KEYCLOAK-3823 KEYCLOAK-3824 Added public-key-cache-ttl for OIDC adapt…

…ers. Invalidate cache when notBefore sent
alainlompo · Dec 1, 2016 · a385447 · a385447
1 parent c9cf7f6
commit a385447
Show file tree

Hide file tree

Showing 27 changed files with 663 additions and 138 deletions.
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AdapterDeploymentContext.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AdapterDeploymentContext.java
@@ -446,6 +446,16 @@ public void setMinTimeBetweenJwksRequests(int minTimeBetweenJwksRequests) {
         public int getMinTimeBetweenJwksRequests() {
             return delegate.getMinTimeBetweenJwksRequests();
         }
+
+        @Override
+        public int getPublicKeyCacheTtl() {
+            return delegate.getPublicKeyCacheTtl();
+        }
+
+        @Override
+        public void setPublicKeyCacheTtl(int publicKeyCacheTtl) {
+            delegate.setPublicKeyCacheTtl(publicKeyCacheTtl);
+        }
     }
 
     protected KeycloakUriBuilder getBaseBuilder(HttpFacade facade, String base) {

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpAdapterUtils.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpAdapterUtils.java
@@ -46,14 +46,7 @@ public static <T> T sendJsonHttpRequest(KeycloakDeployment deployment, HttpReque
             }
             InputStream is = entity.getContent();
             try {
-                ByteArrayOutputStream os = new ByteArrayOutputStream();
-                int c;
-                while ((c = is.read()) != -1) {
-                    os.write(c);
-                }
-                byte[] bytes = os.toByteArray();
-                String json = new String(bytes);
-                return JsonSerialization.readValue(json, clazz);
+                return JsonSerialization.readValue(is, clazz);
             } finally {
                 try {
                     is.close();

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
@@ -81,6 +81,7 @@ public class KeycloakDeployment {
     protected volatile int notBefore;
     protected int tokenMinimumTimeToLive;
     protected int minTimeBetweenJwksRequests;
+    protected int publicKeyCacheTtl;
     private PolicyEnforcer policyEnforcer;
 
     public KeycloakDeployment() {
@@ -384,6 +385,14 @@ public void setMinTimeBetweenJwksRequests(int minTimeBetweenJwksRequests) {
         this.minTimeBetweenJwksRequests = minTimeBetweenJwksRequests;
     }
 
+    public int getPublicKeyCacheTtl() {
+        return publicKeyCacheTtl;
+    }
+
+    public void setPublicKeyCacheTtl(int publicKeyCacheTtl) {
+        this.publicKeyCacheTtl = publicKeyCacheTtl;
+    }
+
     public void setPolicyEnforcer(PolicyEnforcer policyEnforcer) {
         this.policyEnforcer = policyEnforcer;
     }

diff --git a/...ters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java b/...ters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java
@@ -105,6 +105,7 @@ protected KeycloakDeployment internalBuild(AdapterConfig adapterConfig) {
         deployment.setRegisterNodePeriod(adapterConfig.getRegisterNodePeriod());
         deployment.setTokenMinimumTimeToLive(adapterConfig.getTokenMinimumTimeToLive());
         deployment.setMinTimeBetweenJwksRequests(adapterConfig.getMinTimeBetweenJwksRequests());
+        deployment.setPublicKeyCacheTtl(adapterConfig.getPublicKeyCacheTtl());
 
         if (realmKeyPem == null && adapterConfig.isBearerOnly() && adapterConfig.getAuthServerUrl() == null) {
             throw new IllegalArgumentException("For bearer auth, you must set the realm-public-key or auth-server-url");

diff --git a/...s/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/JWKPublicKeyLocator.java b/...s/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/JWKPublicKeyLocator.java
@@ -25,7 +25,6 @@
 import org.keycloak.common.util.Time;
 import org.keycloak.jose.jwk.JSONWebKeySet;
 import org.keycloak.jose.jwk.JWK;
-import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.util.JWKSUtils;
 
 import java.security.PublicKey;
@@ -48,15 +47,15 @@ public class JWKPublicKeyLocator implements PublicKeyLocator {
     @Override
     public PublicKey getPublicKey(String kid, KeycloakDeployment deployment) {
         int minTimeBetweenRequests = deployment.getMinTimeBetweenJwksRequests();
+        int publicKeyCacheTtl = deployment.getPublicKeyCacheTtl();
+        int currentTime = Time.currentTime();
 
         // Check if key is in cache.
-        PublicKey publicKey = currentKeys.get(kid);
+        PublicKey publicKey = lookupCachedKey(publicKeyCacheTtl, currentTime, kid);
         if (publicKey != null) {
             return publicKey;
         }
 
-        int currentTime = Time.currentTime();
-
         // Check if we are allowed to send request
         if (currentTime > lastRequestTime + minTimeBetweenRequests) {
             synchronized (this) {
@@ -70,11 +69,20 @@ public PublicKey getPublicKey(String kid, KeycloakDeployment deployment) {
             }
         }
 
-        return currentKeys.get(kid);
+        return lookupCachedKey(publicKeyCacheTtl, currentTime, kid);
 
     }
 
 
+    private PublicKey lookupCachedKey(int publicKeyCacheTtl, int currentTime, String kid) {
+        if (lastRequestTime + publicKeyCacheTtl > currentTime) {
+            return currentKeys.get(kid);
+        } else {
+            return null;
+        }
+    }
+
+
     private void sendRequest(KeycloakDeployment deployment) {
         if (log.isTraceEnabled()) {
             log.tracef("Going to send request to retrieve new set of realm public keys for client %s", deployment.getResourceName());

diff --git a/.../oidc/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java b/.../oidc/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java
@@ -69,6 +69,7 @@ public void load() throws Exception {
         assertEquals("email", deployment.getPrincipalAttribute());
         assertEquals(10, deployment.getTokenMinimumTimeToLive());
         assertEquals(20, deployment.getMinTimeBetweenJwksRequests());
+        assertEquals(120, deployment.getPublicKeyCacheTtl());
     }
 
     @Test
@@ -78,6 +79,7 @@ public void loadNoClientCredentials() throws Exception {
 
         assertTrue(deployment.getPublicKeyLocator() instanceof JWKPublicKeyLocator);
         assertEquals(10, deployment.getMinTimeBetweenJwksRequests());
+        assertEquals(86400, deployment.getPublicKeyCacheTtl());
     }
 
     @Test

diff --git a/adapters/oidc/adapter-core/src/test/resources/keycloak.json b/adapters/oidc/adapter-core/src/test/resources/keycloak.json
@@ -30,5 +30,6 @@
     "token-store": "cookie",
     "principal-attribute": "email",
     "token-minimum-time-to-live": 10,
-    "min-time-between-jwks-requests": 20
+    "min-time-between-jwks-requests": 20,
+    "public-key-cache-ttl": 120
 }
diff --git a/core/src/main/java/org/keycloak/representations/adapters/config/AdapterConfig.java b/core/src/main/java/org/keycloak/representations/adapters/config/AdapterConfig.java
@@ -36,7 +36,8 @@
         "client-keystore", "client-keystore-password", "client-key-password",
         "always-refresh-token",
         "register-node-at-startup", "register-node-period", "token-store", "principal-attribute",
-        "proxy-url", "turn-off-change-session-id-on-login", "token-minimum-time-to-live", "min-time-between-jwks-requests",
+        "proxy-url", "turn-off-change-session-id-on-login", "token-minimum-time-to-live",
+        "min-time-between-jwks-requests", "public-key-cache-ttl",
         "policy-enforcer"
 })
 public class AdapterConfig extends BaseAdapterConfig implements AdapterHttpClientConfig {
@@ -73,6 +74,8 @@ public class AdapterConfig extends BaseAdapterConfig implements AdapterHttpClien
     protected int tokenMinimumTimeToLive = 0;
     @JsonProperty("min-time-between-jwks-requests")
     protected int minTimeBetweenJwksRequests = 10;
+    @JsonProperty("public-key-cache-ttl")
+    protected int publicKeyCacheTtl = 86400; // 1 day
     @JsonProperty("policy-enforcer")
     protected PolicyEnforcerConfig policyEnforcerConfig;
 
@@ -233,4 +236,12 @@ public int getMinTimeBetweenJwksRequests() {
     public void setMinTimeBetweenJwksRequests(int minTimeBetweenJwksRequests) {
         this.minTimeBetweenJwksRequests = minTimeBetweenJwksRequests;
     }
+
+    public int getPublicKeyCacheTtl() {
+        return publicKeyCacheTtl;
+    }
+
+    public void setPublicKeyCacheTtl(int publicKeyCacheTtl) {
+        this.publicKeyCacheTtl = publicKeyCacheTtl;
+    }
 }
diff --git a/...undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertow.java b/...undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/KeycloakOnUndertow.java
@@ -50,8 +50,8 @@
 
 import java.lang.reflect.Field;
 import java.util.Collection;
-import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 
 public class KeycloakOnUndertow implements DeployableContainer<KeycloakOnUndertowConfiguration> {
 
@@ -61,7 +61,7 @@ public class KeycloakOnUndertow implements DeployableContainer<KeycloakOnUnderto
     private KeycloakOnUndertowConfiguration configuration;
     private KeycloakSessionFactory sessionFactory;
 
-    Map<String, String> deployedArchivesToContextPath = new HashMap<>();
+    Map<String, String> deployedArchivesToContextPath = new ConcurrentHashMap<>();
 
     private DeploymentInfo createAuthServerDeploymentInfo() {
         ResteasyDeployment deployment = new ResteasyDeployment();

diff --git a/...ps/servlets/src/main/java/org/keycloak/testsuite/adapter/filter/AdapterActionsFilter.java b/...ps/servlets/src/main/java/org/keycloak/testsuite/adapter/filter/AdapterActionsFilter.java
@@ -23,12 +23,14 @@
 import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.rotation.JWKPublicKeyLocator;
 import org.keycloak.common.util.Time;
+import org.keycloak.common.util.reflections.Reflections;
 
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.lang.reflect.Field;
 
 /**
  * Filter to handle "special" requests to perform actions on adapter side (for example setting time offset )
@@ -38,7 +40,7 @@
 public class AdapterActionsFilter implements Filter {
 
     public static final String TIME_OFFSET_PARAM = "timeOffset";
-    public static final String RESET_PUBLIC_KEY_PARAM = "resetPublicKey";
+    public static final String RESET_DEPLOYMENT_PARAM = "resetDeployment";
 
     private static final Logger log = Logger.getLogger(AdapterActionsFilter.class);
 
@@ -54,19 +56,28 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 
         //Accept timeOffset as argument to enforce timeouts
         String timeOffsetParam = request.getParameter(TIME_OFFSET_PARAM);
-        String resetPublicKey = request.getParameter(RESET_PUBLIC_KEY_PARAM);
+        String resetDeploymentParam = request.getParameter(RESET_DEPLOYMENT_PARAM);
 
         if (timeOffsetParam != null && !timeOffsetParam.isEmpty()) {
             int timeOffset = Integer.parseInt(timeOffsetParam);
             log.infof("Time offset updated to %d for application %s", timeOffset, servletReq.getRequestURI());
             Time.setOffset(timeOffset);
             writeResponse(servletResp, "Offset set successfully");
-        } else if (resetPublicKey != null && !resetPublicKey.isEmpty()) {
+        } else if (resetDeploymentParam != null && !resetDeploymentParam.isEmpty()) {
             AdapterDeploymentContext deploymentContext = (AdapterDeploymentContext) request.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
-            KeycloakDeployment deployment = deploymentContext.resolveDeployment(null);
-            deployment.setPublicKeyLocator(new JWKPublicKeyLocator());
-            log.infof("Restarted publicKey locator for application %s", servletReq.getRequestURI());
-            writeResponse(servletResp, "PublicKeyLocator restarted successfully");
+
+            Field field = Reflections.findDeclaredField(AdapterDeploymentContext.class, "deployment");
+            Reflections.setAccessible(field);
+            KeycloakDeployment deployment = (KeycloakDeployment) Reflections.getFieldValue(field, deploymentContext);
+
+            Time.setOffset(0);
+            deployment.setNotBefore(0);
+            if (deployment.getPublicKeyLocator() instanceof JWKPublicKeyLocator) {
+                deployment.setPublicKeyLocator(new JWKPublicKeyLocator());
+            }
+
+            log.infof("Restarted PublicKeyLocator, notBefore and timeOffset for application %s", servletReq.getRequestURI());
+            writeResponse(servletResp, "Restarted PublicKeyLocator, notBefore and timeOffset successfully");
         } else {
             // Continue request
             chain.doFilter(request, response);

diff --git a/...vlets/src/main/java/org/keycloak/testsuite/adapter/servlet/AbstractShowTokensServlet.java b/...vlets/src/main/java/org/keycloak/testsuite/adapter/servlet/AbstractShowTokensServlet.java
@@ -49,6 +49,7 @@ protected String renderTokens(HttpServletRequest req)  throws ServletException,
 
         return new StringBuilder("<span id=\"accessToken\">" + accessTokenPretty + "</span>")
                 .append("<span id=\"refreshToken\">" + refreshTokenPretty + "</span>")
+                .append("<span id=\"accessTokenString\">" + ctx.getTokenString() + "</span>")
                 .toString();
     }
 

diff --git a/.../tests/base/src/main/java/org/keycloak/testsuite/adapter/page/AbstractShowTokensPage.java b/.../tests/base/src/main/java/org/keycloak/testsuite/adapter/page/AbstractShowTokensPage.java
@@ -38,6 +38,9 @@ public abstract class AbstractShowTokensPage extends AbstractPageWithInjectedUrl
     @FindBy(id = "refreshToken")
     private WebElement refreshToken;
 
+    @FindBy(id = "accessTokenString")
+    private WebElement accessTokenString;
+
 
     public AccessToken getAccessToken() {
         try {
@@ -51,13 +54,25 @@ public AccessToken getAccessToken() {
         return null;
     }
 
+
     public RefreshToken getRefreshToken() {
         try {
             return JsonSerialization.readValue(refreshToken.getText(), RefreshToken.class);
         } catch (IOException e) {
             e.printStackTrace();
         } catch (NoSuchElementException nsee) {
-            log.warn("No idToken element found on the page");
+            log.warn("No refreshToken element found on the page");
+        }
+
+        return null;
+    }
+
+
+    public String getAccessTokenString() {
+        try {
+            return accessTokenString.getText();
+        } catch (NoSuchElementException nsee) {
+            log.warn("No accessTokenString element found on the page");
         }
 
         return null;

diff --git a/.../tests/base/src/test/java/org/keycloak/testsuite/adapter/AbstractServletsAdapterTest.java b/.../tests/base/src/test/java/org/keycloak/testsuite/adapter/AbstractServletsAdapterTest.java
@@ -111,14 +111,17 @@ public void setDefaultPageUriParameters() {
         testRealmPage.setAuthRealm(DEMO);
     }
 
-    protected void setAdapterAndServerTimeOffset(int timeOffset, String servletUri) {
+    protected void setAdapterAndServerTimeOffset(int timeOffset, String... servletUris) {
         setTimeOffset(timeOffset);
-        String timeOffsetUri = UriBuilder.fromUri(servletUri)
-                .queryParam(AdapterActionsFilter.TIME_OFFSET_PARAM, timeOffset)
-                .build().toString();
 
-        driver.navigate().to(timeOffsetUri);
-        WaitUtils.waitUntilElement(By.tagName("body")).is().visible();
+        for (String servletUri : servletUris) {
+            String timeOffsetUri = UriBuilder.fromUri(servletUri)
+                    .queryParam(AdapterActionsFilter.TIME_OFFSET_PARAM, timeOffset)
+                    .build().toString();
+
+            driver.navigate().to(timeOffsetUri);
+            WaitUtils.waitUntilElement(By.tagName("body")).is().visible();
+        }
     }
 
 }
diff --git a/...est/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoFilterServletAdapterTest.java b/...est/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoFilterServletAdapterTest.java
@@ -27,10 +27,4 @@ public void testOIDCParamsForwarding() {
 
     }
 
-    @Test
-    @Override
-    @Ignore
-    public void testClientWithJwksUri() {
-
-    }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -27,10 +27,4 @@ public void testOIDCParamsForwarding() { @@
         }
-        @Test
-        @Override
-        @Ignore
-        public void testClientWithJwksUri() {
-        }
     }