simplify auth validation

Co-authored-by: June <june@jsts.xyz>
2025-11-01 02:05:53 +01:00 · 2025-11-01 02:05:53 +01:00 · 8d190c2970
commit 8d190c2970
parent 9fe298a899
2 changed files with 22 additions and 54 deletions
--- a/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/AuthHelper.java
+++ b/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/AuthHelper.java
@ -1,51 +0,0 @@
-package de.ccc.hamburg.keycloak.ssh_key;
-
-import java.util.function.Function;
-
-import org.keycloak.models.ClientModel;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.RealmModel;
-import org.keycloak.services.managers.AppAuthManager;
-import org.keycloak.services.managers.Auth;
-import org.keycloak.services.managers.AuthenticationManager;
-
-import jakarta.ws.rs.ForbiddenException;
-import jakarta.ws.rs.NotAuthorizedException;
-
-public class AuthHelper {
-
-	public static AuthenticationManager.AuthResult getAuthResult(KeycloakSession session, Function<AuthenticationManager.AuthResult, Boolean> authFn) {
-		AuthenticationManager.AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
-
-		if (auth == null) {
-			throw new NotAuthorizedException("Bearer");
-		} else if (!authFn.apply(auth)) {
-			throw new ForbiddenException();
-		}
-		return auth;
-	}
-
-	public static Auth getAuth(KeycloakSession session, Function<AuthenticationManager.AuthResult, Boolean> authFn) {
-		return getAuth(session, getAuthResult(session, authFn));
-	}
-
-	public static Auth getAuth(KeycloakSession session, String clientId, Function<AuthenticationManager.AuthResult, Boolean> authFn) {
-		return getAuth(session, getAuthResult(session, authFn), clientId);
-	}
-
-	public static Auth getAuth(KeycloakSession session, AuthenticationManager.AuthResult authResult) {
-		return getAuth(session, authResult, null);
-	}
-
-	public static Auth getAuth(KeycloakSession session, AuthenticationManager.AuthResult authResult, String clientId) {
-		RealmModel realm = session.getContext().getRealm();
-		ClientModel client;
-		if (clientId == null) {
-			client = authResult.getClient();
-		} else {
-			client = realm.getClientByClientId(clientId);
-		}
-		return new Auth(realm, authResult.getToken(), authResult.getUser(), client, authResult.getSession(), false);
-	}
-
-}
--- a/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProvider.java
+++ b/ssh-key-provider/src/main/java/de/ccc/hamburg/keycloak/ssh_key/SSHKeyResourceProvider.java
@ -8,16 +8,23 @@ import java.util.regex.Pattern;
 import java.util.stream.Stream;

 import org.jboss.logging.Logger;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.GroupModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserProvider;
 import org.keycloak.representations.userprofile.config.UPConfig;
+import org.keycloak.services.managers.AppAuthManager;
+import org.keycloak.services.managers.AppAuthManager.BearerTokenAuthenticator;
+import org.keycloak.services.managers.Auth;
+import org.keycloak.services.managers.AuthenticationManager.AuthResult;
 import org.keycloak.services.resource.RealmResourceProvider;
 import org.keycloak.userprofile.UserProfileProvider;

+import jakarta.ws.rs.ForbiddenException;
 import jakarta.ws.rs.GET;
+import jakarta.ws.rs.NotAuthorizedException;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
@ -50,9 +57,7 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {
    @Produces(MediaType.APPLICATION_JSON)
    public Response exportKeys(@PathParam("group_id") String groupId) {
        try {
-            AuthHelper.getAuth(
-                    session,
-                    authResult -> authResult.getToken().getIssuedFor().equals("admin-cli"));
+            SSHKeyResourceProvider.getAuth(session);
        } catch (Exception e) {
            System.err.println(e);
            return Response.status(401, e.getMessage()).build();
@ -95,4 +100,18 @@ public class SSHKeyResourceProvider implements RealmResourceProvider {

    }

+    private static Auth getAuth(KeycloakSession session) {
+    	AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
+    
+    	if (auth == null) {
+    		throw new NotAuthorizedException("Bearer");
+    	} else if (!auth.getToken().getIssuedFor().equals("admin-cli")) {
+    		throw new ForbiddenException();
+    	}
+    	
+    	RealmModel realm = session.getContext().getRealm();
+    	ClientModel client = auth.getClient();
+    	return new Auth(realm, auth.getToken(), auth.getUser(), client, auth.getSession(), false);
+    }
+
 }