Exemplo n.º 1
0
  public ApplicationsBean(KeycloakSession session, RealmModel realm, UserModel user) {

    Set<ClientModel> offlineClients =
        new UserSessionManager(session).findClientsWithOfflineToken(realm, user);

    List<ClientModel> realmClients = realm.getClients();
    for (ClientModel client : realmClients) {
      // Don't show bearerOnly clients
      if (client.isBearerOnly()) {
        continue;
      }

      Set<RoleModel> availableRoles = TokenManager.getAccess(null, false, client, user);
      // Don't show applications, which user doesn't have access into (any available roles)
      if (availableRoles.isEmpty()) {
        continue;
      }
      List<RoleModel> realmRolesAvailable = new LinkedList<RoleModel>();
      MultivaluedHashMap<String, ClientRoleEntry> resourceRolesAvailable =
          new MultivaluedHashMap<String, ClientRoleEntry>();
      processRoles(availableRoles, realmRolesAvailable, resourceRolesAvailable);

      List<RoleModel> realmRolesGranted = new LinkedList<RoleModel>();
      MultivaluedHashMap<String, ClientRoleEntry> resourceRolesGranted =
          new MultivaluedHashMap<String, ClientRoleEntry>();
      List<String> claimsGranted = new LinkedList<String>();
      if (client.isConsentRequired()) {
        UserConsentModel consent = user.getConsentByClient(client.getId());

        if (consent != null) {
          processRoles(consent.getGrantedRoles(), realmRolesGranted, resourceRolesGranted);

          for (ProtocolMapperModel protocolMapper : consent.getGrantedProtocolMappers()) {
            claimsGranted.add(protocolMapper.getConsentText());
          }
        }
      }

      List<String> additionalGrants = new ArrayList<>();
      if (offlineClients.contains(client)) {
        additionalGrants.add("${offlineToken}");
      }

      ApplicationEntry appEntry =
          new ApplicationEntry(
              realmRolesAvailable,
              resourceRolesAvailable,
              realmRolesGranted,
              resourceRolesGranted,
              client,
              claimsGranted,
              additionalGrants);
      applications.add(appEntry);
    }
  }
Exemplo n.º 2
0
  private boolean showClientCredentialsAdapterConfig(ClientModel client) {
    if (client.isPublicClient()) {
      return false;
    }

    if (client.isBearerOnly() && client.getNodeReRegistrationTimeout() <= 0) {
      return false;
    }

    return true;
  }
Exemplo n.º 3
0
  public InstallationAdapterConfig toInstallationRepresentation(
      RealmModel realmModel, ClientModel clientModel, URI baseUri) {
    InstallationAdapterConfig rep = new InstallationAdapterConfig();
    rep.setAuthServerUrl(baseUri.toString());
    rep.setRealm(realmModel.getName());
    rep.setSslRequired(realmModel.getSslRequired().name().toLowerCase());

    if (clientModel.isPublicClient() && !clientModel.isBearerOnly()) rep.setPublicClient(true);
    if (clientModel.isBearerOnly()) rep.setBearerOnly(true);
    if (clientModel.getRoles().size() > 0) rep.setUseResourceRoleMappings(true);

    rep.setResource(clientModel.getClientId());

    if (showClientCredentialsAdapterConfig(clientModel)) {
      Map<String, Object> adapterConfig = getClientCredentialsAdapterConfig(clientModel);
      rep.setCredentials(adapterConfig);
    }

    return rep;
  }
Exemplo n.º 4
0
  public String toJBossSubsystemConfig(
      RealmModel realmModel, ClientModel clientModel, URI baseUri) {
    StringBuffer buffer = new StringBuffer();
    buffer.append("<secure-deployment name=\"WAR MODULE NAME.war\">\n");
    buffer.append("    <realm>").append(realmModel.getName()).append("</realm>\n");
    buffer
        .append("    <auth-server-url>")
        .append(baseUri.toString())
        .append("</auth-server-url>\n");
    if (clientModel.isBearerOnly()) {
      buffer.append("    <bearer-only>true</bearer-only>\n");

    } else if (clientModel.isPublicClient()) {
      buffer.append("    <public-client>true</public-client>\n");
    }
    buffer
        .append("    <ssl-required>")
        .append(realmModel.getSslRequired().name())
        .append("</ssl-required>\n");
    buffer.append("    <resource>").append(clientModel.getClientId()).append("</resource>\n");
    String cred = clientModel.getSecret();
    if (showClientCredentialsAdapterConfig(clientModel)) {
      Map<String, Object> adapterConfig = getClientCredentialsAdapterConfig(clientModel);
      for (Map.Entry<String, Object> entry : adapterConfig.entrySet()) {
        buffer.append("    <credential name=\"" + entry.getKey() + "\">");

        Object value = entry.getValue();
        if (value instanceof Map) {
          buffer.append("\n");
          Map<String, Object> asMap = (Map<String, Object>) value;
          for (Map.Entry<String, Object> credEntry : asMap.entrySet()) {
            buffer.append(
                "        <"
                    + credEntry.getKey()
                    + ">"
                    + credEntry.getValue().toString()
                    + "</"
                    + credEntry.getKey()
                    + ">\n");
          }
          buffer.append("    </credential>\n");
        } else {
          buffer.append(value.toString()).append("</credential>\n");
        }
      }
    }
    if (clientModel.getRoles().size() > 0) {
      buffer.append("    <use-resource-role-mappings>true</use-resource-role-mappings>\n");
    }
    buffer.append("</secure-deployment>\n");
    return buffer.toString();
  }
Exemplo n.º 5
0
    protected Response handleSamlRequest(String samlRequest, String relayState) {
      SAMLDocumentHolder documentHolder = extractRequestDocument(samlRequest);
      if (documentHolder == null) {
        event.event(EventType.LOGIN);
        event.error(Errors.INVALID_TOKEN);
        return ErrorPage.error(session, Messages.INVALID_REQUEST);
      }

      SAML2Object samlObject = documentHolder.getSamlObject();

      RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
      String issuer = requestAbstractType.getIssuer().getValue();
      ClientModel client = realm.getClientByClientId(issuer);

      if (client == null) {
        event.event(EventType.LOGIN);
        event.client(issuer);
        event.error(Errors.CLIENT_NOT_FOUND);
        return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER);
      }

      if (!client.isEnabled()) {
        event.event(EventType.LOGIN);
        event.error(Errors.CLIENT_DISABLED);
        return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED);
      }
      if (client.isBearerOnly()) {
        event.event(EventType.LOGIN);
        event.error(Errors.NOT_ALLOWED);
        return ErrorPage.error(session, Messages.BEARER_ONLY);
      }
      if (!client.isStandardFlowEnabled()) {
        event.event(EventType.LOGIN);
        event.error(Errors.NOT_ALLOWED);
        return ErrorPage.error(session, Messages.STANDARD_FLOW_DISABLED);
      }

      session.getContext().setClient(client);

      try {
        verifySignature(documentHolder, client);
      } catch (VerificationException e) {
        SamlService.logger.error("request validation failed", e);
        event.event(EventType.LOGIN);
        event.error(Errors.INVALID_SIGNATURE);
        return ErrorPage.error(session, Messages.INVALID_REQUESTER);
      }
      logger.debug("verified request");
      if (samlObject instanceof AuthnRequestType) {
        logger.debug("** login request");
        event.event(EventType.LOGIN);
        // Get the SAML Request Message
        AuthnRequestType authn = (AuthnRequestType) samlObject;
        return loginRequest(relayState, authn, client);
      } else if (samlObject instanceof LogoutRequestType) {
        logger.debug("** logout request");
        event.event(EventType.LOGOUT);
        LogoutRequestType logout = (LogoutRequestType) samlObject;
        return logoutRequest(logout, client, relayState);

      } else {
        event.event(EventType.LOGIN);
        event.error(Errors.INVALID_TOKEN);
        return ErrorPage.error(session, Messages.INVALID_REQUEST);
      }
    }
Exemplo n.º 6
0
 @Override
 public boolean isBearerOnly() {
   if (updated != null) return updated.isBearerOnly();
   return cached.isBearerOnly();
 }