KEYCLOAK-7278 KEYCLOAK-7280 CXF/Undertow integration

2018-05-18 15:14:04 +02:00 · 2018-05-18 15:14:04 +02:00 · b2df872ad4
commit b2df872ad4
parent fea4201f46
2 changed files with 176 additions and 1 deletions
--- a/adapters/oidc/fuse7/undertow/pom.xml
+++ b/adapters/oidc/fuse7/undertow/pom.xml
@ -41,6 +41,7 @@
            org.ops4j.pax.web.*;version="[3.0,8)",
            javax.servlet.*;version="[2.5,4)";resolution:=optional,
            org.apache.cxf.transport.http;resolution:=optional;version="[3,4)",
+            org.apache.cxf.transport.http_undertow;resolution:=optional;version="[3,4)",
            org.apache.cxf.transport.servlet;resolution:=optional;version="[3,4)",
            io.undertow.*,
            *;resolution:=optional
@ -88,7 +89,7 @@
        <dependency>
            <groupId>org.apache.cxf</groupId>
            <artifactId>cxf-rt-transports-http-undertow</artifactId>
-            <version>3.1.11.fuse-000199-redhat-1</version>
+            <version>${cxf.version}</version>
            <scope>provided</scope>
        </dependency>

--- a/adapters/oidc/fuse7/undertow/src/main/java/org/keycloak/adapters/osgi/undertow/CxfKeycloakAuthHandler.java
+++ b/adapters/oidc/fuse7/undertow/src/main/java/org/keycloak/adapters/osgi/undertow/CxfKeycloakAuthHandler.java
@ -0,0 +1,174 @@
+/*
+ * Copyright 2018 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.adapters.osgi.undertow;
+
+import org.keycloak.adapters.AdapterDeploymentContext;
+import org.keycloak.adapters.KeycloakConfigResolver;
+import org.keycloak.adapters.KeycloakDeployment;
+import org.keycloak.adapters.KeycloakDeploymentBuilder;
+import org.keycloak.adapters.NodesRegistrationManagement;
+import org.keycloak.adapters.spi.InMemorySessionIdMapper;
+import org.keycloak.adapters.spi.SessionIdMapper;
+import org.keycloak.adapters.undertow.UndertowAuthenticationMechanism;
+import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
+import org.keycloak.representations.adapters.config.AdapterConfig;
+import io.undertow.security.api.AuthenticationMechanism;
+import io.undertow.security.api.AuthenticationMode;
+import io.undertow.security.handlers.AuthenticationCallHandler;
+import io.undertow.security.handlers.AuthenticationConstraintHandler;
+import io.undertow.security.handlers.AuthenticationMechanismsHandler;
+import io.undertow.security.handlers.SecurityInitialHandler;
+import io.undertow.security.idm.Account;
+import io.undertow.security.idm.Credential;
+import io.undertow.security.idm.IdentityManager;
+import io.undertow.server.HttpHandler;
+import io.undertow.server.HttpServerExchange;
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Pattern;
+import org.apache.cxf.transport.http_undertow.CXFUndertowHttpHandler;
+
+/**
+ *
+ * @author hmlnarik
+ */
+public class CxfKeycloakAuthHandler implements CXFUndertowHttpHandler {
+
+    private static final Logger LOG = Logger.getLogger(CxfKeycloakAuthHandler.class.getName());
+
+    private static final IdentityManager IDENTITY_MANAGER = new IdentityManager() {
+        @Override
+        public Account verify(Account account) {
+            return account;
+        }
+
+        @Override
+        public Account verify(String id, Credential credential) {
+            throw new IllegalStateException("Should never be called in Keycloak flow");
+        }
+
+        @Override
+        public Account verify(Credential credential) {
+            throw new IllegalStateException("Should never be called in Keycloak flow");
+        }
+    };
+
+    private final UndertowUserSessionManagement userSessionManagement = new UndertowUserSessionManagement();
+
+    protected final NodesRegistrationManagement nodesRegistrationManagement = new NodesRegistrationManagement();
+
+    protected final SessionIdMapper idMapper = new InMemorySessionIdMapper();
+
+    private final AtomicReference<HttpHandler> securityHandler = new AtomicReference<>();
+
+    private Pattern skipPattern;
+
+    private int confidentialPort = 8443;
+
+    private HttpHandler next;
+
+    private KeycloakConfigResolver configResolver;
+
+    private AdapterConfig adapterConfig;
+
+    @Override
+    public void handleRequest(HttpServerExchange exchange) throws Exception {
+        if (shouldSkip(exchange.getRequestPath())) {
+            next.handleRequest(exchange);
+        } else {
+            getSecurityHandler().handleRequest(exchange);
+        }
+    }
+
+    private HttpHandler getSecurityHandler() {
+        if (this.securityHandler.get() == null) {
+            HttpHandler handler = this.next;
+
+            handler = new AuthenticationCallHandler(handler);
+            handler = new AuthenticationConstraintHandler(handler);
+
+            AdapterDeploymentContext deploymentContext = buildDeploymentContext();
+
+            final List<AuthenticationMechanism> mechanisms
+                = Collections.<AuthenticationMechanism>singletonList(
+                  new UndertowAuthenticationMechanism(deploymentContext, userSessionManagement, nodesRegistrationManagement, confidentialPort, null));
+            handler = new AuthenticationMechanismsHandler(handler, mechanisms);
+
+            this.securityHandler.compareAndSet(null, new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, IDENTITY_MANAGER, "KEYCLOAK", handler));
+        }
+
+        return this.securityHandler.get();
+    }
+
+    private AdapterDeploymentContext buildDeploymentContext() {
+        if (configResolver != null) {
+            LOG.log(Level.INFO, "Using {0} to resolve Keycloak configuration on a per-request basis.", configResolver.getClass());
+            return new AdapterDeploymentContext(configResolver);
+        } else if (adapterConfig != null) {
+            KeycloakDeployment kd = KeycloakDeploymentBuilder.build(adapterConfig);
+            return new AdapterDeploymentContext(kd);
+        }
+
+        LOG.warning("Adapter is unconfigured, Keycloak will deny every request");
+        return new AdapterDeploymentContext();
+    }
+
+    @Override
+    public void setNext(HttpHandler nextHandler) {
+        this.next = nextHandler;
+    }
+
+    private boolean shouldSkip(String requestPath) {
+        return skipPattern != null && skipPattern.matcher(requestPath).matches();
+    }
+
+    public KeycloakConfigResolver getConfigResolver() {
+        return configResolver;
+    }
+
+    public void setConfigResolver(KeycloakConfigResolver configResolver) {
+        this.configResolver = configResolver;
+    }
+
+    public int getConfidentialPort() {
+        return confidentialPort;
+    }
+
+    public void setConfidentialPort(int confidentialPort) {
+        this.confidentialPort = confidentialPort;
+    }
+
+    public AdapterConfig getAdapterConfig() {
+        return adapterConfig;
+    }
+
+    public void setAdapterConfig(AdapterConfig adapterConfig) {
+        this.adapterConfig = adapterConfig;
+    }
+
+    public String getSkipPattern() {
+        return skipPattern.pattern();
+    }
+
+    public void setSkipPattern(String skipPattern) {
+        this.skipPattern = Pattern.compile(skipPattern, Pattern.DOTALL);
+    }
+
+}