simplify auth validation

Co-authored-by: June <june@jsts.xyz>
kritzl 2025-11-01 02:05:53 +01:00 committed by June
commit 8d190c2970
2 changed files with 22 additions and 54 deletions


@ -1,51 +0,0 @@
package de.ccc.hamburg.keycloak.ssh_key;
import java.util.function.Function;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.NotAuthorizedException;
public class AuthHelper {
public static AuthenticationManager.AuthResult getAuthResult(KeycloakSession session, Function<AuthenticationManager.AuthResult, Boolean> authFn) {
AuthenticationManager.AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
if (auth == null) {
throw new NotAuthorizedException("Bearer");
} else if (!authFn.apply(auth)) {
throw new ForbiddenException();
}
return auth;
}
public static Auth getAuth(KeycloakSession session, Function<AuthenticationManager.AuthResult, Boolean> authFn) {
return getAuth(session, getAuthResult(session, authFn));
}
public static Auth getAuth(KeycloakSession session, String clientId, Function<AuthenticationManager.AuthResult, Boolean> authFn) {
return getAuth(session, getAuthResult(session, authFn), clientId);
}
public static Auth getAuth(KeycloakSession session, AuthenticationManager.AuthResult authResult) {
return getAuth(session, authResult, null);
}
public static Auth getAuth(KeycloakSession session, AuthenticationManager.AuthResult authResult, String clientId) {
RealmModel realm = session.getContext().getRealm();
ClientModel client;
if (clientId == null) {
client = authResult.getClient();
} else {
client = realm.getClientByClientId(clientId);
}
return new Auth(realm, authResult.getToken(), authResult.getUser(), client, authResult.getSession(), false);
}
}


@ -8,16 +8,23 @@ import java.util.regex.Pattern;
import java.util.stream.Stream; import java.util.stream.Stream;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel; import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider; import org.keycloak.models.UserProvider;
import org.keycloak.representations.userprofile.config.UPConfig; import org.keycloak.representations.userprofile.config.UPConfig;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AppAuthManager.BearerTokenAuthenticator;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resource.RealmResourceProvider; import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.userprofile.UserProfileProvider; import org.keycloak.userprofile.UserProfileProvider;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET; import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.Path; import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam; import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces; import jakarta.ws.rs.Produces;
@ -50,9 +57,7 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Response exportKeys(@PathParam("group_id") String groupId) { public Response exportKeys(@PathParam("group_id") String groupId) {
try { try {
AuthHelper.getAuth( SSHKeyResourceProvider.getAuth(session);
session,
authResult -> authResult.getToken().getIssuedFor().equals("admin-cli"));
} catch (Exception e) { } catch (Exception e) {
System.err.println(e); System.err.println(e);
return Response.status(401, e.getMessage()).build(); return Response.status(401, e.getMessage()).build();
@ -95,4 +100,18 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
} }
private static Auth getAuth(KeycloakSession session) {
AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
if (auth == null) {
throw new NotAuthorizedException("Bearer");
} else if (!auth.getToken().getIssuedFor().equals("admin-cli")) {
throw new ForbiddenException();
}
RealmModel realm = session.getContext().getRealm();
ClientModel client = auth.getClient();
return new Auth(realm, auth.getToken(), auth.getUser(), client, auth.getSession(), false);
}
} }
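Review bot: The gate in the new `getAuth` (`!auth.getToken().getIssuedFor().equals("admin-cli")`) authorizes on the client the token was issued to, not on anything about the user; if `admin-cli` is still the stock public client with direct access grants, any user who can log in to the realm can obtain a token whose `azp` passes this check and export every group's SSH keys, and with the `authFn` parameter removed this is now the only check, so it should be tied to a role the caller actually needs (sketched below; needs `org.keycloak.models.RoleModel` in scope). The same line throws NPE on a token without an `azp` claim; `"admin-cli".equals(auth.getToken().getIssuedFor())` is the null-safe form, and because `exportKeys` catches `Exception` and answers 401 for everything, the `ForbiddenException` never reaches the client as 403 — consider catching `NotAuthorizedException` and `ForbiddenException` separately there (that method's body continues outside the hunk). The `Auth` object built at the end is discarded at the call site (`SSHKeyResourceProvider.getAuth(session);`), so either use it or drop the `Auth` construction and return `void`/the `AuthResult`.
```java
private static Auth getAuth(KeycloakSession session) {
    AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
    if (auth == null) {
        throw new NotAuthorizedException("Bearer");
    }
    RealmModel realm = session.getContext().getRealm();
    // Authorize on a role of the user, not only on the client the token was issued to.
    ClientModel realmManagement = realm.getClientByClientId("realm-management");
    RoleModel required = realmManagement == null ? null : realmManagement.getRole("view-users");
    if (!"admin-cli".equals(auth.getToken().getIssuedFor())
            || required == null
            || !auth.getUser().hasRole(required)) {
        throw new ForbiddenException();
    }
    // … unchanged: Auth construction and return …
```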