodeName = nodesCfg.get(config.getPort()); + if (nodeName != null) { + System.setProperty(InfinispanConnectionProvider.JBOSS_NODE_NAME, nodeName); + } + } + + if (nodeName != null) { + log.infof("Node name: %s", nodeName); + } + } + } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java index ba7bb65694..acf775c313 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractFirstBrokerLoginTest.java @@ -346,7 +346,7 @@ public abstract class AbstractFirstBrokerLoginTest extends AbstractIdentityProvi driver.navigate().to(linkFromMail.trim()); infoPage.assertCurrent(); - Assert.assertThat(infoPage.getInfo(), startsWith("Your account was successfully linked with " + getProviderId() + " account pedroigor")); + Assert.assertThat(infoPage.getInfo(), startsWith("You successfully verified your email. Please go back to your original browser and continue there with the login.")); } /** @@ -384,15 +384,13 @@ public abstract class AbstractFirstBrokerLoginTest extends AbstractIdentityProvi // authenticated, but not redirected to app. Just seeing info page. infoPage2.assertCurrent(); - Assert.assertThat(infoPage2.getInfo(), startsWith("Your account was successfully linked with " + getProviderId() + " account pedroigor")); + Assert.assertThat(infoPage2.getInfo(), startsWith("You successfully verified your email. Please go back to your original browser and continue there with the login.")); } finally { // Revert everything webRule2.after(); } - driver.navigate().refresh(); - this.loginExpiredPage.assertCurrent(); - this.loginExpiredPage.clickLoginContinueLink(); + this.idpLinkEmailPage.clickContinueFlowLink(); // authenticated and redirected to app. User is linked with identity provider assertFederatedUser("pedroigor", "psilva@redhat.com", "pedroigor"); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/IdpLinkEmailPage.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/IdpLinkEmailPage.java index 22eb1560ba..e6bb66004b 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/IdpLinkEmailPage.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/IdpLinkEmailPage.java @@ -31,6 +31,9 @@ public class IdpLinkEmailPage extends AbstractPage { @FindBy(linkText = "Click here") private WebElement resendEmailLink; + @FindBy(linkText = "Click here") // Actually same link like "resendEmailLink" + private WebElement continueFlowLink; + @Override public boolean isCurrent() { return driver.getTitle().startsWith("Link "); @@ -40,8 +43,8 @@ public class IdpLinkEmailPage extends AbstractPage { resendEmailLink.click(); } - public String getResendEmailLink() { - return resendEmailLink.getAttribute("href"); + public void clickContinueFlowLink() { + continueFlowLink.click(); } @Override diff --git a/testsuite/integration/src/test/resources/META-INF/keycloak-server.json b/testsuite/integration/src/test/resources/META-INF/keycloak-server.json index c463347de9..fc695d420e 100755 --- a/testsuite/integration/src/test/resources/META-INF/keycloak-server.json +++ b/testsuite/integration/src/test/resources/META-INF/keycloak-server.json @@ -90,7 +90,7 @@ "sessionsOwners": "${keycloak.connectionsInfinispan.sessionsOwners:1}", "l1Lifespan": "${keycloak.connectionsInfinispan.l1Lifespan:600000}", "remoteStoreEnabled": "${keycloak.connectionsInfinispan.remoteStoreEnabled:false}", - "remoteStoreHost": "${keycloak.connectionsInfinispan.remoteStoreHost:localhost}", + "remoteStoreHost": "${keycloak.connectionsjen neInfinispan.remoteStoreHost:localhost}", "remoteStorePort": "${keycloak.connectionsInfinispan.remoteStorePort:11222}" } }, diff --git a/testsuite/integration/src/test/resources/log4j.properties b/testsuite/integration/src/test/resources/log4j.properties index 4ba41afdce..dcff0ec3a0 100755 --- a/testsuite/integration/src/test/resources/log4j.properties +++ b/testsuite/integration/src/test/resources/log4j.properties @@ -83,3 +83,5 @@ log4j.logger.org.apache.directory.server.ldap.LdapProtocolHandler=error log4j.logger.org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator=trace log4j.logger.org.keycloak.services.resources.IdentityBrokerService=trace log4j.logger.org.keycloak.broker=trace + +# log4j.logger.io.undertow=trace diff --git a/themes/src/main/resources/theme/base/login/login-idp-link-email.ftl b/themes/src/main/resources/theme/base/login/login-idp-link-email.ftl index 9cca544ae7..1dbd43d50c 100644 --- a/themes/src/main/resources/theme/base/login/login-idp-link-email.ftl +++ b/themes/src/main/resources/theme/base/login/login-idp-link-email.ftl @@ -11,5 +11,8 @@

    ${msg("emailLinkIdp2")} ${msg("doClickHere")} ${msg("emailLinkIdp3")}

    +

    + ${msg("emailLinkIdp4")} ${msg("doClickHere")} ${msg("emailLinkIdp5")} +

    \ No newline at end of file diff --git a/themes/src/main/resources/theme/base/login/messages/messages_en.properties b/themes/src/main/resources/theme/base/login/messages/messages_en.properties index 3d55559341..cf262361b7 100755 --- a/themes/src/main/resources/theme/base/login/messages/messages_en.properties +++ b/themes/src/main/resources/theme/base/login/messages/messages_en.properties @@ -83,6 +83,8 @@ emailLinkIdpTitle=Link {0} emailLinkIdp1=An email with instructions to link {0} account {1} with your {2} account has been sent to you. emailLinkIdp2=Haven''t received a verification code in your email? emailLinkIdp3=to re-send the email. +emailLinkIdp4=If you already verified the email in different browser +emailLinkIdp5=to continue. backToLogin=« Back to Login @@ -208,7 +210,7 @@ sessionNotActiveMessage=Session not active. invalidCodeMessage=An error occurred, please login again through your application. identityProviderUnexpectedErrorMessage=Unexpected error when authenticating with identity provider identityProviderNotFoundMessage=Could not find an identity provider with the identifier. -identityProviderLinkSuccess=Your account was successfully linked with {0} account {1} . +identityProviderLinkSuccess=You successfully verified your email. Please go back to your original browser and continue there with the login. staleCodeMessage=This page is no longer valid, please go back to your application and login again realmSupportsNoCredentialsMessage=Realm does not support any credential type. identityProviderNotUniqueMessage=Realm supports multiple identity providers. Could not determine which identity provider should be used to authenticate with. From cc6a5419de15f1a1c31ebf2a05f8d6cafccfe3df Mon Sep 17 00:00:00 2001 From: vramik Date: Fri, 12 May 2017 13:22:33 +0200 Subject: [PATCH 13/30] KEYCLOAK-4827 Add tests for concurrent use of user session in cache --- .../concurrency/AbstractConcurrencyTest.java | 104 ++++++++ .../{ => concurrency}/ConcurrencyTest.java | 83 +----- .../concurrency/ConcurrentLoginTest.java | 239 ++++++++++++++++++ 3 files changed, 346 insertions(+), 80 deletions(-) create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/AbstractConcurrencyTest.java rename testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/{ => concurrency}/ConcurrencyTest.java (74%) create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/AbstractConcurrencyTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/AbstractConcurrencyTest.java new file mode 100644 index 0000000000..86526b9ac5 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/AbstractConcurrencyTest.java @@ -0,0 +1,104 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.admin.concurrency; + +import org.keycloak.admin.client.Keycloak; +import org.keycloak.admin.client.resource.RealmResource; +import java.util.LinkedList; +import java.util.List; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.atomic.AtomicReference; +import java.util.concurrent.locks.Lock; +import java.util.concurrent.locks.ReentrantLock; +import org.keycloak.testsuite.admin.AbstractAdminTest; + + +/** + * @author Stian Thorgersen + */ +public abstract class AbstractConcurrencyTest extends AbstractAdminTest { + + private static final int DEFAULT_THREADS = 5; + private static final int DEFAULT_ITERATIONS = 20; + + // If enabled only one request is allowed at the time. Useful for checking that test is working. + private static final boolean SYNCHRONIZED = false; + + protected void run(final KeycloakRunnable runnable) throws Throwable { + run(runnable, DEFAULT_THREADS, DEFAULT_ITERATIONS); + } + + protected void run(final KeycloakRunnable runnable, final int numThreads, final int numIterationsPerThread) throws Throwable { + final CountDownLatch latch = new CountDownLatch(numThreads); + final AtomicReference failed = new AtomicReference(); + final List threads = new LinkedList<>(); + final Lock lock = SYNCHRONIZED ? new ReentrantLock() : null; + + for (int t = 0; t < numThreads; t++) { + final int threadNum = t; + Thread thread = new Thread() { + @Override + public void run() { + Keycloak keycloak = null; + try { + if (lock != null) { + lock.lock(); + } + + keycloak = Keycloak.getInstance(getAuthServerRoot().toString(), "master", "admin", "admin", org.keycloak.models.Constants.ADMIN_CLI_CLIENT_ID); + RealmResource realm = keycloak.realm(REALM_NAME); + for (int i = 0; i < numIterationsPerThread && latch.getCount() > 0; i++) { + log.infov("thread {0}, iteration {1}", threadNum, i); + runnable.run(keycloak, realm, threadNum, i); + } + latch.countDown(); + } catch (Throwable t) { + failed.compareAndSet(null, t); + while (latch.getCount() > 0) { + latch.countDown(); + } + } finally { + keycloak.close(); + if (lock != null) { + lock.unlock(); + } + } + } + }; + thread.start(); + threads.add(thread); + } + + latch.await(); + + for (Thread t : threads) { + t.join(); + } + + if (failed.get() != null) { + throw failed.get(); + } + } + + protected interface KeycloakRunnable { + + void run(Keycloak keycloak, RealmResource realm, int threadNum, int iterationNum); + + } + +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ConcurrencyTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrencyTest.java similarity index 74% rename from testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ConcurrencyTest.java rename to testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrencyTest.java index 583ec1b2e5..a2f440932e 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ConcurrencyTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrencyTest.java @@ -15,9 +15,8 @@ * limitations under the License. */ -package org.keycloak.testsuite.admin; +package org.keycloak.testsuite.admin.concurrency; -import org.jboss.logging.Logger; import org.junit.Assert; import org.junit.Ignore; import org.junit.Test; @@ -30,12 +29,7 @@ import org.keycloak.representations.idm.RoleRepresentation; import javax.ws.rs.NotFoundException; import javax.ws.rs.core.Response; -import java.util.LinkedList; -import java.util.List; -import java.util.concurrent.CountDownLatch; -import java.util.concurrent.atomic.AtomicReference; -import java.util.concurrent.locks.Lock; -import java.util.concurrent.locks.ReentrantLock; +import org.keycloak.testsuite.admin.ApiUtil; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.fail; @@ -43,15 +37,7 @@ import static org.junit.Assert.fail; /** * @author Stian Thorgersen */ -public class ConcurrencyTest extends AbstractAdminTest { - - private static final Logger log = Logger.getLogger(ConcurrencyTest.class); - - private static final int DEFAULT_THREADS = 5; - private static final int DEFAULT_ITERATIONS = 20; - - // If enabled only one request is allowed at the time. Useful for checking that test is working. - private static final boolean SYNCHRONIZED = false; +public class ConcurrencyTest extends AbstractConcurrencyTest { boolean passedCreateClient = false; boolean passedCreateRole = false; @@ -252,67 +238,4 @@ public class ConcurrencyTest extends AbstractAdminTest { System.out.println("*********************************************"); } - - private void run(final KeycloakRunnable runnable) throws Throwable { - run(runnable, DEFAULT_THREADS, DEFAULT_ITERATIONS); - } - - private void run(final KeycloakRunnable runnable, final int numThreads, final int numIterationsPerThread) throws Throwable { - final CountDownLatch latch = new CountDownLatch(numThreads); - final AtomicReference failed = new AtomicReference(); - final List threads = new LinkedList<>(); - final Lock lock = SYNCHRONIZED ? new ReentrantLock() : null; - - for (int t = 0; t < numThreads; t++) { - final int threadNum = t; - Thread thread = new Thread() { - @Override - public void run() { - Keycloak keycloak = null; - try { - if (lock != null) { - lock.lock(); - } - - keycloak = Keycloak.getInstance(getAuthServerRoot().toString(), "master", "admin", "admin", org.keycloak.models.Constants.ADMIN_CLI_CLIENT_ID); - RealmResource realm = keycloak.realm(REALM_NAME); - for (int i = 0; i < numIterationsPerThread && latch.getCount() > 0; i++) { - log.infov("thread {0}, iteration {1}", threadNum, i); - runnable.run(keycloak, realm, threadNum, i); - } - latch.countDown(); - } catch (Throwable t) { - failed.compareAndSet(null, t); - while (latch.getCount() > 0) { - latch.countDown(); - } - } finally { - keycloak.close(); - if (lock != null) { - lock.unlock(); - } - } - } - }; - thread.start(); - threads.add(thread); - } - - latch.await(); - - for (Thread t : threads) { - t.join(); - } - - if (failed.get() != null) { - throw failed.get(); - } - } - - interface KeycloakRunnable { - - void run(Keycloak keycloak, RealmResource realm, int threadNum, int iterationNum); - - } - } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java new file mode 100644 index 0000000000..ade3995369 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java @@ -0,0 +1,239 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.admin.concurrency; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.UnsupportedEncodingException; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import javax.ws.rs.core.Response; +import org.apache.http.NameValuePair; +import org.apache.http.client.entity.UrlEncodedFormEntity; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpGet; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.client.protocol.HttpClientContext; +import org.apache.http.client.utils.URLEncodedUtils; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.impl.client.LaxRedirectStrategy; +import org.apache.http.message.BasicNameValuePair; +import org.apache.http.util.EntityUtils; +import org.jsoup.Jsoup; +import org.jsoup.nodes.Element; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.keycloak.OAuth2Constants; +import org.keycloak.admin.client.Keycloak; +import org.keycloak.admin.client.resource.RealmResource; +import org.keycloak.representations.idm.ClientRepresentation; +import org.keycloak.testsuite.util.OAuthClient; + + + +/** + * @author Vlastislav Ramik + */ +public class ConcurrentLoginTest extends AbstractConcurrencyTest { + + private static final int DEFAULT_THREADS = 10; + private static final int DEFAULT_ITERATIONS = 20; + private static final int CLIENTS_PER_THREAD = 10; + private static final int DEFAULT_CLIENTS_COUNT = CLIENTS_PER_THREAD * DEFAULT_THREADS; + + @Before + public void beforeTest() { + for (int i = 0; i < DEFAULT_CLIENTS_COUNT; i++) { + ClientRepresentation client = new ClientRepresentation(); + client.setClientId("client" + i); + client.setDirectAccessGrantsEnabled(true); + client.setRedirectUris(Arrays.asList("http://localhost:8180/auth/realms/master/app/*")); + client.setWebOrigins(Arrays.asList("http://localhost:8180")); + client.setSecret("password"); + + log.debug("creating " + client.getClientId()); + Response create = adminClient.realm("test").clients().create(client); + Assert.assertEquals(Response.Status.CREATED, create.getStatusInfo()); + create.close(); + } + log.debug("clients created"); + } + + @Override + protected void run(final KeycloakRunnable runnable) throws Throwable { + run(runnable, DEFAULT_THREADS, DEFAULT_ITERATIONS); + } + + @Test + public void concurrentLogin() throws Throwable { + System.out.println("*********************************************"); + long start = System.currentTimeMillis(); + + try (CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) { + + HttpUriRequest request = handleLogin(getPageContent(oauth.getLoginFormUrl(), httpClient, null), "test-user@localhost", "password"); + + log.debug("Executing login request"); + + Assert.assertTrue(parseAndCloseResponse(httpClient.execute(request)).contains("AUTH_RESPONSE")); + + run(new KeycloakRunnable() { + @Override + public void run(Keycloak keycloak, RealmResource realm, int threadNum, int iterationNum) { + OAuthClient oauth = new OAuthClient(); + oauth.init(adminClient, driver); + + int startIndex = CLIENTS_PER_THREAD * threadNum; + for (int i = startIndex; i < startIndex + CLIENTS_PER_THREAD; i++) { + oauth.clientId("client" + i); + log.trace("Accessing login page for " + oauth.getClientId() + " threat " + threadNum + " iteration " + iterationNum); + try { + final HttpClientContext context = HttpClientContext.create(); + + String pageContent = getPageContent(oauth.getLoginFormUrl(), httpClient, context); + String currentUrl = context.getRedirectLocations().get(0).toString(); + + Assert.assertTrue(pageContent.contains("AUTH_RESPONSE")); + + String code = getQueryFromUrl(currentUrl).get(OAuth2Constants.CODE); + OAuthClient.AccessTokenResponse accessRes = oauth.doAccessTokenRequest(code, "password"); + Assert.assertEquals("AccessTokenResponse: error: '" + accessRes.getError() + "' desc: '" + accessRes.getErrorDescription() + "'", + 200, accessRes.getStatusCode()); + + OAuthClient.AccessTokenResponse refreshRes = oauth.doRefreshTokenRequest(accessRes.getRefreshToken(), "password"); + Assert.assertEquals("AccessTokenResponse: error: '" + refreshRes.getError() + "' desc: '" + refreshRes.getErrorDescription() + "'", + 200, refreshRes.getStatusCode()); + } catch (Exception ex) { + throw new RuntimeException(ex); + } + } + } + }); + } + + long end = System.currentTimeMillis() - start; + System.out.println("concurrentLogin took " + (end/1000) + "s"); + System.out.println("*********************************************"); + } + + private String getPageContent(String url, CloseableHttpClient httpClient, HttpClientContext context) throws Exception { + + HttpGet request = new HttpGet(url); + + request.setHeader("User-Agent", "Mozilla/5.0"); + request.setHeader("Accept", + "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); + request.setHeader("Accept-Language", "en-US,en;q=0.5"); + + if (context != null) { + return parseAndCloseResponse(httpClient.execute(request, context)); + } else { + return parseAndCloseResponse(httpClient.execute(request)); + } + + } + + private String parseAndCloseResponse(CloseableHttpResponse response) throws UnsupportedOperationException, IOException { + try { + int responseCode = response.getStatusLine().getStatusCode(); + if (responseCode != 200) { + log.debug("Response Code : " + responseCode); + } + BufferedReader rd = new BufferedReader( + new InputStreamReader(response.getEntity().getContent())); + StringBuilder result = new StringBuilder(); + String line; + while ((line = rd.readLine()) != null) { + result.append(line); + } + if (responseCode != 200) { + log.debug(result.toString()); + } + return result.toString(); + } catch (IOException | UnsupportedOperationException ex) { + throw new RuntimeException(ex); + } finally { + if (response != null) { + EntityUtils.consumeQuietly(response.getEntity()); + try { + response.close(); + } catch (IOException ex) { } + } + } + } + + private HttpUriRequest handleLogin(String html, String username, String password) throws UnsupportedEncodingException { + + System.out.println("Extracting form's data..."); + + // Keycloak form id + Element loginform = Jsoup.parse(html).getElementById("kc-form-login"); + String method = loginform.attr("method"); + String action = loginform.attr("action"); + + List paramList = new ArrayList<>(); + + for (Element inputElement : loginform.getElementsByTag("input")) { + String key = inputElement.attr("name"); + + if (key.equals("username")) { + paramList.add(new BasicNameValuePair(key, username)); + } else if (key.equals("password")) { + paramList.add(new BasicNameValuePair(key, password)); + } + } + + boolean isPost = method != null && "post".equalsIgnoreCase(method); + + if (isPost) { + HttpPost req = new HttpPost(action); + + UrlEncodedFormEntity formEntity; + try { + formEntity = new UrlEncodedFormEntity(paramList, "UTF-8"); + } catch (UnsupportedEncodingException e) { + throw new RuntimeException(e); + } + req.setEntity(formEntity); + + return req; + } else { + throw new UnsupportedOperationException("not supported yet!"); + } + } + + private Map getQueryFromUrl(String url) throws URISyntaxException { + Map m = new HashMap<>(); + List pairs = URLEncodedUtils.parse(new URI(url), "UTF-8"); + for (NameValuePair p : pairs) { + m.put(p.getName(), p.getValue()); + } + return m; + } + + +} \ No newline at end of file From c178a2392d6d3b03b1508aa9a53bbc05b5c31d1e Mon Sep 17 00:00:00 2001 From: mposolda Date: Wed, 17 May 2017 14:48:39 +0200 Subject: [PATCH 14/30] KEYCLOAK-4907 Fix postgresql and mssql. Fix migration --- .../content/bin/migrate-domain-clustered.cli | 26 +++++++++++++++ .../content/bin/migrate-domain-standalone.cli | 18 +++++++++++ .../content/bin/migrate-standalone-ha.cli | 27 ++++++++++++++++ .../content/bin/migrate-standalone.cli | 18 +++++++++++ .../META-INF/jpa-changelog-3.2.0.xml | 2 +- ...tentAuthenticatedClientSessionAdapter.java | 32 +++++++++++++++++++ .../session/PersistentUserSessionAdapter.java | 26 +++++++++++---- .../src/test/resources/log4j.properties | 4 ++- 8 files changed, 145 insertions(+), 8 deletions(-) diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli index def555ec91..0f477458de 100644 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli @@ -199,4 +199,30 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled = echo end-if +# Migrate from 3.0.0 to 3.2.0 +if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:read-resource + echo Adding distributed-cache=authenticationSessions to keycloak cache container... + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:add(mode=SYNC,owners=1) + echo +end-if + +if (outcome == failed) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:read-resource + echo Adding local-cache=actionTokens to keycloak cache container... + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:add(indexing=NONE,start=LAZY) + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=strategy,value=NONE) + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=max-entries,value=-1) + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=interval,value=300000) + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=max-idle,value=-1) + echo +end-if + +if (outcome == success) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource + echo Replacing distributed-cache=authorization with local-cache=authorization + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:remove + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/:add + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=strategy,value=LRU) + /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=max-entries,value=10000) + echo +end-if + echo *** End Migration of /profile=$clusteredProfile *** \ No newline at end of file diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli index 4547b2ac8b..fc01c29cc1 100644 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli @@ -187,4 +187,22 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled = echo end-if + +# Migrate from 3.0.0 to 3.2.0 +if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:read-resource + echo Adding local-cache=authenticationSessions to keycloak cache container... + /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:add(indexing=NONE,start=LAZY) + echo +end-if + +if (outcome == failed) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:read-resource + echo Adding local-cache=actionTokens to keycloak cache container... + /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:add(indexing=NONE,start=LAZY) + /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=strategy,value=NONE) + /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=max-entries,value=-1) + /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=interval,value=300000) + /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=max-idle,value=-1) + echo +end-if + echo *** End Migration of /profile=$standaloneProfile *** \ No newline at end of file diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli index 65b6ef96ec..4d5fac67db 100644 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli @@ -203,4 +203,31 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled = /subsystem=keycloak-server/spi=connectionsInfinispan/:write-attribute(name=default-provider,value=default) echo end-if + +# Migrate from 3.0.0 to 3.2.0 +if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:read-resource + echo Adding distributed-cache=authenticationSessions to keycloak cache container... + /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions/:add(mode=SYNC,owners=1) + echo +end-if + +if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:read-resource + echo Adding local-cache=actionTokens to keycloak cache container... + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:add(indexing=NONE,start=LAZY) + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=strategy,value=NONE) + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=max-entries,value=-1) + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=interval,value=300000) + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=max-idle,value=-1) + echo +end-if + +if (outcome == success) of /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:read-resource + echo Replacing distributed-cache=authorization with local-cache=authorization + /subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization/:remove + /subsystem=infinispan/cache-container=keycloak/local-cache=authorization/:add + /subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=strategy,value=LRU) + /subsystem=infinispan/cache-container=keycloak/local-cache=authorization/component=eviction/:write-attribute(name=max-entries,value=10000) + echo +end-if + echo *** End Migration *** \ No newline at end of file diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli index 3e0515deed..517759f3bb 100644 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli @@ -195,4 +195,22 @@ if ((result.default-provider == undefined) && (result.provider.default.enabled = echo end-if + +# Migrate from 3.0.0 to 3.2.0 +if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:read-resource + echo Adding local-cache=authenticationSessions to keycloak cache container... + /subsystem=infinispan/cache-container=keycloak/local-cache=authenticationSessions/:add(indexing=NONE,start=LAZY) + echo +end-if + +if (outcome == failed) of /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:read-resource + echo Adding local-cache=actionTokens to keycloak cache container... + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/:add(indexing=NONE,start=LAZY) + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=strategy,value=NONE) + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=eviction/:write-attribute(name=max-entries,value=-1) + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=interval,value=300000) + /subsystem=infinispan/cache-container=keycloak/local-cache=actionTokens/component=expiration/:write-attribute(name=max-idle,value=-1) + echo +end-if + echo *** End Migration *** \ No newline at end of file diff --git a/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml b/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml index c453a2e627..51be2fd18c 100644 --- a/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml +++ b/model/jpa/src/main/resources/META-INF/jpa-changelog-3.2.0.xml @@ -19,7 +19,7 @@ - + diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java index 20c3cb6a4d..1550d93854 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentAuthenticatedClientSessionAdapter.java @@ -244,6 +244,15 @@ public class PersistentAuthenticatedClientSessionAdapter implements Authenticate @JsonProperty("action") private String action; + // TODO: Keeping those just for backwards compatibility. @JsonIgnoreProperties doesn't work on Wildfly - probably due to classloading issues + @JsonProperty("userSessionNotes") + private Map userSessionNotes; + @JsonProperty("executionStatus") + private Map executionStatus; + @JsonProperty("requiredActions") + private Set requiredActions; + + public String getAuthMethod() { return authMethod; } @@ -292,5 +301,28 @@ public class PersistentAuthenticatedClientSessionAdapter implements Authenticate this.action = action; } + public Map getUserSessionNotes() { + return userSessionNotes; + } + + public void setUserSessionNotes(Map userSessionNotes) { + this.userSessionNotes = userSessionNotes; + } + + public Map getExecutionStatus() { + return executionStatus; + } + + public void setExecutionStatus(Map executionStatus) { + this.executionStatus = executionStatus; + } + + public Set getRequiredActions() { + return requiredActions; + } + + public void setRequiredActions(Set requiredActions) { + this.requiredActions = requiredActions; + } } } diff --git a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java index 170d381c49..23436e05e0 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java +++ b/server-spi-private/src/main/java/org/keycloak/models/session/PersistentUserSessionAdapter.java @@ -50,7 +50,9 @@ public class PersistentUserSessionAdapter implements UserSessionModel { data.setNotes(other.getNotes()); data.setRememberMe(other.isRememberMe()); data.setStarted(other.getStarted()); - data.setState(other.getState()); + if (other.getState() != null) { + data.setState(other.getState().toString()); + } this.model = new PersistentUserSessionModel(); this.model.setUserSessionId(other.getId()); @@ -192,12 +194,24 @@ public class PersistentUserSessionAdapter implements UserSessionModel { @Override public State getState() { - return getData().getState(); + String state = getData().getState(); + + if (state == null) { + return null; + } + + // Migration to Keycloak 3.2 + if (state.equals("LOGGING_IN")) { + return State.LOGGED_IN; + } + + return State.valueOf(state); } @Override public void setState(State state) { - getData().setState(state); + String stateStr = state==null ? null : state.toString(); + getData().setState(stateStr); } @Override @@ -243,7 +257,7 @@ public class PersistentUserSessionAdapter implements UserSessionModel { private Map notes; @JsonProperty("state") - private State state; + private String state; public String getBrokerSessionId() { return brokerSessionId; @@ -301,11 +315,11 @@ public class PersistentUserSessionAdapter implements UserSessionModel { this.notes = notes; } - public State getState() { + public String getState() { return state; } - public void setState(State state) { + public void setState(String state) { this.state = state; } } diff --git a/testsuite/integration/src/test/resources/log4j.properties b/testsuite/integration/src/test/resources/log4j.properties index dcff0ec3a0..2c6e8849ca 100755 --- a/testsuite/integration/src/test/resources/log4j.properties +++ b/testsuite/integration/src/test/resources/log4j.properties @@ -21,7 +21,9 @@ log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern=%d{HH:mm:ss,SSS} %-5p %t [%c] %m%n -log4j.logger.org.keycloak=info +# For debug, run KeycloakServer with -Dkeycloak.logging.level=debug +keycloak.logging.level=info +log4j.logger.org.keycloak=${keycloak.logging.level} # Enable to view events From 28acf489a13f2ff3f3f6e969677981b2267181d1 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Thu, 18 May 2017 09:33:30 +0200 Subject: [PATCH 15/30] KEYCLOAK-4921 add-user-keycloak broken --- .../org/keycloak/keycloak-wildfly-adduser/main/module.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-wildfly-adduser/main/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-wildfly-adduser/main/module.xml index 178470b42c..88744aca57 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-wildfly-adduser/main/module.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-wildfly-adduser/main/module.xml @@ -29,8 +29,9 @@ - - + + + From f9767ad6cdcc074a89cef1fbdd9733df812f8494 Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Thu, 18 May 2017 09:52:19 +0200 Subject: [PATCH 16/30] KEYCLOAK-4627 Additional tests for action tokens --- .../keycloak/testsuite/admin/UserTest.java | 119 ++++++++++++++++++ 1 file changed, 119 insertions(+) diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java index 3d99124fa6..567b2846fa 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java @@ -554,6 +554,125 @@ public class UserTest extends AbstractAdminTest { assertEquals("We're sorry...", driver.getTitle()); } + @Test + public void sendResetPasswordEmailSuccessTwoLinks() throws IOException, MessagingException { + UserRepresentation userRep = new UserRepresentation(); + userRep.setEnabled(true); + userRep.setUsername("user1"); + userRep.setEmail("user1@test.com"); + + String id = createUser(userRep); + + UserResource user = realm.users().get(id); + List actions = new LinkedList<>(); + actions.add(UserModel.RequiredAction.UPDATE_PASSWORD.name()); + user.executeActionsEmail(actions); + user.executeActionsEmail(actions); + assertAdminEvents.assertEvent(realmId, OperationType.ACTION, AdminEventPaths.userResourcePath(id) + "/execute-actions-email", ResourceType.USER); + assertAdminEvents.assertEvent(realmId, OperationType.ACTION, AdminEventPaths.userResourcePath(id) + "/execute-actions-email", ResourceType.USER); + + Assert.assertEquals(2, greenMail.getReceivedMessages().length); + + int i = 1; + for (MimeMessage message : greenMail.getReceivedMessages()) { + String link = MailUtils.getPasswordResetEmailLink(message); + + driver.navigate().to(link); + + passwordUpdatePage.assertCurrent(); + + passwordUpdatePage.changePassword("new-pass" + i, "new-pass" + i); + i++; + + assertEquals("Your account has been updated.", driver.getTitle()); + } + + for (MimeMessage message : greenMail.getReceivedMessages()) { + String link = MailUtils.getPasswordResetEmailLink(message); + driver.navigate().to(link); + errorPage.assertCurrent(); + } + } + + @Test + public void sendResetPasswordEmailSuccessTwoLinksReverse() throws IOException, MessagingException { + UserRepresentation userRep = new UserRepresentation(); + userRep.setEnabled(true); + userRep.setUsername("user1"); + userRep.setEmail("user1@test.com"); + + String id = createUser(userRep); + + UserResource user = realm.users().get(id); + List actions = new LinkedList<>(); + actions.add(UserModel.RequiredAction.UPDATE_PASSWORD.name()); + user.executeActionsEmail(actions); + user.executeActionsEmail(actions); + assertAdminEvents.assertEvent(realmId, OperationType.ACTION, AdminEventPaths.userResourcePath(id) + "/execute-actions-email", ResourceType.USER); + assertAdminEvents.assertEvent(realmId, OperationType.ACTION, AdminEventPaths.userResourcePath(id) + "/execute-actions-email", ResourceType.USER); + + Assert.assertEquals(2, greenMail.getReceivedMessages().length); + + int i = 1; + for (int j = greenMail.getReceivedMessages().length - 1; j >= 0; j--) { + MimeMessage message = greenMail.getReceivedMessages()[j]; + + String link = MailUtils.getPasswordResetEmailLink(message); + + driver.navigate().to(link); + + passwordUpdatePage.assertCurrent(); + + passwordUpdatePage.changePassword("new-pass" + i, "new-pass" + i); + i++; + + assertEquals("Your account has been updated.", driver.getTitle()); + } + + for (MimeMessage message : greenMail.getReceivedMessages()) { + String link = MailUtils.getPasswordResetEmailLink(message); + driver.navigate().to(link); + errorPage.assertCurrent(); + } + } + + @Test + public void sendResetPasswordEmailSuccessLinkOpenDoesNotExpireWhenOpenedOnly() throws IOException, MessagingException { + UserRepresentation userRep = new UserRepresentation(); + userRep.setEnabled(true); + userRep.setUsername("user1"); + userRep.setEmail("user1@test.com"); + + String id = createUser(userRep); + + UserResource user = realm.users().get(id); + List actions = new LinkedList<>(); + actions.add(UserModel.RequiredAction.UPDATE_PASSWORD.name()); + user.executeActionsEmail(actions); + assertAdminEvents.assertEvent(realmId, OperationType.ACTION, AdminEventPaths.userResourcePath(id) + "/execute-actions-email", ResourceType.USER); + + Assert.assertEquals(1, greenMail.getReceivedMessages().length); + + MimeMessage message = greenMail.getReceivedMessages()[0]; + + String link = MailUtils.getPasswordResetEmailLink(message); + + driver.navigate().to(link); + + passwordUpdatePage.assertCurrent(); + + driver.manage().deleteAllCookies(); + driver.navigate().to("about:blank"); + + driver.navigate().to(link); + + passwordUpdatePage.assertCurrent(); + + passwordUpdatePage.changePassword("new-pass", "new-pass"); + + assertEquals("Your account has been updated.", driver.getTitle()); + } + @Test public void sendResetPasswordEmailSuccessTokenShortLifespan() throws IOException, MessagingException { UserRepresentation userRep = new UserRepresentation(); From 355af6d1cf74c55819e8aa79ce49563b1cc68458 Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Thu, 18 May 2017 14:27:53 +0200 Subject: [PATCH 17/30] KEYCLOAK-4627 Action tokens theme typo --- .../theme/base/admin/resources/js/controllers/users.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js b/themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js index 2c3c34f8af..580d66175d 100755 --- a/themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js +++ b/themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js @@ -557,7 +557,7 @@ module.controller('UserCredentialsCtrl', function($scope, realm, user, $route, R return; } Dialog.confirm('Send Email', 'Are you sure you want to send email to user?', function() { - UserExecuteActionsEmail.update({ realm: realm.realm, userId: user.id, lifespan: $scope.emailActionsLifespan.toSeconds() }, $scope.emailActions, function() { + UserExecuteActionsEmail.update({ realm: realm.realm, userId: user.id, lifespan: $scope.emailActionsTimeout.toSeconds() }, $scope.emailActions, function() { Notifications.success("Email sent to user"); $scope.emailActions = []; }, function() { From b68494b3f0090ac8d7257a4d3a126bbb42b0cd38 Mon Sep 17 00:00:00 2001 From: Pedro Igor Date: Thu, 18 May 2017 09:57:12 -0300 Subject: [PATCH 18/30] [KEYCLOAK-4927] - Authz client incompatible with client definition --- .../BearerTokenPolicyEnforcer.java | 8 +-- .../KeycloakAdapterPolicyEnforcer.java | 4 +- .../authorization/client/Configuration.java | 53 +++++-------------- .../src/main/webapp/WEB-INF/keycloak.json | 11 ++-- 4 files changed, 23 insertions(+), 53 deletions(-) diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.java index 0cdfab949c..f2555d4414 100644 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.java @@ -17,6 +17,8 @@ */ package org.keycloak.adapters.authorization; +import java.util.Set; + import org.jboss.logging.Logger; import org.keycloak.adapters.OIDCHttpFacade; import org.keycloak.adapters.spi.HttpFacade; @@ -26,8 +28,6 @@ import org.keycloak.authorization.client.resource.PermissionResource; import org.keycloak.authorization.client.resource.ProtectionResource; import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig; -import java.util.Set; - /** * @author Pedro Igor */ @@ -52,7 +52,7 @@ public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer { private void challengeEntitlementAuthentication(OIDCHttpFacade facade) { HttpFacade.Response response = facade.getResponse(); AuthzClient authzClient = getAuthzClient(); - String clientId = authzClient.getConfiguration().getClientId(); + String clientId = authzClient.getConfiguration().getResource(); String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/entitlement"; response.setStatus(401); response.setHeader("WWW-Authenticate", "KC_ETT realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\""); @@ -65,7 +65,7 @@ public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer { HttpFacade.Response response = facade.getResponse(); AuthzClient authzClient = getAuthzClient(); String ticket = getPermissionTicket(pathConfig, requiredScopes, authzClient); - String clientId = authzClient.getConfiguration().getClientId(); + String clientId = authzClient.getConfiguration().getResource(); String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/authorize"; response.setStatus(401); response.setHeader("WWW-Authenticate", "UMA realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\",ticket=\"" + ticket + "\""); diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java index 316a39d41e..0dbddd4b47 100644 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java @@ -127,7 +127,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer { AccessToken token = httpFacade.getSecurityContext().getToken(); if (token.getAuthorization() == null) { - EntitlementResponse authzResponse = authzClient.entitlement(accessToken).getAll(authzClient.getConfiguration().getClientId()); + EntitlementResponse authzResponse = authzClient.entitlement(accessToken).getAll(authzClient.getConfiguration().getResource()); return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment); } else { EntitlementRequest request = new EntitlementRequest(); @@ -137,7 +137,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer { permissionRequest.setScopes(new HashSet<>(pathConfig.getScopes())); LOGGER.debugf("Sending entitlements request: resource_set_id [%s], resource_set_name [%s], scopes [%s].", permissionRequest.getResourceSetId(), permissionRequest.getResourceSetName(), permissionRequest.getScopes()); request.addPermission(permissionRequest); - EntitlementResponse authzResponse = authzClient.entitlement(accessToken).get(authzClient.getConfiguration().getClientId(), request); + EntitlementResponse authzResponse = authzClient.entitlement(accessToken).get(authzClient.getConfiguration().getResource(), request); return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment); } } diff --git a/authz/client/src/main/java/org/keycloak/authorization/client/Configuration.java b/authz/client/src/main/java/org/keycloak/authorization/client/Configuration.java index 835c830b91..647891ff4a 100644 --- a/authz/client/src/main/java/org/keycloak/authorization/client/Configuration.java +++ b/authz/client/src/main/java/org/keycloak/authorization/client/Configuration.java @@ -17,44 +17,33 @@ */ package org.keycloak.authorization.client; -import com.fasterxml.jackson.annotation.JsonIgnore; -import com.fasterxml.jackson.annotation.JsonProperty; -import org.apache.http.client.HttpClient; -import org.apache.http.impl.client.HttpClients; -import org.keycloak.util.BasicAuthHelper; - import java.util.HashMap; import java.util.Map; +import org.apache.http.client.HttpClient; +import org.apache.http.impl.client.HttpClients; +import org.keycloak.representations.adapters.config.AdapterConfig; +import org.keycloak.util.BasicAuthHelper; +import com.fasterxml.jackson.annotation.JsonIgnore; + /** * @author Pedro Igor */ -public class Configuration { +public class Configuration extends AdapterConfig { @JsonIgnore private HttpClient httpClient; - @JsonProperty("auth-server-url") - protected String authServerUrl; - - @JsonProperty("realm") - protected String realm; - - @JsonProperty("resource") - protected String clientId; - - @JsonProperty("credentials") - protected Map clientCredentials = new HashMap<>(); - public Configuration() { } public Configuration(String authServerUrl, String realm, String clientId, Map clientCredentials, HttpClient httpClient) { this.authServerUrl = authServerUrl; - this.realm = realm; - this.clientId = clientId; - this.clientCredentials = clientCredentials; + setAuthServerUrl(authServerUrl); + setRealm(realm); + setResource(clientId); + setCredentials(clientCredentials); this.httpClient = httpClient; } @@ -62,13 +51,13 @@ public class Configuration { private ClientAuthenticator clientAuthenticator = new ClientAuthenticator() { @Override public void configureClientCredentials(HashMap requestParams, HashMap requestHeaders) { - String secret = (String) clientCredentials.get("secret"); + String secret = (String) getCredentials().get("secret"); if (secret == null) { throw new RuntimeException("Client secret not provided."); } - requestHeaders.put("Authorization", BasicAuthHelper.createHeader(clientId, secret)); + requestHeaders.put("Authorization", BasicAuthHelper.createHeader(getResource(), secret)); } }; @@ -80,23 +69,7 @@ public class Configuration { return httpClient; } - public String getClientId() { - return clientId; - } - - public String getAuthServerUrl() { - return authServerUrl; - } - public ClientAuthenticator getClientAuthenticator() { return this.clientAuthenticator; } - - public Map getClientCredentials() { - return clientCredentials; - } - - public String getRealm() { - return realm; - } } diff --git a/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json b/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json index f6b9c90927..7983fa39f1 100644 --- a/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json +++ b/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json @@ -1,13 +1,10 @@ { "realm": "servlet-authz", - "auth-server-url" : "http://localhost:8080/auth", - "ssl-required" : "external", - "resource" : "servlet-authz-app", - "public-client" : false, + "auth-server-url": "http://localhost:8080/auth", + "ssl-required": "external", + "resource": "servlet-authz-app", "credentials": { "secret": "secret" }, - "policy-enforcer": { - "on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp" - } + "policy-enforcer": {} } \ No newline at end of file From c291748f43bf3e0f079c714d86b4c50abc10ade5 Mon Sep 17 00:00:00 2001 From: Bill Burke Date: Thu, 18 May 2017 16:48:04 -0400 Subject: [PATCH 19/30] KEYCLOAK-4929 --- .../client/ClientPolicyProviderFactory.java | 8 +- .../provider/js/JSPolicyProviderFactory.java | 4 +- .../ResourcePolicyProviderFactory.java | 3 +- .../role/RolePolicyProviderFactory.java | 10 +- .../time/TimePolicyProviderFactory.java | 3 +- .../user/UserPolicyProviderFactory.java | 7 +- .../drools/DroolsPolicyProviderFactory.java | 16 +- ...ltInfinispanConnectionProviderFactory.java | 21 +- .../InfinispanConnectionProvider.java | 2 + .../infinispan/AbstractCachedStore.java | 73 -- .../infinispan/CachedPolicyStore.java | 500 ------------- .../infinispan/CachedResourceServerStore.java | 172 ----- .../infinispan/CachedResourceStore.java | 321 --------- .../infinispan/CachedScopeStore.java | 231 ------ .../InfinispanStoreFactoryProvider.java | 166 ----- .../InfinispanStoreProviderFactory.java | 89 --- .../infinispan/StoreFactoryCacheManager.java | 72 -- .../AuthorizationInvalidationEvent.java | 44 -- .../models/cache/infinispan/CacheManager.java | 2 +- ...ispanCacheStoreFactoryProviderFactory.java | 102 +++ .../authorization/PolicyAdapter.java | 280 ++++++++ .../authorization/ResourceAdapter.java | 184 +++++ .../authorization/ResourceServerAdapter.java | 127 ++++ .../authorization/ScopeAdapter.java | 127 ++++ .../StoreFactoryCacheManager.java | 93 +++ .../StoreFactoryCacheSession.java | 667 ++++++++++++++++++ .../authorization}/entities/CachedPolicy.java | 122 +--- .../entities/CachedResource.java | 61 +- .../entities/CachedResourceServer.java | 32 +- .../authorization}/entities/CachedScope.java | 49 +- .../entities/InResourceServer.java | 25 + .../entities/PolicyListQuery.java | 36 + .../entities/ResourceListQuery.java | 36 + .../entities/ResourceServerListQuery.java | 29 + .../entities/ScopeListQuery.java | 36 + .../AuthorizationCacheInvalidationEvent.java} | 23 +- .../events/PolicyRemovedEvent.java | 56 ++ .../events/PolicyUpdatedEvent.java | 56 ++ .../events/ResourceRemovedEvent.java | 56 ++ .../events/ResourceServerRemovedEvent.java | 54 ++ .../events/ResourceServerUpdatedEvent.java | 54 ++ .../events/ResourceUpdatedEvent.java | 56 ++ .../events/ScopeRemovedEvent.java | 56 ++ .../events/ScopeUpdatedEvent.java | 56 ++ .../stream/InResourceServerPredicate.java | 35 + ...e.authorization.CachedStoreProviderFactory | 2 +- .../jpa/entities/PolicyEntity.java | 98 +-- .../jpa/entities/ResourceEntity.java | 75 +- .../jpa/entities/ResourceServerEntity.java | 30 +- .../jpa/entities/ScopeEntity.java | 31 +- .../store/JPAAuthorizationStoreFactory.java | 5 +- .../jpa/store/JPAPolicyStore.java | 112 ++- .../jpa/store/JPAResourceServerStore.java | 52 +- .../jpa/store/JPAResourceStore.java | 114 +-- .../jpa/store/JPAScopeStore.java | 52 +- .../jpa/store/JPAStoreFactory.java | 11 +- .../jpa/store/PolicyAdapter.java | 235 ++++++ .../jpa/store/ResourceAdapter.java | 166 +++++ .../jpa/store/ResourceServerAdapter.java | 106 +++ .../authorization/jpa/store/ScopeAdapter.java | 103 +++ .../authorization/AuthorizationProvider.java | 32 +- .../authorization/model/CachedModel.java | 45 ++ .../keycloak/authorization/model/Policy.java | 14 +- .../authorization/model/Resource.java | 4 +- .../store/AuthorizationStoreFactory.java | 2 + .../authorization/store/ResourceStore.java | 2 +- .../ClientApplicationSynchronizer.java | 6 +- .../migration/migrators/MigrateTo2_1_0.java | 2 +- .../CachedStoreProviderFactory.java | 3 + .../models/utils/RepresentationToModel.java | 6 +- .../DefaultAuthorizationProviderFactory.java | 6 +- .../AuthorizationTokenService.java | 4 + .../entitlement/EntitlementService.java | 5 + .../authorization/util/Permissions.java | 8 +- .../authz/ConflictingScopePermissionTest.java | 2 +- .../keycloak-infinispan.xml | 2 +- 76 files changed, 3340 insertions(+), 2247 deletions(-) delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/AbstractCachedStore.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/StoreFactoryCacheManager.java delete mode 100644 model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/events/AuthorizationInvalidationEvent.java create mode 100755 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/InfinispanCacheStoreFactoryProviderFactory.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PolicyAdapter.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceServerAdapter.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheManager.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java rename model/infinispan/src/main/java/org/keycloak/models/{authorization/infinispan => cache/infinispan/authorization}/entities/CachedPolicy.java (53%) rename model/infinispan/src/main/java/org/keycloak/models/{authorization/infinispan => cache/infinispan/authorization}/entities/CachedResource.java (61%) rename model/infinispan/src/main/java/org/keycloak/models/{authorization/infinispan => cache/infinispan/authorization}/entities/CachedResourceServer.java (64%) rename model/infinispan/src/main/java/org/keycloak/models/{authorization/infinispan => cache/infinispan/authorization}/entities/CachedScope.java (56%) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/InResourceServer.java create mode 100755 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/PolicyListQuery.java create mode 100755 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ResourceListQuery.java create mode 100755 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ResourceServerListQuery.java create mode 100755 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ScopeListQuery.java rename model/infinispan/src/main/java/org/keycloak/models/{authorization/infinispan/events/ResourceServerRemovedEvent.java => cache/infinispan/authorization/events/AuthorizationCacheInvalidationEvent.java} (58%) create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/PolicyRemovedEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/PolicyUpdatedEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceRemovedEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerRemovedEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerUpdatedEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceUpdatedEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ScopeRemovedEvent.java create mode 100644 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ScopeUpdatedEvent.java create mode 100755 model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/stream/InResourceServerPredicate.java create mode 100644 model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PolicyAdapter.java create mode 100644 model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java create mode 100644 model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceServerAdapter.java create mode 100644 model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ScopeAdapter.java create mode 100644 server-spi-private/src/main/java/org/keycloak/authorization/model/CachedModel.java diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java index d061357218..49a54ebe28 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java @@ -107,7 +107,7 @@ public class ClientPolicyProviderFactory implements PolicyProviderFactory config = policy.getConfig(); - - config.put("clients", JsonSerialization.writeValueAsString(updatedClients)); - - policy.setConfig(config); + policy.putConfig("clients", JsonSerialization.writeValueAsString(updatedClients)); } catch (IOException cause) { throw new RuntimeException("Failed to serialize clients", cause); } diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java index 1a1ed34ecc..3e68d7f603 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java @@ -70,9 +70,7 @@ public class JSPolicyProviderFactory implements PolicyProviderFactory config = policy.getConfig(); - config.put("code", code); - policy.setConfig(config); + policy.putConfig("code", code); } @Override diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java index 6ea7230f58..1de28f53e9 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java @@ -1,5 +1,6 @@ package org.keycloak.authorization.policy.provider.resource; +import java.util.HashMap; import java.util.Map; import org.keycloak.Config; @@ -64,7 +65,7 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory config = policy.getConfig(); + Map config = new HashMap(policy.getConfig()); config.compute("defaultResourceType", (key, value) -> { String resourceType = resourcePermission.getResourceType(); diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java index 03ea156798..64bcf4956e 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java @@ -163,11 +163,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory config = policy.getConfig(); - - config.put("roles", JsonSerialization.writeValueAsString(updatedRoles)); - - policy.setConfig(config); + policy.putConfig("roles", JsonSerialization.writeValueAsString(updatedRoles)); } catch (IOException cause) { throw new RuntimeException("Failed to serialize roles", cause); } @@ -224,9 +220,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory config = policy.getConfig(); - config.put("roles", JsonSerialization.writeValueAsString(roles)); - policy.setConfig(config); + policy.putConfig("roles", JsonSerialization.writeValueAsString(roles)); } } catch (IOException e) { throw new RuntimeException("Error while synchronizing roles with policy [" + policy.getName() + "].", e); diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java index a3958b9202..fc69f3ba70 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java @@ -1,6 +1,7 @@ package org.keycloak.authorization.policy.provider.time; import java.text.SimpleDateFormat; +import java.util.HashMap; import java.util.Map; import org.keycloak.Config; @@ -118,7 +119,7 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory config = policy.getConfig(); + Map config = new HashMap(policy.getConfig()); config.compute("nbf", (s, s2) -> nbf != null ? nbf : null); config.compute("noa", (s, s2) -> noa != null ? noa : null); diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java index e4bbaf9900..a21bf74bf0 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java @@ -138,11 +138,8 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory config = policy.getConfig(); - config.put("users", JsonSerialization.writeValueAsString(updatedUsers)); - - policy.setConfig(config); + policy.putConfig("users", JsonSerialization.writeValueAsString(updatedUsers)); } catch (IOException cause) { throw new RuntimeException("Failed to serialize users", cause); } @@ -181,7 +178,7 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory config = policy.getConfig(); - config.put("mavenArtifactGroupId", representation.getArtifactGroupId()); - config.put("mavenArtifactId", representation.getArtifactId()); - config.put("mavenArtifactVersion", representation.getArtifactVersion()); - config.put("scannerPeriod", representation.getScannerPeriod()); - config.put("scannerPeriodUnit", representation.getScannerPeriodUnit()); - config.put("sessionName", representation.getSessionName()); - config.put("moduleName", representation.getModuleName()); + policy.putConfig("mavenArtifactGroupId", representation.getArtifactGroupId()); + policy.putConfig("mavenArtifactId", representation.getArtifactId()); + policy.putConfig("mavenArtifactVersion", representation.getArtifactVersion()); + policy.putConfig("scannerPeriod", representation.getScannerPeriod()); + policy.putConfig("scannerPeriodUnit", representation.getScannerPeriodUnit()); + policy.putConfig("sessionName", representation.getSessionName()); + policy.putConfig("moduleName", representation.getModuleName()); - policy.setConfig(config); } void update(Policy policy) { diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java index 916db65cc3..5309fc9e70 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java @@ -118,9 +118,18 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(userRevisionsMaxEntries)); cacheManager.getCache(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, true); - cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, true); cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true); + long authzRevisionsMaxEntries = cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME).getCacheConfiguration().eviction().maxEntries(); + authzRevisionsMaxEntries = authzRevisionsMaxEntries > 0 + ? 2 * authzRevisionsMaxEntries + : InfinispanConnectionProvider.AUTHORIZATION_REVISIONS_CACHE_DEFAULT_MAX; + + cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_REVISIONS_CACHE_NAME, getRevisionCacheConfig(authzRevisionsMaxEntries)); + cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_REVISIONS_CACHE_NAME, true); + + + logger.debugv("Using container managed Infinispan cache container, lookup={1}", cacheContainerLookup); } catch (Exception e) { throw new RuntimeException("Failed to retrieve cache container", e); @@ -151,6 +160,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon Configuration modelCacheConfiguration = modelCacheConfigBuilder.build(); cacheManager.defineConfiguration(InfinispanConnectionProvider.REALM_CACHE_NAME, modelCacheConfiguration); + cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, modelCacheConfiguration); cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_CACHE_NAME, modelCacheConfiguration); ConfigurationBuilder sessionConfigBuilder = new ConfigurationBuilder(); @@ -180,7 +190,6 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon cacheManager.defineConfiguration(InfinispanConnectionProvider.SESSION_CACHE_NAME, sessionCacheConfiguration); cacheManager.defineConfiguration(InfinispanConnectionProvider.OFFLINE_SESSION_CACHE_NAME, sessionCacheConfiguration); cacheManager.defineConfiguration(InfinispanConnectionProvider.LOGIN_FAILURE_CACHE_NAME, sessionCacheConfiguration); - cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, sessionCacheConfiguration); ConfigurationBuilder replicationConfigBuilder = new ConfigurationBuilder(); if (clustered) { @@ -219,6 +228,14 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon cacheManager.defineConfiguration(InfinispanConnectionProvider.KEYS_CACHE_NAME, getKeysCacheConfig()); cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true); + + long authzRevisionsMaxEntries = cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME).getCacheConfiguration().eviction().maxEntries(); + authzRevisionsMaxEntries = authzRevisionsMaxEntries > 0 + ? 2 * authzRevisionsMaxEntries + : InfinispanConnectionProvider.AUTHORIZATION_REVISIONS_CACHE_DEFAULT_MAX; + + cacheManager.defineConfiguration(InfinispanConnectionProvider.AUTHORIZATION_REVISIONS_CACHE_NAME, getRevisionCacheConfig(authzRevisionsMaxEntries)); + cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_REVISIONS_CACHE_NAME, true); } private Configuration getRevisionCacheConfig(long maxEntries) { diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java index 7c255fd0b8..bd57793dfb 100755 --- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java @@ -38,6 +38,8 @@ public interface InfinispanConnectionProvider extends Provider { String LOGIN_FAILURE_CACHE_NAME = "loginFailures"; String WORK_CACHE_NAME = "work"; String AUTHORIZATION_CACHE_NAME = "authorization"; + String AUTHORIZATION_REVISIONS_CACHE_NAME = "authorizationRevisions"; + int AUTHORIZATION_REVISIONS_CACHE_DEFAULT_MAX = 20000; String KEYS_CACHE_NAME = "keys"; int KEYS_CACHE_DEFAULT_MAX = 1000; diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/AbstractCachedStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/AbstractCachedStore.java deleted file mode 100644 index 90fe8b636c..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/AbstractCachedStore.java +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.keycloak.models.authorization.infinispan; - -import java.util.Arrays; -import java.util.List; - -import org.keycloak.authorization.store.StoreFactory; - -/** - * @author Pedro Igor - */ -public abstract class AbstractCachedStore { - - private final InfinispanStoreFactoryProvider cacheStoreFactory; - private final StoreFactory storeFactory; - - AbstractCachedStore(InfinispanStoreFactoryProvider cacheStoreFactory, StoreFactory storeFactory) { - this.cacheStoreFactory = cacheStoreFactory; - this.storeFactory = storeFactory; - } - - protected void addInvalidation(String cacheKeyForPolicy) { - getCachedStoreFactory().addInvalidation(cacheKeyForPolicy); - } - - protected E putCacheEntry(String resourceServerId, String cacheKeyForPolicy, E cachedPolicy) { - cacheStoreFactory.putCacheEntry(resourceServerId, cacheKeyForPolicy, Arrays.asList(cachedPolicy)); - return cachedPolicy; - } - - protected List resolveCacheEntry(String resourceServerId, String cacheKeyForPolicy) { - return cacheStoreFactory.resolveCachedEntry(resourceServerId, cacheKeyForPolicy); - } - - protected void removeCachedEntry(String resourceServerId, String key) { - getCachedStoreFactory().removeCachedEntry(resourceServerId, key); - } - - protected void invalidate(String resourceServerId) { - cacheStoreFactory.invalidate(resourceServerId); - } - - protected StoreFactory getStoreFactory() { - return this.storeFactory; - } - - protected boolean isInvalid(String cacheKey) { - return cacheStoreFactory.isInvalid(cacheKey); - } - - protected InfinispanStoreFactoryProvider.CacheTransaction getTransaction() { - return cacheStoreFactory.getTransaction(); - } - - protected InfinispanStoreFactoryProvider getCachedStoreFactory() { - return cacheStoreFactory; - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java deleted file mode 100644 index 73284d705c..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java +++ /dev/null @@ -1,500 +0,0 @@ -/* - * JBoss, Home of Professional Open Source. - * Copyright 2016 Red Hat, Inc., and individual contributors - * as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.authorization.infinispan; - -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.function.Function; -import java.util.function.Supplier; -import java.util.stream.Collectors; - -import org.keycloak.authorization.model.Policy; -import org.keycloak.authorization.model.Resource; -import org.keycloak.authorization.model.ResourceServer; -import org.keycloak.authorization.model.Scope; -import org.keycloak.authorization.store.PolicyStore; -import org.keycloak.authorization.store.StoreFactory; -import org.keycloak.models.authorization.infinispan.entities.CachedPolicy; -import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation; -import org.keycloak.representations.idm.authorization.DecisionStrategy; -import org.keycloak.representations.idm.authorization.Logic; - -/** - * @author Pedro Igor - */ -public class CachedPolicyStore extends AbstractCachedStore implements PolicyStore { - - private static final String POLICY_CACHE_PREFIX = "pc-"; - - private PolicyStore delegate; - - public CachedPolicyStore(InfinispanStoreFactoryProvider cacheStoreFactory, StoreFactory storeFactory) { - super(cacheStoreFactory, storeFactory); - this.delegate = storeFactory.getPolicyStore(); - } - - @Override - public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) { - Policy policy = getDelegate().create(representation, getStoreFactory().getResourceServerStore().findById(resourceServer.getId())); - String id = policy.getId(); - - addInvalidation(getCacheKeyForPolicy(policy.getId())); - addInvalidation(getCacheKeyForPolicyName(policy.getName())); - addInvalidation(getCacheKeyForPolicyType(policy.getType())); - - configureTransaction(resourceServer, id); - - return createAdapter(new CachedPolicy(policy)); - } - - @Override - public void delete(String id) { - Policy policy = getDelegate().findById(id, null); - if (policy == null) { - return; - } - - addInvalidation(getCacheKeyForPolicy(policy.getId())); - addInvalidation(getCacheKeyForPolicyName(policy.getName())); - addInvalidation(getCacheKeyForPolicyType(policy.getType())); - - getDelegate().delete(id); - configureTransaction(policy.getResourceServer(), policy.getId()); - } - - @Override - public Policy findById(String id, String resourceServerId) { - if (resourceServerId == null) { - return getDelegate().findById(id, null); - } - - if (isInvalid(getCacheKeyForPolicy(id))) { - return getDelegate().findById(id, resourceServerId); - } - - String cacheKeyForPolicy = getCacheKeyForPolicy(id); - List cached = resolveCacheEntry(resourceServerId, cacheKeyForPolicy); - - if (cached == null) { - Policy policy = getDelegate().findById(id, resourceServerId); - - if (policy != null) { - return createAdapter(putCacheEntry(resourceServerId, cacheKeyForPolicy, new CachedPolicy(policy))); - } - - return null; - } - - return createAdapter(CachedPolicy.class.cast(cached.get(0))); - } - - @Override - public Policy findByName(String name, String resourceServerId) { - String cacheKey = getCacheKeyForPolicyName(name); - - if (isInvalid(cacheKey)) { - return getDelegate().findByName(name, resourceServerId); - } - - return cacheResult(resourceServerId, cacheKey, () -> { - Policy policy = getDelegate().findByName(name, resourceServerId); - - if (policy == null) { - return Collections.emptyList(); - } - - return Arrays.asList(policy); - }).stream().findFirst().orElse(null); - } - - @Override - public List findByResourceServer(String resourceServerId) { - return getDelegate().findByResourceServer(resourceServerId); - } - - @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return getDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); - } - - @Override - public List findByResource(String resourceId, String resourceServerId) { - String cacheKey = getCacheKeyForResource(resourceId); - - if (isInvalid(cacheKey)) { - return getDelegate().findByResource(resourceId, resourceServerId); - } - - return cacheResult(resourceServerId, cacheKey, () -> getDelegate().findByResource(resourceId, resourceServerId)); - } - - @Override - public List findByResourceType(String resourceType, String resourceServerId) { - String cacheKey = getCacheKeyForResourceType(resourceType); - - if (isInvalid(cacheKey)) { - return getDelegate().findByResourceType(resourceType, resourceServerId); - } - - return cacheResult(resourceServerId, cacheKey, () -> getDelegate().findByResourceType(resourceType, resourceServerId)); - } - - @Override - public List findByScopeIds(List scopeIds, String resourceServerId) { - List policies = new ArrayList<>(); - - for (String scopeId : scopeIds) { - String cacheKey = getCacheForScope(scopeId); - - if (isInvalid(cacheKey)) { - policies.addAll(getDelegate().findByScopeIds(Arrays.asList(scopeId), resourceServerId)); - } else { - policies.addAll(cacheResult(resourceServerId, cacheKey, () -> getDelegate().findByScopeIds(Arrays.asList(scopeId), resourceServerId))); - } - } - - return policies; - } - - @Override - public List findByType(String type, String resourceServerId) { - String cacheKey = getCacheKeyForPolicyType(type); - - if (isInvalid(cacheKey)) { - return getDelegate().findByType(type, resourceServerId); - } - - return cacheResult(resourceServerId, cacheKey, () -> getDelegate().findByType(type, resourceServerId)); - } - - @Override - public List findDependentPolicies(String id, String resourceServerId) { - return getDelegate().findDependentPolicies(id, resourceServerId); - } - - private String getCacheKeyForPolicy(String id) { - return new StringBuilder().append(POLICY_CACHE_PREFIX).append("id-").append(id).toString(); - } - - private String getCacheKeyForPolicyType(String type) { - return new StringBuilder().append(POLICY_CACHE_PREFIX).append("findByType-").append(type).toString(); - } - - private String getCacheKeyForPolicyName(String name) { - return new StringBuilder().append(POLICY_CACHE_PREFIX).append("findByName-").append(name).toString(); - } - - private String getCacheKeyForResourceType(String resourceType) { - return new StringBuilder().append(POLICY_CACHE_PREFIX).append("findByResourceType-").append(resourceType).toString(); - } - - private String getCacheForScope(String scopeId) { - return new StringBuilder().append(POLICY_CACHE_PREFIX).append("findByScopeIds-").append(scopeId).toString(); - } - - private String getCacheKeyForResource(String resourceId) { - return new StringBuilder().append(POLICY_CACHE_PREFIX).append("findByResource-").append(resourceId).toString(); - } - - private Policy createAdapter(CachedPolicy cached) { - return new Policy() { - - private Set scopes; - private Set resources; - private Set associatedPolicies; - private Policy updated; - - @Override - public String getId() { - return cached.getId(); - } - - @Override - public String getType() { - return cached.getType(); - } - - @Override - public DecisionStrategy getDecisionStrategy() { - return cached.getDecisionStrategy(); - } - - @Override - public void setDecisionStrategy(DecisionStrategy decisionStrategy) { - getDelegateForUpdate().setDecisionStrategy(decisionStrategy); - cached.setDecisionStrategy(decisionStrategy); - } - - @Override - public Logic getLogic() { - return cached.getLogic(); - } - - @Override - public void setLogic(Logic logic) { - getDelegateForUpdate().setLogic(logic); - cached.setLogic(logic); - } - - @Override - public Map getConfig() { - return new HashMap<>(cached.getConfig()); - } - - @Override - public void setConfig(Map config) { - String resourceType = config.get("defaultResourceType"); - - if (resourceType != null) { - addInvalidation(getCacheKeyForResourceType(resourceType)); - String cachedResourceType = cached.getConfig().get("defaultResourceType"); - if (cachedResourceType != null && !resourceType.equals(cachedResourceType)) { - addInvalidation(getCacheKeyForResourceType(cachedResourceType)); - } - } - - getDelegateForUpdate().setConfig(config); - cached.setConfig(config); - } - - @Override - public String getName() { - return cached.getName(); - } - - @Override - public void setName(String name) { - addInvalidation(getCacheKeyForPolicyName(name)); - addInvalidation(getCacheKeyForPolicyName(cached.getName())); - getDelegateForUpdate().setName(name); - cached.setName(name); - } - - @Override - public String getDescription() { - return cached.getDescription(); - } - - @Override - public void setDescription(String description) { - getDelegateForUpdate().setDescription(description); - cached.setDescription(description); - } - - @Override - public ResourceServer getResourceServer() { - return getCachedStoreFactory().getResourceServerStore().findById(cached.getResourceServerId()); - } - - @Override - public void addScope(Scope scope) { - Scope model = getStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId()); - addInvalidation(getCacheForScope(model.getId())); - getDelegateForUpdate().addScope(model); - cached.addScope(scope); - scopes.add(scope); - } - - @Override - public void removeScope(Scope scope) { - Scope model = getStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId()); - addInvalidation(getCacheForScope(scope.getId())); - getDelegateForUpdate().removeScope(model); - cached.removeScope(scope); - scopes.remove(scope); - } - - @Override - public void addAssociatedPolicy(Policy associatedPolicy) { - getDelegateForUpdate().addAssociatedPolicy(getStoreFactory().getPolicyStore().findById(associatedPolicy.getId(), cached.getResourceServerId())); - cached.addAssociatedPolicy(associatedPolicy); - } - - @Override - public void removeAssociatedPolicy(Policy associatedPolicy) { - getDelegateForUpdate().removeAssociatedPolicy(getStoreFactory().getPolicyStore().findById(associatedPolicy.getId(), cached.getResourceServerId())); - cached.removeAssociatedPolicy(associatedPolicy); - associatedPolicies.remove(associatedPolicy); - } - - @Override - public void addResource(Resource resource) { - Resource model = getStoreFactory().getResourceStore().findById(resource.getId(), cached.getResourceServerId()); - - addInvalidation(getCacheKeyForResource(model.getId())); - - if (model.getType() != null) { - addInvalidation(getCacheKeyForResourceType(model.getType())); - } - - getDelegateForUpdate().addResource(model); - cached.addResource(resource); - resources.add(resource); - } - - @Override - public void removeResource(Resource resource) { - Resource model = getStoreFactory().getResourceStore().findById(resource.getId(), cached.getResourceServerId()); - - addInvalidation(getCacheKeyForResource(model.getId())); - - if (model.getType() != null) { - addInvalidation(getCacheKeyForResourceType(model.getType())); - } - - getDelegateForUpdate().removeResource(model); - cached.removeResource(resource); - resources.remove(resource); - } - - @Override - public Set getAssociatedPolicies() { - if (associatedPolicies == null || updated != null) { - associatedPolicies = new HashSet<>(); - - for (String id : cached.getAssociatedPoliciesIds()) { - Policy policy = findById(id, cached.getResourceServerId()); - - if (policy != null) { - associatedPolicies.add(policy); - } - } - } - - return associatedPolicies; - } - - @Override - public Set getResources() { - if (resources == null || updated != null) { - resources = new HashSet<>(); - - for (String id : cached.getResourcesIds()) { - Resource resource = getCachedStoreFactory().getResourceStore().findById(id, cached.getResourceServerId()); - - if (resource != null) { - resources.add(resource); - } - } - } - - return resources; - } - - @Override - public Set getScopes() { - if (scopes == null || updated != null) { - scopes = new HashSet<>(); - - for (String id : cached.getScopesIds()) { - Scope scope = getCachedStoreFactory().getScopeStore().findById(id, cached.getResourceServerId()); - - if (scope != null) { - scopes.add(scope); - } - } - } - - return scopes; - } - - @Override - public boolean equals(Object o) { - if (o == this) return true; - - if (getId() == null) return false; - - if (!Policy.class.isInstance(o)) return false; - - Policy that = (Policy) o; - - if (!getId().equals(that.getId())) return false; - - return true; - - } - - @Override - public int hashCode() { - return getId()!=null ? getId().hashCode() : super.hashCode(); - } - - private Policy getDelegateForUpdate() { - if (this.updated == null) { - this.updated = getDelegate().findById(getId(), cached.getResourceServerId()); - if (this.updated == null) throw new IllegalStateException("Not found in database"); - addInvalidation(getCacheKeyForPolicy(updated.getId())); - configureTransaction(updated.getResourceServer(), updated.getId()); - } - - return this.updated; - } - }; - } - - private List cacheResult(String resourceServerId, String key, Supplier> provider) { - List cached = getCachedStoreFactory().computeIfCachedEntryAbsent(resourceServerId, key, (Function>) o -> { - List result = provider.get(); - - if (result.isEmpty()) { - return Collections.emptyList(); - } - - return result.stream().map(policy -> policy.getId()).collect(Collectors.toList()); - }); - - if (cached == null) { - return Collections.emptyList(); - } - - return cached.stream().map(id -> findById(id.toString(), resourceServerId)).collect(Collectors.toList()); - } - - private void configureTransaction(ResourceServer resourceServer, String id) { - getTransaction().whenRollback(() -> removeCachedEntry(resourceServer.getId(), getCacheKeyForPolicy(id))); - getTransaction().whenCommit(() -> invalidate(resourceServer.getId())); - } - - private PolicyStore getDelegate() { - return delegate; - } - - void addInvalidations(Object object) { - if (Resource.class.isInstance(object)) { - Resource resource = (Resource) object; - addInvalidation(getCacheKeyForResource(resource.getId())); - String type = resource.getType(); - - if (type != null) { - addInvalidation(getCacheKeyForResourceType(type)); - } - } else if (Scope.class.isInstance(object)) { - Scope scope = (Scope) object; - addInvalidation(getCacheForScope(scope.getId())); - } else { - throw new RuntimeException("Unexpected notification [" + object + "]"); - } - } -} \ No newline at end of file diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java deleted file mode 100644 index 6322843fb5..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java +++ /dev/null @@ -1,172 +0,0 @@ -/* - * JBoss, Home of Professional Open Source. - * Copyright 2016 Red Hat, Inc., and individual contributors - * as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.authorization.infinispan; - -import java.util.List; - -import org.keycloak.authorization.model.ResourceServer; -import org.keycloak.authorization.store.ResourceServerStore; -import org.keycloak.authorization.store.StoreFactory; -import org.keycloak.models.authorization.infinispan.entities.CachedResourceServer; -import org.keycloak.representations.idm.authorization.PolicyEnforcementMode; - -/** - * @author Pedro Igor - */ -public class CachedResourceServerStore extends AbstractCachedStore implements ResourceServerStore { - - private static final String RS_PREFIX = "rs-"; - - private final ResourceServerStore delegate; - - public CachedResourceServerStore(InfinispanStoreFactoryProvider cachedStoreFactory, StoreFactory storeFactory) { - super(cachedStoreFactory, storeFactory); - this.delegate = storeFactory.getResourceServerStore(); - } - - @Override - public ResourceServer create(String clientId) { - ResourceServer resourceServer = getDelegate().create(clientId); - - getTransaction().whenCommit(() -> getCachedStoreFactory().removeEntries(resourceServer)); - getTransaction().whenRollback(() -> removeCachedEntry(resourceServer.getId(), getCacheKeyForResourceServer(resourceServer.getId()))); - - return createAdapter(new CachedResourceServer(resourceServer)); - } - - @Override - public void delete(String id) { - ResourceServer resourceServer = getDelegate().findById(id); - - if (resourceServer != null) { - getDelegate().delete(id); - getTransaction().whenCommit(() -> getCachedStoreFactory().removeEntries(resourceServer)); - } - } - - @Override - public ResourceServer findById(String id) { - String cacheKey = getCacheKeyForResourceServer(id); - - if (isInvalid(cacheKey)) { - return getDelegate().findById(id); - } - - List cached = resolveCacheEntry(id, cacheKey); - - if (cached == null) { - ResourceServer resourceServer = getDelegate().findById(id); - - if (resourceServer != null) { - return createAdapter(putCacheEntry(id, cacheKey, new CachedResourceServer(resourceServer))); - } - - return null; - } - - return createAdapter(CachedResourceServer.class.cast(cached.get(0))); - } - - @Override - public ResourceServer findByClient(String id) { - String cacheKey = getCacheKeyForResourceServerClientId(id); - - if (isInvalid(cacheKey)) { - return getDelegate().findByClient(id); - } - - List cached = resolveCacheEntry(id, cacheKey); - - if (cached == null) { - ResourceServer resourceServer = getDelegate().findByClient(id); - - if (resourceServer != null) { - return findById(putCacheEntry(id, cacheKey, resourceServer.getId())); - } - - return null; - } - - return findById(cached.get(0).toString()); - } - - private String getCacheKeyForResourceServer(String id) { - return new StringBuilder(RS_PREFIX).append("id-").append(id).toString(); - } - - private String getCacheKeyForResourceServerClientId(String id) { - return new StringBuilder(RS_PREFIX).append("findByClientId-").append(id).toString(); - } - - private ResourceServerStore getDelegate() { - return this.delegate; - } - - private ResourceServer createAdapter(ResourceServer cached) { - return new ResourceServer() { - - private ResourceServer updated; - - @Override - public String getId() { - return cached.getId(); - } - - @Override - public String getClientId() { - return cached.getClientId(); - } - - @Override - public boolean isAllowRemoteResourceManagement() { - return cached.isAllowRemoteResourceManagement(); - } - - @Override - public void setAllowRemoteResourceManagement(boolean allowRemoteResourceManagement) { - getDelegateForUpdate().setAllowRemoteResourceManagement(allowRemoteResourceManagement); - cached.setAllowRemoteResourceManagement(allowRemoteResourceManagement); - } - - @Override - public PolicyEnforcementMode getPolicyEnforcementMode() { - return cached.getPolicyEnforcementMode(); - } - - @Override - public void setPolicyEnforcementMode(PolicyEnforcementMode enforcementMode) { - getDelegateForUpdate().setPolicyEnforcementMode(enforcementMode); - cached.setPolicyEnforcementMode(enforcementMode); - } - - private ResourceServer getDelegateForUpdate() { - if (this.updated == null) { - this.updated = getDelegate().findById(getId()); - if (this.updated == null) throw new IllegalStateException("Not found in database"); - addInvalidation(getCacheKeyForResourceServer(updated.getId())); - getTransaction().whenCommit(() -> { - invalidate(updated.getId()); - }); - } - - return this.updated; - } - }; - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java deleted file mode 100644 index bc892d0e51..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java +++ /dev/null @@ -1,321 +0,0 @@ -/* - * JBoss, Home of Professional Open Source. - * Copyright 2016 Red Hat, Inc., and individual contributors - * as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.authorization.infinispan; - -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.function.Function; -import java.util.function.Supplier; -import java.util.stream.Collectors; - -import org.keycloak.authorization.model.Resource; -import org.keycloak.authorization.model.ResourceServer; -import org.keycloak.authorization.model.Scope; -import org.keycloak.authorization.store.ResourceStore; -import org.keycloak.authorization.store.StoreFactory; -import org.keycloak.models.authorization.infinispan.entities.CachedResource; - -/** - * @author Pedro Igor - */ -public class CachedResourceStore extends AbstractCachedStore implements ResourceStore { - - private static final String RESOURCE_CACHE_PREFIX = "rs-"; - - private ResourceStore delegate; - - public CachedResourceStore(InfinispanStoreFactoryProvider cacheStoreFactory, StoreFactory storeFactory) { - super(cacheStoreFactory, storeFactory); - delegate = storeFactory.getResourceStore(); - } - - @Override - public Resource create(String name, ResourceServer resourceServer, String owner) { - Resource resource = getDelegate().create(name, getStoreFactory().getResourceServerStore().findById(resourceServer.getId()), owner); - - addInvalidation(getCacheKeyForResource(resource.getId())); - addInvalidation(getCacheKeyForResourceName(resource.getName())); - addInvalidation(getCacheKeyForOwner(owner)); - - getCachedStoreFactory().getPolicyStore().addInvalidations(resource); - - getTransaction().whenRollback(() -> removeCachedEntry(resourceServer.getId(), getCacheKeyForResource(resource.getId()))); - getTransaction().whenCommit(() -> invalidate(resourceServer.getId())); - - return createAdapter(new CachedResource(resource)); - } - - @Override - public void delete(String id) { - Resource resource = getDelegate().findById(id, null); - - if (resource == null) { - return; - } - - ResourceServer resourceServer = resource.getResourceServer(); - - addInvalidation(getCacheKeyForResource(resource.getId())); - addInvalidation(getCacheKeyForResourceName(resource.getName())); - addInvalidation(getCacheKeyForOwner(resource.getOwner())); - addInvalidation(getCacheKeyForUri(resource.getUri())); - getCachedStoreFactory().getPolicyStore().addInvalidations(resource); - - getDelegate().delete(id); - - getTransaction().whenCommit(() -> { - invalidate(resourceServer.getId()); - }); - } - - @Override - public Resource findById(String id, String resourceServerId) { - String cacheKeyForResource = getCacheKeyForResource(id); - - if (isInvalid(cacheKeyForResource)) { - return getDelegate().findById(id, resourceServerId); - } - - List cached = resolveCacheEntry(resourceServerId, cacheKeyForResource); - - if (cached == null) { - Resource resource = getDelegate().findById(id, resourceServerId); - - if (resource != null) { - return createAdapter(putCacheEntry(resourceServerId, cacheKeyForResource, new CachedResource(resource))); - } - - return null; - } - - return createAdapter(CachedResource.class.cast(cached.get(0))); - } - - @Override - public List findByOwner(String ownerId, String resourceServerId) { - String cacheKey = getCacheKeyForOwner(ownerId); - - if (isInvalid(cacheKey)) { - return getDelegate().findByOwner(ownerId, resourceServerId); - } - - return cacheResult(resourceServerId, cacheKey, () -> getDelegate().findByOwner(ownerId, resourceServerId)); - } - - @Override - public List findByUri(String uri, String resourceServerId) { - String cacheKey = getCacheKeyForUri(uri); - - if (isInvalid(cacheKey)) { - return getDelegate().findByUri(uri, resourceServerId); - } - - return cacheResult(resourceServerId, cacheKey, () -> getDelegate().findByUri(uri, resourceServerId)); - } - - @Override - public List findByResourceServer(String resourceServerId) { - return getDelegate().findByResourceServer(resourceServerId); - } - - @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return getDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); - } - - @Override - public List findByScope(List id, String resourceServerId) { - return getDelegate().findByScope(id, resourceServerId); - } - - @Override - public Resource findByName(String name, String resourceServerId) { - String cacheKey = getCacheKeyForResourceName(name); - - if (isInvalid(cacheKey)) { - return getDelegate().findByName(name, resourceServerId); - } - - return cacheResult(resourceServerId, cacheKey, () -> { - Resource resource = getDelegate().findByName(name, resourceServerId); - - if (resource == null) { - return Collections.emptyList(); - } - - return Arrays.asList(resource); - }).stream().findFirst().orElse(null); - } - - @Override - public List findByType(String type, String resourceServerId) { - return getDelegate().findByType(type, resourceServerId); - } - - private String getCacheKeyForResource(String id) { - return new StringBuilder(RESOURCE_CACHE_PREFIX).append("id-").append(id).toString(); - } - - private String getCacheKeyForResourceName(String name) { - return new StringBuilder(RESOURCE_CACHE_PREFIX).append("findByName-").append(name).toString(); - } - - private String getCacheKeyForOwner(String name) { - return new StringBuilder(RESOURCE_CACHE_PREFIX).append("findByOwner-").append(name).toString(); - } - - private String getCacheKeyForUri(String uri) { - return new StringBuilder(RESOURCE_CACHE_PREFIX).append("findByUri-").append(uri).toString(); - } - - private ResourceStore getDelegate() { - return this.delegate; - } - - private List cacheResult(String resourceServerId, String key, Supplier> provider) { - List cached = getCachedStoreFactory().computeIfCachedEntryAbsent(resourceServerId, key, (Function>) o -> { - List result = provider.get(); - - if (result.isEmpty()) { - return Collections.emptyList(); - } - - return result.stream().map(policy -> policy.getId()).collect(Collectors.toList()); - }); - - if (cached == null) { - return Collections.emptyList(); - } - - return cached.stream().map(id -> findById(id.toString(), resourceServerId)).collect(Collectors.toList()); - } - - private Resource createAdapter(CachedResource cached) { - return new Resource() { - - private List scopes; - private Resource updated; - - @Override - public String getId() { - return cached.getId(); - } - - @Override - public String getName() { - return cached.getName(); - } - - @Override - public void setName(String name) { - addInvalidation(getCacheKeyForResourceName(name)); - addInvalidation(getCacheKeyForResourceName(cached.getName())); - getDelegateForUpdate().setName(name); - cached.setName(name); - } - - @Override - public String getUri() { - return cached.getUri(); - } - - @Override - public void setUri(String uri) { - addInvalidation(getCacheKeyForUri(uri)); - addInvalidation(getCacheKeyForUri(cached.getUri())); - getDelegateForUpdate().setUri(uri); - cached.setUri(uri); - } - - @Override - public String getType() { - return cached.getType(); - } - - @Override - public void setType(String type) { - getCachedStoreFactory().getPolicyStore().addInvalidations(cached); - getDelegateForUpdate().setType(type); - cached.setType(type); - } - - @Override - public List getScopes() { - if (scopes == null) { - scopes = new ArrayList<>(); - - for (String id : cached.getScopesIds()) { - Scope scope = getCachedStoreFactory().getScopeStore().findById(id, cached.getResourceServerId()); - - if (scope != null) { - scopes.add(scope); - } - } - } - - return scopes; - } - - @Override - public String getIconUri() { - return cached.getIconUri(); - } - - @Override - public void setIconUri(String iconUri) { - getDelegateForUpdate().setIconUri(iconUri); - cached.setIconUri(iconUri); - } - - @Override - public ResourceServer getResourceServer() { - return getCachedStoreFactory().getResourceServerStore().findById(cached.getResourceServerId()); - } - - @Override - public String getOwner() { - return cached.getOwner(); - } - - @Override - public void updateScopes(Set scopes) { - getDelegateForUpdate().updateScopes(scopes.stream().map(scope -> getStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId())).collect(Collectors.toSet())); - cached.updateScopes(scopes); - } - - private Resource getDelegateForUpdate() { - if (this.updated == null) { - String resourceServerId = cached.getResourceServerId(); - this.updated = getDelegate().findById(getId(), resourceServerId); - if (this.updated == null) throw new IllegalStateException("Not found in database"); - addInvalidation(getCacheKeyForResource(updated.getId())); - getCachedStoreFactory().getPolicyStore().addInvalidations(updated); - getTransaction().whenCommit(() -> invalidate(resourceServerId)); - getTransaction().whenRollback(() -> removeCachedEntry(resourceServerId, getCacheKeyForResource(cached.getId()))); - } - - return this.updated; - } - }; - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java deleted file mode 100644 index 741f5f716c..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java +++ /dev/null @@ -1,231 +0,0 @@ -/* - * JBoss, Home of Professional Open Source. - * Copyright 2016 Red Hat, Inc., and individual contributors - * as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.authorization.infinispan; - -import java.util.Arrays; -import java.util.Collections; -import java.util.List; -import java.util.Map; -import java.util.Objects; -import java.util.function.Function; -import java.util.function.Supplier; -import java.util.stream.Collectors; - -import org.keycloak.authorization.model.ResourceServer; -import org.keycloak.authorization.model.Scope; -import org.keycloak.authorization.store.ScopeStore; -import org.keycloak.authorization.store.StoreFactory; -import org.keycloak.models.authorization.infinispan.entities.CachedScope; - -/** - * @author Pedro Igor - */ -public class CachedScopeStore extends AbstractCachedStore implements ScopeStore { - - private static final String SCOPE_CACHE_PREFIX = "scp-"; - - private final ScopeStore delegate; - - public CachedScopeStore(InfinispanStoreFactoryProvider cacheStoreFactory, StoreFactory storeFactory) { - super(cacheStoreFactory, storeFactory); - this.delegate = storeFactory.getScopeStore(); - } - - @Override - public Scope create(String name, ResourceServer resourceServer) { - Scope scope = getDelegate().create(name, getStoreFactory().getResourceServerStore().findById(resourceServer.getId())); - - addInvalidation(getCacheKeyForScope(scope.getId())); - addInvalidation(getCacheKeyForScopeName(scope.getName())); - getCachedStoreFactory().getPolicyStore().addInvalidations(scope); - - getTransaction().whenRollback(() -> removeCachedEntry(resourceServer.getId(), getCacheKeyForScope(scope.getId()))); - getTransaction().whenCommit(() -> invalidate(resourceServer.getId())); - - return createAdapter(new CachedScope(scope)); - } - - @Override - public void delete(String id) { - Scope scope = getDelegate().findById(id, null); - - if (scope == null) { - return; - } - - ResourceServer resourceServer = scope.getResourceServer(); - - addInvalidation(getCacheKeyForScope(scope.getId())); - addInvalidation(getCacheKeyForScopeName(scope.getName())); - getCachedStoreFactory().getPolicyStore().addInvalidations(scope); - - getDelegate().delete(id); - - getTransaction().whenCommit(() -> invalidate(resourceServer.getId())); - } - - @Override - public Scope findById(String id, String resourceServerId) { - String cacheKey = getCacheKeyForScope(id); - - if (isInvalid(cacheKey)) { - return getDelegate().findById(id, resourceServerId); - } - - List cached = resolveCacheEntry(resourceServerId, cacheKey); - - if (cached == null) { - Scope scope = getDelegate().findById(id, resourceServerId); - - if (scope != null) { - return createAdapter(putCacheEntry(resourceServerId, cacheKey, new CachedScope(scope))); - } - - return null; - } - - return createAdapter(CachedScope.class.cast(cached.get(0))); - } - - @Override - public Scope findByName(String name, String resourceServerId) { - String cacheKey = getCacheKeyForScopeName(name); - - if (isInvalid(cacheKey)) { - return getDelegate().findByName(name, resourceServerId); - } - - return cacheResult(resourceServerId, cacheKey, () -> { - Scope scope = getDelegate().findByName(name, resourceServerId); - - if (scope == null) { - return Collections.emptyList(); - } - - return Arrays.asList(scope); - }).stream().findFirst().orElse(null); - } - - @Override - public List findByResourceServer(String id) { - return getDelegate().findByResourceServer(id); - } - - @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return getDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); - } - - private String getCacheKeyForScope(String id) { - return new StringBuilder(SCOPE_CACHE_PREFIX).append("id-").append(id).toString(); - } - - private String getCacheKeyForScopeName(String name) { - return new StringBuilder(SCOPE_CACHE_PREFIX).append("findByName-").append(name).toString(); - } - - private ScopeStore getDelegate() { - return this.delegate; - } - - private List cacheResult(String resourceServerId, String key, Supplier> provider) { - List cached = getCachedStoreFactory().computeIfCachedEntryAbsent(resourceServerId, key, (Function>) o -> { - List result = provider.get(); - - if (result.isEmpty()) { - return Collections.emptyList(); - } - - return result.stream().map(policy -> policy.getId()).collect(Collectors.toList()); - }); - - if (cached == null) { - return Collections.emptyList(); - } - - return cached.stream().map(id -> findById(id.toString(), resourceServerId)).collect(Collectors.toList()); - } - - private Scope createAdapter(CachedScope cached) { - return new Scope() { - - private Scope updated; - - @Override - public String getId() { - return cached.getId(); - } - - @Override - public String getName() { - return cached.getName(); - } - - @Override - public void setName(String name) { - addInvalidation(getCacheKeyForScopeName(name)); - addInvalidation(getCacheKeyForScopeName(cached.getName())); - getDelegateForUpdate().setName(name); - cached.setName(name); - } - - @Override - public String getIconUri() { - return cached.getIconUri(); - } - - @Override - public void setIconUri(String iconUri) { - getDelegateForUpdate().setIconUri(iconUri); - cached.setIconUri(iconUri); - } - - @Override - public ResourceServer getResourceServer() { - return getCachedStoreFactory().getResourceServerStore().findById(cached.getResourceServerId()); - } - - private Scope getDelegateForUpdate() { - if (this.updated == null) { - this.updated = getDelegate().findById(getId(), cached.getResourceServerId()); - if (this.updated == null) throw new IllegalStateException("Not found in database"); - addInvalidation(getCacheKeyForScope(updated.getId())); - getCachedStoreFactory().getPolicyStore().addInvalidations(updated); - getTransaction().whenCommit(() -> invalidate(cached.getResourceServerId())); - getTransaction().whenRollback(() -> removeCachedEntry(cached.getResourceServerId(), getCacheKeyForScope(cached.getId()))); - } - - return this.updated; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || !Scope.class.isInstance(o)) return false; - Scope that = (Scope) o; - return Objects.equals(getId(), that.getId()); - } - - @Override - public int hashCode() { - return Objects.hash(getId()); - } - }; - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java deleted file mode 100644 index 692173c4cf..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java +++ /dev/null @@ -1,166 +0,0 @@ -/* - * JBoss, Home of Professional Open Source. - * Copyright 2016 Red Hat, Inc., and individual contributors - * as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.authorization.infinispan; - -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; -import java.util.function.Function; - -import org.keycloak.authorization.model.ResourceServer; -import org.keycloak.authorization.store.ResourceServerStore; -import org.keycloak.authorization.store.ResourceStore; -import org.keycloak.authorization.store.ScopeStore; -import org.keycloak.authorization.store.StoreFactory; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakTransaction; -import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider; - -/** - * @author Pedro Igor - */ -public class InfinispanStoreFactoryProvider implements CachedStoreFactoryProvider { - - private final CacheTransaction transaction; - private final CachedResourceStore resourceStore; - private final CachedScopeStore scopeStore; - private final CachedPolicyStore policyStore; - private final KeycloakSession session; - private final StoreFactoryCacheManager cacheManager; - private ResourceServerStore resourceServerStore; - private Set invalidations = new HashSet<>(); - - public InfinispanStoreFactoryProvider(KeycloakSession session, StoreFactoryCacheManager cacheManager) { - this.session = session; - this.cacheManager = cacheManager; - this.transaction = new CacheTransaction(); - session.getTransactionManager().enlistAfterCompletion(transaction); - StoreFactory delegate = session.getProvider(StoreFactory.class); - resourceStore = new CachedResourceStore(this, delegate); - resourceServerStore = new CachedResourceServerStore(this, delegate); - scopeStore = new CachedScopeStore(this, delegate); - policyStore = new CachedPolicyStore(this, delegate); - } - - @Override - public ResourceStore getResourceStore() { - return resourceStore; - } - - @Override - public ResourceServerStore getResourceServerStore() { - return resourceServerStore; - } - - @Override - public ScopeStore getScopeStore() { - return scopeStore; - } - - @Override - public CachedPolicyStore getPolicyStore() { - return policyStore; - } - - @Override - public void close() { - - } - - void addInvalidation(String cacheKey) { - invalidations.add(cacheKey); - } - - boolean isInvalid(String cacheKeyForPolicy) { - return invalidations.contains(cacheKeyForPolicy); - } - - void invalidate(String resourceServerId) { - cacheManager.invalidate(session, resourceServerId, invalidations); - } - - List resolveCachedEntry(String resourceServerId, String cacheKeyForPolicy) { - return cacheManager.resolveResourceServerCache(resourceServerId).get(cacheKeyForPolicy); - } - - void putCacheEntry(String resourceServerId, String key, List entry) { - cacheManager.resolveResourceServerCache(resourceServerId).put(key, entry); - } - - List computeIfCachedEntryAbsent(String resourceServerId, String key, Function> function) { - return cacheManager.resolveResourceServerCache(resourceServerId).computeIfAbsent(key, function); - } - - CacheTransaction getTransaction() { - return transaction; - } - - void removeCachedEntry(String id, String key) { - cacheManager.resolveResourceServerCache(id).remove(key); - } - - void removeEntries(ResourceServer resourceServer) { - cacheManager.removeAll(session, resourceServer); - } - - static class CacheTransaction implements KeycloakTransaction { - - private List completeTasks = new ArrayList<>(); - private List rollbackTasks = new ArrayList<>(); - - @Override - public void begin() { - - } - - @Override - public void commit() { - this.completeTasks.forEach(task -> task.run()); - } - - @Override - public void rollback() { - this.rollbackTasks.forEach(task -> task.run()); - } - - @Override - public void setRollbackOnly() { - - } - - @Override - public boolean getRollbackOnly() { - return false; - } - - @Override - public boolean isActive() { - return false; - } - - protected void whenCommit(Runnable task) { - this.completeTasks.add(task); - } - - protected void whenRollback(Runnable task) { - this.rollbackTasks.add(task); - } - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java deleted file mode 100644 index 672b565584..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java +++ /dev/null @@ -1,89 +0,0 @@ -/* - * JBoss, Home of Professional Open Source. - * Copyright 2016 Red Hat, Inc., and individual contributors - * as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.models.authorization.infinispan; - -import java.util.List; -import java.util.Map; - -import org.infinispan.Cache; -import org.keycloak.Config; -import org.keycloak.cluster.ClusterProvider; -import org.keycloak.connections.infinispan.InfinispanConnectionProvider; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakSessionFactory; -import org.keycloak.models.authorization.infinispan.events.AuthorizationInvalidationEvent; -import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider; -import org.keycloak.models.cache.authorization.CachedStoreProviderFactory; -import org.keycloak.provider.EnvironmentDependentProviderFactory; - -/** - * @author Pedro Igor - */ -public class InfinispanStoreProviderFactory implements CachedStoreProviderFactory, EnvironmentDependentProviderFactory { - - private StoreFactoryCacheManager cacheManager; - - @Override - public CachedStoreFactoryProvider create(KeycloakSession session) { - return new InfinispanStoreFactoryProvider(session, cacheManager); - } - - @Override - public void init(Config.Scope config) { - - } - - @Override - public void postInit(KeycloakSessionFactory factory) { - KeycloakSession session = factory.create(); - - try { - InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class); - Cache>> cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME); - ClusterProvider clusterProvider = session.getProvider(ClusterProvider.class); - - cacheManager = new StoreFactoryCacheManager(cache); - - clusterProvider.registerListener(ClusterProvider.ALL, event -> { - if (event instanceof AuthorizationInvalidationEvent) { - cacheManager.invalidate(AuthorizationInvalidationEvent.class.cast(event)); - } - }); - } finally { - if (session != null) { - session.close(); - } - } - } - - @Override - public void close() { - - } - - @Override - public String getId() { - return "infinispan-authz-store-factory"; - } - - @Override - public boolean isSupported() { - return true; - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/StoreFactoryCacheManager.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/StoreFactoryCacheManager.java deleted file mode 100644 index 4fd5f6f750..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/StoreFactoryCacheManager.java +++ /dev/null @@ -1,72 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.keycloak.models.authorization.infinispan; - -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.infinispan.Cache; -import org.keycloak.authorization.model.ResourceServer; -import org.keycloak.cluster.ClusterProvider; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.authorization.infinispan.events.AuthorizationInvalidationEvent; -import org.keycloak.models.authorization.infinispan.events.ResourceServerRemovedEvent; - -/** - * @author Pedro Igor - */ -public class StoreFactoryCacheManager { - - private static final String AUTHORIZATION_UPDATE_TASK_KEY = "authorization-update"; - - private final Cache>> cache; - - StoreFactoryCacheManager(Cache>> cache) { - this.cache = cache; - } - - void invalidate(AuthorizationInvalidationEvent event) { - if (event instanceof ResourceServerRemovedEvent) { - cache.remove(event.getId()); - cache.remove(ResourceServerRemovedEvent.class.cast(event).getClientId()); - } else { - Map> resolveResourceServerCache = resolveResourceServerCache(event.getId()); - - for (String key : event.getInvalidations()) { - resolveResourceServerCache.remove(key); - } - } - } - - public void invalidate(KeycloakSession session, String resourceServerId, Set invalidations) { - getClusterProvider(session).notify(AUTHORIZATION_UPDATE_TASK_KEY, new AuthorizationInvalidationEvent(resourceServerId, invalidations), false); - } - - public Map> resolveResourceServerCache(String id) { - return cache.computeIfAbsent(id, key -> new HashMap<>()); - } - - void removeAll(KeycloakSession session, ResourceServer id) { - getClusterProvider(session).notify(AUTHORIZATION_UPDATE_TASK_KEY, new ResourceServerRemovedEvent(id.getId(), id.getClientId()), false); - } - - private ClusterProvider getClusterProvider(KeycloakSession session) { - return session.getProvider(ClusterProvider.class); - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/events/AuthorizationInvalidationEvent.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/events/AuthorizationInvalidationEvent.java deleted file mode 100644 index 1d449235e3..0000000000 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/events/AuthorizationInvalidationEvent.java +++ /dev/null @@ -1,44 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.keycloak.models.authorization.infinispan.events; - -import java.util.Set; - -import org.keycloak.models.cache.infinispan.events.InvalidationEvent; - -/** - * @author Pedro Igor - */ -public class AuthorizationInvalidationEvent extends InvalidationEvent { - - private final String resourceServerId; - private Set invalidations; - - public AuthorizationInvalidationEvent(String resourceServerId, Set invalidations) { - this.resourceServerId = resourceServerId; - this.invalidations = invalidations; - } - - public Set getInvalidations() { - return invalidations; - } - - @Override - public String getId() { - return resourceServerId; - } -} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/CacheManager.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/CacheManager.java index c254ea7164..c9832ff558 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/CacheManager.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/CacheManager.java @@ -215,7 +215,7 @@ public abstract class CacheManager { } - protected void invalidationEventReceived(InvalidationEvent event) { + public void invalidationEventReceived(InvalidationEvent event) { Set invalidations = new HashSet<>(); addInvalidationsFromEvent(event, invalidations); diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/InfinispanCacheStoreFactoryProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/InfinispanCacheStoreFactoryProviderFactory.java new file mode 100755 index 0000000000..c5dc7fc23a --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/InfinispanCacheStoreFactoryProviderFactory.java @@ -0,0 +1,102 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization; + +import org.infinispan.Cache; +import org.jboss.logging.Logger; +import org.keycloak.Config; +import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.cluster.ClusterEvent; +import org.keycloak.cluster.ClusterProvider; +import org.keycloak.connections.infinispan.InfinispanConnectionProvider; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.KeycloakSessionFactory; +import org.keycloak.models.cache.CacheRealmProvider; +import org.keycloak.models.cache.CacheRealmProviderFactory; +import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider; +import org.keycloak.models.cache.authorization.CachedStoreProviderFactory; +import org.keycloak.models.cache.infinispan.RealmCacheManager; +import org.keycloak.models.cache.infinispan.RealmCacheSession; +import org.keycloak.models.cache.infinispan.entities.Revisioned; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +/** + * @author Bill Burke + * @author Stian Thorgersen + */ +public class InfinispanCacheStoreFactoryProviderFactory implements CachedStoreProviderFactory { + + private static final Logger log = Logger.getLogger(InfinispanCacheStoreFactoryProviderFactory.class); + public static final String AUTHORIZATION_CLEAR_CACHE_EVENTS = "AUTHORIZATION_CLEAR_CACHE_EVENTS"; + + protected volatile StoreFactoryCacheManager storeCache; + + @Override + public CachedStoreFactoryProvider create(KeycloakSession session) { + lazyInit(session); + return new StoreFactoryCacheSession(storeCache, session); + } + + private void lazyInit(KeycloakSession session) { + if (storeCache == null) { + synchronized (this) { + if (storeCache == null) { + Cache cache = session.getProvider(InfinispanConnectionProvider.class).getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME); + Cache revisions = session.getProvider(InfinispanConnectionProvider.class).getCache(InfinispanConnectionProvider.AUTHORIZATION_REVISIONS_CACHE_NAME); + storeCache = new StoreFactoryCacheManager(cache, revisions); + + ClusterProvider cluster = session.getProvider(ClusterProvider.class); + cluster.registerListener(ClusterProvider.ALL, (ClusterEvent event) -> { + + if (event instanceof InvalidationEvent) { + InvalidationEvent invalidationEvent = (InvalidationEvent) event; + storeCache.invalidationEventReceived(invalidationEvent); + } + }); + + cluster.registerListener(AUTHORIZATION_CLEAR_CACHE_EVENTS, (ClusterEvent event) -> { + + storeCache.clear(); + + }); + + log.debug("Registered cluster listeners"); + } + } + } + } + + @Override + public void init(Config.Scope config) { + } + + @Override + public void postInit(KeycloakSessionFactory factory) { + + } + + @Override + public void close() { + } + + @Override + public String getId() { + return "default"; + } + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PolicyAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PolicyAdapter.java new file mode 100644 index 0000000000..a8cd37994c --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PolicyAdapter.java @@ -0,0 +1,280 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan.authorization; + +import org.keycloak.authorization.model.CachedModel; +import org.keycloak.authorization.model.Policy; +import org.keycloak.authorization.model.Resource; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; +import org.keycloak.models.cache.infinispan.authorization.entities.CachedPolicy; +import org.keycloak.representations.idm.authorization.DecisionStrategy; +import org.keycloak.representations.idm.authorization.Logic; + +import java.util.Collections; +import java.util.HashSet; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class PolicyAdapter implements Policy, CachedModel { + protected CachedPolicy cached; + protected StoreFactoryCacheSession cacheSession; + protected Policy updated; + + public PolicyAdapter(CachedPolicy cached, StoreFactoryCacheSession cacheSession) { + this.cached = cached; + this.cacheSession = cacheSession; + } + + @Override + public Policy getDelegateForUpdate() { + if (updated == null) { + cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourceServerId()); + updated = cacheSession.getPolicyStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); + if (updated == null) throw new IllegalStateException("Not found in database"); + } + return updated; + } + + protected boolean invalidated; + + protected void invalidateFlag() { + invalidated = true; + + } + + @Override + public void invalidate() { + invalidated = true; + getDelegateForUpdate(); + } + + @Override + public long getCacheTimestamp() { + return cached.getCacheTimestamp(); + } + + protected boolean isUpdated() { + if (updated != null) return true; + if (!invalidated) return false; + updated = cacheSession.getPolicyStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); + if (updated == null) throw new IllegalStateException("Not found in database"); + return true; + } + + + @Override + public String getId() { + if (isUpdated()) return updated.getId(); + return cached.getId(); + } + + @Override + public String getName() { + if (isUpdated()) return updated.getName(); + return cached.getName(); + } + + @Override + public void setName(String name) { + getDelegateForUpdate(); + updated.setName(name); + + } + + @Override + public ResourceServer getResourceServer() { + return cacheSession.getResourceServerStore().findById(cached.getResourceServerId()); + } + + @Override + public String getType() { + if (isUpdated()) return updated.getType(); + return cached.getType(); + } + + @Override + public DecisionStrategy getDecisionStrategy() { + if (isUpdated()) return updated.getDecisionStrategy(); + return cached.getDecisionStrategy(); + } + + @Override + public void setDecisionStrategy(DecisionStrategy decisionStrategy) { + getDelegateForUpdate(); + updated.setDecisionStrategy(decisionStrategy); + + } + + @Override + public Logic getLogic() { + if (isUpdated()) return updated.getLogic(); + return cached.getLogic(); + } + + @Override + public void setLogic(Logic logic) { + getDelegateForUpdate(); + updated.setLogic(logic); + + } + + @Override + public Map getConfig() { + if (isUpdated()) return updated.getConfig(); + return cached.getConfig(); + } + + @Override + public void setConfig(Map config) { + getDelegateForUpdate(); + updated.setConfig(config); + + } + + @Override + public void removeConfig(String name) { + getDelegateForUpdate(); + updated.removeConfig(name); + + } + + @Override + public void putConfig(String name, String value) { + getDelegateForUpdate(); + updated.putConfig(name, value); + } + + @Override + public String getDescription() { + if (isUpdated()) return updated.getDescription(); + return cached.getDescription(); + } + + @Override + public void setDescription(String description) { + getDelegateForUpdate(); + updated.setDescription(description); + } + + protected Set associatedPolicies; + + @Override + public Set getAssociatedPolicies() { + if (isUpdated()) return updated.getAssociatedPolicies(); + if (associatedPolicies != null) return associatedPolicies; + associatedPolicies = new HashSet<>(); + for (String scopeId : cached.getAssociatedPoliciesIds()) { + associatedPolicies.add(cacheSession.getPolicyStore().findById(scopeId, cached.getResourceServerId())); + } + associatedPolicies = Collections.unmodifiableSet(associatedPolicies); + return associatedPolicies; + } + + protected Set resources; + @Override + public Set getResources() { + if (isUpdated()) return updated.getResources(); + if (resources != null) return resources; + resources = new HashSet<>(); + for (String resourceId : cached.getResourcesIds()) { + resources.add(cacheSession.getResourceStore().findById(resourceId, cached.getResourceServerId())); + } + resources = Collections.unmodifiableSet(resources); + return resources; + } + + @Override + public void addScope(Scope scope) { + getDelegateForUpdate(); + updated.addScope(scope); + + } + + @Override + public void removeScope(Scope scope) { + getDelegateForUpdate(); + updated.removeScope(scope); + + } + + @Override + public void addAssociatedPolicy(Policy associatedPolicy) { + getDelegateForUpdate(); + updated.addAssociatedPolicy(associatedPolicy); + + } + + @Override + public void removeAssociatedPolicy(Policy associatedPolicy) { + getDelegateForUpdate(); + updated.removeAssociatedPolicy(associatedPolicy); + + } + + @Override + public void addResource(Resource resource) { + getDelegateForUpdate(); + updated.addResource(resource); + + } + + @Override + public void removeResource(Resource resource) { + getDelegateForUpdate(); + updated.removeResource(resource); + + } + + protected Set scopes; + + @Override + public Set getScopes() { + if (isUpdated()) return updated.getScopes(); + if (scopes != null) return scopes; + scopes = new HashSet<>(); + for (String scopeId : cached.getScopesIds()) { + scopes.add(cacheSession.getScopeStore().findById(scopeId, cached.getResourceServerId())); + } + scopes = Collections.unmodifiableSet(scopes); + return scopes; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || !(o instanceof Policy)) return false; + + Policy that = (Policy) o; + return that.getId().equals(getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } + + + + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java new file mode 100644 index 0000000000..d44cc7c58d --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java @@ -0,0 +1,184 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan.authorization; + +import org.keycloak.authorization.model.CachedModel; +import org.keycloak.authorization.model.Resource; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; +import org.keycloak.models.cache.infinispan.authorization.entities.CachedResource; + +import java.util.Collections; +import java.util.LinkedList; +import java.util.List; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ResourceAdapter implements Resource, CachedModel { + protected CachedResource cached; + protected StoreFactoryCacheSession cacheSession; + protected Resource updated; + + public ResourceAdapter(CachedResource cached, StoreFactoryCacheSession cacheSession) { + this.cached = cached; + this.cacheSession = cacheSession; + } + + @Override + public Resource getDelegateForUpdate() { + if (updated == null) { + cacheSession.registerResourceInvalidation(cached.getId(), cached.getName(), cached.getResourceServerId()); + updated = cacheSession.getResourceStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); + if (updated == null) throw new IllegalStateException("Not found in database"); + } + return updated; + } + + protected boolean invalidated; + + protected void invalidateFlag() { + invalidated = true; + + } + + @Override + public void invalidate() { + invalidated = true; + getDelegateForUpdate(); + } + + @Override + public long getCacheTimestamp() { + return cached.getCacheTimestamp(); + } + + protected boolean isUpdated() { + if (updated != null) return true; + if (!invalidated) return false; + updated = cacheSession.getResourceStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); + if (updated == null) throw new IllegalStateException("Not found in database"); + return true; + } + + + @Override + public String getId() { + if (isUpdated()) return updated.getId(); + return cached.getId(); + } + + @Override + public String getName() { + if (isUpdated()) return updated.getName(); + return cached.getName(); + } + + @Override + public void setName(String name) { + getDelegateForUpdate(); + updated.setName(name); + + } + + @Override + public String getIconUri() { + if (isUpdated()) return updated.getIconUri(); + return cached.getIconUri(); + } + + @Override + public void setIconUri(String iconUri) { + getDelegateForUpdate(); + updated.setIconUri(iconUri); + + } + + @Override + public ResourceServer getResourceServer() { + return cacheSession.getResourceServerStore().findById(cached.getResourceServerId()); + } + + @Override + public String getUri() { + if (isUpdated()) return updated.getUri(); + return cached.getUri(); + } + + @Override + public void setUri(String uri) { + getDelegateForUpdate(); + updated.setUri(uri); + + } + + @Override + public String getType() { + if (isUpdated()) return updated.getType(); + return cached.getType(); + } + + @Override + public void setType(String type) { + getDelegateForUpdate(); + updated.setType(type); + + } + + protected List scopes; + + @Override + public List getScopes() { + if (isUpdated()) return updated.getScopes(); + if (scopes != null) return scopes; + scopes = new LinkedList<>(); + for (String scopeId : cached.getScopesIds()) { + scopes.add(cacheSession.getScopeStore().findById(scopeId, cached.getResourceServerId())); + } + scopes = Collections.unmodifiableList(scopes); + return scopes; + } + + @Override + public String getOwner() { + if (isUpdated()) return updated.getOwner(); + return cached.getOwner(); + } + + @Override + public void updateScopes(Set scopes) { + getDelegateForUpdate(); + updated.updateScopes(scopes); + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || !(o instanceof Resource)) return false; + + Resource that = (Resource) o; + return that.getId().equals(getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceServerAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceServerAdapter.java new file mode 100644 index 0000000000..bb3ec6cbc0 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceServerAdapter.java @@ -0,0 +1,127 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan.authorization; + +import org.keycloak.authorization.model.CachedModel; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.models.cache.infinispan.authorization.entities.CachedResourceServer; +import org.keycloak.representations.idm.authorization.PolicyEnforcementMode; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ResourceServerAdapter implements ResourceServer, CachedModel { + protected CachedResourceServer cached; + protected StoreFactoryCacheSession cacheSession; + protected ResourceServer updated; + + public ResourceServerAdapter(CachedResourceServer cached, StoreFactoryCacheSession cacheSession) { + this.cached = cached; + this.cacheSession = cacheSession; + } + + @Override + public ResourceServer getDelegateForUpdate() { + if (updated == null) { + cacheSession.registerResourceServerInvalidation(cached.getId(), cached.getClientId()); + updated = cacheSession.getResourceServerStoreDelegate().findById(cached.getId()); + if (updated == null) throw new IllegalStateException("Not found in database"); + } + return updated; + } + + protected boolean invalidated; + + protected void invalidateFlag() { + invalidated = true; + + } + + @Override + public void invalidate() { + invalidated = true; + getDelegateForUpdate(); + } + + @Override + public long getCacheTimestamp() { + return cached.getCacheTimestamp(); + } + + protected boolean isUpdated() { + if (updated != null) return true; + if (!invalidated) return false; + updated = cacheSession.getResourceServerStoreDelegate().findById(cached.getId()); + if (updated == null) throw new IllegalStateException("Not found in database"); + return true; + } + + + @Override + public String getId() { + if (isUpdated()) return updated.getId(); + return cached.getId(); + } + + @Override + public String getClientId() { + if (isUpdated()) return updated.getClientId(); + return cached.getClientId(); + } + + @Override + public boolean isAllowRemoteResourceManagement() { + if (isUpdated()) return updated.isAllowRemoteResourceManagement(); + return cached.isAllowRemoteResourceManagement(); + } + + @Override + public void setAllowRemoteResourceManagement(boolean allowRemoteResourceManagement) { + getDelegateForUpdate(); + updated.setAllowRemoteResourceManagement(allowRemoteResourceManagement); + } + + @Override + public PolicyEnforcementMode getPolicyEnforcementMode() { + if (isUpdated()) return updated.getPolicyEnforcementMode(); + return cached.getPolicyEnforcementMode(); + } + + @Override + public void setPolicyEnforcementMode(PolicyEnforcementMode enforcementMode) { + getDelegateForUpdate(); + updated.setPolicyEnforcementMode(enforcementMode); + + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || !(o instanceof ResourceServer)) return false; + + ResourceServer that = (ResourceServer) o; + return that.getId().equals(getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } + + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java new file mode 100644 index 0000000000..d90b27a19f --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java @@ -0,0 +1,127 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan.authorization; + +import org.keycloak.authorization.model.CachedModel; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; +import org.keycloak.models.cache.infinispan.authorization.entities.CachedScope; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ScopeAdapter implements Scope, CachedModel { + protected CachedScope cached; + protected StoreFactoryCacheSession cacheSession; + protected Scope updated; + + public ScopeAdapter(CachedScope cached, StoreFactoryCacheSession cacheSession) { + this.cached = cached; + this.cacheSession = cacheSession; + } + + @Override + public Scope getDelegateForUpdate() { + if (updated == null) { + cacheSession.registerScopeInvalidation(cached.getId(), cached.getName(), cached.getResourceServerId()); + updated = cacheSession.getScopeStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); + if (updated == null) throw new IllegalStateException("Not found in database"); + } + return updated; + } + + protected boolean invalidated; + + protected void invalidateFlag() { + invalidated = true; + + } + + @Override + public void invalidate() { + invalidated = true; + getDelegateForUpdate(); + } + + @Override + public long getCacheTimestamp() { + return cached.getCacheTimestamp(); + } + + protected boolean isUpdated() { + if (updated != null) return true; + if (!invalidated) return false; + updated = cacheSession.getScopeStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); + if (updated == null) throw new IllegalStateException("Not found in database"); + return true; + } + + + @Override + public String getId() { + if (isUpdated()) return updated.getId(); + return cached.getId(); + } + + @Override + public String getName() { + if (isUpdated()) return updated.getName(); + return cached.getName(); + } + + @Override + public void setName(String name) { + getDelegateForUpdate(); + updated.setName(name); + + } + + @Override + public String getIconUri() { + if (isUpdated()) return updated.getIconUri(); + return cached.getIconUri(); + } + + @Override + public void setIconUri(String iconUri) { + getDelegateForUpdate(); + updated.setIconUri(iconUri); + + } + + @Override + public ResourceServer getResourceServer() { + return cacheSession.getResourceServerStore().findById(cached.getResourceServerId()); + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || !(o instanceof Scope)) return false; + + Scope that = (Scope) o; + return that.getId().equals(getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } + + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheManager.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheManager.java new file mode 100644 index 0000000000..2c86648737 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheManager.java @@ -0,0 +1,93 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan.authorization; + +import org.infinispan.Cache; +import org.jboss.logging.Logger; +import org.keycloak.models.cache.infinispan.CacheManager; +import org.keycloak.models.cache.infinispan.RealmCacheManager; +import org.keycloak.models.cache.infinispan.authorization.events.AuthorizationCacheInvalidationEvent; +import org.keycloak.models.cache.infinispan.authorization.stream.InResourceServerPredicate; +import org.keycloak.models.cache.infinispan.entities.Revisioned; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class StoreFactoryCacheManager extends CacheManager { + private static final Logger logger = Logger.getLogger(RealmCacheManager.class); + + public StoreFactoryCacheManager(Cache cache, Cache revisions) { + super(cache, revisions); + } + @Override + protected Logger getLogger() { + return logger; + } + + @Override + protected void addInvalidationsFromEvent(InvalidationEvent event, Set invalidations) { + if (event instanceof AuthorizationCacheInvalidationEvent) { + invalidations.add(event.getId()); + + ((AuthorizationCacheInvalidationEvent) event).addInvalidations(this, invalidations); + } + } + + public void resourceServerUpdated(String id, String clientId, Set invalidations) { + invalidations.add(id); + invalidations.add(StoreFactoryCacheSession.getResourceServerByClientCacheKey(clientId)); + } + + public void resourceServerRemoval(String id, String name, Set invalidations) { + resourceServerUpdated(id, name, invalidations); + + addInvalidations(InResourceServerPredicate.create().resourceServer(id), invalidations); + } + + public void scopeUpdated(String id, String name, String serverId, Set invalidations) { + invalidations.add(id); + invalidations.add(StoreFactoryCacheSession.getScopeByNameCacheKey(name, serverId)); + } + + public void scopeRemoval(String id, String name, String serverId, Set invalidations) { + scopeUpdated(id, name, serverId, invalidations); + } + + public void resourceUpdated(String id, String name, String serverId, Set invalidations) { + invalidations.add(id); + invalidations.add(StoreFactoryCacheSession.getResourceByNameCacheKey(name, serverId)); + } + + public void resourceRemoval(String id, String name, String serverId, Set invalidations) { + resourceUpdated(id, name, serverId, invalidations); + } + + public void policyUpdated(String id, String name, String serverId, Set invalidations) { + invalidations.add(id); + invalidations.add(StoreFactoryCacheSession.getPolicyByNameCacheKey(name, serverId)); + } + + public void policyRemoval(String id, String name, String serverId, Set invalidations) { + policyUpdated(id, name, serverId, invalidations); + } + + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java new file mode 100644 index 0000000000..87f311b707 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java @@ -0,0 +1,667 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan.authorization; + +import org.jboss.logging.Logger; +import org.keycloak.authorization.model.Policy; +import org.keycloak.authorization.model.Resource; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; +import org.keycloak.authorization.store.PolicyStore; +import org.keycloak.authorization.store.ResourceServerStore; +import org.keycloak.authorization.store.ResourceStore; +import org.keycloak.authorization.store.ScopeStore; +import org.keycloak.authorization.store.StoreFactory; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.KeycloakTransaction; +import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider; +import org.keycloak.models.cache.infinispan.authorization.entities.CachedPolicy; +import org.keycloak.models.cache.infinispan.authorization.entities.CachedResource; +import org.keycloak.models.cache.infinispan.authorization.entities.CachedResourceServer; +import org.keycloak.models.cache.infinispan.authorization.entities.CachedScope; +import org.keycloak.models.cache.infinispan.authorization.entities.PolicyListQuery; +import org.keycloak.models.cache.infinispan.authorization.entities.ResourceListQuery; +import org.keycloak.models.cache.infinispan.authorization.entities.ResourceServerListQuery; +import org.keycloak.models.cache.infinispan.authorization.entities.ScopeListQuery; +import org.keycloak.models.cache.infinispan.authorization.events.PolicyRemovedEvent; +import org.keycloak.models.cache.infinispan.authorization.events.PolicyUpdatedEvent; +import org.keycloak.models.cache.infinispan.authorization.events.ResourceRemovedEvent; +import org.keycloak.models.cache.infinispan.authorization.events.ResourceServerRemovedEvent; +import org.keycloak.models.cache.infinispan.authorization.events.ResourceServerUpdatedEvent; +import org.keycloak.models.cache.infinispan.authorization.events.ResourceUpdatedEvent; +import org.keycloak.models.cache.infinispan.authorization.events.ScopeRemovedEvent; +import org.keycloak.models.cache.infinispan.authorization.events.ScopeUpdatedEvent; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; +import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { + protected static final Logger logger = Logger.getLogger(StoreFactoryCacheSession.class); + + protected StoreFactoryCacheManager cache; + protected boolean transactionActive; + protected boolean setRollbackOnly; + + protected Map managedResourceServers = new HashMap<>(); + protected Map managedScopes = new HashMap<>(); + protected Map managedResources = new HashMap<>(); + protected Map managedPolicies = new HashMap<>(); + protected Set invalidations = new HashSet<>(); + protected Set invalidationEvents = new HashSet<>(); // Events to be sent across cluster + + protected boolean clearAll; + protected final long startupRevision; + protected StoreFactory delegate; + protected KeycloakSession session; + protected ResourceServerCache resourceServerCache; + protected ScopeCache scopeCache; + protected ResourceCache resourceCache; + protected PolicyCache policyCache; + + public StoreFactoryCacheSession(StoreFactoryCacheManager cache, KeycloakSession session) { + this.cache = cache; + this.startupRevision = cache.getCurrentCounter(); + this.session = session; + this.resourceServerCache = new ResourceServerCache(); + this.scopeCache = new ScopeCache(); + this.resourceCache = new ResourceCache(); + this.policyCache = new PolicyCache(); + session.getTransactionManager().enlistPrepare(getPrepareTransaction()); + session.getTransactionManager().enlistAfterCompletion(getAfterTransaction()); + } + + @Override + public ResourceServerStore getResourceServerStore() { + return resourceServerCache; + } + + @Override + public ScopeStore getScopeStore() { + return scopeCache; + } + + @Override + public ResourceStore getResourceStore() { + return resourceCache; + } + + @Override + public PolicyStore getPolicyStore() { + return policyCache; + } + + public void close() { + } + + private KeycloakTransaction getPrepareTransaction() { + return new KeycloakTransaction() { + @Override + public void begin() { + transactionActive = true; + } + + @Override + public void commit() { + } + + @Override + public void rollback() { + setRollbackOnly = true; + transactionActive = false; + } + + @Override + public void setRollbackOnly() { + setRollbackOnly = true; + } + + @Override + public boolean getRollbackOnly() { + return setRollbackOnly; + } + + @Override + public boolean isActive() { + return transactionActive; + } + }; + } + + private KeycloakTransaction getAfterTransaction() { + return new KeycloakTransaction() { + @Override + public void begin() { + transactionActive = true; + } + + @Override + public void commit() { + try { + if (getDelegate() == null) return; + if (clearAll) { + cache.clear(); + } + runInvalidations(); + transactionActive = false; + } finally { + cache.endRevisionBatch(); + } + } + + @Override + public void rollback() { + try { + setRollbackOnly = true; + runInvalidations(); + transactionActive = false; + } finally { + cache.endRevisionBatch(); + } + } + + @Override + public void setRollbackOnly() { + setRollbackOnly = true; + } + + @Override + public boolean getRollbackOnly() { + return setRollbackOnly; + } + + @Override + public boolean isActive() { + return transactionActive; + } + }; + } + + protected void runInvalidations() { + for (String id : invalidations) { + cache.invalidateObject(id); + } + + cache.sendInvalidationEvents(session, invalidationEvents); + } + + + + public long getStartupRevision() { + return startupRevision; + } + + public boolean isInvalid(String id) { + return invalidations.contains(id); + } + + public void registerResourceServerInvalidation(String id, String clientId) { + cache.resourceServerUpdated(id, clientId, invalidations); + ResourceServerAdapter adapter = managedResourceServers.get(id); + if (adapter != null) adapter.invalidateFlag(); + + invalidationEvents.add(ResourceServerUpdatedEvent.create(id, clientId)); + } + + public void registerScopeInvalidation(String id, String name, String serverId) { + cache.scopeUpdated(id, name, serverId, invalidations); + ScopeAdapter adapter = managedScopes.get(id); + if (adapter != null) adapter.invalidateFlag(); + + invalidationEvents.add(ScopeUpdatedEvent.create(id, name, serverId)); + } + + public void registerResourceInvalidation(String id, String name, String serverId) { + cache.resourceUpdated(id, name, serverId, invalidations); + ResourceAdapter adapter = managedResources.get(id); + if (adapter != null) adapter.invalidateFlag(); + + invalidationEvents.add(ResourceUpdatedEvent.create(id, name, serverId)); + } + + public void registerPolicyInvalidation(String id, String name, String serverId) { + cache.policyUpdated(id, name, serverId, invalidations); + PolicyAdapter adapter = managedPolicies.get(id); + if (adapter != null) adapter.invalidateFlag(); + + invalidationEvents.add(PolicyUpdatedEvent.create(id, name, serverId)); + } + + public ResourceServerStore getResourceServerStoreDelegate() { + return getDelegate().getResourceServerStore(); + } + + public ScopeStore getScopeStoreDelegate() { + return getDelegate().getScopeStore(); + } + + public ResourceStore getResourceStoreDelegate() { + return getDelegate().getResourceStore(); + } + + public PolicyStore getPolicyStoreDelegate() { + return getDelegate().getPolicyStore(); + } + + public static String getResourceServerByClientCacheKey(String clientId) { + return "resource.server.client.id." + clientId; + } + + public static String getScopeByNameCacheKey(String name, String serverId) { + return "scope.name." + name + "." + serverId; + } + + public static String getResourceByNameCacheKey(String name, String serverId) { + return "resource.name." + name + "." + serverId; + } + + public static String getPolicyByNameCacheKey(String name, String serverId) { + return "policy.name." + name + "." + serverId; + } + + public StoreFactory getDelegate() { + if (delegate != null) return delegate; + delegate = session.getProvider(StoreFactory.class); + return delegate; + } + + + protected class ResourceServerCache implements ResourceServerStore { + @Override + public ResourceServer create(String clientId) { + ResourceServer server = getResourceServerStoreDelegate().create(clientId); + registerResourceServerInvalidation(server.getId(), server.getClientId()); + return server; + } + + @Override + public void delete(String id) { + if (id == null) return; + ResourceServer server = findById(id); + if (server == null) return; + + cache.invalidateObject(id); + invalidationEvents.add(ResourceServerRemovedEvent.create(id, server.getClientId())); + cache.resourceServerRemoval(id, server.getClientId(), invalidations); + getResourceServerStoreDelegate().delete(id); + + } + + @Override + public ResourceServer findById(String id) { + if (id == null) return null; + CachedResourceServer cached = cache.get(id, CachedResourceServer.class); + if (cached != null) { + logger.tracev("by id cache hit: {0}", cached.getId()); + } + boolean wasCached = false; + if (cached == null) { + Long loaded = cache.getCurrentRevision(id); + ResourceServer model = getResourceServerStoreDelegate().findById(id); + if (model == null) return null; + if (invalidations.contains(id)) return model; + cached = new CachedResourceServer(loaded, model); + cache.addRevisioned(cached, startupRevision); + wasCached =true; + } else if (invalidations.contains(id)) { + return getResourceServerStoreDelegate().findById(id); + } else if (managedResourceServers.containsKey(id)) { + return managedResourceServers.get(id); + } + ResourceServerAdapter adapter = new ResourceServerAdapter(cached, StoreFactoryCacheSession.this); + managedResourceServers.put(id, adapter); + return adapter; + } + + + @Override + public ResourceServer findByClient(String clientId) { + String cacheKey = getResourceServerByClientCacheKey(clientId); + ResourceServerListQuery query = cache.get(cacheKey, ResourceServerListQuery.class); + if (query != null) { + logger.tracev("ResourceServer by clientId cache hit: {0}", clientId); + } + if (query == null) { + Long loaded = cache.getCurrentRevision(cacheKey); + ResourceServer model = getResourceServerStoreDelegate().findByClient(clientId); + if (model == null) return null; + if (invalidations.contains(model.getId())) return model; + query = new ResourceServerListQuery(loaded, cacheKey, model.getId()); + cache.addRevisioned(query, startupRevision); + return model; + } else if (invalidations.contains(cacheKey)) { + return getResourceServerStoreDelegate().findByClient(clientId); + } else { + String serverId = query.getResourceServers().iterator().next(); + if (invalidations.contains(serverId)) { + return getResourceServerStoreDelegate().findByClient(clientId); + } + return findById(serverId); + } + } + } + + protected class ScopeCache implements ScopeStore { + @Override + public Scope create(String name, ResourceServer resourceServer) { + Scope scope = getScopeStoreDelegate().create(name, resourceServer); + registerScopeInvalidation(scope.getId(), scope.getName(), resourceServer.getId()); + return scope; + } + + @Override + public void delete(String id) { + if (id == null) return; + Scope scope = findById(id, null); + if (scope == null) return; + + cache.invalidateObject(id); + invalidationEvents.add(ScopeRemovedEvent.create(id, scope.getName(), scope.getResourceServer().getId())); + cache.scopeRemoval(id, scope.getName(), scope.getResourceServer().getId(), invalidations); + getScopeStoreDelegate().delete(id); + } + + @Override + public Scope findById(String id, String resourceServerId) { + if (id == null) return null; + CachedScope cached = cache.get(id, CachedScope.class); + if (cached != null) { + logger.tracev("by id cache hit: {0}", cached.getId()); + } + boolean wasCached = false; + if (cached == null) { + Long loaded = cache.getCurrentRevision(id); + Scope model = getScopeStoreDelegate().findById(id, resourceServerId); + if (model == null) return null; + if (invalidations.contains(id)) return model; + cached = new CachedScope(loaded, model); + cache.addRevisioned(cached, startupRevision); + wasCached =true; + } else if (invalidations.contains(id)) { + return getScopeStoreDelegate().findById(id, resourceServerId); + } else if (managedScopes.containsKey(id)) { + return managedScopes.get(id); + } + ScopeAdapter adapter = new ScopeAdapter(cached, StoreFactoryCacheSession.this); + managedScopes.put(id, adapter); + return adapter; + } + + @Override + public Scope findByName(String name, String resourceServerId) { + if (name == null) return null; + String cacheKey = getScopeByNameCacheKey(name, resourceServerId); + ScopeListQuery query = cache.get(cacheKey, ScopeListQuery.class); + if (query != null) { + logger.tracev("scope by name cache hit: {0}", name); + } + if (query == null) { + Long loaded = cache.getCurrentRevision(cacheKey); + Scope model = getScopeStoreDelegate().findByName(name, resourceServerId); + if (model == null) return null; + if (invalidations.contains(model.getId())) return model; + query = new ScopeListQuery(loaded, cacheKey, model.getId(), resourceServerId); + cache.addRevisioned(query, startupRevision); + return model; + } else if (invalidations.contains(cacheKey)) { + return getScopeStoreDelegate().findByName(name, resourceServerId); + } else { + String id = query.getScopes().iterator().next(); + if (invalidations.contains(id)) { + return getScopeStoreDelegate().findByName(name, resourceServerId); + } + return findById(id, query.getResourceServerId()); + } + } + + @Override + public List findByResourceServer(String id) { + return getScopeStoreDelegate().findByResourceServer(id); + } + + @Override + public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { + return getScopeStoreDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); + } + } + + protected class ResourceCache implements ResourceStore { + @Override + public Resource create(String name, ResourceServer resourceServer, String owner) { + Resource resource = getResourceStoreDelegate().create(name, resourceServer, owner); + registerResourceInvalidation(resource.getId(), resource.getName(), resourceServer.getId()); + return resource; + } + + @Override + public void delete(String id) { + if (id == null) return; + Resource resource = findById(id, null); + if (resource == null) return; + + cache.invalidateObject(id); + invalidationEvents.add(ResourceRemovedEvent.create(id, resource.getName(), resource.getResourceServer().getId())); + cache.resourceRemoval(id, resource.getName(), resource.getResourceServer().getId(), invalidations); + getResourceStoreDelegate().delete(id); + + } + + @Override + public Resource findById(String id, String resourceServerId) { + if (id == null) return null; + CachedResource cached = cache.get(id, CachedResource.class); + if (cached != null) { + logger.tracev("by id cache hit: {0}", cached.getId()); + } + boolean wasCached = false; + if (cached == null) { + Long loaded = cache.getCurrentRevision(id); + Resource model = getResourceStoreDelegate().findById(id, resourceServerId); + if (model == null) return null; + if (invalidations.contains(id)) return model; + cached = new CachedResource(loaded, model); + cache.addRevisioned(cached, startupRevision); + wasCached =true; + } else if (invalidations.contains(id)) { + return getResourceStoreDelegate().findById(id, resourceServerId); + } else if (managedResources.containsKey(id)) { + return managedResources.get(id); + } + ResourceAdapter adapter = new ResourceAdapter(cached, StoreFactoryCacheSession.this); + managedResources.put(id, adapter); + return adapter; + } + + @Override + public Resource findByName(String name, String resourceServerId) { + if (name == null) return null; + String cacheKey = getResourceByNameCacheKey(name, resourceServerId); + ResourceListQuery query = cache.get(cacheKey, ResourceListQuery.class); + if (query != null) { + logger.tracev("resource by name cache hit: {0}", name); + } + if (query == null) { + Long loaded = cache.getCurrentRevision(cacheKey); + Resource model = getResourceStoreDelegate().findByName(name, resourceServerId); + if (model == null) return null; + if (invalidations.contains(model.getId())) return model; + query = new ResourceListQuery(loaded, cacheKey, model.getId(), resourceServerId); + cache.addRevisioned(query, startupRevision); + return model; + } else if (invalidations.contains(cacheKey)) { + return getResourceStoreDelegate().findByName(name, resourceServerId); + } else { + String id = query.getResources().iterator().next(); + if (invalidations.contains(id)) { + return getResourceStoreDelegate().findByName(name, resourceServerId); + } + return findById(id, query.getResourceServerId()); + } + } + + @Override + public List findByOwner(String ownerId, String resourceServerId) { + return getResourceStoreDelegate().findByOwner(ownerId, resourceServerId); + } + + @Override + public List findByUri(String uri, String resourceServerId) { + return getResourceStoreDelegate().findByUri(uri, resourceServerId); + } + + @Override + public List findByResourceServer(String resourceServerId) { + return getResourceStoreDelegate().findByResourceServer(resourceServerId); + } + + @Override + public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { + return getResourceStoreDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); + } + + @Override + public List findByScope(List ids, String resourceServerId) { + return getResourceStoreDelegate().findByScope(ids, resourceServerId); + } + + @Override + public List findByType(String type, String resourceServerId) { + return getResourceStoreDelegate().findByType(type, resourceServerId); + } + } + + protected class PolicyCache implements PolicyStore { + @Override + public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) { + Policy resource = getPolicyStoreDelegate().create(representation, resourceServer); + registerPolicyInvalidation(resource.getId(), resource.getName(), resourceServer.getId()); + return resource; + } + + @Override + public void delete(String id) { + if (id == null) return; + Policy policy = findById(id, null); + if (policy == null) return; + + cache.invalidateObject(id); + invalidationEvents.add(PolicyRemovedEvent.create(id, policy.getName(), policy.getResourceServer().getId())); + cache.policyRemoval(id, policy.getName(), policy.getResourceServer().getId(), invalidations); + getPolicyStoreDelegate().delete(id); + + } + + @Override + public Policy findById(String id, String resourceServerId) { + if (id == null) return null; + + CachedPolicy cached = cache.get(id, CachedPolicy.class); + if (cached != null) { + logger.tracev("by id cache hit: {0}", cached.getId()); + } + boolean wasCached = false; + if (cached == null) { + Long loaded = cache.getCurrentRevision(id); + Policy model = getPolicyStoreDelegate().findById(id, resourceServerId); + if (model == null) return null; + if (invalidations.contains(id)) return model; + cached = new CachedPolicy(loaded, model); + cache.addRevisioned(cached, startupRevision); + wasCached =true; + } else if (invalidations.contains(id)) { + return getPolicyStoreDelegate().findById(id, resourceServerId); + } else if (managedPolicies.containsKey(id)) { + return managedPolicies.get(id); + } + PolicyAdapter adapter = new PolicyAdapter(cached, StoreFactoryCacheSession.this); + managedPolicies.put(id, adapter); + return adapter; + } + + @Override + public Policy findByName(String name, String resourceServerId) { + if (name == null) return null; + String cacheKey = getPolicyByNameCacheKey(name, resourceServerId); + PolicyListQuery query = cache.get(cacheKey, PolicyListQuery.class); + if (query != null) { + logger.tracev("policy by name cache hit: {0}", name); + } + if (query == null) { + Long loaded = cache.getCurrentRevision(cacheKey); + Policy model = getPolicyStoreDelegate().findByName(name, resourceServerId); + if (model == null) return null; + if (invalidations.contains(model.getId())) return model; + query = new PolicyListQuery(loaded, cacheKey, model.getId(), resourceServerId); + cache.addRevisioned(query, startupRevision); + return model; + } else if (invalidations.contains(cacheKey)) { + return getPolicyStoreDelegate().findByName(name, resourceServerId); + } else { + String id = query.getPolicies().iterator().next(); + if (invalidations.contains(id)) { + return getPolicyStoreDelegate().findByName(name, resourceServerId); + } + return findById(id, query.getResourceServerId()); + } + } + + @Override + public List findByResourceServer(String resourceServerId) { + return getPolicyStoreDelegate().findByResourceServer(resourceServerId); + } + + @Override + public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { + return getPolicyStoreDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); + } + + @Override + public List findByResource(String resourceId, String resourceServerId) { + return getPolicyStoreDelegate().findByResource(resourceId, resourceServerId); + } + + @Override + public List findByResourceType(String resourceType, String resourceServerId) { + return getPolicyStoreDelegate().findByResourceType(resourceType, resourceServerId); + } + + @Override + public List findByScopeIds(List scopeIds, String resourceServerId) { + return getPolicyStoreDelegate().findByScopeIds(scopeIds, resourceServerId); + } + + @Override + public List findByType(String type, String resourceServerId) { + return getPolicyStoreDelegate().findByType(type, resourceServerId); + } + + @Override + public List findDependentPolicies(String id, String resourceServerId) { + return getPolicyStoreDelegate().findDependentPolicies(id, resourceServerId); + } + } + + +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedPolicy.java similarity index 53% rename from model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java rename to model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedPolicy.java index c7bef79092..0ea771b172 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedPolicy.java @@ -16,12 +16,13 @@ * limitations under the License. */ -package org.keycloak.models.authorization.infinispan.entities; +package org.keycloak.models.cache.infinispan.authorization.entities; import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.Scope; +import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned; import org.keycloak.representations.idm.authorization.DecisionStrategy; import org.keycloak.representations.idm.authorization.Logic; @@ -34,11 +35,8 @@ import java.util.stream.Collectors; /** * @author Pedro Igor */ -public class CachedPolicy implements Policy, Serializable { +public class CachedPolicy extends AbstractRevisioned implements InResourceServer { - private static final long serialVersionUID = -144247681046298128L; - - private String id; private String type; private DecisionStrategy decisionStrategy; private Logic logic; @@ -50,8 +48,8 @@ public class CachedPolicy implements Policy, Serializable { private Set resourcesIds; private Set scopesIds; - public CachedPolicy(Policy policy) { - this.id = policy.getId(); + public CachedPolicy(Long revision, Policy policy) { + super(revision, policy.getId()); this.type = policy.getType(); this.decisionStrategy = policy.getDecisionStrategy(); this.logic = policy.getLogic(); @@ -64,120 +62,30 @@ public class CachedPolicy implements Policy, Serializable { this.scopesIds = policy.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()); } - public CachedPolicy(String id) { - this.id = id; - } - - @Override - public String getId() { - return this.id; - } - - @Override public String getType() { return this.type; } - @Override public DecisionStrategy getDecisionStrategy() { return this.decisionStrategy; } - @Override - public void setDecisionStrategy(DecisionStrategy decisionStrategy) { - this.decisionStrategy = decisionStrategy; - } - - @Override public Logic getLogic() { return this.logic; } - @Override - public void setLogic(Logic logic) { - this.logic = logic; - } - - @Override public Map getConfig() { return this.config; } - @Override - public void setConfig(Map config) { - this.config = config; - } - - @Override public String getName() { return this.name; } - @Override - public void setName(String name) { - this.name = name; - } - - @Override public String getDescription() { return this.description; } - @Override - public void setDescription(String description) { - this.description = description; - } - - @Override - public ResourceServer getResourceServer() { - throw new RuntimeException("Not implemented"); - } - - @Override - public void addScope(Scope scope) { - this.scopesIds.add(scope.getId()); - } - - @Override - public void removeScope(Scope scope) { - this.scopesIds.remove(scope.getId()); - } - - @Override - public void addAssociatedPolicy(Policy associatedPolicy) { - this.associatedPoliciesIds.add(associatedPolicy.getId()); - } - - @Override - public void removeAssociatedPolicy(Policy associatedPolicy) { - this.associatedPoliciesIds.remove(associatedPolicy.getId()); - } - - @Override - public void addResource(Resource resource) { - this.resourcesIds.add(resource.getId()); - } - - @Override - public void removeResource(Resource resource) { - this.resourcesIds.remove(resource.getId()); - } - - @Override - public Set getAssociatedPolicies() { - throw new RuntimeException("Not implemented"); - } - - @Override - public Set getResources() { - throw new RuntimeException("Not implemented"); - } - - @Override - public Set getScopes() { - throw new RuntimeException("Not implemented"); - } - public Set getAssociatedPoliciesIds() { return this.associatedPoliciesIds; } @@ -194,24 +102,4 @@ public class CachedPolicy implements Policy, Serializable { return this.resourceServerId; } - @Override - public boolean equals(Object o) { - if (o == this) return true; - - if (this.id == null) return false; - - if (o == null || getClass() != o.getClass()) return false; - - Policy that = (Policy) o; - - if (!getId().equals(that.getId())) return false; - - return true; - - } - - @Override - public int hashCode() { - return id!=null ? id.hashCode() : super.hashCode(); - } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedResource.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResource.java similarity index 61% rename from model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedResource.java rename to model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResource.java index ee1212f703..584d311507 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedResource.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResource.java @@ -16,11 +16,12 @@ * limitations under the License. */ -package org.keycloak.models.authorization.infinispan.entities; +package org.keycloak.models.cache.infinispan.authorization.entities; import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.Scope; +import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned; import java.io.Serializable; import java.util.List; @@ -30,11 +31,8 @@ import java.util.stream.Collectors; /** * @author Pedro Igor */ -public class CachedResource implements Resource, Serializable { +public class CachedResource extends AbstractRevisioned implements InResourceServer { - private static final long serialVersionUID = -6886179034626995165L; - - private final String id; private String resourceServerId; private String iconUri; private String owner; @@ -43,8 +41,8 @@ public class CachedResource implements Resource, Serializable { private String uri; private Set scopesIds; - public CachedResource(Resource resource) { - this.id = resource.getId(); + public CachedResource(Long revision, Resource resource) { + super(revision, resource.getId()); this.name = resource.getName(); this.uri = resource.getUri(); this.type = resource.getType(); @@ -54,76 +52,27 @@ public class CachedResource implements Resource, Serializable { this.scopesIds = resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()); } - public CachedResource(String id) { - this.id = id; - } - @Override - public String getId() { - return this.id; - } - - @Override public String getName() { return this.name; } - @Override - public void setName(String name) { - this.name = name; - } - - @Override public String getUri() { return this.uri; } - @Override - public void setUri(String uri) { - this.uri = uri; - } - - @Override public String getType() { return this.type; } - @Override - public void setType(String type) { - this.type = type; - } - - @Override - public List getScopes() { - throw new RuntimeException("Not implemented"); - } - - @Override public String getIconUri() { return this.iconUri; } - @Override - public void setIconUri(String iconUri) { - this.iconUri = iconUri; - } - - @Override - public ResourceServer getResourceServer() { - throw new RuntimeException("Not implemented"); - } - - @Override public String getOwner() { return this.owner; } - @Override - public void updateScopes(Set scopes) { - this.scopesIds.clear(); - this.scopesIds.addAll(scopes.stream().map(Scope::getId).collect(Collectors.toSet())); - } - public String getResourceServerId() { return this.resourceServerId; } diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedResourceServer.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResourceServer.java similarity index 64% rename from model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedResourceServer.java rename to model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResourceServer.java index 7dab0b20eb..7dfb5fbf86 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedResourceServer.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResourceServer.java @@ -16,9 +16,10 @@ * limitations under the License. */ -package org.keycloak.models.authorization.infinispan.entities; +package org.keycloak.models.cache.infinispan.authorization.entities; import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned; import org.keycloak.representations.idm.authorization.PolicyEnforcementMode; import java.io.Serializable; @@ -26,53 +27,30 @@ import java.io.Serializable; /** * @author Pedro Igor */ -public class CachedResourceServer implements ResourceServer, Serializable { +public class CachedResourceServer extends AbstractRevisioned { - private static final long serialVersionUID = 5054253390723121289L; - - private final String id; private String clientId; private boolean allowRemoteResourceManagement; private PolicyEnforcementMode policyEnforcementMode; - public CachedResourceServer(ResourceServer resourceServer) { - this.id = resourceServer.getId(); + public CachedResourceServer(Long revision, ResourceServer resourceServer) { + super(revision, resourceServer.getId()); this.clientId = resourceServer.getClientId(); this.allowRemoteResourceManagement = resourceServer.isAllowRemoteResourceManagement(); this.policyEnforcementMode = resourceServer.getPolicyEnforcementMode(); } - public CachedResourceServer(String id) { - this.id = id; - } - @Override - public String getId() { - return this.id; - } - - @Override public String getClientId() { return this.clientId; } - @Override public boolean isAllowRemoteResourceManagement() { return this.allowRemoteResourceManagement; } - @Override - public void setAllowRemoteResourceManagement(boolean allowRemoteResourceManagement) { - this.allowRemoteResourceManagement = allowRemoteResourceManagement; - } - - @Override public PolicyEnforcementMode getPolicyEnforcementMode() { return this.policyEnforcementMode; } - @Override - public void setPolicyEnforcementMode(PolicyEnforcementMode enforcementMode) { - this.policyEnforcementMode = enforcementMode; - } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedScope.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedScope.java similarity index 56% rename from model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedScope.java rename to model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedScope.java index 3e931d8e60..0519805c6a 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedScope.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedScope.java @@ -16,10 +16,11 @@ * limitations under the License. */ -package org.keycloak.models.authorization.infinispan.entities; +package org.keycloak.models.cache.infinispan.authorization.entities; import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.Scope; +import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned; import java.io.Serializable; import java.util.Objects; @@ -27,70 +28,30 @@ import java.util.Objects; /** * @author Pedro Igor */ -public class CachedScope implements Scope, Serializable { +public class CachedScope extends AbstractRevisioned implements InResourceServer { - private static final long serialVersionUID = -3919706923417065454L; - - private final String id; private String resourceServerId; private String name; private String iconUri; - public CachedScope(Scope scope) { - this.id = scope.getId(); + public CachedScope(Long revision, Scope scope) { + super(revision, scope.getId()); this.name = scope.getName(); this.iconUri = scope.getIconUri(); this.resourceServerId = scope.getResourceServer().getId(); } - public CachedScope(String id) { - this.id = id; - } - - @Override - public String getId() { - return this.id; - } - - @Override public String getName() { return this.name; } - @Override - public void setName(String name) { - this.name = name; - } - - @Override public String getIconUri() { return this.iconUri; } @Override - public void setIconUri(String iconUri) { - this.iconUri = iconUri; - } - - @Override - public ResourceServer getResourceServer() { - throw new RuntimeException("Not implemented"); - } - public String getResourceServerId() { return this.resourceServerId; } - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || !Scope.class.isInstance(o)) return false; - Scope that = (Scope) o; - return Objects.equals(id, that.getId()); - } - - @Override - public int hashCode() { - return Objects.hash(id); - } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/InResourceServer.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/InResourceServer.java new file mode 100644 index 0000000000..807588e44f --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/InResourceServer.java @@ -0,0 +1,25 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.models.cache.infinispan.authorization.entities; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public interface InResourceServer { + String getResourceServerId(); +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/PolicyListQuery.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/PolicyListQuery.java new file mode 100755 index 0000000000..1cbf044d01 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/PolicyListQuery.java @@ -0,0 +1,36 @@ +package org.keycloak.models.cache.infinispan.authorization.entities; + +import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned; + +import java.util.HashSet; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class PolicyListQuery extends AbstractRevisioned implements InResourceServer { + private final Set policies; + private final String serverId; + + public PolicyListQuery(Long revision, String id, String policyId, String serverId) { + super(revision, id); + this.serverId = serverId; + policies = new HashSet<>(); + policies.add(policyId); + } + public PolicyListQuery(Long revision, String id, Set policies, String serverId) { + super(revision, id); + this.serverId = serverId; + this.policies = policies; + } + + @Override + public String getResourceServerId() { + return serverId; + } + + public Set getPolicies() { + return policies; + } +} \ No newline at end of file diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ResourceListQuery.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ResourceListQuery.java new file mode 100755 index 0000000000..d322b62c02 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ResourceListQuery.java @@ -0,0 +1,36 @@ +package org.keycloak.models.cache.infinispan.authorization.entities; + +import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned; + +import java.util.HashSet; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ResourceListQuery extends AbstractRevisioned implements InResourceServer { + private final Set resources; + private final String serverId; + + public ResourceListQuery(Long revision, String id, String resourceId, String serverId) { + super(revision, id); + this.serverId = serverId; + resources = new HashSet<>(); + resources.add(resourceId); + } + public ResourceListQuery(Long revision, String id, Set resources, String serverId) { + super(revision, id); + this.serverId = serverId; + this.resources = resources; + } + + @Override + public String getResourceServerId() { + return serverId; + } + + public Set getResources() { + return resources; + } +} \ No newline at end of file diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ResourceServerListQuery.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ResourceServerListQuery.java new file mode 100755 index 0000000000..7cfc122864 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ResourceServerListQuery.java @@ -0,0 +1,29 @@ +package org.keycloak.models.cache.infinispan.authorization.entities; + +import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned; +import org.keycloak.models.cache.infinispan.entities.RealmQuery; + +import java.util.HashSet; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ResourceServerListQuery extends AbstractRevisioned { + private final Set servers; + + public ResourceServerListQuery(Long revision, String id, String serverId) { + super(revision, id); + servers = new HashSet<>(); + servers.add(serverId); + } + public ResourceServerListQuery(Long revision, String id, Set servers) { + super(revision, id); + this.servers = servers; + } + + public Set getResourceServers() { + return servers; + } +} \ No newline at end of file diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ScopeListQuery.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ScopeListQuery.java new file mode 100755 index 0000000000..2579e61b78 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/ScopeListQuery.java @@ -0,0 +1,36 @@ +package org.keycloak.models.cache.infinispan.authorization.entities; + +import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned; + +import java.util.HashSet; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ScopeListQuery extends AbstractRevisioned implements InResourceServer { + private final Set scopes; + private final String serverId; + + public ScopeListQuery(Long revision, String id, String scopeId, String serverId) { + super(revision, id); + this.serverId = serverId; + scopes = new HashSet<>(); + scopes.add(scopeId); + } + public ScopeListQuery(Long revision, String id, Set scopes, String serverId) { + super(revision, id); + this.serverId = serverId; + this.scopes = scopes; + } + + @Override + public String getResourceServerId() { + return serverId; + } + + public Set getScopes() { + return scopes; + } +} \ No newline at end of file diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/events/ResourceServerRemovedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/AuthorizationCacheInvalidationEvent.java similarity index 58% rename from model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/events/ResourceServerRemovedEvent.java rename to model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/AuthorizationCacheInvalidationEvent.java index 9fde6d9bc4..3f4add18f8 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/events/ResourceServerRemovedEvent.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/AuthorizationCacheInvalidationEvent.java @@ -14,23 +14,16 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.keycloak.models.authorization.infinispan.events; +package org.keycloak.models.cache.infinispan.authorization.events; -import java.util.Collections; +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; + +import java.util.Set; /** - * @author Pedro Igor + * @author Bill Burke + * @version $Revision: 1 $ */ -public class ResourceServerRemovedEvent extends AuthorizationInvalidationEvent { - - private final String clientId; - - public ResourceServerRemovedEvent(String id, String clientId) { - super(id, Collections.emptySet()); - this.clientId = clientId; - } - - public String getClientId() { - return clientId; - } +public interface AuthorizationCacheInvalidationEvent { + void addInvalidations(StoreFactoryCacheManager realmCache, Set invalidations); } diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/PolicyRemovedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/PolicyRemovedEvent.java new file mode 100644 index 0000000000..3a721baa89 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/PolicyRemovedEvent.java @@ -0,0 +1,56 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization.events; + +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class PolicyRemovedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent { + + private String id; + private String name; + private String serverId; + + public static PolicyRemovedEvent create(String id, String name, String serverId) { + PolicyRemovedEvent event = new PolicyRemovedEvent(); + event.id = id; + event.name = name; + event.serverId = serverId; + return event; + } + + @Override + public String getId() { + return id; + } + + @Override + public String toString() { + return String.format("PolicyRemovedEvent [ id=%s, name=%s]", id, name); + } + + @Override + public void addInvalidations(StoreFactoryCacheManager cache, Set invalidations) { + cache.policyRemoval(id, name, serverId, invalidations); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/PolicyUpdatedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/PolicyUpdatedEvent.java new file mode 100644 index 0000000000..1e1d9925bf --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/PolicyUpdatedEvent.java @@ -0,0 +1,56 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization.events; + +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class PolicyUpdatedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent { + + private String id; + private String name; + private String serverId; + + public static PolicyUpdatedEvent create(String id, String name, String serverId) { + PolicyUpdatedEvent event = new PolicyUpdatedEvent(); + event.id = id; + event.name = name; + event.serverId = serverId; + return event; + } + + @Override + public String getId() { + return id; + } + + @Override + public String toString() { + return String.format("PolicyUpdatedEvent [ id=%s, name=%s ]", id, name); + } + + @Override + public void addInvalidations(StoreFactoryCacheManager cache, Set invalidations) { + cache.policyUpdated(id, name, serverId, invalidations); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceRemovedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceRemovedEvent.java new file mode 100644 index 0000000000..4e1a31fbd0 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceRemovedEvent.java @@ -0,0 +1,56 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization.events; + +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class ResourceRemovedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent { + + private String id; + private String name; + private String serverId; + + public static ResourceRemovedEvent create(String id, String name, String serverId) { + ResourceRemovedEvent event = new ResourceRemovedEvent(); + event.id = id; + event.name = name; + event.serverId = serverId; + return event; + } + + @Override + public String getId() { + return id; + } + + @Override + public String toString() { + return String.format("ResourceRemovedEvent [ id=%s, name=%s ]", id, name); + } + + @Override + public void addInvalidations(StoreFactoryCacheManager cache, Set invalidations) { + cache.resourceRemoval(id, name, serverId, invalidations); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerRemovedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerRemovedEvent.java new file mode 100644 index 0000000000..fbe5a7aa48 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerRemovedEvent.java @@ -0,0 +1,54 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization.events; + +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class ResourceServerRemovedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent { + + private String id; + private String clientId; + + public static ResourceServerRemovedEvent create(String id, String clientId) { + ResourceServerRemovedEvent event = new ResourceServerRemovedEvent(); + event.id = id; + event.clientId = clientId; + return event; + } + + @Override + public String getId() { + return id; + } + + @Override + public String toString() { + return String.format("ResourceServerRemovedEvent [ id=%s, clientId=%s ]", id, clientId); + } + + @Override + public void addInvalidations(StoreFactoryCacheManager cache, Set invalidations) { + cache.resourceServerRemoval(id, clientId, invalidations); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerUpdatedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerUpdatedEvent.java new file mode 100644 index 0000000000..2034c9b4d6 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerUpdatedEvent.java @@ -0,0 +1,54 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization.events; + +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class ResourceServerUpdatedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent { + + private String id; + private String clientId; + + public static ResourceServerUpdatedEvent create(String id, String clientId) { + ResourceServerUpdatedEvent event = new ResourceServerUpdatedEvent(); + event.id = id; + event.clientId = clientId; + return event; + } + + @Override + public String getId() { + return id; + } + + @Override + public String toString() { + return String.format("ResourceServerRemovedEvent [ id=%s, clientId=%s ]", id, clientId); + } + + @Override + public void addInvalidations(StoreFactoryCacheManager cache, Set invalidations) { + cache.resourceServerUpdated(id, clientId, invalidations); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceUpdatedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceUpdatedEvent.java new file mode 100644 index 0000000000..113d5e0a53 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceUpdatedEvent.java @@ -0,0 +1,56 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization.events; + +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class ResourceUpdatedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent { + + private String id; + private String name; + private String serverId; + + public static ResourceUpdatedEvent create(String id, String name, String serverId) { + ResourceUpdatedEvent event = new ResourceUpdatedEvent(); + event.id = id; + event.name = name; + event.serverId = serverId; + return event; + } + + @Override + public String getId() { + return id; + } + + @Override + public String toString() { + return String.format("ResourceUpdatedEvent [ id=%s, name=%s ]", id, name); + } + + @Override + public void addInvalidations(StoreFactoryCacheManager cache, Set invalidations) { + cache.resourceUpdated(id, name, serverId, invalidations); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ScopeRemovedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ScopeRemovedEvent.java new file mode 100644 index 0000000000..eb2747c7a4 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ScopeRemovedEvent.java @@ -0,0 +1,56 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization.events; + +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class ScopeRemovedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent { + + private String id; + private String name; + private String serverId; + + public static ScopeRemovedEvent create(String id, String name, String serverId) { + ScopeRemovedEvent event = new ScopeRemovedEvent(); + event.id = id; + event.name = name; + event.serverId = serverId; + return event; + } + + @Override + public String getId() { + return id; + } + + @Override + public String toString() { + return String.format("ScopeRemovedEvent [ id=%s, name=%s]", id, name); + } + + @Override + public void addInvalidations(StoreFactoryCacheManager cache, Set invalidations) { + cache.scopeRemoval(id, name, serverId, invalidations); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ScopeUpdatedEvent.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ScopeUpdatedEvent.java new file mode 100644 index 0000000000..9fbbd443bb --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ScopeUpdatedEvent.java @@ -0,0 +1,56 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.models.cache.infinispan.authorization.events; + +import org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheManager; +import org.keycloak.models.cache.infinispan.events.InvalidationEvent; + +import java.util.Set; + +/** + * @author Marek Posolda + */ +public class ScopeUpdatedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent { + + private String id; + private String name; + private String serverId; + + public static ScopeUpdatedEvent create(String id, String name, String serverId) { + ScopeUpdatedEvent event = new ScopeUpdatedEvent(); + event.id = id; + event.name = name; + event.serverId = serverId; + return event; + } + + @Override + public String getId() { + return id; + } + + @Override + public String toString() { + return String.format("ScopeUpdatedEvent [ id=%s, name=%s ]", id, name); + } + + @Override + public void addInvalidations(StoreFactoryCacheManager cache, Set invalidations) { + cache.scopeUpdated(id, name, serverId, invalidations); + } +} diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/stream/InResourceServerPredicate.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/stream/InResourceServerPredicate.java new file mode 100755 index 0000000000..46782b85f6 --- /dev/null +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/stream/InResourceServerPredicate.java @@ -0,0 +1,35 @@ +package org.keycloak.models.cache.infinispan.authorization.stream; + +import org.keycloak.models.cache.infinispan.authorization.entities.InResourceServer; +import org.keycloak.models.cache.infinispan.entities.InRealm; +import org.keycloak.models.cache.infinispan.entities.Revisioned; + +import java.io.Serializable; +import java.util.Map; +import java.util.function.Predicate; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class InResourceServerPredicate implements Predicate>, Serializable { + private String serverId; + + public static InResourceServerPredicate create() { + return new InResourceServerPredicate(); + } + + public InResourceServerPredicate resourceServer(String id) { + serverId = id; + return this; + } + + @Override + public boolean test(Map.Entry entry) { + Object value = entry.getValue(); + if (value == null) return false; + if (!(value instanceof InResourceServer)) return false; + + return serverId.equals(((InResourceServer)value).getResourceServerId()); + } +} diff --git a/model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.cache.authorization.CachedStoreProviderFactory b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.cache.authorization.CachedStoreProviderFactory index 0a46bb3ad2..d9bed49c9b 100644 --- a/model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.cache.authorization.CachedStoreProviderFactory +++ b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.cache.authorization.CachedStoreProviderFactory @@ -16,4 +16,4 @@ # limitations under the License. # -org.keycloak.models.authorization.infinispan.InfinispanStoreProviderFactory \ No newline at end of file +org.keycloak.models.cache.infinispan.authorization.InfinispanCacheStoreFactoryProviderFactory \ No newline at end of file diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/PolicyEntity.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/PolicyEntity.java index 0305ae50d1..dc11724e6c 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/PolicyEntity.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/PolicyEntity.java @@ -35,6 +35,8 @@ import javax.persistence.JoinColumn; import javax.persistence.JoinTable; import javax.persistence.ManyToOne; import javax.persistence.MapKeyColumn; +import javax.persistence.NamedQueries; +import javax.persistence.NamedQuery; import javax.persistence.OneToMany; import javax.persistence.Table; import javax.persistence.UniqueConstraint; @@ -52,11 +54,25 @@ import org.keycloak.representations.idm.authorization.Logic; @Table(name = "RESOURCE_SERVER_POLICY", uniqueConstraints = { @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID"}) }) -public class PolicyEntity implements Policy { +@NamedQueries( + { + @NamedQuery(name="findPolicyIdByServerId", query="select p.id from PolicyEntity p where p.resourceServer.id = :serverId "), + @NamedQuery(name="findPolicyIdByName", query="select p.id from PolicyEntity p where p.resourceServer.id = :serverId and p.name = :name"), + @NamedQuery(name="findPolicyIdByResource", query="select p.id from PolicyEntity p inner join p.resources r where p.resourceServer.id = :serverId and (r.resourceServer.id = :serverId and r.id = :resourceId)"), + @NamedQuery(name="findPolicyIdByScope", query="select pe.id from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds)))"), + @NamedQuery(name="findPolicyIdByType", query="select p.id from PolicyEntity p where p.resourceServer.id = :serverId and p.type = :type"), + @NamedQuery(name="findPolicyIdByResourceType", query="select p.id from PolicyEntity p inner join p.config c where p.resourceServer.id = :serverId and KEY(c) = 'defaultResourceType' and c like :type"), + @NamedQuery(name="findPolicyIdByDependentPolices", query="select p.id from PolicyEntity p inner join p.associatedPolicies ap where p.resourceServer.id = :serverId and (ap.resourceServer.id = :serverId and ap.id = :policyId)"), + @NamedQuery(name="deletePolicyByResourceServer", query="delete from PolicyEntity p where p.resourceServer.id = :serverId") + } +) + +public class PolicyEntity { @Id - @Column(name="ID", length = 36) - @Access(AccessType.PROPERTY) // we do this because relationships often fetch id, but not entity. This avoids an extra SQL + @Column(name = "ID", length = 36) + @Access(AccessType.PROPERTY) + // we do this because relationships often fetch id, but not entity. This avoids an extra SQL private String id; @Column(name = "NAME") @@ -75,9 +91,9 @@ public class PolicyEntity implements Policy { private Logic logic = Logic.POSITIVE; @ElementCollection(fetch = FetchType.LAZY) - @MapKeyColumn(name="NAME") - @Column(name="VALUE", columnDefinition = "TEXT") - @CollectionTable(name="POLICY_CONFIG", joinColumns={ @JoinColumn(name="POLICY_ID") }) + @MapKeyColumn(name = "NAME") + @Column(name = "VALUE", columnDefinition = "TEXT") + @CollectionTable(name = "POLICY_CONFIG", joinColumns = {@JoinColumn(name = "POLICY_ID")}) private Map config = new HashMap(); @ManyToOne(optional = false, fetch = FetchType.LAZY) @@ -96,7 +112,6 @@ public class PolicyEntity implements Policy { @JoinTable(name = "SCOPE_POLICY", joinColumns = @JoinColumn(name = "POLICY_ID"), inverseJoinColumns = @JoinColumn(name = "SCOPE_ID")) private Set scopes = new HashSet<>(); - @Override public String getId() { return this.id; } @@ -105,7 +120,6 @@ public class PolicyEntity implements Policy { this.id = id; } - @Override public String getType() { return this.type; } @@ -114,57 +128,46 @@ public class PolicyEntity implements Policy { this.type = type; } - @Override public DecisionStrategy getDecisionStrategy() { return this.decisionStrategy; } - @Override public void setDecisionStrategy(DecisionStrategy decisionStrategy) { this.decisionStrategy = decisionStrategy; } - @Override public Logic getLogic() { return this.logic; } - @Override public void setLogic(Logic logic) { this.logic = logic; } - @Override public Map getConfig() { return this.config; } - @Override public void setConfig(Map config) { this.config = config; } - @Override public String getName() { return this.name; } - @Override public void setName(String name) { this.name = name; } - @Override public String getDescription() { return this.description; } - @Override public void setDescription(String description) { this.description = description; } - @Override public ResourceServerEntity getResourceServer() { return this.resourceServer; } @@ -173,16 +176,6 @@ public class PolicyEntity implements Policy { this.resourceServer = resourceServer; } - @Override - public

    Set

    getAssociatedPolicies() { - return (Set

    ) this.associatedPolicies; - } - - public void setAssociatedPolicies(Set associatedPolicies) { - this.associatedPolicies = associatedPolicies; - } - - @Override public Set getResources() { return this.resources; } @@ -191,7 +184,6 @@ public class PolicyEntity implements Policy { this.resources = resources; } - @Override public Set getScopes() { return this.scopes; } @@ -200,54 +192,26 @@ public class PolicyEntity implements Policy { this.scopes = scopes; } - @Override - public void addScope(Scope scope) { - getScopes().add((ScopeEntity) scope); + public Set getAssociatedPolicies() { + return associatedPolicies; } - @Override - public void removeScope(Scope scope) { - getScopes().remove(scope); - } - - @Override - public void addAssociatedPolicy(Policy associatedPolicy) { - getAssociatedPolicies().add(associatedPolicy); - } - - @Override - public void removeAssociatedPolicy(Policy associatedPolicy) { - getAssociatedPolicies().remove(associatedPolicy); - } - - @Override - public void addResource(Resource resource) { - getResources().add((ResourceEntity) resource); - } - - @Override - public void removeResource(Resource resource) { - getResources().remove(resource); + public void setAssociatedPolicies(Set associatedPolicies) { + this.associatedPolicies = associatedPolicies; } @Override public boolean equals(Object o) { - if (o == this) return true; + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; - if (this.id == null) return false; - - if (!Policy.class.isInstance(o)) return false; - - Policy that = (Policy) o; - - if (!getId().equals(that.getId())) return false; - - return true; + PolicyEntity that = (PolicyEntity) o; + return getId().equals(that.getId()); } @Override public int hashCode() { - return id!=null ? id.hashCode() : super.hashCode(); + return getId().hashCode(); } } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceEntity.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceEntity.java index 29b5740d0c..a71745725f 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceEntity.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceEntity.java @@ -31,10 +31,13 @@ import javax.persistence.JoinColumn; import javax.persistence.JoinTable; import javax.persistence.ManyToMany; import javax.persistence.ManyToOne; +import javax.persistence.NamedQueries; +import javax.persistence.NamedQuery; import javax.persistence.Table; import javax.persistence.UniqueConstraint; import java.util.ArrayList; import java.util.HashSet; +import java.util.LinkedList; import java.util.List; import java.util.Set; @@ -45,7 +48,18 @@ import java.util.Set; @Table(name = "RESOURCE_SERVER_RESOURCE", uniqueConstraints = { @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID", "OWNER"}) }) -public class ResourceEntity implements Resource { +@NamedQueries( + { + @NamedQuery(name="findResourceIdByOwner", query="select r.id from ResourceEntity r where r.resourceServer.id = :serverId and r.owner = :owner"), + @NamedQuery(name="findResourceIdByUri", query="select r.id from ResourceEntity r where r.resourceServer.id = :serverId and r.uri = :uri"), + @NamedQuery(name="findResourceIdByName", query="select r.id from ResourceEntity r where r.resourceServer.id = :serverId and r.name = :name"), + @NamedQuery(name="findResourceIdByType", query="select r.id from ResourceEntity r where r.resourceServer.id = :serverId and r.type = :type"), + @NamedQuery(name="findResourceIdByServerId", query="select r.id from ResourceEntity r where r.resourceServer.id = :serverId "), + @NamedQuery(name="findResourceIdByScope", query="select r.id from ResourceEntity r inner join r.scopes s where r.resourceServer.id = :serverId and (s.resourceServer.id = :serverId and s.id in (:scopeIds))"), + @NamedQuery(name="deleteResourceByResourceServer", query="delete from ResourceEntity r where r.resourceServer.id = :serverId") + } +) +public class ResourceEntity { @Id @Column(name="ID", length = 36) @@ -73,13 +87,12 @@ public class ResourceEntity implements Resource { @ManyToMany(fetch = FetchType.LAZY, cascade = {}) @JoinTable(name = "RESOURCE_SCOPE", joinColumns = @JoinColumn(name = "RESOURCE_ID"), inverseJoinColumns = @JoinColumn(name = "SCOPE_ID")) - private List scopes = new ArrayList<>(); + private List scopes = new LinkedList<>(); @ManyToMany(fetch = FetchType.LAZY, cascade = {}) @JoinTable(name = "RESOURCE_POLICY", joinColumns = @JoinColumn(name = "RESOURCE_ID"), inverseJoinColumns = @JoinColumn(name = "POLICY_ID")) - private List policies = new ArrayList<>(); + private List policies = new LinkedList<>(); - @Override public String getId() { return id; } @@ -88,52 +101,42 @@ public class ResourceEntity implements Resource { this.id = id; } - @Override public String getName() { return name; } - @Override public void setName(String name) { this.name = name; } - @Override public String getUri() { return uri; } - @Override public void setUri(String uri) { this.uri = uri; } - @Override public String getType() { return type; } - @Override public void setType(String type) { this.type = type; } - @Override public List getScopes() { return this.scopes; } - @Override public String getIconUri() { return iconUri; } - @Override public void setIconUri(String iconUri) { this.iconUri = iconUri; } - @Override public ResourceServerEntity getResourceServer() { return resourceServer; } @@ -154,37 +157,23 @@ public class ResourceEntity implements Resource { return this.policies; } - public void updateScopes(Set toUpdate) { - for (Scope scope : toUpdate) { - boolean hasScope = false; - - for (Scope existingScope : this.scopes) { - if (existingScope.equals(scope)) { - hasScope = true; - } - } - - if (!hasScope) { - this.scopes.add((ScopeEntity) scope); - } - } - - for (Scope scopeModel : new HashSet(this.scopes)) { - boolean hasScope = false; - - for (Scope scope : toUpdate) { - if (scopeModel.equals(scope)) { - hasScope = true; - } - } - - if (!hasScope) { - this.scopes.remove(scopeModel); - } - } - } public void setPolicies(List policies) { this.policies = policies; } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + + ResourceEntity that = (ResourceEntity) o; + + return getId().equals(that.getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceServerEntity.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceServerEntity.java index a0be18ae02..9ee63b679d 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceServerEntity.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceServerEntity.java @@ -26,6 +26,8 @@ import javax.persistence.AccessType; import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.Id; +import javax.persistence.NamedQueries; +import javax.persistence.NamedQuery; import javax.persistence.OneToMany; import javax.persistence.Table; import javax.persistence.UniqueConstraint; @@ -36,7 +38,12 @@ import java.util.List; */ @Entity @Table(name = "RESOURCE_SERVER", uniqueConstraints = {@UniqueConstraint(columnNames = "CLIENT_ID")}) -public class ResourceServerEntity implements ResourceServer { +@NamedQueries( + { + @NamedQuery(name="findResourceServerIdByClient", query="select r.id from ResourceServerEntity r where r.clientId = :clientId"), + } +) +public class ResourceServerEntity { @Id @Column(name="ID", length = 36) @@ -58,7 +65,6 @@ public class ResourceServerEntity implements ResourceServer { @OneToMany (mappedBy = "resourceServer") private List scopes; - @Override public String getId() { return this.id; } @@ -67,7 +73,6 @@ public class ResourceServerEntity implements ResourceServer { this.id = id; } - @Override public String getClientId() { return this.clientId; } @@ -76,22 +81,18 @@ public class ResourceServerEntity implements ResourceServer { this.clientId = clientId; } - @Override public boolean isAllowRemoteResourceManagement() { return this.allowRemoteResourceManagement; } - @Override public void setAllowRemoteResourceManagement(boolean allowRemoteResourceManagement) { this.allowRemoteResourceManagement = allowRemoteResourceManagement; } - @Override public PolicyEnforcementMode getPolicyEnforcementMode() { return this.policyEnforcementMode; } - @Override public void setPolicyEnforcementMode(PolicyEnforcementMode policyEnforcementMode) { this.policyEnforcementMode = policyEnforcementMode; } @@ -111,4 +112,19 @@ public class ResourceServerEntity implements ResourceServer { public void setScopes(final List scopes) { this.scopes = scopes; } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + + ResourceServerEntity that = (ResourceServerEntity) o; + + return getId().equals(that.getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ScopeEntity.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ScopeEntity.java index 523f38a95c..c1619f9d8b 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ScopeEntity.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ScopeEntity.java @@ -31,6 +31,8 @@ import javax.persistence.JoinColumn; import javax.persistence.JoinTable; import javax.persistence.ManyToMany; import javax.persistence.ManyToOne; +import javax.persistence.NamedQueries; +import javax.persistence.NamedQuery; import javax.persistence.Table; import javax.persistence.UniqueConstraint; import java.util.ArrayList; @@ -44,7 +46,14 @@ import java.util.Objects; @Table(name = "RESOURCE_SERVER_SCOPE", uniqueConstraints = { @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID"}) }) -public class ScopeEntity implements Scope { +@NamedQueries( + { + @NamedQuery(name="findScopeIdByName", query="select s.id from ScopeEntity s where s.resourceServer.id = :serverId and s.name = :name"), + @NamedQuery(name="findScopeIdByResourceServer", query="select s.id from ScopeEntity s where s.resourceServer.id = :serverId"), + @NamedQuery(name="deleteScopeByResourceServer", query="delete from ScopeEntity s where s.resourceServer.id = :serverId") + } +) +public class ScopeEntity { @Id @Column(name="ID", length = 36) @@ -65,7 +74,6 @@ public class ScopeEntity implements Scope { @JoinTable(name = "SCOPE_POLICY", joinColumns = @JoinColumn(name = "SCOPE_ID"), inverseJoinColumns = @JoinColumn(name = "POLICY_ID")) private List policies = new ArrayList<>(); - @Override public String getId() { return id; } @@ -74,33 +82,28 @@ public class ScopeEntity implements Scope { this.id = id; } - @Override public String getName() { return name; } - @Override public void setName(String name) { this.name = name; } - @Override public String getIconUri() { return iconUri; } - @Override public void setIconUri(String iconUri) { this.iconUri = iconUri; } - @Override public ResourceServerEntity getResourceServer() { return resourceServer; } - public List getPolicies() { - return this.policies; + public List getPolicies() { + return policies; } public void setPolicies(List policies) { @@ -114,13 +117,15 @@ public class ScopeEntity implements Scope { @Override public boolean equals(Object o) { if (this == o) return true; - if (o == null || !Scope.class.isInstance(o)) return false; - Scope that = (Scope) o; - return Objects.equals(id, that.getId()); + if (o == null || getClass() != o.getClass()) return false; + + ScopeEntity that = (ScopeEntity) o; + + return getId().equals(that.getId()); } @Override public int hashCode() { - return Objects.hash(id); + return getId().hashCode(); } } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java index 87508071cc..9f17606a71 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java @@ -32,8 +32,9 @@ import org.keycloak.models.KeycloakSession; */ public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory { @Override - public StoreFactory create(KeycloakSession session) { - return new JPAStoreFactory(getEntityManager(session)); + public StoreFactory create(KeycloakSession session) { + AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class); + return new JPAStoreFactory(getEntityManager(session), provider); } @Override diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java index c6671de0e5..eb350be7ae 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java @@ -19,23 +19,29 @@ package org.keycloak.authorization.jpa.store; import java.util.ArrayList; import java.util.Collections; +import java.util.LinkedList; import java.util.List; import java.util.Map; import javax.persistence.EntityManager; import javax.persistence.NoResultException; import javax.persistence.Query; +import javax.persistence.TypedQuery; import javax.persistence.criteria.CriteriaBuilder; import javax.persistence.criteria.CriteriaQuery; import javax.persistence.criteria.Predicate; import javax.persistence.criteria.Root; +import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.jpa.entities.PolicyEntity; import org.keycloak.authorization.jpa.entities.ResourceServerEntity; import org.keycloak.authorization.model.Policy; +import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.store.PolicyStore; +import org.keycloak.authorization.store.StoreFactory; import org.keycloak.models.utils.KeycloakModelUtils; +import org.keycloak.models.utils.RepresentationToModel; import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation; /** @@ -44,9 +50,10 @@ import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentati public class JPAPolicyStore implements PolicyStore { private final EntityManager entityManager; - - public JPAPolicyStore(EntityManager entityManager) { + private final AuthorizationProvider provider; + public JPAPolicyStore(EntityManager entityManager, AuthorizationProvider provider) { this.entityManager = entityManager; + this.provider = provider; } @Override @@ -56,17 +63,17 @@ public class JPAPolicyStore implements PolicyStore { entity.setId(KeycloakModelUtils.generateId()); entity.setType(representation.getType()); entity.setName(representation.getName()); - entity.setResourceServer((ResourceServerEntity) resourceServer); + entity.setResourceServer(ResourceServerAdapter.toEntity(entityManager, resourceServer)); this.entityManager.persist(entity); this.entityManager.flush(); - return entity; + Policy model = new PolicyAdapter(entity, entityManager, provider.getStoreFactory()); + return model; } @Override public void delete(String id) { - Policy policy = entityManager.find(PolicyEntity.class, id); - + PolicyEntity policy = entityManager.find(PolicyEntity.class, id); if (policy != null) { this.entityManager.remove(policy); } @@ -79,39 +86,38 @@ public class JPAPolicyStore implements PolicyStore { return null; } - if (resourceServerId == null) { - return entityManager.find(PolicyEntity.class, id); - } + PolicyEntity entity = entityManager.find(PolicyEntity.class, id); + if (entity == null) return null; - Query query = entityManager.createQuery("from PolicyEntity where resourceServer.id = :serverId and id = :id"); - - query.setParameter("serverId", resourceServerId); - query.setParameter("id", id); - - return entityManager.find(PolicyEntity.class, id); + return new PolicyAdapter(entity, entityManager, provider.getStoreFactory()); } @Override public Policy findByName(String name, String resourceServerId) { + TypedQuery query = entityManager.createNamedQuery("findPolicyIdByName", String.class); + + query.setParameter("serverId", resourceServerId); + query.setParameter("name", name); try { - Query query = entityManager.createQuery("from PolicyEntity where name = :name and resourceServer.id = :serverId"); - - query.setParameter("name", name); - query.setParameter("serverId", resourceServerId); - - return (Policy) query.getSingleResult(); - } catch (NoResultException nre) { + String id = query.getSingleResult(); + return provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId); + } catch (NoResultException ex) { return null; } } @Override public List findByResourceServer(final String resourceServerId) { - Query query = entityManager.createQuery("from PolicyEntity where resourceServer.id = :serverId"); + TypedQuery query = entityManager.createNamedQuery("findPolicyIdByServerId", String.class); query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); + } + return list; } @Override @@ -120,6 +126,7 @@ public class JPAPolicyStore implements PolicyStore { CriteriaQuery querybuilder = builder.createQuery(PolicyEntity.class); Root root = querybuilder.from(PolicyEntity.class); List predicates = new ArrayList(); + querybuilder.select(root.get("id")); predicates.add(builder.equal(root.get("resourceServer").get("id"), resourceServerId)); @@ -148,27 +155,42 @@ public class JPAPolicyStore implements PolicyStore { query.setMaxResults(maxResult); } - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); + } + return list; } @Override public List findByResource(final String resourceId, String resourceServerId) { - Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.resources r where p.resourceServer.id = :serverId and (r.resourceServer.id = :serverId and r.id = :resourceId)"); + TypedQuery query = entityManager.createNamedQuery("findPolicyIdByResource", String.class); query.setParameter("resourceId", resourceId); query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); + } + return list; } @Override public List findByResourceType(final String resourceType, String resourceServerId) { - Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.config c where p.resourceServer.id = :serverId and KEY(c) = 'defaultResourceType' and c like :type"); + TypedQuery query = entityManager.createNamedQuery("findPolicyIdByResourceType", String.class); - query.setParameter("serverId", resourceServerId); query.setParameter("type", resourceType); + query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); + } + return list; } @Override @@ -178,31 +200,47 @@ public class JPAPolicyStore implements PolicyStore { } // Use separate subquery to handle DB2 and MSSSQL - Query query = entityManager.createQuery("select pe from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds)))"); + TypedQuery query = entityManager.createNamedQuery("findPolicyIdByScope", String.class); - query.setParameter("serverId", resourceServerId); query.setParameter("scopeIds", scopeIds); + query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); + } + return list; } @Override public List findByType(String type, String resourceServerId) { - Query query = entityManager.createQuery("select p from PolicyEntity p where p.resourceServer.id = :serverId and p.type = :type"); + TypedQuery query = entityManager.createNamedQuery("findPolicyIdByType", String.class); query.setParameter("serverId", resourceServerId); query.setParameter("type", type); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); + } + return list; } @Override public List findDependentPolicies(String policyId, String resourceServerId) { - Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.associatedPolicies ap where p.resourceServer.id = :serverId and (ap.resourceServer.id = :serverId and ap.id = :policyId)"); + + TypedQuery query = entityManager.createNamedQuery("findPolicyIdByDependentPolices", String.class); query.setParameter("serverId", resourceServerId); query.setParameter("policyId", policyId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); + } + return list; } } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceServerStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceServerStore.java index 51d0369245..20404e5a5a 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceServerStore.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceServerStore.java @@ -17,13 +17,19 @@ */ package org.keycloak.authorization.jpa.store; +import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.authorization.jpa.entities.PolicyEntity; import org.keycloak.authorization.jpa.entities.ResourceServerEntity; +import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.store.ResourceServerStore; import org.keycloak.models.utils.KeycloakModelUtils; import javax.persistence.EntityManager; +import javax.persistence.NoResultException; import javax.persistence.Query; +import javax.persistence.TypedQuery; +import java.util.LinkedList; import java.util.List; /** @@ -32,9 +38,11 @@ import java.util.List; public class JPAResourceServerStore implements ResourceServerStore { private final EntityManager entityManager; + private final AuthorizationProvider provider; - public JPAResourceServerStore(EntityManager entityManager) { + public JPAResourceServerStore(EntityManager entityManager, AuthorizationProvider provider) { this.entityManager = entityManager; + this.provider = provider; } @Override @@ -46,30 +54,54 @@ public class JPAResourceServerStore implements ResourceServerStore { this.entityManager.persist(entity); - return entity; + return new ResourceServerAdapter(entity, entityManager, provider.getStoreFactory()); } @Override public void delete(String id) { - this.entityManager.remove(findById(id)); + ResourceServerEntity entity = entityManager.find(ResourceServerEntity.class, id); + if (entity == null) return; + //This didn't work, had to loop through and remove each policy individually + //entityManager.createNamedQuery("deletePolicyByResourceServer") + // .setParameter("serverId", id).executeUpdate(); + + TypedQuery query = entityManager.createNamedQuery("findPolicyIdByServerId", String.class); + query.setParameter("serverId", id); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String policyId : result) { + entityManager.remove(entityManager.getReference(PolicyEntity.class, policyId)); + } + + entityManager.flush(); + entityManager.createNamedQuery("deleteResourceByResourceServer") + .setParameter("serverId", id).executeUpdate(); + entityManager.flush(); + entityManager.createNamedQuery("deleteScopeByResourceServer") + .setParameter("serverId", id).executeUpdate(); + entityManager.flush(); + + this.entityManager.remove(entity); + entityManager.flush(); } @Override public ResourceServer findById(String id) { - return entityManager.find(ResourceServerEntity.class, id); + ResourceServerEntity entity = entityManager.find(ResourceServerEntity.class, id); + if (entity == null) return null; + return new ResourceServerAdapter(entity, entityManager, provider.getStoreFactory()); } @Override public ResourceServer findByClient(final String clientId) { - Query query = entityManager.createQuery("from ResourceServerEntity where clientId = :clientId"); + TypedQuery query = entityManager.createNamedQuery("findResourceServerIdByClient", String.class); query.setParameter("clientId", clientId); - List result = query.getResultList(); - - if (result.isEmpty()) { + try { + String id = query.getSingleResult(); + return provider.getStoreFactory().getResourceServerStore().findById(id); + } catch (NoResultException ex) { return null; } - - return (ResourceServer) result.get(0); } } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java index 0b04388e55..8a647d8a85 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java @@ -17,6 +17,7 @@ */ package org.keycloak.authorization.jpa.store; +import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.jpa.entities.ResourceEntity; import org.keycloak.authorization.jpa.entities.ResourceServerEntity; import org.keycloak.authorization.model.Resource; @@ -25,13 +26,16 @@ import org.keycloak.authorization.store.ResourceStore; import org.keycloak.models.utils.KeycloakModelUtils; import javax.persistence.EntityManager; +import javax.persistence.NoResultException; import javax.persistence.Query; +import javax.persistence.TypedQuery; import javax.persistence.criteria.CriteriaBuilder; import javax.persistence.criteria.CriteriaQuery; import javax.persistence.criteria.Predicate; import javax.persistence.criteria.Root; import java.util.ArrayList; import java.util.Arrays; +import java.util.LinkedList; import java.util.List; import java.util.Map; @@ -41,38 +45,34 @@ import java.util.Map; public class JPAResourceStore implements ResourceStore { private final EntityManager entityManager; + private final AuthorizationProvider provider; - public JPAResourceStore(EntityManager entityManager) { + public JPAResourceStore(EntityManager entityManager, AuthorizationProvider provider) { this.entityManager = entityManager; + this.provider = provider; } @Override public Resource create(String name, ResourceServer resourceServer, String owner) { - if (!(resourceServer instanceof ResourceServerEntity)) { - throw new RuntimeException("Unexpected type [" + resourceServer.getClass() + "]."); - } - ResourceEntity entity = new ResourceEntity(); entity.setId(KeycloakModelUtils.generateId()); entity.setName(name); - entity.setResourceServer((ResourceServerEntity) resourceServer); + entity.setResourceServer(ResourceServerAdapter.toEntity(entityManager, resourceServer)); entity.setOwner(owner); this.entityManager.persist(entity); - return entity; + return new ResourceAdapter(entity, entityManager, provider.getStoreFactory()); } @Override public void delete(String id) { - Resource resource = entityManager.find(ResourceEntity.class, id); + ResourceEntity resource = entityManager.find(ResourceEntity.class, id); + if (resource == null) return; resource.getScopes().clear(); - - if (resource != null) { - this.entityManager.remove(resource); - } + this.entityManager.remove(resource); } @Override @@ -81,52 +81,61 @@ public class JPAResourceStore implements ResourceStore { return null; } - if (resourceServerId == null) { - return entityManager.find(ResourceEntity.class, id); - } - - Query query = entityManager.createQuery("from ResourceEntity where resourceServer.id = :serverId and id = :id"); - - query.setParameter("serverId", resourceServerId); - query.setParameter("id", id); - - return entityManager.find(ResourceEntity.class, id); + ResourceEntity entity = entityManager.find(ResourceEntity.class, id); + if (entity == null) return null; + return new ResourceAdapter(entity, entityManager, provider.getStoreFactory()); } @Override public List findByOwner(String ownerId, String resourceServerId) { - Query query = entityManager.createQuery("from ResourceEntity where resourceServer.id = :serverId and owner = :ownerId"); + TypedQuery query = entityManager.createNamedQuery("findResourceIdByOwner", String.class); - query.setParameter("ownerId", ownerId); + query.setParameter("owner", ownerId); query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getResourceStore().findById(id, resourceServerId)); + } + return list; } @Override public List findByUri(String uri, String resourceServerId) { - Query query = entityManager.createQuery("from ResourceEntity where resourceServer.id = :serverId and uri = :uri"); + TypedQuery query = entityManager.createNamedQuery("findResourceIdByUri", String.class); query.setParameter("uri", uri); query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getResourceStore().findById(id, resourceServerId)); + } + return list; } @Override - public List findByResourceServer(String resourceServerId) { - Query query = entityManager.createQuery("from ResourceEntity where resourceServer.id = :serverId"); + public List findByResourceServer(String resourceServerId) { + TypedQuery query = entityManager.createNamedQuery("findResourceIdByServerId", String.class); query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getResourceStore().findById(id, resourceServerId)); + } + return list; } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { + public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { CriteriaBuilder builder = entityManager.getCriteriaBuilder(); CriteriaQuery querybuilder = builder.createQuery(ResourceEntity.class); Root root = querybuilder.from(ResourceEntity.class); + querybuilder.select(root.get("id")); List predicates = new ArrayList(); predicates.add(builder.equal(root.get("resourceServer").get("id"), resourceServerId)); @@ -152,42 +161,55 @@ public class JPAResourceStore implements ResourceStore { query.setMaxResults(maxResult); } - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getResourceStore().findById(id, resourceServerId)); + } + return list; } @Override - public List findByScope(List id, String resourceServerId) { - Query query = entityManager.createQuery("select r from ResourceEntity r inner join r.scopes s where r.resourceServer.id = :serverId and (s.resourceServer.id = :serverId and s.id in (:scopeIds))"); + public List findByScope(List scopes, String resourceServerId) { + TypedQuery query = entityManager.createNamedQuery("findResourceIdByScope", String.class); - query.setParameter("scopeIds", id); + query.setParameter("scopeIds", scopes); query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getResourceStore().findById(id, resourceServerId)); + } + return list; } @Override public Resource findByName(String name, String resourceServerId) { - Query query = entityManager.createQuery("from ResourceEntity where resourceServer.id = :serverId and name = :name"); + TypedQuery query = entityManager.createNamedQuery("findResourceIdByName", String.class); query.setParameter("serverId", resourceServerId); query.setParameter("name", name); - - List result = query.getResultList(); - - if (!result.isEmpty()) { - return result.get(0); + try { + String id = query.getSingleResult(); + return provider.getStoreFactory().getResourceStore().findById(id, resourceServerId); + } catch (NoResultException ex) { + return null; } - - return null; } @Override public List findByType(String type, String resourceServerId) { - Query query = entityManager.createQuery("from ResourceEntity r where r.resourceServer.id = :serverId and type = :type"); + TypedQuery query = entityManager.createNamedQuery("findResourceIdByType", String.class); query.setParameter("type", type); query.setParameter("serverId", resourceServerId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getResourceStore().findById(id, resourceServerId)); + } + return list; } } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java index 031eb4a087..f8a9350442 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java @@ -18,17 +18,20 @@ package org.keycloak.authorization.jpa.store; import java.util.ArrayList; +import java.util.LinkedList; import java.util.List; import java.util.Map; import javax.persistence.EntityManager; import javax.persistence.NoResultException; import javax.persistence.Query; +import javax.persistence.TypedQuery; import javax.persistence.criteria.CriteriaBuilder; import javax.persistence.criteria.CriteriaQuery; import javax.persistence.criteria.Predicate; import javax.persistence.criteria.Root; +import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.jpa.entities.ResourceServerEntity; import org.keycloak.authorization.jpa.entities.ScopeEntity; import org.keycloak.authorization.model.ResourceServer; @@ -42,9 +45,11 @@ import org.keycloak.models.utils.KeycloakModelUtils; public class JPAScopeStore implements ScopeStore { private final EntityManager entityManager; + private final AuthorizationProvider provider; - public JPAScopeStore(EntityManager entityManager) { + public JPAScopeStore(EntityManager entityManager, AuthorizationProvider provider) { this.entityManager = entityManager; + this.provider = provider; } @Override @@ -53,16 +58,16 @@ public class JPAScopeStore implements ScopeStore { entity.setId(KeycloakModelUtils.generateId()); entity.setName(name); - entity.setResourceServer((ResourceServerEntity) resourceServer); + entity.setResourceServer(ResourceServerAdapter.toEntity(entityManager, resourceServer)); this.entityManager.persist(entity); - return entity; + return new ScopeAdapter(entity, entityManager, provider.getStoreFactory()); } @Override public void delete(String id) { - Scope scope = entityManager.find(ScopeEntity.class, id); + ScopeEntity scope = entityManager.find(ScopeEntity.class, id); if (scope != null) { this.entityManager.remove(scope); @@ -75,28 +80,21 @@ public class JPAScopeStore implements ScopeStore { return null; } - if (resourceServerId == null) { - return entityManager.find(ScopeEntity.class, id); - } - - Query query = entityManager.createQuery("from ScopeEntity where resourceServer.id = :serverId and id = :id"); - - query.setParameter("serverId", resourceServerId); - query.setParameter("id", id); - - return entityManager.find(ScopeEntity.class, id); + ScopeEntity entity = entityManager.find(ScopeEntity.class, id); + if (entity == null) return null; + return new ScopeAdapter(entity, entityManager, provider.getStoreFactory()); } @Override public Scope findByName(String name, String resourceServerId) { try { - Query query = entityManager.createQuery("select s from ScopeEntity s inner join s.resourceServer rs where rs.id = :resourceServerId and name = :name"); + TypedQuery query = entityManager.createNamedQuery("findScopeIdByName", String.class); - query.setParameter("resourceServerId", resourceServerId); + query.setParameter("serverId", resourceServerId); query.setParameter("name", name); - - return (Scope) query.getSingleResult(); + String id = query.getSingleResult(); + return provider.getStoreFactory().getScopeStore().findById(id, resourceServerId); } catch (NoResultException nre) { return null; } @@ -104,11 +102,16 @@ public class JPAScopeStore implements ScopeStore { @Override public List findByResourceServer(final String serverId) { - Query query = entityManager.createQuery("from ScopeEntity where resourceServer.id = :serverId"); + TypedQuery query = entityManager.createNamedQuery("findScopeIdByResourceServer", String.class); query.setParameter("serverId", serverId); - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (String id : result) { + list.add(provider.getStoreFactory().getScopeStore().findById(id, serverId)); + } + return list; } @Override @@ -116,6 +119,7 @@ public class JPAScopeStore implements ScopeStore { CriteriaBuilder builder = entityManager.getCriteriaBuilder(); CriteriaQuery querybuilder = builder.createQuery(ScopeEntity.class); Root root = querybuilder.from(ScopeEntity.class); + querybuilder.select(root.get("id")); List predicates = new ArrayList(); predicates.add(builder.equal(root.get("resourceServer").get("id"), resourceServerId)); @@ -139,6 +143,12 @@ public class JPAScopeStore implements ScopeStore { query.setMaxResults(maxResult); } - return query.getResultList(); + List result = query.getResultList(); + List list = new LinkedList<>(); + for (Object id : result) { + list.add(provider.getStoreFactory().getScopeStore().findById((String)id, resourceServerId)); + } + return list; + } } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java index e45d343af2..855f66a53a 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java @@ -20,6 +20,7 @@ package org.keycloak.authorization.jpa.store; import javax.persistence.EntityManager; +import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.store.PolicyStore; import org.keycloak.authorization.store.ResourceServerStore; import org.keycloak.authorization.store.ResourceStore; @@ -36,11 +37,11 @@ public class JPAStoreFactory implements StoreFactory { private final ResourceStore resourceStore; private final ScopeStore scopeStore; - public JPAStoreFactory(EntityManager entityManager) { - policyStore = new JPAPolicyStore(entityManager); - resourceServerStore = new JPAResourceServerStore(entityManager); - resourceStore = new JPAResourceStore(entityManager); - scopeStore = new JPAScopeStore(entityManager); + public JPAStoreFactory(EntityManager entityManager, AuthorizationProvider provider) { + policyStore = new JPAPolicyStore(entityManager, provider); + resourceServerStore = new JPAResourceServerStore(entityManager, provider); + resourceStore = new JPAResourceStore(entityManager, provider); + scopeStore = new JPAScopeStore(entityManager, provider); } @Override diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PolicyAdapter.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PolicyAdapter.java new file mode 100644 index 0000000000..6fc2d1e85e --- /dev/null +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PolicyAdapter.java @@ -0,0 +1,235 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authorization.jpa.store; + +import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.authorization.jpa.entities.PolicyEntity; +import org.keycloak.authorization.jpa.entities.ResourceEntity; +import org.keycloak.authorization.jpa.entities.ScopeEntity; +import org.keycloak.authorization.model.Policy; +import org.keycloak.authorization.model.Resource; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; +import org.keycloak.authorization.store.StoreFactory; +import org.keycloak.models.jpa.JpaModel; +import org.keycloak.representations.idm.authorization.DecisionStrategy; +import org.keycloak.representations.idm.authorization.Logic; + +import javax.persistence.EntityManager; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class PolicyAdapter implements Policy, JpaModel { + private PolicyEntity entity; + private EntityManager em; + private StoreFactory storeFactory; + + public PolicyAdapter(PolicyEntity entity, EntityManager em, StoreFactory storeFactory) { + this.entity = entity; + this.em = em; + this.storeFactory = storeFactory; + } + + @Override + public PolicyEntity getEntity() { + return entity; + } + + @Override + public String getId() { + return entity.getId(); + } + + @Override + public String getType() { + return entity.getType(); + } + + @Override + public DecisionStrategy getDecisionStrategy() { + return entity.getDecisionStrategy(); + } + + @Override + public void setDecisionStrategy(DecisionStrategy decisionStrategy) { + entity.setDecisionStrategy(decisionStrategy); + + } + + @Override + public Logic getLogic() { + return entity.getLogic(); + } + + @Override + public void setLogic(Logic logic) { + entity.setLogic(logic); + } + + @Override + public Map getConfig() { + Map result = new HashMap(); + if (entity.getConfig() != null) result.putAll(entity.getConfig()); + return Collections.unmodifiableMap(result); + } + + @Override + public void setConfig(Map config) { + if (entity.getConfig() == null) { + entity.setConfig(new HashMap<>()); + } else { + entity.getConfig().clear(); + } + entity.getConfig().putAll(config); + } + + @Override + public void removeConfig(String name) { + if (entity.getConfig() == null) { + return; + } + entity.getConfig().remove(name); + } + + @Override + public void putConfig(String name, String value) { + if (entity.getConfig() == null) { + entity.setConfig(new HashMap<>()); + } + entity.getConfig().put(name, value); + + } + + @Override + public String getName() { + return entity.getName(); + } + + @Override + public void setName(String name) { + entity.setName(name); + + } + + @Override + public String getDescription() { + return entity.getDescription(); + } + + @Override + public void setDescription(String description) { + entity.setDescription(description); + + } + + @Override + public ResourceServer getResourceServer() { + return storeFactory.getResourceServerStore().findById(entity.getResourceServer().getId()); + } + + @Override + public Set getAssociatedPolicies() { + Set result = new HashSet<>(); + for (PolicyEntity policy : entity.getAssociatedPolicies()) { + Policy p = storeFactory.getPolicyStore().findById(policy.getId(), entity.getResourceServer().getId()); + result.add(p); + } + return Collections.unmodifiableSet(result); + } + + @Override + public Set getResources() { + Set set = new HashSet<>(); + for (ResourceEntity res : entity.getResources()) { + set.add(storeFactory.getResourceStore().findById(res.getId(), entity.getResourceServer().getId())); + } + return Collections.unmodifiableSet(set); + } + + @Override + public Set getScopes() { + Set set = new HashSet<>(); + for (ScopeEntity res : entity.getScopes()) { + set.add(storeFactory.getScopeStore().findById(res.getId(), entity.getResourceServer().getId())); + } + return Collections.unmodifiableSet(set); + } + + @Override + public void addScope(Scope scope) { + entity.getScopes().add(ScopeAdapter.toEntity(em, scope)); + } + + @Override + public void removeScope(Scope scope) { + entity.getScopes().remove(ScopeAdapter.toEntity(em, scope)); + + } + + @Override + public void addAssociatedPolicy(Policy associatedPolicy) { + entity.getAssociatedPolicies().add(toEntity(em, associatedPolicy)); + } + + @Override + public void removeAssociatedPolicy(Policy associatedPolicy) { + entity.getAssociatedPolicies().remove(toEntity(em, associatedPolicy)); + + } + + @Override + public void addResource(Resource resource) { + entity.getResources().add(ResourceAdapter.toEntity(em, resource)); + } + + @Override + public void removeResource(Resource resource) { + entity.getResources().remove(ResourceAdapter.toEntity(em, resource)); + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || !(o instanceof Policy)) return false; + + Policy that = (Policy) o; + return that.getId().equals(getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } + + public static PolicyEntity toEntity(EntityManager em, Policy policy) { + if (policy instanceof PolicyAdapter) { + return ((PolicyAdapter)policy).getEntity(); + } else { + return em.getReference(PolicyEntity.class, policy.getId()); + } + } + + + +} diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java new file mode 100644 index 0000000000..5c55114901 --- /dev/null +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java @@ -0,0 +1,166 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authorization.jpa.store; + +import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.authorization.jpa.entities.ResourceEntity; +import org.keycloak.authorization.jpa.entities.ScopeEntity; +import org.keycloak.authorization.model.Resource; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; +import org.keycloak.authorization.store.StoreFactory; +import org.keycloak.models.jpa.JpaModel; + +import javax.persistence.EntityManager; +import java.util.Collections; +import java.util.HashSet; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Set; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ResourceAdapter implements Resource, JpaModel { + private ResourceEntity entity; + private EntityManager em; + private StoreFactory storeFactory; + + public ResourceAdapter(ResourceEntity entity, EntityManager em, StoreFactory storeFactory) { + this.entity = entity; + this.em = em; + this.storeFactory = storeFactory; + } + + @Override + public ResourceEntity getEntity() { + return entity; + } + + @Override + public String getId() { + return entity.getId(); + } + + @Override + public String getName() { + return entity.getName(); + } + + @Override + public void setName(String name) { + entity.setName(name); + + } + + @Override + public String getUri() { + return entity.getUri(); + } + + @Override + public void setUri(String uri) { + entity.setUri(uri); + + } + + @Override + public String getType() { + return entity.getType(); + } + + @Override + public void setType(String type) { + entity.setType(type); + + } + + @Override + public List getScopes() { + List scopes = new LinkedList<>(); + for (ScopeEntity scope : entity.getScopes()) { + scopes.add(storeFactory.getScopeStore().findById(scope.getId(), entity.getResourceServer().getId())); + } + + return Collections.unmodifiableList(scopes); + } + + @Override + public String getIconUri() { + return entity.getIconUri(); + } + + @Override + public void setIconUri(String iconUri) { + entity.setIconUri(iconUri); + + } + + @Override + public ResourceServer getResourceServer() { + return storeFactory.getResourceServerStore().findById(entity.getResourceServer().getId()); + } + + @Override + public String getOwner() { + return entity.getOwner(); + } + + @Override + public void updateScopes(Set toUpdate) { + Set ids = new HashSet<>(); + for (Scope scope : toUpdate) { + ids.add(scope.getId()); + } + Iterator it = entity.getScopes().iterator(); + while (it.hasNext()) { + ScopeEntity next = it.next(); + if (!ids.contains(next.getId())) it.remove(); + else ids.remove(next.getId()); + } + for (String addId : ids) { + entity.getScopes().add(em.getReference(ScopeEntity.class, addId)); + } + } + + + public static ResourceEntity toEntity(EntityManager em, Resource resource) { + if (resource instanceof ResourceAdapter) { + return ((ResourceAdapter)resource).getEntity(); + } else { + return em.getReference(ResourceEntity.class, resource.getId()); + } + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || !(o instanceof Resource)) return false; + + Resource that = (Resource) o; + return that.getId().equals(getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } + + +} diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceServerAdapter.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceServerAdapter.java new file mode 100644 index 0000000000..56d585650e --- /dev/null +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceServerAdapter.java @@ -0,0 +1,106 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authorization.jpa.store; + +import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.authorization.jpa.entities.ResourceEntity; +import org.keycloak.authorization.jpa.entities.ResourceServerEntity; +import org.keycloak.authorization.model.Policy; +import org.keycloak.authorization.model.Resource; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.store.StoreFactory; +import org.keycloak.models.jpa.JpaModel; +import org.keycloak.representations.idm.authorization.PolicyEnforcementMode; + +import javax.persistence.EntityManager; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ResourceServerAdapter implements ResourceServer, JpaModel { + private ResourceServerEntity entity; + private EntityManager em; + private StoreFactory storeFactory; + + public ResourceServerAdapter(ResourceServerEntity entity, EntityManager em, StoreFactory storeFactory) { + this.entity = entity; + this.em = em; + this.storeFactory = storeFactory; + } + + @Override + public ResourceServerEntity getEntity() { + return entity; + } + + @Override + public String getId() { + return entity.getId(); + } + + @Override + public String getClientId() { + return entity.getClientId(); + } + + @Override + public boolean isAllowRemoteResourceManagement() { + return entity.isAllowRemoteResourceManagement(); + } + + @Override + public void setAllowRemoteResourceManagement(boolean allowRemoteResourceManagement) { + entity.setAllowRemoteResourceManagement(allowRemoteResourceManagement); + + } + + @Override + public PolicyEnforcementMode getPolicyEnforcementMode() { + return entity.getPolicyEnforcementMode(); + } + + @Override + public void setPolicyEnforcementMode(PolicyEnforcementMode enforcementMode) { + entity.setPolicyEnforcementMode(enforcementMode); + + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || !(o instanceof ResourceServer)) return false; + + ResourceServer that = (ResourceServer) o; + return that.getId().equals(getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } + + public static ResourceServerEntity toEntity(EntityManager em, ResourceServer resource) { + if (resource instanceof ResourceAdapter) { + return ((ResourceServerAdapter)resource).getEntity(); + } else { + return em.getReference(ResourceServerEntity.class, resource.getId()); + } + } + + +} diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ScopeAdapter.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ScopeAdapter.java new file mode 100644 index 0000000000..6b59dc8895 --- /dev/null +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ScopeAdapter.java @@ -0,0 +1,103 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authorization.jpa.store; + +import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.authorization.jpa.entities.ScopeEntity; +import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; +import org.keycloak.authorization.store.StoreFactory; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.jpa.JpaModel; + +import javax.persistence.EntityManager; + +/** + * @author Bill Burke + * @version $Revision: 1 $ + */ +public class ScopeAdapter implements Scope, JpaModel { + private ScopeEntity entity; + private EntityManager em; + private StoreFactory storeFactory; + + public ScopeAdapter(ScopeEntity entity, EntityManager em, StoreFactory storeFactory) { + this.entity = entity; + this.em = em; + this.storeFactory = storeFactory; + } + + @Override + public ScopeEntity getEntity() { + return entity; + } + + @Override + public String getId() { + return entity.getId(); + } + + @Override + public String getName() { + return entity.getName(); + } + + @Override + public void setName(String name) { + entity.setName(name); + + } + + @Override + public String getIconUri() { + return entity.getIconUri(); + } + + @Override + public void setIconUri(String iconUri) { + entity.setIconUri(iconUri); + + } + + @Override + public ResourceServer getResourceServer() { + return storeFactory.getResourceServerStore().findById(entity.getResourceServer().getId()); + } + + public static ScopeEntity toEntity(EntityManager em, Scope scope) { + if (scope instanceof ScopeAdapter) { + return ((ScopeAdapter)scope).getEntity(); + } else { + return em.getReference(ScopeEntity.class, scope.getId()); + } + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || !(o instanceof Scope)) return false; + + Scope that = (Scope) o; + return that.getId().equals(getId()); + } + + @Override + public int hashCode() { + return getId().hashCode(); + } + +} diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java index c5b75d38db..8a55ff14c3 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java @@ -28,6 +28,7 @@ import org.keycloak.authorization.permission.evaluator.Evaluators; import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator; import org.keycloak.authorization.policy.provider.PolicyProvider; import org.keycloak.authorization.policy.provider.PolicyProviderFactory; +import org.keycloak.authorization.store.AuthorizationStoreFactory; import org.keycloak.authorization.store.PolicyStore; import org.keycloak.authorization.store.ResourceServerStore; import org.keycloak.authorization.store.ResourceStore; @@ -35,13 +36,15 @@ import org.keycloak.authorization.store.ScopeStore; import org.keycloak.authorization.store.StoreFactory; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; +import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider; +import org.keycloak.models.cache.authorization.CachedStoreProviderFactory; import org.keycloak.models.utils.RepresentationToModel; import org.keycloak.provider.Provider; import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation; /** *

    The main contract here is the creation of {@link org.keycloak.authorization.permission.evaluator.PermissionEvaluator} instances. Usually - * an application has a single {@link AuthorizationProvider} instance and threads servicing client requests obtain {@link org.keycloak.authorization.core.permission.evaluator.PermissionEvaluator} + * an application has a single {@link AuthorizationProvider} instance and threads servicing client requests obtain {@link org.keycloak.authorization.permission.evaluator.PermissionEvaluator} * from the {@link #evaluators()} method. * *

    The internal state of a {@link AuthorizationProvider} is immutable. This internal state includes all of the metadata @@ -69,14 +72,14 @@ public final class AuthorizationProvider implements Provider { private final DefaultPolicyEvaluator policyEvaluator; private StoreFactory storeFactory; + private StoreFactory storeFactoryDelegate; private final Map policyProviderFactories; private final KeycloakSession keycloakSession; private final RealmModel realm; - public AuthorizationProvider(KeycloakSession session, RealmModel realm, StoreFactory storeFactory, Map policyProviderFactories) { + public AuthorizationProvider(KeycloakSession session, RealmModel realm, Map policyProviderFactories) { this.keycloakSession = session; this.realm = realm; - this.storeFactory = storeFactory; this.policyProviderFactories = policyProviderFactories; this.policyEvaluator = new DefaultPolicyEvaluator(this); } @@ -92,15 +95,32 @@ public final class AuthorizationProvider implements Provider { } /** + * Cache sits in front of this + * * Returns a {@link StoreFactory}. * * @return the {@link StoreFactory} */ public StoreFactory getStoreFactory() { - return createStoreFactory(); + if (storeFactory != null) return storeFactory; + storeFactory = keycloakSession.getProvider(CachedStoreFactoryProvider.class); + if (storeFactory == null) storeFactory = getLocalStoreFactory(); + storeFactory = createStoreFactory(storeFactory); + return storeFactory; } - private StoreFactory createStoreFactory() { + /** + * No cache sits in front of this + * + * @return + */ + public StoreFactory getLocalStoreFactory() { + if (storeFactoryDelegate != null) return storeFactoryDelegate; + storeFactoryDelegate = keycloakSession.getProvider(StoreFactory.class); + return storeFactoryDelegate; + } + + private StoreFactory createStoreFactory(StoreFactory storeFactory) { return new StoreFactory() { @Override public ResourceStore getResourceStore() { @@ -222,7 +242,7 @@ public final class AuthorizationProvider implements Provider { * Returns a {@link PolicyProviderFactory} given a type. * * @param type the type of the policy provider - * @param the expected type of the provider + * @param

    the expected type of the provider * @return a {@link PolicyProvider} with the given type */ public

    P getProvider(String type) { diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/model/CachedModel.java b/server-spi-private/src/main/java/org/keycloak/authorization/model/CachedModel.java new file mode 100644 index 0000000000..d908a84bc0 --- /dev/null +++ b/server-spi-private/src/main/java/org/keycloak/authorization/model/CachedModel.java @@ -0,0 +1,45 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.keycloak.authorization.model; + +/** + * Cached authorization model classes will implement this interface. + * + * @author Bill Burke + * @version $Revision: 1 $ + */ +public interface CachedModel { + /** + * Invalidates the cache for this model and returns a delegate that represents the actual data provider + * + * @return + */ + Model getDelegateForUpdate(); + + /** + * Invalidate the cache for this model + * + */ + void invalidate(); + + /** + * When was the model was loaded from database. + * + * @return + */ + long getCacheTimestamp(); +} diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/model/Policy.java b/server-spi-private/src/main/java/org/keycloak/authorization/model/Policy.java index 03596d948c..f46f61ad29 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/model/Policy.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/model/Policy.java @@ -76,10 +76,11 @@ public interface Policy { /** * Returns a {@link Map} holding string-based key/value pairs representing any additional configuration for this policy. * - * @return a map with any additional configuration defined for this policy. + * @return a unmodifiable map with any additional configuration defined for this policy. */ Map getConfig(); + /** * Sets a {@link Map} with string-based key/value pairs representing any additional configuration for this policy. * @@ -87,6 +88,9 @@ public interface Policy { */ void setConfig(Map config); + void removeConfig(String name); + void putConfig(String name, String value); + /** * Returns the name of this policy. * @@ -120,7 +124,7 @@ public interface Policy { * * @return a resource server */ - R getResourceServer(); + ResourceServer getResourceServer(); /** * Returns the {@link Policy} instances associated with this policy and used to evaluate authorization decisions when @@ -128,21 +132,21 @@ public interface Policy { * * @return the associated policies or an empty set if no policy is associated with this policy */ -

    Set

    getAssociatedPolicies(); + Set getAssociatedPolicies(); /** * Returns the {@link Resource} instances where this policy applies. * * @return a set with all resource instances where this policy applies. Or an empty set if there is no resource associated with this policy */ - Set getResources(); + Set getResources(); /** * Returns the {@link Scope} instances where this policy applies. * * @return a set with all scope instances where this policy applies. Or an empty set if there is no scope associated with this policy */ - Set getScopes(); + Set getScopes(); void addScope(Scope scope); diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java b/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java index 2bf2c6fa3f..4c2521ccd7 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java @@ -82,7 +82,7 @@ public interface Resource { * * @return a list with all scopes associated with this resource */ - List getScopes(); + List getScopes(); /** * Returns an icon {@link java.net.URI} for this resource. @@ -103,7 +103,7 @@ public interface Resource { * * @return the resource server associated with this resource */ - R getResourceServer(); + ResourceServer getResourceServer(); /** * Returns the resource's owner, which is usually an identifier that uniquely identifies the resource's owner. diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java index 76a3fab2fe..1c9c0df82c 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java @@ -21,10 +21,12 @@ package org.keycloak.authorization.store; import java.util.HashMap; import java.util.Map; +import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.store.syncronization.ClientApplicationSynchronizer; import org.keycloak.authorization.store.syncronization.RealmSynchronizer; import org.keycloak.authorization.store.syncronization.Synchronizer; import org.keycloak.authorization.store.syncronization.UserSynchronizer; +import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.RealmModel.ClientRemovedEvent; import org.keycloak.models.RealmModel.RealmRemovedEvent; diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java index b55ec746c8..9a2ac51609 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java @@ -66,7 +66,7 @@ public interface ResourceStore { /** * Finds all {@link Resource} instances with the given uri. * - * @param ownerId the identifier of the owner + * @param uri the identifier of the uri * @return a list with all resource instances owned by the given owner */ List findByUri(String uri, String resourceServerId); diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java index 686eeef4b0..aeb039dc4f 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java @@ -41,9 +41,9 @@ public class ClientApplicationSynchronizer implements Synchronizer storeFactory.getResourceStore().delete(resource.getId())); - storeFactory.getScopeStore().findByResourceServer(id).forEach(scope -> storeFactory.getScopeStore().delete(scope.getId())); - storeFactory.getPolicyStore().findByResourceServer(id).forEach(scope -> storeFactory.getPolicyStore().delete(scope.getId())); + //storeFactory.getResourceStore().findByResourceServer(id).forEach(resource -> storeFactory.getResourceStore().delete(resource.getId())); + //storeFactory.getScopeStore().findByResourceServer(id).forEach(scope -> storeFactory.getScopeStore().delete(scope.getId())); + //storeFactory.getPolicyStore().findByResourceServer(id).forEach(scope -> storeFactory.getPolicyStore().delete(scope.getId())); storeFactory.getResourceServerStore().delete(id); } } diff --git a/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java b/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java index f8844f15bb..d1e0ca2b35 100644 --- a/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java +++ b/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java @@ -71,7 +71,7 @@ public class MigrateTo2_1_0 implements Migration { if (resourceServer != null) { policyStore.findByType("role", resourceServer.getId()).forEach(policy -> { - Map config = policy.getConfig(); + Map config = new HashMap(policy.getConfig()); String roles = config.get("roles"); List roleConfig; diff --git a/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java index b8563cb74c..d466f7ae90 100644 --- a/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java +++ b/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java @@ -18,6 +18,9 @@ package org.keycloak.models.cache.authorization; +import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.authorization.store.StoreFactory; +import org.keycloak.models.KeycloakSession; import org.keycloak.provider.ProviderFactory; /** diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java index b427477846..b857bad8b3 100755 --- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java +++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java @@ -2098,7 +2098,7 @@ public class RepresentationToModel { } } - policy.getConfig().remove("scopes"); + policy.removeConfig("scopes"); } private static void updateAssociatedPolicies(Set policyIds, Policy policy, StoreFactory storeFactory) { @@ -2151,7 +2151,7 @@ public class RepresentationToModel { } } - policy.getConfig().remove("applyPolicies"); + policy.removeConfig("applyPolicies"); } private static void updateResources(Set resourceIds, Policy policy, StoreFactory storeFactory) { @@ -2197,7 +2197,7 @@ public class RepresentationToModel { } } - policy.getConfig().remove("resources"); + policy.removeConfig("resources"); } public static Resource toModel(ResourceRepresentation resource, ResourceServer resourceServer, AuthorizationProvider authorization) { diff --git a/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java b/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java index cc06284c6c..d9d7b2d02c 100644 --- a/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java +++ b/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java @@ -65,11 +65,7 @@ public class DefaultAuthorizationProviderFactory implements AuthorizationProvide @Override public AuthorizationProvider create(KeycloakSession session, RealmModel realm) { - StoreFactory storeFactory = session.getProvider(CachedStoreFactoryProvider.class); - if (storeFactory == null) { - storeFactory = session.getProvider(StoreFactory.class); - } - return new AuthorizationProvider(session, realm, storeFactory, policyProviderFactories); + return new AuthorizationProvider(session, realm, policyProviderFactories); } private Map configurePolicyProviderFactories(KeycloakSessionFactory keycloakSessionFactory) { diff --git a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java index fb28054740..3a9337e730 100644 --- a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java +++ b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java @@ -16,6 +16,7 @@ */ package org.keycloak.authorization.authorization; +import org.jboss.logging.Logger; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.OAuth2Constants; import org.keycloak.OAuthErrorException; @@ -46,6 +47,7 @@ import org.keycloak.representations.idm.authorization.Permission; import org.keycloak.representations.idm.authorization.ScopeRepresentation; import org.keycloak.services.ErrorResponseException; import org.keycloak.services.resources.Cors; +import org.keycloak.services.resources.RealmsResource; import javax.ws.rs.Consumes; import javax.ws.rs.OPTIONS; @@ -72,6 +74,7 @@ import java.util.stream.Stream; * @author Pedro Igor */ public class AuthorizationTokenService { + protected static final Logger logger = Logger.getLogger(AuthorizationTokenService.class); private final AuthorizationProvider authorization; @@ -131,6 +134,7 @@ public class AuthorizationTokenService { @Override public void onError(Throwable cause) { + logger.error("failed authorize", cause); asyncResponse.resume(cause); } }); diff --git a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java index 326deb6453..463ff0bf19 100644 --- a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java +++ b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java @@ -41,10 +41,12 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; import javax.ws.rs.core.Response.Status; +import org.jboss.logging.Logger; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.OAuth2Constants; import org.keycloak.OAuthErrorException; import org.keycloak.authorization.AuthorizationProvider; +import org.keycloak.authorization.authorization.AuthorizationTokenService; import org.keycloak.authorization.common.KeycloakEvaluationContext; import org.keycloak.authorization.common.KeycloakIdentity; import org.keycloak.authorization.entitlement.representation.EntitlementRequest; @@ -79,6 +81,7 @@ import org.keycloak.services.resources.Cors; */ public class EntitlementService { + protected static final Logger logger = Logger.getLogger(EntitlementService.class); private final AuthorizationProvider authorization; @Context @@ -122,6 +125,7 @@ public class EntitlementService { @Override public void onError(Throwable cause) { + logger.error("failed", cause); asyncResponse.resume(cause); } @@ -175,6 +179,7 @@ public class EntitlementService { authorization.evaluators().from(createPermissions(entitlementRequest, resourceServer, authorization), new KeycloakEvaluationContext(this.authorization.getKeycloakSession())).evaluate(new DecisionResultCollector() { @Override public void onError(Throwable cause) { + logger.error("failed", cause); asyncResponse.resume(cause); } diff --git a/services/src/main/java/org/keycloak/authorization/util/Permissions.java b/services/src/main/java/org/keycloak/authorization/util/Permissions.java index 2e2c4a8b6a..a805fbc7c9 100644 --- a/services/src/main/java/org/keycloak/authorization/util/Permissions.java +++ b/services/src/main/java/org/keycloak/authorization/util/Permissions.java @@ -21,6 +21,7 @@ package org.keycloak.authorization.util; import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; +import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Set; @@ -61,8 +62,8 @@ public final class Permissions { StoreFactory storeFactory = authorization.getStoreFactory(); ResourceStore resourceStore = storeFactory.getResourceStore(); - resourceStore.findByOwner(resourceServer.getClientId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, resource.getScopes(), authorization))); - resourceStore.findByOwner(identity.getId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, resource.getScopes(), authorization))); + resourceStore.findByOwner(resourceServer.getClientId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, new LinkedList(resource.getScopes()), authorization))); + resourceStore.findByOwner(identity.getId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, new LinkedList(resource.getScopes()), authorization))); return permissions; } @@ -74,7 +75,7 @@ public final class Permissions { List scopes; if (requestedScopes.isEmpty()) { - scopes = resource.getScopes(); + scopes = new LinkedList<>(resource.getScopes()); // check if there is a typed resource whose scopes are inherited by the resource being requested. In this case, we assume that parent resource // is owned by the resource server itself if (type != null && !resource.getOwner().equals(resourceServer.getClientId())) { @@ -102,7 +103,6 @@ public final class Permissions { return byName; }).collect(Collectors.toList()); } - permissions.add(new ResourcePermission(resource, scopes, resource.getResourceServer())); return permissions; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java index 6db4891238..4d5897cf56 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java @@ -214,7 +214,7 @@ public class ConflictingScopePermissionTest extends AbstractKeycloakTest { } representation.addScope(scopes.toArray(new String[scopes.size()])); - representation.addPolicy(scopes.toArray(new String[policies.size()])); + representation.addPolicy(policies.toArray(new String[policies.size()])); authorization.permissions().scope().create(representation); } diff --git a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml index 205c1f51af..fb832fa23a 100755 --- a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml +++ b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml @@ -36,7 +36,7 @@ - + From 56d68c17f538b436029de904ef67d3e81887b615 Mon Sep 17 00:00:00 2001 From: Bob McWhirter Date: Wed, 10 May 2017 10:21:12 -0400 Subject: [PATCH 20/30] KEYCLOAK-4933 Use a newer version of the server-provisioning-plugin. By using a newer version of the plugin, we can reduce the amount of build code that replicates the provisioning logic when building overlays. This applies to both: * Server distribution overlay * Adapter distribution overlay Both overlays are created purely by using the provisioning plugin and the feature-packs produced elsewhere in the build, along with the admin-cli artifact when appropriate. --- .../adapters/wildfly-adapter/assembly.xml | 78 +++++ .../cli/adapter-elytron-install-offline.cli | 0 .../cli/adapter-install-offline.cli | 0 distribution/adapters/wildfly-adapter/pom.xml | 115 +++++++- .../wildfly-adapter}/server-provisioning.xml | 6 +- .../wildfly-adapter-zip/assembly.xml | 70 ----- .../wildfly-adapter-zip/pom.xml | 107 ------- .../wildfly-modules/assembly.xml | 39 --- .../wildfly-adapter/wildfly-modules/build.xml | 94 ------ .../wildfly-adapter/wildfly-modules/lib.xml | 277 ------------------ .../wildfly-adapter/wildfly-modules/pom.xml | 203 ------------- .../keycloak-adapter-core/main/module.xml | 40 --- .../keycloak-adapter-spi/main/module.xml | 37 --- .../main/module.xml | 33 --- .../keycloak-authz-client/main/module.xml | 42 --- .../keycloak/keycloak-core/main/module.xml | 38 --- .../main/module.xml | 35 --- .../main/module.xml | 36 --- .../keycloak-undertow-adapter/main/module.xml | 48 --- .../keycloak-wildfly-adapter/main/module.xml | 49 ---- .../main/module.xml | 51 ---- .../main/module.xml | 43 --- distribution/server-dist/pom.xml | 30 +- distribution/server-overlay/assembly.xml | 58 +++- distribution/server-overlay/pom.xml | 146 ++++----- .../server-overlay/src/main/version.txt | 1 + .../module.xml => server-provisioning.xml} | 25 +- pom.xml | 8 +- 28 files changed, 316 insertions(+), 1393 deletions(-) create mode 100755 distribution/adapters/wildfly-adapter/assembly.xml rename distribution/adapters/wildfly-adapter/{wildfly-adapter-zip => }/cli/adapter-elytron-install-offline.cli (100%) rename distribution/adapters/wildfly-adapter/{wildfly-adapter-zip => }/cli/adapter-install-offline.cli (100%) rename distribution/{server-dist => adapters/wildfly-adapter}/server-provisioning.xml (85%) delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-adapter-zip/assembly.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-adapter-zip/pom.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/assembly.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/build.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/lib.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/pom.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-core/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-spi/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-subsystem/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-authz-client/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-core/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-jboss-adapter-core/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-servlet-oauth-client/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-undertow-adapter/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-adapter/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml delete mode 100755 distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-subsystem/main/module.xml create mode 100644 distribution/server-overlay/src/main/version.txt rename distribution/{adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-common/main/module.xml => server-provisioning.xml} (59%) mode change 100755 => 100644 diff --git a/distribution/adapters/wildfly-adapter/assembly.xml b/distribution/adapters/wildfly-adapter/assembly.xml new file mode 100755 index 0000000000..cb9db53a00 --- /dev/null +++ b/distribution/adapters/wildfly-adapter/assembly.xml @@ -0,0 +1,78 @@ + + + + server-dist + + + zip + tar.gz + + + false + + + + target/${project.build.finalName} + + true + + **/module.xml + + + + target/${project.build.finalName} + + false + + docs/** + README.md + + + + target/${project.build.finalName} + + + bin/*.sh + + 0755 + + + target/${project.build.finalName} + + + themes/** + + 0444 + + + cli + bin + + *.* + + + + src/main/modules + modules + + layers.conf + + + + + diff --git a/distribution/adapters/wildfly-adapter/wildfly-adapter-zip/cli/adapter-elytron-install-offline.cli b/distribution/adapters/wildfly-adapter/cli/adapter-elytron-install-offline.cli similarity index 100% rename from distribution/adapters/wildfly-adapter/wildfly-adapter-zip/cli/adapter-elytron-install-offline.cli rename to distribution/adapters/wildfly-adapter/cli/adapter-elytron-install-offline.cli diff --git a/distribution/adapters/wildfly-adapter/wildfly-adapter-zip/cli/adapter-install-offline.cli b/distribution/adapters/wildfly-adapter/cli/adapter-install-offline.cli similarity index 100% rename from distribution/adapters/wildfly-adapter/wildfly-adapter-zip/cli/adapter-install-offline.cli rename to distribution/adapters/wildfly-adapter/cli/adapter-install-offline.cli diff --git a/distribution/adapters/wildfly-adapter/pom.xml b/distribution/adapters/wildfly-adapter/pom.xml index 420b02a953..082292acd2 100644 --- a/distribution/adapters/wildfly-adapter/pom.xml +++ b/distribution/adapters/wildfly-adapter/pom.xml @@ -17,21 +17,116 @@ + 4.0.0 - keycloak-parent + keycloak-adapters-distribution-parent org.keycloak 3.2.0.CR1-SNAPSHOT - ../../../pom.xml - Keycloak Wildfly Adapter - - 4.0.0 - keycloak-wildfly-adapter-dist-pom + keycloak-wildfly-adapter-dist pom + Keycloak Adapter Overlay Distribution + + + + + org.keycloak + keycloak-adapter-feature-pack + zip + + + + + + + org.wildfly.build + wildfly-server-provisioning-maven-plugin + ${build-tools.version} + + + server-provisioning + + build + + compile + + server-provisioning.xml + true + + + + + + org.apache.maven.plugins + maven-assembly-plugin + + + assemble + package + + single + + + + ${assemblyFile} + + true + ${project.build.finalName} + false + ${project.build.directory} + ${project.build.directory}/assembly/work + + + + + + + + + + community + + + !product + + + + ${wildfly.build-tools.version} + assembly.xml + + + + + wf11 + + ${wildfly11.build-tools.version} + + + + + product + + + product + + + + ${eap.build-tools.version} + assembly.xml + %regex[(providers.*)|(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] + + + + org.wildfly + wildfly-dist + zip + + + + ${product.name}-${product.filename.version}-eap7-adapter + + + - - wildfly-modules - wildfly-adapter-zip - diff --git a/distribution/server-dist/server-provisioning.xml b/distribution/adapters/wildfly-adapter/server-provisioning.xml similarity index 85% rename from distribution/server-dist/server-provisioning.xml rename to distribution/adapters/wildfly-adapter/server-provisioning.xml index 4ce4a6f1c9..5f4ff95073 100644 --- a/distribution/server-dist/server-provisioning.xml +++ b/distribution/adapters/wildfly-adapter/server-provisioning.xml @@ -14,8 +14,8 @@ ~ See the License for the specific language governing permissions and ~ limitations under the License. --> - + - + - \ No newline at end of file + diff --git a/distribution/adapters/wildfly-adapter/wildfly-adapter-zip/assembly.xml b/distribution/adapters/wildfly-adapter/wildfly-adapter-zip/assembly.xml deleted file mode 100755 index fcecc4845d..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-adapter-zip/assembly.xml +++ /dev/null @@ -1,70 +0,0 @@ - - - - war-dist - - - zip - tar.gz - - false - - - - ${project.build.directory}/unpacked - - org/keycloak/keycloak-common/** - org/keycloak/keycloak-core/** - org/keycloak/keycloak-adapter-core/** - org/keycloak/keycloak-adapter-spi/** - org/keycloak/keycloak-jboss-adapter-core/** - org/keycloak/keycloak-undertow-adapter/** - org/keycloak/keycloak-wildfly-adapter/** - org/keycloak/keycloak-wildfly-elytron-oidc-adapter/** - org/keycloak/keycloak-wildfly-subsystem/** - org/keycloak/keycloak-adapter-subsystem/** - org/keycloak/keycloak-servlet-oauth-client/** - - - org/keycloak/keycloak-authz-client/** - - - **/*.war - - modules/system/add-ons/keycloak - - - - - ../../shared-cli/adapter-install.cli - bin - - - cli/adapter-install-offline.cli - bin - - - ../../shared-cli/adapter-elytron-install.cli - bin - - - cli/adapter-elytron-install-offline.cli - bin - - - \ No newline at end of file diff --git a/distribution/adapters/wildfly-adapter/wildfly-adapter-zip/pom.xml b/distribution/adapters/wildfly-adapter/wildfly-adapter-zip/pom.xml deleted file mode 100755 index 9bc2b894a6..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-adapter-zip/pom.xml +++ /dev/null @@ -1,107 +0,0 @@ - - - - 4.0.0 - - keycloak-parent - org.keycloak - 3.2.0.CR1-SNAPSHOT - ../../../../pom.xml - - - keycloak-wildfly-adapter-dist - pom - Keycloak Wildfly Adapter Distro - - - - - org.keycloak - keycloak-wildfly-modules - zip - - - - - - - org.apache.maven.plugins - maven-dependency-plugin - - - unpack - prepare-package - - unpack - - - - - org.keycloak - keycloak-wildfly-modules - zip - ${project.build.directory}/unpacked - - - - - - - - maven-assembly-plugin - - - assemble - package - - single - - - - assembly.xml - - - target - - - target/assembly/work - - false - - - - - - - - - - product - - - product - - - - ${product.name}-${product.filename.version}-eap7-adapter - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/assembly.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/assembly.xml deleted file mode 100755 index 4acef09b9c..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/assembly.xml +++ /dev/null @@ -1,39 +0,0 @@ - - - - dist - - - zip - - false - - - - ../../ - - License.html - - - - - ${project.build.directory}/modules - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/build.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/build.xml deleted file mode 100755 index 8e608a59ee..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/build.xml +++ /dev/null @@ -1,94 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/lib.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/lib.xml deleted file mode 100755 index 5794c22ec0..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/lib.xml +++ /dev/null @@ -1,277 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "; - project.setProperty("current.maven.root", root); - ]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "; - if(path.indexOf('${') != -1) { - throw "Module resource root not found, make sure it is listed in build/pom.xml" + path; - } - if(attributes.get("jandex") == "true" ) { - root = root + "\n\t"; - } - project.setProperty("current.resource.root", root); - ]]> - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/pom.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/pom.xml deleted file mode 100755 index ca097a3066..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/pom.xml +++ /dev/null @@ -1,203 +0,0 @@ - - - - - - 4.0.0 - - - keycloak-parent - org.keycloak - 3.2.0.CR1-SNAPSHOT - ../../../../pom.xml - - - keycloak-wildfly-modules - - Keycloak Wildfly Modules - pom - - - org.keycloak - keycloak-common - - - org.keycloak - keycloak-core - - - org.keycloak - keycloak-adapter-spi - - - org.keycloak - keycloak-undertow-adapter-spi - - - org.keycloak - keycloak-adapter-core - - - org.keycloak - keycloak-jboss-adapter-core - - - org.keycloak - keycloak-undertow-adapter - - - org.keycloak - keycloak-wildfly-adapter - - - org.keycloak - keycloak-wildfly-elytron-oidc-adapter - - - org.keycloak - keycloak-wildfly-subsystem - - - org.keycloak - keycloak-servlet-oauth-client - - - org.apache.httpcomponents - httpmime - - - org.apache.httpcomponents - httpcore - - - - - org.keycloak - keycloak-authz-client - - - - - - - org.apache.maven.plugins - maven-antrun-plugin - false - - - build-dist - - run - - compile - - - - - - - - - - - - org.jboss - jandex - 1.0.3.Final - - - ant-contrib - ant-contrib - 1.0b3 - - - ant - ant - - - - - org.apache.ant - ant-apache-bsf - 1.9.3 - - - org.apache.bsf - bsf-api - 3.1 - - - rhino - js - 1.7R2 - - - - - maven-assembly-plugin - - - assemble - package - - single - - - - assembly.xml - - - target - - - target/assembly/work - - false - - - - - - org.apache.maven.plugins - maven-resources-plugin - - - copy-resources - - validate - - copy-resources - - - ${project.build.directory}/modules/org/keycloak/keycloak-adapter-subsystem - - - src/main/resources/modules/org/keycloak/keycloak-adapter-subsystem - true - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-core/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-core/main/module.xml deleted file mode 100755 index 84a08f02d9..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-core/main/module.xml +++ /dev/null @@ -1,40 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-spi/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-spi/main/module.xml deleted file mode 100755 index 6f50fa4f23..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-spi/main/module.xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-subsystem/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-subsystem/main/module.xml deleted file mode 100755 index 9cfb9349b5..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-adapter-subsystem/main/module.xml +++ /dev/null @@ -1,33 +0,0 @@ - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-authz-client/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-authz-client/main/module.xml deleted file mode 100755 index 3cd1abd063..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-authz-client/main/module.xml +++ /dev/null @@ -1,42 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-core/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-core/main/module.xml deleted file mode 100755 index f40e1e3165..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-core/main/module.xml +++ /dev/null @@ -1,38 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-jboss-adapter-core/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-jboss-adapter-core/main/module.xml deleted file mode 100755 index 40186d743f..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-jboss-adapter-core/main/module.xml +++ /dev/null @@ -1,35 +0,0 @@ - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-servlet-oauth-client/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-servlet-oauth-client/main/module.xml deleted file mode 100755 index 21b32bf898..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-servlet-oauth-client/main/module.xml +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-undertow-adapter/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-undertow-adapter/main/module.xml deleted file mode 100755 index b3af92087a..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-undertow-adapter/main/module.xml +++ /dev/null @@ -1,48 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-adapter/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-adapter/main/module.xml deleted file mode 100755 index 64da990e28..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-adapter/main/module.xml +++ /dev/null @@ -1,49 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml deleted file mode 100755 index 1ca98391a2..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml +++ /dev/null @@ -1,51 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-subsystem/main/module.xml b/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-subsystem/main/module.xml deleted file mode 100755 index 9216ec70df..0000000000 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-wildfly-subsystem/main/module.xml +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/server-dist/pom.xml b/distribution/server-dist/pom.xml index e538b7d037..40ef67043d 100755 --- a/distribution/server-dist/pom.xml +++ b/distribution/server-dist/pom.xml @@ -35,6 +35,11 @@ keycloak-server-feature-pack zip + + org.keycloak + keycloak-client-cli-dist + zip + @@ -51,7 +56,7 @@ compile - server-provisioning.xml + ../server-provisioning.xml @@ -79,29 +84,6 @@ - - org.apache.maven.plugins - maven-dependency-plugin - - - unpack-client-cli-dist - prepare-package - - unpack - - - - - org.keycloak - keycloak-client-cli-dist - zip - ${project.build.directory}/unpacked - - - - - - diff --git a/distribution/server-overlay/assembly.xml b/distribution/server-overlay/assembly.xml index c2b5275c51..7a0fee0226 100755 --- a/distribution/server-overlay/assembly.xml +++ b/distribution/server-overlay/assembly.xml @@ -27,35 +27,67 @@ - ${project.build.directory}/cli + target/${project.build.finalName} + + true - *.cli + **/module.xml - bin - ${project.build.directory}/unpacked/${serverDistDir} + target/${project.build.finalName} - - **/** - + false - modules/** + bin/*.sh + module.xml + welcome-content/** + appclient/** + bin/appclient.* + copyright.txt + README.txt + themes/** + version.txt + ${profileExcludes} - ${project.build.directory}/unpacked/${serverDistDir}/modules/system/layers/keycloak - modules/system/${identityType}/keycloak + target/${project.build.finalName} + - **/** + bin/*.sh + + 0755 + + + target/${project.build.finalName} + + + themes/** + + 0444 + + + src/main/welcome-content + welcome-content + + *.* + + + + src/main/modules + modules + + layers.conf - target/README.txt - + src/main/version.txt + + true diff --git a/distribution/server-overlay/pom.xml b/distribution/server-overlay/pom.xml index 54923a31f0..c8bbf4937b 100755 --- a/distribution/server-overlay/pom.xml +++ b/distribution/server-overlay/pom.xml @@ -32,67 +32,32 @@ org.keycloak - keycloak-server-dist + keycloak-server-feature-pack + zip + + + org.keycloak + keycloak-client-cli-dist zip - - - ${serverDistDir}/modules/system/layers/keycloak/**, - ${serverDistDir}/themes/**, - ${serverDistDir}/providers/**, - ${serverDistDir}/License.html, - ${serverDistDir}/bin/client/keycloak*, - ${serverDistDir}/bin/*keycloak*, - ${serverDistDir}/bin/kc*, - ${serverDistDir}/bin/federation-sssd-setup.sh, - ${serverDistDir}/bin/migrate* - - - - keycloak-overlay-${project.version} - org.apache.maven.plugins - maven-dependency-plugin + org.wildfly.build + wildfly-server-provisioning-maven-plugin + ${build-tools.version} - unpack + server-provisioning + + build + compile - - unpack - - - - org.keycloak - keycloak-wildfly-server-subsystem - ${project.version} - jar - cli/*.cli - ${project.build.directory} - - - - - - unpack-server-dist - prepare-package - - unpack - - - - - org.keycloak - keycloak-server-dist - zip - ${project.build.directory}/unpacked - ${filesToInclude} - - + ../server-provisioning.xml + true @@ -119,29 +84,6 @@ - - org.apache.maven.plugins - maven-assembly-plugin - - - assemble - package - - single - - - - assembly.xml - - true - ${project.build.finalName} - false - ${project.build.directory} - ${project.build.directory}/assembly/work - - - - org.apache.maven.plugins maven-antrun-plugin @@ -179,10 +121,32 @@ + + org.apache.maven.plugins + maven-assembly-plugin + + + assemble + package + + single + + + + ${assemblyFile} + + true + ${project.build.finalName} + false + ${project.build.directory} + ${project.build.directory}/assembly/work + + + + - community @@ -192,9 +156,18 @@ - add-ons - keycloak-${project.version} - ${commonFilesToInclude} + ${wildfly.build-tools.version} + assembly.xml + + + keycloak-overlay-${project.version} + + + + + wf11 + + ${wildfly11.build-tools.version} @@ -206,13 +179,20 @@ - layers - ${product.name}-${product.filename.version} - - ${commonFilesToInclude}, - ${serverDistDir}/bin/product.conf, - ${serverDistDir}/modules/layers.conf + ${eap.build-tools.version} + assembly.xml + %regex[(providers.*)|(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] + + + org.wildfly + wildfly-dist + zip + + + + ${product.name}-overlay-${product.filename.version} + diff --git a/distribution/server-overlay/src/main/version.txt b/distribution/server-overlay/src/main/version.txt new file mode 100644 index 0000000000..c9db8ca50e --- /dev/null +++ b/distribution/server-overlay/src/main/version.txt @@ -0,0 +1 @@ +${product.name.full} - Version ${product.version} diff --git a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-common/main/module.xml b/distribution/server-provisioning.xml old mode 100755 new mode 100644 similarity index 59% rename from distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-common/main/module.xml rename to distribution/server-provisioning.xml index 4afb80d502..4e4afd5426 --- a/distribution/adapters/wildfly-adapter/wildfly-modules/src/main/resources/modules/org/keycloak/keycloak-common/main/module.xml +++ b/distribution/server-provisioning.xml @@ -1,7 +1,3 @@ - - - - - - - - - - - - - - - - - + + + + + + + + diff --git a/pom.xml b/pom.xml index 48072ba177..6774018303 100755 --- a/pom.xml +++ b/pom.xml @@ -44,7 +44,7 @@ 7.2.0.Final 10.0.0.Final - 1.1.3.Final + 1.2.2.Final 11.0.0.Alpha1 1.1.8.Final 7.1.0.Beta1-redhat-2 @@ -1247,6 +1247,12 @@ ${project.version} zip + + org.keycloak + keycloak-adapter-feature-pack + ${project.version} + zip + org.keycloak keycloak-saml-tomcat6-adapter-dist From 6d8a3f7a8b644ebd6b09000c5ec5670e3906caeb Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Tue, 16 May 2017 13:52:42 +0200 Subject: [PATCH 21/30] KEYCLOAK-4933 Fixes --- .../adapters/wildfly-adapter/assembly.xml | 25 +++++++--- .../adapter-feature-pack/pom.xml | 4 ++ .../keycloak/org/bouncycastle/main/module.xml | 29 ----------- .../keycloak-adapter-core/main/module.xml | 2 +- .../keycloak-adapter-spi/main/module.xml | 6 +-- .../keycloak-authz-client/main/module.xml | 28 +++++------ .../main/module.xml | 1 + .../keycloak-undertow-adapter/main/module.xml | 2 +- .../main/module.xml | 50 +++++++++++++++++++ .../main/module.xml | 2 +- distribution/server-overlay/assembly.xml | 20 ++++++++ distribution/server-overlay/pom.xml | 25 ++++++++++ pom.xml | 4 +- 13 files changed, 140 insertions(+), 58 deletions(-) delete mode 100644 distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/bouncycastle/main/module.xml create mode 100755 distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml diff --git a/distribution/adapters/wildfly-adapter/assembly.xml b/distribution/adapters/wildfly-adapter/assembly.xml index cb9db53a00..ec09dcff14 100755 --- a/distribution/adapters/wildfly-adapter/assembly.xml +++ b/distribution/adapters/wildfly-adapter/assembly.xml @@ -59,13 +59,6 @@ 0444 - - cli - bin - - *.* - - src/main/modules modules @@ -74,5 +67,23 @@ + + + ../shared-cli/adapter-install.cli + bin + + + cli/adapter-install-offline.cli + bin + + + ../shared-cli/adapter-elytron-install.cli + bin + + + cli/adapter-elytron-install-offline.cli + bin + + diff --git a/distribution/feature-packs/adapter-feature-pack/pom.xml b/distribution/feature-packs/adapter-feature-pack/pom.xml index be9c989d96..0dbb9fc74e 100755 --- a/distribution/feature-packs/adapter-feature-pack/pom.xml +++ b/distribution/feature-packs/adapter-feature-pack/pom.xml @@ -39,6 +39,10 @@ org.keycloak keycloak-wildfly-adapter + + org.keycloak + keycloak-wildfly-elytron-oidc-adapter + org.keycloak keycloak-servlet-oauth-client diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/bouncycastle/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/bouncycastle/main/module.xml deleted file mode 100644 index 2c3a43a846..0000000000 --- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/bouncycastle/main/module.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - - - - - - - - - diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-core/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-core/main/module.xml index 9603619bc0..14203f9080 100755 --- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-core/main/module.xml +++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-core/main/module.xml @@ -29,7 +29,7 @@ - + diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-spi/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-spi/main/module.xml index ef2e0ed292..36ce0f1831 100755 --- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-spi/main/module.xml +++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-spi/main/module.xml @@ -26,13 +26,13 @@ + + + - - - diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-authz-client/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-authz-client/main/module.xml index 67cc62c319..a367a6c7ce 100755 --- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-authz-client/main/module.xml +++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-authz-client/main/module.xml @@ -3,20 +3,20 @@ diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-jboss-adapter-core/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-jboss-adapter-core/main/module.xml index 6f342169b2..82a92bd52a 100755 --- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-jboss-adapter-core/main/module.xml +++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-jboss-adapter-core/main/module.xml @@ -29,6 +29,7 @@ + diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-undertow-adapter/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-undertow-adapter/main/module.xml index 9047bbc48d..6dcf78156b 100755 --- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-undertow-adapter/main/module.xml +++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-undertow-adapter/main/module.xml @@ -33,7 +33,7 @@ - + diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml new file mode 100755 index 0000000000..c76489a62f --- /dev/null +++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-elytron-oidc-adapter/main/module.xml @@ -0,0 +1,50 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml index e99bfe56b5..025f15271b 100755 --- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml +++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-wildfly-subsystem/main/module.xml @@ -21,8 +21,8 @@ - + diff --git a/distribution/server-overlay/assembly.xml b/distribution/server-overlay/assembly.xml index 7a0fee0226..4bf7726005 100755 --- a/distribution/server-overlay/assembly.xml +++ b/distribution/server-overlay/assembly.xml @@ -39,6 +39,10 @@ false + .installation + docs/** + domain/** + standalone/** bin/*.sh module.xml welcome-content/** @@ -81,6 +85,22 @@ layers.conf + + src/main + + + README.txt + + true + + + target/cli + bin + + *.cli + + true + diff --git a/distribution/server-overlay/pom.xml b/distribution/server-overlay/pom.xml index c8bbf4937b..fcf151f814 100755 --- a/distribution/server-overlay/pom.xml +++ b/distribution/server-overlay/pom.xml @@ -44,6 +44,31 @@ + + org.apache.maven.plugins + maven-dependency-plugin + + + unpack + compile + + unpack + + + + + org.keycloak + keycloak-wildfly-server-subsystem + ${project.version} + jar + cli/*.cli + ${project.build.directory} + + + + + + org.wildfly.build wildfly-server-provisioning-maven-plugin diff --git a/pom.xml b/pom.xml index 6774018303..fb8700d7ad 100755 --- a/pom.xml +++ b/pom.xml @@ -46,9 +46,9 @@ 10.0.0.Final 1.2.2.Final 11.0.0.Alpha1 - 1.1.8.Final + 1.2.2.Final 7.1.0.Beta1-redhat-2 - 1.1.8.Final + 1.2.2.Final 2.0.10.Final 1.1.0.Beta32 From 2e83eda172d514976581eb85fb2be9764609b403 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Thu, 18 May 2017 10:22:27 +0200 Subject: [PATCH 22/30] KEYCLOAK-4477 Update to WildFly 11 --- distribution/adapters/wildfly-adapter/pom.xml | 7 - .../feature-packs/server-feature-pack/pom.xml | 74 ---------- .../configuration/domain/subsystems.xml | 79 ---------- .../configuration/domain/template.xml | 110 -------------- .../configuration/host/host-master.xml | 135 ----------------- .../configuration/host/host-slave.xml | 124 ---------------- .../configuration/host/host.xml | 137 ------------------ .../configuration/host/subsystems.xml | 26 ---- .../standalone/subsystems-ha.xml | 49 ------- .../configuration/standalone/subsystems.xml | 47 ------ .../configuration/standalone/template.xml | 90 ------------ .../configuration/domain/subsystems.xml | 126 ++++++++-------- .../configuration/domain/template.xml | 58 ++------ .../configuration/host/host-master.xml | 16 +- .../configuration/host/host-slave.xml | 17 ++- .../resources/configuration/host/host.xml | 18 ++- .../configuration/host/subsystems.xml | 2 + .../standalone/subsystems-ha.xml | 5 +- .../configuration/standalone/subsystems.xml | 47 +++--- .../configuration/standalone/template.xml | 45 +++--- distribution/server-dist/pom.xml | 7 - distribution/server-overlay/pom.xml | 7 - pom.xml | 4 +- 23 files changed, 156 insertions(+), 1074 deletions(-) delete mode 100755 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/domain/subsystems.xml delete mode 100755 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/domain/template.xml delete mode 100755 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host-master.xml delete mode 100755 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host-slave.xml delete mode 100755 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host.xml delete mode 100644 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/subsystems.xml delete mode 100755 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/subsystems-ha.xml delete mode 100755 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/subsystems.xml delete mode 100644 distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/template.xml diff --git a/distribution/adapters/wildfly-adapter/pom.xml b/distribution/adapters/wildfly-adapter/pom.xml index 082292acd2..0f1338138f 100644 --- a/distribution/adapters/wildfly-adapter/pom.xml +++ b/distribution/adapters/wildfly-adapter/pom.xml @@ -97,13 +97,6 @@ - - wf11 - - ${wildfly11.build-tools.version} - - - product diff --git a/distribution/feature-packs/server-feature-pack/pom.xml b/distribution/feature-packs/server-feature-pack/pom.xml index f9003b371f..c4ab370da0 100644 --- a/distribution/feature-packs/server-feature-pack/pom.xml +++ b/distribution/feature-packs/server-feature-pack/pom.xml @@ -128,7 +128,6 @@ ${wildfly.build-tools.version} org.wildfly:wildfly-feature-pack - src/main/resources/configuration @@ -140,52 +139,6 @@ - - - wf11 - - - ${wildfly11.build-tools.version} - org.wildfly:wildfly-feature-pack - src/main/resources-wf11/configuration - - - - - org.wildfly - wildfly-feature-pack - ${wildfly11.version} - zip - - - - - - - maven-resources-plugin - - - copy-configuration-wf11 - validate - - copy-resources - - - target/resources/configuration - - - src/main/resources-wf11/configuration - true - - - - - - - - - - product @@ -197,7 +150,6 @@ ${eap.build-tools.version} org.jboss.eap:wildfly-feature-pack - src/main/resources-wf11/configuration @@ -208,32 +160,6 @@ zip - - - - - maven-resources-plugin - - - copy-configuration-wf11 - validate - - copy-resources - - - target/resources/configuration - - - src/main/resources-wf11/configuration - true - - - - - - - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/domain/subsystems.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/domain/subsystems.xml deleted file mode 100755 index ab9bfa9dcb..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/domain/subsystems.xml +++ /dev/null @@ -1,79 +0,0 @@ - - - - - logging.xml - bean-validation.xml - core-management.xml - keycloak-datasources.xml - ee.xml - ejb3.xml - io.xml - keycloak-infinispan.xml - jaxrs.xml - jca.xml - jdr.xml - jmx.xml - jpa.xml - jsf.xml - mail.xml - naming.xml - remoting.xml - request-controller.xml - elytron.xml - security.xml - security-manager.xml - transactions.xml - undertow.xml - keycloak-server.xml - - - - logging.xml - bean-validation.xml - core-management.xml - keycloak-datasources.xml - ee.xml - ejb3.xml - io.xml - keycloak-infinispan.xml - jaxrs.xml - jca.xml - jdr.xml - jgroups.xml - jmx.xml - jpa.xml - jsf.xml - mail.xml - mod_cluster.xml - naming.xml - remoting.xml - request-controller.xml - elytron.xml - security.xml - security-manager.xml - transactions.xml - undertow.xml - keycloak-server.xml - - - logging.xml - io.xml - undertow-load-balancer.xml - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/domain/template.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/domain/template.xml deleted file mode 100755 index 5774706ac9..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/domain/template.xml +++ /dev/null @@ -1,110 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host-master.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host-master.xml deleted file mode 100755 index 095fcc4cc5..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host-master.xml +++ /dev/null @@ -1,135 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host-slave.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host-slave.xml deleted file mode 100755 index 3b1812ea6b..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host-slave.xml +++ /dev/null @@ -1,124 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host.xml deleted file mode 100755 index 6a4dba4ff1..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/host.xml +++ /dev/null @@ -1,137 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/subsystems.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/subsystems.xml deleted file mode 100644 index 67bc4cda9c..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/host/subsystems.xml +++ /dev/null @@ -1,26 +0,0 @@ - - - - - - - core-management.xml - jmx.xml - elytron.xml - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/subsystems-ha.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/subsystems-ha.xml deleted file mode 100755 index 9d9954de9b..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/subsystems-ha.xml +++ /dev/null @@ -1,49 +0,0 @@ - - - - - - - logging.xml - bean-validation.xml - keycloak-datasources.xml - deployment-scanner.xml - ee.xml - ejb3.xml - io.xml - keycloak-infinispan.xml - jaxrs.xml - jca.xml - jdr.xml - jgroups.xml - jmx.xml - jpa.xml - jsf.xml - mail.xml - mod_cluster.xml - naming.xml - remoting.xml - request-controller.xml - security-manager.xml - elytron.xml - security.xml - transactions.xml - undertow.xml - keycloak-server.xml - - \ No newline at end of file diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/subsystems.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/subsystems.xml deleted file mode 100755 index 823b45cebc..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/subsystems.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - logging.xml - bean-validation.xml - keycloak-datasources2.xml - deployment-scanner.xml - ee.xml - ejb3.xml - io.xml - keycloak-infinispan2.xml - jaxrs.xml - jca.xml - jdr.xml - jmx.xml - jpa.xml - jsf.xml - mail.xml - naming.xml - remoting.xml - request-controller.xml - security-manager.xml - elytron.xml - security.xml - transactions.xml - undertow.xml - keycloak-server.xml - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/template.xml b/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/template.xml deleted file mode 100644 index 7b13afe79e..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources-wf11/configuration/standalone/template.xml +++ /dev/null @@ -1,90 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml index d2a8706699..ab9bfa9dcb 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/subsystems.xml @@ -15,71 +15,65 @@ ~ See the License for the specific language governing permissions and ~ limitations under the License. --> - - - - - logging.xml - io.xml - jmx.xml - naming.xml - remoting.xml - request-controller.xml - security.xml - security-manager.xml - - - - logging.xml - bean-validation.xml - keycloak-datasources.xml - ee.xml - ejb3.xml - io.xml - keycloak-infinispan.xml - jaxrs.xml - jca.xml - jdr.xml - jmx.xml - jpa.xml - jsf.xml - mail.xml - naming.xml - remoting.xml - request-controller.xml - security.xml - security-manager.xml - transactions.xml - undertow.xml - keycloak-server.xml - - - - - logging.xml - bean-validation.xml - keycloak-datasources.xml - ee.xml - ejb3.xml - io.xml - keycloak-infinispan.xml - jaxrs.xml - jca.xml - jdr.xml - jgroups.xml - jmx.xml - jpa.xml - jsf.xml - mail.xml - mod_cluster.xml - naming.xml - remoting.xml - request-controller.xml - security.xml - security-manager.xml - transactions.xml - undertow.xml - keycloak-server.xml - + + logging.xml + bean-validation.xml + core-management.xml + keycloak-datasources.xml + ee.xml + ejb3.xml + io.xml + keycloak-infinispan.xml + jaxrs.xml + jca.xml + jdr.xml + jmx.xml + jpa.xml + jsf.xml + mail.xml + naming.xml + remoting.xml + request-controller.xml + elytron.xml + security.xml + security-manager.xml + transactions.xml + undertow.xml + keycloak-server.xml + + + + logging.xml + bean-validation.xml + core-management.xml + keycloak-datasources.xml + ee.xml + ejb3.xml + io.xml + keycloak-infinispan.xml + jaxrs.xml + jca.xml + jdr.xml + jgroups.xml + jmx.xml + jpa.xml + jsf.xml + mail.xml + mod_cluster.xml + naming.xml + remoting.xml + request-controller.xml + elytron.xml + security.xml + security-manager.xml + transactions.xml + undertow.xml + keycloak-server.xml + + + logging.xml + io.xml + undertow-load-balancer.xml + diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/template.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/template.xml index e7b5885177..5774706ac9 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/template.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/domain/template.xml @@ -17,7 +17,7 @@ ~ limitations under the License. --> - + @@ -60,31 +60,6 @@ --> - - - - - - - - - - - - - - - - - - - - - - - - - @@ -96,12 +71,8 @@ These default configurations require the binding specification to be done in host.xml. --> - - - - - - + + @@ -114,20 +85,19 @@ - - - - - - - - - + + + + + + + + @@ -135,12 +105,6 @@ - - - - - - diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host-master.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host-master.xml index f5d89ee791..095fcc4cc5 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host-master.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host-master.xml @@ -22,7 +22,7 @@ is also started by this host controller file. The other instance must be started via host-slave.xml --> - + @@ -39,6 +39,11 @@ + + + + + @@ -53,8 +58,8 @@ - - + + @@ -71,7 +76,8 @@ - + + @@ -98,6 +104,8 @@ diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host-slave.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host-slave.xml index f8695d71a0..3b1812ea6b 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host-slave.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host-slave.xml @@ -17,7 +17,7 @@ ~ limitations under the License. --> - + @@ -27,7 +27,7 @@ - + @@ -39,6 +39,11 @@ + + + + + @@ -53,8 +58,8 @@ - - + + @@ -75,7 +80,7 @@ - + @@ -99,6 +104,8 @@ diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host.xml index a5c9afbdcc..6a4dba4ff1 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/host.xml @@ -23,7 +23,7 @@ via host-slave.xml --> - + @@ -40,6 +40,11 @@ + + + + + @@ -54,8 +59,8 @@ - - + + @@ -72,7 +77,8 @@ - + + @@ -80,6 +86,8 @@ + + @@ -99,6 +107,8 @@ diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/subsystems.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/subsystems.xml index ada31ffc20..67bc4cda9c 100644 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/subsystems.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/host/subsystems.xml @@ -19,6 +19,8 @@ + core-management.xml jmx.xml + elytron.xml diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml index 997a7bfb0c..9d9954de9b 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems-ha.xml @@ -30,16 +30,17 @@ jaxrs.xml jca.xml jdr.xml - jgroups.xml + jgroups.xml jmx.xml jpa.xml jsf.xml mail.xml - mod_cluster.xml + mod_cluster.xml naming.xml remoting.xml request-controller.xml security-manager.xml + elytron.xml security.xml transactions.xml undertow.xml diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml index 0e275394bd..823b45cebc 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/subsystems.xml @@ -19,28 +19,29 @@ - logging.xml - bean-validation.xml - keycloak-datasources.xml - deployment-scanner.xml - ee.xml - ejb3.xml - io.xml - keycloak-infinispan.xml - jaxrs.xml - jca.xml - jdr.xml - jmx.xml - jpa.xml - jsf.xml - mail.xml - naming.xml - remoting.xml - request-controller.xml - security-manager.xml - security.xml - transactions.xml - undertow.xml - keycloak-server.xml + logging.xml + bean-validation.xml + keycloak-datasources2.xml + deployment-scanner.xml + ee.xml + ejb3.xml + io.xml + keycloak-infinispan2.xml + jaxrs.xml + jca.xml + jdr.xml + jmx.xml + jpa.xml + jsf.xml + mail.xml + naming.xml + remoting.xml + request-controller.xml + security-manager.xml + elytron.xml + security.xml + transactions.xml + undertow.xml + keycloak-server.xml diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/template.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/template.xml index c0cc9e578a..7b13afe79e 100644 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/template.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/configuration/standalone/template.xml @@ -1,23 +1,6 @@ - - - + @@ -27,7 +10,7 @@ - + @@ -35,8 +18,13 @@ + + + + + - + @@ -46,19 +34,20 @@ - - + + - + - - - + + + - + + @@ -98,4 +87,4 @@ - + \ No newline at end of file diff --git a/distribution/server-dist/pom.xml b/distribution/server-dist/pom.xml index 40ef67043d..64ea4f09e8 100755 --- a/distribution/server-dist/pom.xml +++ b/distribution/server-dist/pom.xml @@ -104,13 +104,6 @@ - - wf11 - - ${wildfly11.build-tools.version} - - - product diff --git a/distribution/server-overlay/pom.xml b/distribution/server-overlay/pom.xml index fcf151f814..2ee5b40bfe 100755 --- a/distribution/server-overlay/pom.xml +++ b/distribution/server-overlay/pom.xml @@ -189,13 +189,6 @@ - - wf11 - - ${wildfly11.build-tools.version} - - - product diff --git a/pom.xml b/pom.xml index fb8700d7ad..493ebb183a 100755 --- a/pom.xml +++ b/pom.xml @@ -43,10 +43,8 @@ 7.2.0.Final - 10.0.0.Final + 11.0.0.Alpha1 1.2.2.Final - 11.0.0.Alpha1 - 1.2.2.Final 7.1.0.Beta1-redhat-2 1.2.2.Final 2.0.10.Final From 9ec3a8c3d97c79600bc6d9647c254bf02d980cce Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 19 May 2017 06:17:39 +0200 Subject: [PATCH 23/30] KEYCLOAK-4933 Fixes --- .../keycloak-adapter-subsystem/main/module.xml | 1 + .../feature-packs/server-feature-pack/assembly.xml | 10 ---------- distribution/server-overlay/assembly.xml | 2 +- distribution/server-overlay/pom.xml | 9 +++------ 4 files changed, 5 insertions(+), 17 deletions(-) diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-subsystem/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-subsystem/main/module.xml index 6ab98b9645..b64b3afc43 100755 --- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-subsystem/main/module.xml +++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-adapter-subsystem/main/module.xml @@ -22,6 +22,7 @@ + diff --git a/distribution/feature-packs/server-feature-pack/assembly.xml b/distribution/feature-packs/server-feature-pack/assembly.xml index c118dec8e7..c449b2fdce 100644 --- a/distribution/feature-packs/server-feature-pack/assembly.xml +++ b/distribution/feature-packs/server-feature-pack/assembly.xml @@ -28,9 +28,6 @@ target/${project.build.finalName} - - configuration/** - target/unpacked-themes/theme @@ -52,13 +49,6 @@ content/bin true - - ${configDir} - - **/** - - configuration - ../../../ diff --git a/distribution/server-overlay/assembly.xml b/distribution/server-overlay/assembly.xml index 4bf7726005..aa049fee69 100755 --- a/distribution/server-overlay/assembly.xml +++ b/distribution/server-overlay/assembly.xml @@ -89,7 +89,7 @@ src/main - README.txt + ${readmeInclude} true diff --git a/distribution/server-overlay/pom.xml b/distribution/server-overlay/pom.xml index 2ee5b40bfe..d57c5380f8 100755 --- a/distribution/server-overlay/pom.xml +++ b/distribution/server-overlay/pom.xml @@ -43,6 +43,7 @@ + keycloak-overlay-${project.version} org.apache.maven.plugins @@ -183,10 +184,8 @@ ${wildfly.build-tools.version} assembly.xml + README.txt - - keycloak-overlay-${project.version} - @@ -200,6 +199,7 @@ ${eap.build-tools.version} assembly.xml %regex[(providers.*)|(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] + @@ -208,9 +208,6 @@ zip - - ${product.name}-overlay-${product.filename.version} - From cc42ea9332a06c92aa8e864b684ee658478cdbe3 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 19 May 2017 06:24:37 +0200 Subject: [PATCH 24/30] KEYCLOAK-4773 Remove 'providers' directory --- distribution/adapters/wildfly-adapter/pom.xml | 2 +- .../src/main/resources/content/providers/README.txt | 2 -- distribution/server-dist/pom.xml | 2 +- distribution/server-overlay/pom.xml | 2 +- .../src/main/resources/cli/default-keycloak-subsys-config.cli | 2 +- 5 files changed, 4 insertions(+), 6 deletions(-) delete mode 100644 distribution/feature-packs/server-feature-pack/src/main/resources/content/providers/README.txt diff --git a/distribution/adapters/wildfly-adapter/pom.xml b/distribution/adapters/wildfly-adapter/pom.xml index 0f1338138f..6090e9cb1e 100644 --- a/distribution/adapters/wildfly-adapter/pom.xml +++ b/distribution/adapters/wildfly-adapter/pom.xml @@ -107,7 +107,7 @@ ${eap.build-tools.version} assembly.xml - %regex[(providers.*)|(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] + %regex[(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/providers/README.txt b/distribution/feature-packs/server-feature-pack/src/main/resources/content/providers/README.txt deleted file mode 100644 index 20b281aefd..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/content/providers/README.txt +++ /dev/null @@ -1,2 +0,0 @@ -Any provider implementation jars and libraries in this folder will be loaded. See the providers section in the -documentation for more details. \ No newline at end of file diff --git a/distribution/server-dist/pom.xml b/distribution/server-dist/pom.xml index 64ea4f09e8..fd216303ff 100755 --- a/distribution/server-dist/pom.xml +++ b/distribution/server-dist/pom.xml @@ -114,7 +114,7 @@ ${eap.build-tools.version} assembly.xml - %regex[(providers.*)|(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] + %regex[(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] diff --git a/distribution/server-overlay/pom.xml b/distribution/server-overlay/pom.xml index d57c5380f8..d3310bbe26 100755 --- a/distribution/server-overlay/pom.xml +++ b/distribution/server-overlay/pom.xml @@ -198,7 +198,7 @@ ${eap.build-tools.version} assembly.xml - %regex[(providers.*)|(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] + %regex[(docs/contrib.*)|(docs/examples.*)|(docs/schema.*)] diff --git a/wildfly/server-subsystem/src/main/resources/cli/default-keycloak-subsys-config.cli b/wildfly/server-subsystem/src/main/resources/cli/default-keycloak-subsys-config.cli index 071386c10e..f76cd45221 100644 --- a/wildfly/server-subsystem/src/main/resources/cli/default-keycloak-subsys-config.cli +++ b/wildfly/server-subsystem/src/main/resources/cli/default-keycloak-subsys-config.cli @@ -1,4 +1,4 @@ -/subsystem=keycloak-server:add(web-context=auth,master-realm-name=master,scheduled-task-interval=900,providers=[classpath:${jboss.home.dir}/providers/*]) +/subsystem=keycloak-server:add(web-context=auth,master-realm-name=master,scheduled-task-interval=900) /subsystem=keycloak-server/theme=defaults/:add(dir=${jboss.home.dir}/themes,staticMaxAge=2592000,cacheTemplates=true,cacheThemes=true) /subsystem=keycloak-server/spi=eventsStore/:add /subsystem=keycloak-server/spi=eventsStore/provider=jpa/:add(properties={exclude-events => "[\"REFRESH_TOKEN\"]"},enabled=true) From 43a625db28fa06b3b89c032098d87ee1cf67787d Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 19 May 2017 08:25:36 +0200 Subject: [PATCH 25/30] KEYCLOAK-4477 Fix update to WF 11 --- .../feature-packs/server-feature-pack/pom.xml | 671 +++++++++++++++++- .../keycloak/org/drools/main/module.xml | 2 +- .../jdt/core/compiler/ecj/main/module.xml | 37 - 3 files changed, 668 insertions(+), 42 deletions(-) delete mode 100644 distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/eclipse/jdt/core/compiler/ecj/main/module.xml diff --git a/distribution/feature-packs/server-feature-pack/pom.xml b/distribution/feature-packs/server-feature-pack/pom.xml index c4ab370da0..2d39ad1063 100644 --- a/distribution/feature-packs/server-feature-pack/pom.xml +++ b/distribution/feature-packs/server-feature-pack/pom.xml @@ -29,23 +29,676 @@ Keycloak Feature Pack: Server pom + + + + org.jboss.integration-platform + jboss-integration-platform-bom + pom + import + ${version.jboss-integration-platform} + + + org.drools + drools-bom + pom + ${version.org.drools} + import + + + + + + aopalliance + aopalliance + + + * + * + + + + + com.google.zxing + core + + + * + * + + + + + com.google.zxing + javase + + + * + * + + + + + com.thoughtworks.xstream + xstream + + + * + * + + + + + org.antlr + antlr-runtime + + + * + * + + + + + org.apache.ant + ant + + + * + * + + + + + org.apache.ant + ant-launcher + + + * + * + + + + + org.apache.maven + maven-aether-provider + + + * + * + + + + + org.apache.maven + maven-artifact + + + * + * + + + + + org.apache.maven + maven-compat + + + * + * + + + + + org.apache.maven + maven-core + + + * + * + + + + + org.apache.maven + maven-model + + + * + * + + + + + org.apache.maven + maven-model-builder + + + * + * + + + + + org.apache.maven + maven-plugin-api + + + * + * + + + + + org.apache.maven + maven-repository-metadata + + + * + * + + + + + org.apache.maven + maven-settings + + + * + * + + + + + org.apache.maven + maven-settings-builder + + + * + * + + + + + org.apache.maven.wagon + wagon-http + + + * + * + + + + + org.apache.maven.wagon + wagon-http-shared + + + * + * + + + + + org.apache.maven.wagon + wagon-provider-api + + + * + * + + + + + org.codehaus.plexus + plexus-classworlds + + + * + * + + + + + org.codehaus.plexus + plexus-component-annotations + + + * + * + + + + + org.codehaus.plexus + plexus-interpolation + + + * + * + + + + + org.codehaus.plexus + plexus-utils + + + * + * + + + + + org.drools + drools-compiler + + + * + * + + + + + org.drools + drools-core + + + * + * + + + + + org.eclipse.aether + aether-api + + + * + * + + + + + org.eclipse.aether + aether-connector-basic + + + * + * + + + + + org.eclipse.aether + aether-impl + + + * + * + + + + + org.eclipse.aether + aether-spi + + + * + * + + + + + org.eclipse.aether + aether-transport-file + + + * + * + + + + + org.eclipse.aether + aether-transport-http + + + * + * + + + + + org.eclipse.aether + aether-transport-wagon + + + * + * + + + + + org.eclipse.aether + aether-util + + + * + * + + + + + org.eclipse.sisu + org.eclipse.sisu.inject + + + * + * + + + + + org.eclipse.sisu + org.eclipse.sisu.plexus + + + * + * + + + + + org.freemarker + freemarker + + + * + * + + + org.keycloak - keycloak-dependencies-server-all - pom + keycloak-authz-policy-common + + + * + * + + + + + org.keycloak + keycloak-authz-policy-drools + + + * + * + + + + + org.keycloak + keycloak-common + + + * + * + + + + + org.keycloak + keycloak-core + + + * + * + + + + + org.keycloak + keycloak-js-adapter + + + * + * + + + + + org.keycloak + keycloak-kerberos-federation + + + * + * + + + + + org.keycloak + keycloak-ldap-federation + + + * + * + + + + + org.keycloak + keycloak-model-infinispan + + + * + * + + + + + org.keycloak + keycloak-model-jpa + + + * + * + + + + + org.keycloak + keycloak-saml-core + + + * + * + + + + + org.keycloak + keycloak-saml-core-public + + + * + * + + + + + org.keycloak + keycloak-server-spi + + + * + * + + + + + org.keycloak + keycloak-server-spi-private + + + * + * + + + + + org.keycloak + keycloak-services + + + * + * + + + + + org.keycloak + keycloak-sssd-federation + + + * + * + + org.keycloak keycloak-wildfly-adduser + + + * + * + + org.keycloak keycloak-wildfly-extensions + + + * + * + + org.keycloak keycloak-wildfly-server-subsystem + + + * + * + + + + + org.kie + kie-api + + + * + * + + + + + org.kie + kie-ci + + + * + * + + + + + org.kie + kie-internal + + + * + * + + + + + org.liquibase + liquibase-core + + + * + * + + + + + org.mvel + mvel2 + + + * + * + + + + + org.sonatype.plexus + plexus-cipher + + + * + * + + + + + org.sonatype.plexus + plexus-sec-dispatcher + + + * + * + + + + + org.sonatype.sisu.inject + guice-servlet + + + * + * + + + + + org.sonatype.sisu + sisu-guice + no_aop + + + * + * + + + + + org.twitter4j + twitter4j-core + + + * + * + + @@ -126,7 +779,6 @@ - ${wildfly.build-tools.version} org.wildfly:wildfly-feature-pack @@ -135,6 +787,12 @@ org.wildfly wildfly-feature-pack zip + + + * + * + + @@ -148,7 +806,6 @@ - ${eap.build-tools.version} org.jboss.eap:wildfly-feature-pack @@ -158,6 +815,12 @@ wildfly-feature-pack ${eap.version} zip + + + * + * + + diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/drools/main/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/drools/main/module.xml index 4c5af2f8c2..9c91f88d7e 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/drools/main/module.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/drools/main/module.xml @@ -37,6 +37,6 @@ - + diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/eclipse/jdt/core/compiler/ecj/main/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/eclipse/jdt/core/compiler/ecj/main/module.xml deleted file mode 100644 index 849fc353f5..0000000000 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/eclipse/jdt/core/compiler/ecj/main/module.xml +++ /dev/null @@ -1,37 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - From a2af516df78e4553317a9f40067d9751890747eb Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 5 May 2017 11:07:34 +0200 Subject: [PATCH 26/30] KEYCLOAK-4855 [RHSSO] Compilation issues with Bouncycastle 1.56 --- common/src/main/java/org/keycloak/common/util/OCSPUtils.java | 4 ++-- pom.xml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/common/src/main/java/org/keycloak/common/util/OCSPUtils.java b/common/src/main/java/org/keycloak/common/util/OCSPUtils.java index 59eaab209d..9dedec7136 100644 --- a/common/src/main/java/org/keycloak/common/util/OCSPUtils.java +++ b/common/src/main/java/org/keycloak/common/util/OCSPUtils.java @@ -317,8 +317,8 @@ public final class OCSPUtils { } if (certs.size() > 0) { - X500Name responderName = basicOcspResponse.getResponderId().toASN1Object().getName(); - byte[] responderKey = basicOcspResponse.getResponderId().toASN1Object().getKeyHash(); + X500Name responderName = basicOcspResponse.getResponderId().toASN1Primitive().getName(); + byte[] responderKey = basicOcspResponse.getResponderId().toASN1Primitive().getKeyHash(); if (responderName != null) { logger.log(Level.INFO, "Responder Name: {0}", responderName.toString()); diff --git a/pom.xml b/pom.xml index 493ebb183a..5559502d34 100755 --- a/pom.xml +++ b/pom.xml @@ -57,7 +57,7 @@ 4.4.1 0.6 1.3.0.Final - 1.52 + 1.56 3.1.5 1.6.1 2011.1 From ca8d756c05696dbf5574f8d2cd1e9afa8b17fdf3 Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Fri, 19 May 2017 09:39:58 +0200 Subject: [PATCH 27/30] KEYCLOAK-4627 Change wording of the configuration in UI --- .../base/admin/messages/admin-messages_en.properties | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties index f129e459e5..31130d2db1 100644 --- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties +++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties @@ -108,10 +108,10 @@ access-token-lifespan=Access Token Lifespan access-token-lifespan.tooltip=Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout. access-token-lifespan-for-implicit-flow=Access Token Lifespan For Implicit Flow access-token-lifespan-for-implicit-flow.tooltip=Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than SSO timeout. There is no possibility to refresh token during implicit flow, that's why there is separate timeout different to 'Access Token Lifespan'. -action-token-generated-by-admin-lifespan=Default Admin Action Token Lifespan -action-token-generated-by-admin-lifespan.tooltip=Max time before an action token generated via admin interface is expired. This value is recommended to be long to allow admins send e-mails for users that are currently offline. The default timeout can be overridden right before issuing the token. -action-token-generated-by-user-lifespan=User Action Token Lifespan -action-token-generated-by-user-lifespan.tooltip=Max time before an action token generated via user action (e.g. e-mail verification) is expired. This value is recommended to be short because it is expected that the user would react to self-created action token quickly. +action-token-generated-by-admin-lifespan=Default Admin-Initiated Action Lifespan +action-token-generated-by-admin-lifespan.tooltip=Maximum time before an action permit sent to a user by admin is expired. This value is recommended to be long to allow admins send e-mails for users that are currently offline. The default timeout can be overridden right before issuing the token. +action-token-generated-by-user-lifespan=User-Initiated Action Lifespan +action-token-generated-by-user-lifespan.tooltip=Maximum time before an action permit sent by a user (e.g. forgot password e-mail) is expired. This value is recommended to be short because it is expected that the user would react to self-created action quickly. client-login-timeout=Client login timeout client-login-timeout.tooltip=Max time an client has to finish the access token protocol. This should normally be 1 minute. login-timeout=Login timeout @@ -1296,8 +1296,8 @@ credential-types=Credential Types manage-user-password=Manage Password disable-credentials=Disable Credentials credential-reset-actions=Credential Reset -credential-reset-actions-timeout=Token validity -credential-reset-actions-timeout.tooltip=Max time before the action token allowing execution of given actions is expired. +credential-reset-actions-timeout=Expires In +credential-reset-actions-timeout.tooltip=Maximum time before the action permit expires. ldap-mappers=LDAP Mappers create-ldap-mapper=Create LDAP mapper From 0b6c9aa927e8cdd5cb973632ba4001baff1c5a15 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 19 May 2017 09:43:15 +0200 Subject: [PATCH 28/30] KEYCLOAK-4723 Refactor service dependencies for caches in KeycloakServerDeploymentProcessor --- pom.xml | 2 +- .../KeycloakServerDeploymentProcessor.java | 21 +++++-------------- 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/pom.xml b/pom.xml index 5559502d34..e18f9da00d 100755 --- a/pom.xml +++ b/pom.xml @@ -47,7 +47,7 @@ 1.2.2.Final 7.1.0.Beta1-redhat-2 1.2.2.Final - 2.0.10.Final + 3.0.0.Beta11 1.1.0.Beta32 1.0.0.Beta14 diff --git a/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java b/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java index d83cd189ea..53e97a5e58 100755 --- a/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java +++ b/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java @@ -96,22 +96,11 @@ public class KeycloakServerDeploymentProcessor implements DeploymentUnitProcesso } private void addInfinispanCaches(DeploymentPhaseContext context) { - // TODO Can be removed once we upgrade to WildFly 11 - ServiceName wf10CacheContainerService = ServiceName.of("jboss", "infinispan", "keycloak"); - boolean legacy = context.getServiceRegistry().getService(wf10CacheContainerService) != null; - - if (!legacy) { - ServiceTarget st = context.getServiceTarget(); - CapabilityServiceSupport support = context.getDeploymentUnit().getAttachment(Attachments.CAPABILITY_SERVICE_SUPPORT); - for (String c : CACHES) { - ServiceName sn = support.getCapabilityServiceName("org.wildfly.clustering.infinispan.cache.keycloak." + c); - st.addDependency(sn); - } - } else { - ServiceTarget st = context.getServiceTarget(); - for (String c : CACHES) { - st.addDependency(wf10CacheContainerService.append(c)); - } + ServiceTarget st = context.getServiceTarget(); + CapabilityServiceSupport support = context.getDeploymentUnit().getAttachment(Attachments.CAPABILITY_SERVICE_SUPPORT); + for (String c : CACHES) { + ServiceName sn = support.getCapabilityServiceName("org.wildfly.clustering.infinispan.cache", "keycloak", c); + st.addDependency(sn); } } From d4f870fbb423276e9c5f2d27f5e4bb2e09155a8d Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Fri, 19 May 2017 10:08:02 +0200 Subject: [PATCH 29/30] KEYCLOAK-4627 Nicer link texts in HTML variant of emails --- .../theme/base/email/messages/messages_en.properties | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/themes/src/main/resources/theme/base/email/messages/messages_en.properties b/themes/src/main/resources/theme/base/email/messages/messages_en.properties index 0f54719d82..9281bb7f7b 100755 --- a/themes/src/main/resources/theme/base/email/messages/messages_en.properties +++ b/themes/src/main/resources/theme/base/email/messages/messages_en.properties @@ -1,15 +1,15 @@ emailVerificationSubject=Verify email emailVerificationBody=Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you didn''t create this account, just ignore this message. -emailVerificationBodyHtml=

    Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address

    {0}

    This link will expire within {1} minutes.

    If you didn''t create this account, just ignore this message.

    +emailVerificationBodyHtml=

    Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address

    Link to e-mail address verification

    This link will expire within {1} minutes.

    If you didn''t create this account, just ignore this message.

    identityProviderLinkSubject=Link {0} identityProviderLinkBody=Someone wants to link your "{1}" account with "{0}" account of user {2} . If this was you, click the link below to link accounts\n\n{3}\n\nThis link will expire within {4} minutes.\n\nIf you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}. -identityProviderLinkBodyHtml=

    Someone wants to link your {1} account with {0} account of user {2} . If this was you, click the link below to link accounts

    {3}

    This link will expire within {4} minutes.

    If you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}.

    +identityProviderLinkBodyHtml=

    Someone wants to link your {1} account with {0} account of user {2} . If this was you, click the link below to link accounts

    Link to confirm account linking

    This link will expire within {4} minutes.

    If you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}.

    passwordResetSubject=Reset password passwordResetBody=Someone just requested to change your {2} account''s credentials. If this was you, click on the link below to reset them.\n\n{0}\n\nThis link and code will expire within {1} minutes.\n\nIf you don''t want to reset your credentials, just ignore this message and nothing will be changed. -passwordResetBodyHtml=

    Someone just requested to change your {2} account''s credentials. If this was you, click on the link below to reset them.

    {0}

    This link will expire within {1} minutes.

    If you don''t want to reset your credentials, just ignore this message and nothing will be changed.

    +passwordResetBodyHtml=

    Someone just requested to change your {2} account''s credentials. If this was you, click on the link below to reset them.

    Link to reset credentials

    This link will expire within {1} minutes.

    If you don''t want to reset your credentials, just ignore this message and nothing will be changed.

    executeActionsSubject=Update Your Account executeActionsBody=Your administrator has just requested that you update your {2} account. Click on the link below to start this process.\n\n{0}\n\nThis link will expire within {1} minutes.\n\nIf you are unaware that your admin has requested this, just ignore this message and nothing will be changed. -executeActionsBodyHtml=

    Your administrator has just requested that you update your {2} account. Click on the link below to start this process.

    {0}

    This link will expire within {1} minutes.

    If you are unaware that your admin has requested this, just ignore this message and nothing will be changed.

    +executeActionsBodyHtml=

    Your administrator has just requested that you update your {2} account. Click on the link below to start this process.

    Link to account update

    This link will expire within {1} minutes.

    If you are unaware that your admin has requested this, just ignore this message and nothing will be changed.

    eventLoginErrorSubject=Login error eventLoginErrorBody=A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an admin. eventLoginErrorBodyHtml=

    A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an admin.

    From e2a7b71cf33a151e4d6a30ba471a97ee1d8a9613 Mon Sep 17 00:00:00 2001 From: mposolda Date: Fri, 19 May 2017 14:00:42 +0200 Subject: [PATCH 30/30] KEYCLOAK-4939 ConcurrentLoginTest broken in latest master --- .../infinispan/AuthenticatedClientSessionAdapter.java | 4 ---- .../infinispan/InfinispanUserSessionProvider.java | 8 +++----- .../models/sessions/infinispan/UserSessionAdapter.java | 7 ++----- .../sessions/infinispan/entities/UserSessionEntity.java | 2 +- 4 files changed, 6 insertions(+), 15 deletions(-) diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java index 13352dfcab..7772bc20f2 100644 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/AuthenticatedClientSessionAdapter.java @@ -69,10 +69,6 @@ public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSes } } else { this.userSession = (UserSessionAdapter) userSession; - - if (sessionEntity.getAuthenticatedClientSessions() == null) { - sessionEntity.setAuthenticatedClientSessions(new HashMap<>()); - } sessionEntity.getAuthenticatedClientSessions().put(clientUUID, entity); update(); } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java index 0e50a73d3d..0476698719 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java @@ -53,6 +53,7 @@ import java.util.Iterator; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; import java.util.function.Consumer; import java.util.function.Predicate; import java.util.stream.Collectors; @@ -518,7 +519,8 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { entity.setBrokerUserId(userSession.getBrokerUserId()); entity.setIpAddress(userSession.getIpAddress()); entity.setLoginUsername(userSession.getLoginUsername()); - entity.setNotes(userSession.getNotes()); + entity.setNotes(userSession.getNotes()== null ? new ConcurrentHashMap<>() : userSession.getNotes()); + entity.setAuthenticatedClientSessions(new ConcurrentHashMap<>()); entity.setRememberMe(userSession.isRememberMe()); entity.setState(userSession.getState()); entity.setUser(userSession.getUser().getId()); @@ -555,10 +557,6 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { entity.setTimestamp(clientSession.getTimestamp()); Map clientSessions = importedUserSession.getEntity().getAuthenticatedClientSessions(); - if (clientSessions == null) { - clientSessions = new HashMap<>(); - importedUserSession.getEntity().setAuthenticatedClientSessions(clientSessions); - } clientSessions.put(clientSession.getClient().getId(), entity); diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java index 8ab15f7a0e..f35dea974a 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/UserSessionAdapter.java @@ -159,9 +159,6 @@ public class UserSessionAdapter implements UserSessionModel { @Override public void setNote(String name, String value) { - if (entity.getNotes() == null) { - entity.setNotes(new ConcurrentHashMap<>()); - } if (value == null) { if (entity.getNotes().containsKey(name)) { removeNote(name); @@ -201,8 +198,8 @@ public class UserSessionAdapter implements UserSessionModel { provider.updateSessionEntity(entity, realm, user, loginUsername, ipAddress, authMethod, rememberMe, brokerSessionId, brokerUserId); entity.setState(null); - entity.setNotes(null); - entity.setAuthenticatedClientSessions(null); + entity.getNotes().clear(); + entity.getAuthenticatedClientSessions().clear(); update(); } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java index 54d182f0d8..3c4746d846 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/UserSessionEntity.java @@ -50,7 +50,7 @@ public class UserSessionEntity extends SessionEntity { private Map notes = new ConcurrentHashMap<>(); - private Map authenticatedClientSessions; + private Map authenticatedClientSessions = new ConcurrentHashMap<>(); public String getUser() { return user;