
Example 1 with HttpFacade

use of org.keycloak.adapters.spi.HttpFacade in project keycloak by keycloak.

From the class KeycloakAdapterPolicyEnforcer, method challenge.

@Override
protected boolean challenge(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade) {
    // Only bearer-token clients receive a UMA challenge; anything else is
    // handed to the generic access-denied handler.
    if (!isBearerAuthorization(httpFacade)) {
        handleAccessDenied(httpFacade);
        return true;
    }

    HttpFacade.Response response = httpFacade.getResponse();
    AuthzClient authzClient = getAuthzClient();
    String ticket = getPermissionTicket(pathConfig, methodConfig, authzClient, httpFacade);

    if (ticket == null) {
        // No permission ticket available: deny outright, no challenge header.
        response.setStatus(403);
    } else {
        // UMA permission-ticket challenge: the client is told which realm and
        // authorization server (as_uri) to take the ticket to.
        // NOTE(review): realm, issuer and ticket are inserted unescaped; they
        // come from adapter configuration and the authorization server, not
        // from the request — confirm none of them can contain '"' or CR/LF.
        String realm = authzClient.getConfiguration().getRealm();
        String issuer = authzClient.getServerConfiguration().getIssuer();
        String challengeHeader = "UMA realm=\"" + realm + "\",as_uri=\"" + issuer + "\",ticket=\"" + ticket + "\"";
        response.setStatus(401);
        response.setHeader("WWW-Authenticate", challengeHeader);
    }

    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("Sending challenge");
    }
    return true;
}
Also used : AuthzClient(org.keycloak.authorization.client.AuthzClient) OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) HttpFacade(org.keycloak.adapters.spi.HttpFacade)

Example 2 with HttpFacade

use of org.keycloak.adapters.spi.HttpFacade in project keycloak by keycloak.

From the class AbstractSamlAuthenticationHandler, method createChallenge.

protected AbstractInitiateLogin createChallenge() {
    return new AbstractInitiateLogin(deployment, sessionStore) {

        /**
         * Sends the SAML AuthnRequest to the IdP's single-sign-on service, or, for a
         * request that looks like it comes from a bearer-only client, ends the
         * response with 401 since such a client cannot follow a login redirect.
         */
        @Override
        protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding) throws ProcessingException, ConfigurationException, IOException {
            if (isAutodetectedBearerOnly(httpFacade.getRequest())) {
                httpFacade.getResponse().setStatus(401);
                httpFacade.getResponse().end();
                return;
            }

            Document authnRequest = authnRequestBuilder.toDocument();
            // The IdP configuration decides whether the request goes out via POST or REDIRECT binding.
            SamlDeployment.Binding requestBinding = deployment.getIDP().getSingleSignOnService().getRequestBinding();
            SamlUtil.sendSaml(true,
                    httpFacade,
                    deployment.getIDP().getSingleSignOnService().getRequestBindingUrl(),
                    binding,
                    authnRequest,
                    requestBinding);
        }
    };
}
Also used : AbstractInitiateLogin(org.keycloak.adapters.saml.AbstractInitiateLogin) HttpFacade(org.keycloak.adapters.spi.HttpFacade) BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) Document(org.w3c.dom.Document) SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)

Example 3 with HttpFacade

use of org.keycloak.adapters.spi.HttpFacade in project keycloak by keycloak.

From the class EcpAuthenticationHandler, method createChallenge.

@Override
protected AbstractInitiateLogin createChallenge() {
    return new AbstractInitiateLogin(deployment, sessionStore) {

        /**
         * Writes the ECP (PAOS) SOAP envelope carrying the AuthnRequest straight to the
         * response output stream. Any failure while building or writing the envelope
         * surfaces as a RuntimeException with the original exception as cause.
         */
        @Override
        protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding) {
            try {
                MessageFactory factory = MessageFactory.newInstance();
                SOAPMessage soapMessage = factory.createMessage();
                SOAPEnvelope envelope = soapMessage.getSOAPPart().getEnvelope();

                declareNamespaces(envelope);
                // PAOS header first, then the ECP profile header, then the AuthnRequest in the body.
                createPaosRequestHeader(envelope);
                createEcpRequestHeader(envelope);

                SOAPBody soapBody = envelope.getBody();
                Document authnRequest = binding.postBinding(authnRequestBuilder.toDocument()).getDocument();
                soapBody.addDocument(authnRequest);

                soapMessage.writeTo(httpFacade.getResponse().getOutputStream());
            } catch (Exception e) {
                throw new RuntimeException("Could not create AuthnRequest.", e);
            }
        }

        /** Declares the SAML, SAMLP, PAOS and ECP namespaces on the envelope, in that order. */
        private void declareNamespaces(SOAPEnvelope envelope) throws SOAPException {
            envelope.addNamespaceDeclaration(NS_PREFIX_SAML_ASSERTION, JBossSAMLURIConstants.ASSERTION_NSURI.get());
            envelope.addNamespaceDeclaration(NS_PREFIX_SAML_PROTOCOL, JBossSAMLURIConstants.PROTOCOL_NSURI.get());
            envelope.addNamespaceDeclaration(NS_PREFIX_PAOS_BINDING, JBossSAMLURIConstants.PAOS_BINDING.get());
            envelope.addNamespaceDeclaration(NS_PREFIX_PROFILE_ECP, JBossSAMLURIConstants.ECP_PROFILE.get());
        }

        /**
         * Adds the PAOS Request header: mustUnderstand, addressed to the "next" SOAP actor,
         * naming the ECP profile as service and this SP's assertion consumer URL as the
         * responseConsumerURL (may be null if the deployment has none configured).
         */
        private void createPaosRequestHeader(SOAPEnvelope envelope) throws SOAPException {
            SOAPHeader soapHeader = envelope.getHeader();
            SOAPHeaderElement paosRequest = soapHeader.addHeaderElement(
                    envelope.createQName(JBossSAMLConstants.REQUEST.get(), NS_PREFIX_PAOS_BINDING));
            paosRequest.setMustUnderstand(true);
            paosRequest.setActor("http://schemas.xmlsoap.org/soap/actor/next");
            paosRequest.addAttribute(envelope.createName("service"), JBossSAMLURIConstants.ECP_PROFILE.get());
            paosRequest.addAttribute(envelope.createName("responseConsumerURL"), getResponseConsumerUrl());
        }

        /**
         * Adds the ECP Request header: the SP as provider/issuer, IsPassive="0", and an
         * IDPList with a single entry pointing at the configured IdP's SSO request URL.
         */
        private void createEcpRequestHeader(SOAPEnvelope envelope) throws SOAPException {
            SOAPHeader soapHeader = envelope.getHeader();
            SOAPHeaderElement ecpRequest = soapHeader.addHeaderElement(
                    envelope.createQName(JBossSAMLConstants.REQUEST.get(), NS_PREFIX_PROFILE_ECP));
            ecpRequest.setMustUnderstand(true);
            ecpRequest.setActor("http://schemas.xmlsoap.org/soap/actor/next");
            ecpRequest.addAttribute(envelope.createName("ProviderName"), deployment.getEntityID());
            ecpRequest.addAttribute(envelope.createName("IsPassive"), "0");
            ecpRequest.addChildElement(envelope.createQName("Issuer", "saml"))
                    .setValue(deployment.getEntityID());
            ecpRequest.addChildElement(envelope.createQName("IDPList", "samlp"))
                    .addChildElement(envelope.createQName("IDPEntry", "samlp"))
                    .addAttribute(envelope.createName("ProviderID"), deployment.getIDP().getEntityID())
                    .addAttribute(envelope.createName("Name"), deployment.getIDP().getEntityID())
                    .addAttribute(envelope.createName("Loc"), deployment.getIDP().getSingleSignOnService().getRequestBindingUrl());
        }

        /** Returns the configured assertion consumer service URL as a string, or null when any part of the chain is missing. */
        private String getResponseConsumerUrl() {
            if (deployment.getIDP() == null) {
                return null;
            }
            if (deployment.getIDP().getSingleSignOnService() == null) {
                return null;
            }
            if (deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl() == null) {
                return null;
            }
            return deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl().toString();
        }
    };
}
Also used : SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement) SOAPBody(javax.xml.soap.SOAPBody) MessageFactory(javax.xml.soap.MessageFactory) AbstractInitiateLogin(org.keycloak.adapters.saml.AbstractInitiateLogin) HttpFacade(org.keycloak.adapters.spi.HttpFacade) BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder) SOAPEnvelope(javax.xml.soap.SOAPEnvelope) SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder) SOAPMessage(javax.xml.soap.SOAPMessage) SOAPException(javax.xml.soap.SOAPException) SOAPHeader(javax.xml.soap.SOAPHeader)

Example 4 with HttpFacade

use of org.keycloak.adapters.spi.HttpFacade in project keycloak by keycloak.

From the class ClaimInformationPointProviderTest, method testHttpClaimInformationPointProviderWithClaims.

/**
 * The HTTP claim provider configured for "/http-post-claim-provider" must expose the
 * remote response as "claim-*" entries only; the raw names a, b and d must not leak through.
 */
@Test
public void testHttpClaimInformationPointProviderWithClaims() {
    HttpFacade httpFacade = createHttpFacade();
    Map<String, List<String>> claims = getClaimInformationProviderForPath("/http-post-claim-provider", "http").resolve(httpFacade);

    List<String> claimA = claims.get("claim-a");
    List<String> claimD = claims.get("claim-d");
    List<String> claimD0 = claims.get("claim-d0");
    List<String> claimDAll = claims.get("claim-d-all");

    assertEquals("a-value1", claimA.get(0));
    assertEquals("d-value1", claimD.get(0));
    assertEquals("d-value2", claimD.get(1));
    assertEquals("d-value1", claimD0.get(0));
    assertEquals("d-value1", claimDAll.get(0));
    assertEquals("d-value2", claimDAll.get(1));

    // Unmapped source claims must not be exposed.
    assertNull(claims.get("a"));
    assertNull(claims.get("b"));
    assertNull(claims.get("d"));
}
Also used : OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) HttpFacade(org.keycloak.adapters.spi.HttpFacade) List(java.util.List) Test(org.junit.Test) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)

Example 5 with HttpFacade

use of org.keycloak.adapters.spi.HttpFacade in project keycloak by keycloak.

From the class ClaimInformationPointProviderTest, method testBodyJsonObjectClaim.

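/**
 * A JSON object in the request body must be resolvable into claims, with nested array
 * elements serialized back as compact JSON strings. Exercised twice: with a bare
 * "application/json" Content-Type and with a charset parameter appended.
 */
@Test
public void testBodyJsonObjectClaim() throws Exception {
    ObjectMapper mapper = JsonSerialization.mapper;
    JsonParser parser = mapper.getFactory().createParser("{\"Individual\" : {\n" + "\n" + "                \"Name\":  \"John\",\n" + "\n" + "                \"Lastname\": \"Doe\",\n" + "\n" + "                \"individualRoles\" : [ {\n" + "\n" + "                                \"roleSpec\": 2342,\n" + "\n" + "                                \"roleId\": 4234},\n" + "\n" + "{\n" + "\n" + "                                \"roleSpec\": 4223,\n" + "\n" + "                                \"roleId\": 523\n" + "\n" + "                }\n" + "\n" + "                ]\n" + "\n" + "}}");
    TreeNode treeNode = mapper.readTree(parser);
    // Re-serialized (compact) form is what the claim provider sees in the body.
    String body = treeNode.toString();

    assertIndividualRolesResolvedFromBody("application/json", body);
    // The charset parameter must not stop the provider from recognising the JSON body.
    assertIndividualRolesResolvedFromBody("application/json; charset=utf-8", body);
}

/**
 * Resolves claims for "/claims-from-body-json-object" from {@code jsonBody} sent with the
 * given Content-Type and asserts that exactly the two "individualRoles" entries come back.
 *
 * @param contentType value of the Content-Type header to send
 * @param jsonBody    request body, encoded as UTF-8
 */
private void assertIndividualRolesResolvedFromBody(String contentType, String jsonBody) {
    Map<String, List<String>> headers = new HashMap<>();
    headers.put("Content-Type", Arrays.asList(contentType));
    // Explicit charset: the previous getBytes() used the platform default, which is not
    // guaranteed to be UTF-8 on every JVM the test suite runs on.
    byte[] bodyBytes = jsonBody.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    HttpFacade httpFacade = createHttpFacade(headers, new ByteArrayInputStream(bodyBytes));

    Map<String, List<String>> claims = getClaimInformationProviderForPath("/claims-from-body-json-object", "claims").resolve(httpFacade);

    assertEquals(1, claims.size());
    List<String> roles = claims.get("individualRoles");
    assertEquals(2, roles.size());
    assertEquals("{\"roleSpec\":2342,\"roleId\":4234}", roles.get(0));
    assertEquals("{\"roleSpec\":4223,\"roleId\":523}", roles.get(1));
}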
Also used : HashMap(java.util.HashMap) ByteArrayInputStream(java.io.ByteArrayInputStream) TreeNode(com.fasterxml.jackson.core.TreeNode) OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) HttpFacade(org.keycloak.adapters.spi.HttpFacade) List(java.util.List) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) JsonParser(com.fasterxml.jackson.core.JsonParser) Test(org.junit.Test) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)
