Skip to content

Commit

Permalink
KEYCLOAK-1103 - First draft
Browse files Browse the repository at this point in the history
  • Loading branch information
srose committed May 29, 2015
1 parent f61a9d7 commit 7659b1a
Show file tree
Hide file tree
Showing 5 changed files with 107 additions and 27 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -6,43 +6,58 @@
import org.keycloak.adapters.undertow.KeycloakUndertowAccount;
import org.keycloak.representations.IDToken;

import java.util.HashMap;
import java.util.Map;

/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class ConstraintAuthorizationHandler implements HttpHandler {
public static final HttpString KEYCLOAK_SUBJECT = new HttpString("KEYCLOAK-SUBJECT");
public static final HttpString KEYCLOAK_USERNAME = new HttpString("KEYCLOAK-USERNAME");
public static final HttpString KEYCLOAK_EMAIL = new HttpString("KEYCLOAK-EMAIL");
public static final HttpString KEYCLOAK_NAME = new HttpString("KEYCLOAK-NAME");
public static final HttpString KEYCLOAK_ACCESS_TOKEN = new HttpString("KEYCLOAK-ACCESS-TOKEN");

private final Map<String, HttpString> httpHeaderNames;
protected HttpHandler next;
protected String errorPage;
protected boolean sendAccessToken;

public ConstraintAuthorizationHandler(HttpHandler next, String errorPage, boolean sendAccessToken) {
public ConstraintAuthorizationHandler(HttpHandler next, String errorPage, boolean sendAccessToken, Map<String, String> headerNames) {
this.next = next;
this.errorPage = errorPage;
this.sendAccessToken = sendAccessToken;

this.httpHeaderNames = new HashMap<>();
this.httpHeaderNames.put("KEYCLOAK_SUBJECT", new HttpString(headerNames.getOrDefault("keycloak-subject", "KEYCLOAK_SUBJECT")));
this.httpHeaderNames.put("KEYCLOAK_USERNAME", new HttpString(headerNames.getOrDefault("keycloak-username", "KEYCLOAK_USERNAME")));
this.httpHeaderNames.put("KEYCLOAK_EMAIL", new HttpString(headerNames.getOrDefault("keycloak-email", "KEYCLOAK_EMAIL")));
this.httpHeaderNames.put("KEYCLOAK_NAME", new HttpString(headerNames.getOrDefault("keycloak-name", "KEYCLOAK_NAME")));
this.httpHeaderNames.put("KEYCLOAK_ACCESS_TOKEN", new HttpString(headerNames.getOrDefault("keycloak-access-token", "KEYCLOAK_ACCESS_TOKEN")));
}

@Override
public void handleRequest(HttpServerExchange exchange) throws Exception {

KeycloakUndertowAccount account = (KeycloakUndertowAccount)exchange.getSecurityContext().getAuthenticatedAccount();

SingleConstraintMatch match = exchange.getAttachment(ConstraintMatcherHandler.CONSTRAINT_KEY);
if (match == null || (match.getRequiredRoles().isEmpty() && match.getEmptyRoleSemantic() == SecurityInfo.EmptyRoleSemantic.AUTHENTICATE)) {
authenticatedRequest(account, exchange);
return;
}

if (match != null) {
for (String role : match.getRequiredRoles()) {
if (account.getRoles().contains(role)) {
authenticatedRequest(account, exchange);
return;
if(SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED.equals(match.getEmptyRoleSemantic())) {
authenticatedRequest(account, exchange);
return;
} else {
for (String role : match.getRequiredRoles()) {
if (account.getRoles().contains(role)) {
authenticatedRequest(account, exchange);
return;
}
}
}
}

if (errorPage != null) {
exchange.setRequestPath(errorPage);
exchange.setRelativePath(errorPage);
Expand All @@ -61,20 +76,20 @@ public void authenticatedRequest(KeycloakUndertowAccount account, HttpServerExch
IDToken idToken = account.getKeycloakSecurityContext().getToken();
if (idToken == null) return;
if (idToken.getSubject() != null) {
exchange.getRequestHeaders().put(KEYCLOAK_SUBJECT, idToken.getSubject());
exchange.getRequestHeaders().put(httpHeaderNames.get("KEYCLOAK_SUBJECT"), idToken.getSubject());
}

if (idToken.getPreferredUsername() != null) {
exchange.getRequestHeaders().put(KEYCLOAK_USERNAME, idToken.getPreferredUsername());
exchange.getRequestHeaders().put(httpHeaderNames.get("KEYCLOAK_USERNAME"), idToken.getPreferredUsername());
}
if (idToken.getEmail() != null) {
exchange.getRequestHeaders().put(KEYCLOAK_EMAIL, idToken.getEmail());
exchange.getRequestHeaders().put(httpHeaderNames.get("KEYCLOAK_EMAIL"), idToken.getEmail());
}
if (idToken.getName() != null) {
exchange.getRequestHeaders().put(KEYCLOAK_NAME, idToken.getName());
exchange.getRequestHeaders().put(httpHeaderNames.get("KEYCLOAK_NAME"), idToken.getName());
}
if (sendAccessToken) {
exchange.getRequestHeaders().put(KEYCLOAK_ACCESS_TOKEN, account.getKeycloakSecurityContext().getTokenString());
exchange.getRequestHeaders().put(httpHeaderNames.get("KEYCLOAK_ACCESS_TOKEN"), account.getKeycloakSecurityContext().getTokenString());
}
}
next.handleRequest(exchange);
Expand Down
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
package org.keycloak.proxy;

import io.undertow.security.handlers.AuthenticationConstraintHandler;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.AttachmentKey;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakSecurityContext;

import java.util.List;

/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
Expand Down Expand Up @@ -47,10 +48,41 @@ public void handleRequest(HttpServerExchange exchange) throws Exception {
}
return;
}

if (match.getRequiredRoles().isEmpty() && match.getEmptyRoleSemantic() == SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED) {

boolean successfulAuthenticatedMethodFound = isSuccessfulAuthenticatedMethodFound(exchange);

if(successfulAuthenticatedMethodFound) {
//in case of authenticated we go for injecting headers
exchange.putAttachment(CONSTRAINT_KEY, match);
securedHandler.handleRequest(exchange);
return;
} else {
//in case of not authenticated we just show the resource
unsecuredHandler.handleRequest(exchange);
return;
}
}

log.debug("found constraint");
exchange.getSecurityContext().setAuthenticationRequired();
exchange.putAttachment(CONSTRAINT_KEY, match);
securedHandler.handleRequest(exchange);

}

private boolean isSuccessfulAuthenticatedMethodFound(HttpServerExchange exchange) {
boolean successfulAuthenticatedMethodFound = false;
List<AuthenticationMechanism> authenticationMechanisms = exchange.getSecurityContext().getAuthenticationMechanisms();

for (AuthenticationMechanism authenticationMechanism : authenticationMechanisms) {
AuthenticationMechanism.AuthenticationMechanismOutcome authenticationMechanismOutcome =
authenticationMechanism.authenticate(exchange, exchange.getSecurityContext());
if(authenticationMechanismOutcome.equals(AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED)) {
successfulAuthenticatedMethodFound = true;
}
}
return successfulAuthenticatedMethodFound;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,7 @@
import org.codehaus.jackson.annotate.JsonProperty;
import org.keycloak.representations.adapters.config.AdapterConfig;

import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.*;

/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
Expand Down Expand Up @@ -41,6 +38,8 @@ public class ProxyConfig {
protected boolean sendAccessToken;
@JsonProperty("applications")
protected List<Application> applications = new LinkedList<Application>();
@JsonProperty("header-names")
private Map<String,String> headerNames = new HashMap<>();

public String getBindAddress() {
return bindAddress;
Expand Down Expand Up @@ -154,6 +153,14 @@ public void setSendAccessToken(boolean sendAccessToken) {
this.sendAccessToken = sendAccessToken;
}

public void setHeaderNames(Map<String, String> headerNames) {
this.headerNames = headerNames;
}

public Map<String, String> getHeaderNames() {
return headerNames;
}

public static class Application {
@JsonProperty("base-path")
protected String basePath;
Expand Down Expand Up @@ -212,6 +219,8 @@ public static class Constraint {
protected boolean permit;
@JsonProperty("authenticate")
protected boolean authenticate;
@JsonProperty("inject-if-authenticated")
protected boolean injectIfAuthenticated;

public String getPattern() {
return pattern;
Expand Down Expand Up @@ -253,6 +262,14 @@ public void setAuthenticate(boolean authenticate) {
this.authenticate = authenticate;
}

public boolean isInjectIfAuthenticated() {
return injectIfAuthenticated;
}

public void setInjectIfAuthenticated(boolean injectIfAuthenticated) {
this.injectIfAuthenticated = injectIfAuthenticated;
}

public Set<String> getMethods() {
return methods;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,10 +51,7 @@
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.*;

/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
Expand All @@ -76,6 +73,8 @@ public void handleRequest(HttpServerExchange exchange) throws Exception {
protected HttpHandler proxyHandler;
protected boolean sendAccessToken;

protected Map<String, String> headerNameConfig;

public ProxyServerBuilder target(String uri) {
SimpleProxyClientProvider provider = null;
try {
Expand All @@ -98,6 +97,12 @@ public ProxyServerBuilder sendAccessToken(boolean flag) {
this.sendAccessToken = flag;
return this;
}

public ProxyServerBuilder headerNameConfig(Map<String, String> headerNameConfig) {
this.headerNameConfig = headerNameConfig;
return this;
}

public ApplicationBuilder application(AdapterConfig config) {
return new ApplicationBuilder(config);
}
Expand Down Expand Up @@ -169,6 +174,11 @@ public ConstraintBuilder authenticate() {
return this;
}

public ConstraintBuilder injectIfAuthenticated() {
semantic = SecurityInfo.EmptyRoleSemantic.INJECT_IF_AUTHENTICATED;
return this;
}

public ConstraintBuilder excludedMethods(Set<String> excludedMethods) {
this.excludedMethods = excludedMethods;
return this;
Expand Down Expand Up @@ -222,7 +232,7 @@ private HttpHandler addSecurity(final HttpHandler toWrap) {
errorPage = base + "/" + errorPage;
}
}
handler = new ConstraintAuthorizationHandler(handler, errorPage, sendAccessToken);
handler = new ConstraintAuthorizationHandler(handler, errorPage, sendAccessToken, headerNameConfig);
handler = new ProxyAuthenticationCallHandler(handler);
handler = new ConstraintMatcherHandler(matches, handler, toWrap, errorPage);
final List<AuthenticationMechanism> mechanisms = new LinkedList<AuthenticationMechanism>();
Expand Down Expand Up @@ -373,6 +383,7 @@ public static Undertow build(ProxyConfig config) {
if (constraint.isDeny()) constraintBuilder.deny();
if (constraint.isPermit()) constraintBuilder.permit();
if (constraint.isAuthenticate()) constraintBuilder.authenticate();
if (constraint.isInjectIfAuthenticated()) constraintBuilder.injectIfAuthenticated();
constraintBuilder.add();
}
}
Expand All @@ -383,6 +394,7 @@ public static Undertow build(ProxyConfig config) {

public static void initOptions(ProxyConfig config, ProxyServerBuilder builder) {
builder.sendAccessToken(config.isSendAccessToken());
builder.headerNameConfig(config.getHeaderNames());
if (config.getBufferSize() != null) builder.setBufferSize(config.getBufferSize());
if (config.getBuffersPerRegion() != null) builder.setBuffersPerRegion(config.getBuffersPerRegion());
if (config.getIoThreads() != null) builder.setIoThreads(config.getIoThreads());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,12 @@ public enum EmptyRoleSemantic {
/**
* Mandate authentication but authorize access as no roles to check against.
*/
AUTHENTICATE;
AUTHENTICATE,

/**
* Permit access in any case, but provide authorization info only if authorized.
*/
INJECT_IF_AUTHENTICATED;
}

private volatile EmptyRoleSemantic emptyRoleSemantic = EmptyRoleSemantic.DENY;
Expand Down

0 comments on commit 7659b1a

Please sign in to comment.