mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-10-01 14:41:46 +00:00
ACS-4751 Keycloak Migration - OAuth2 Client Role (#1798)
This commit is contained in:
Piotr Żurek
GitHub
9
pom.xml
9
pom.xml
@@ -79,7 +79,7 @@
|
||||
<dependency.gytheio.version>0.17</dependency.gytheio.version>
|
||||
<dependency.groovy.version>3.0.16</dependency.groovy.version>
|
||||
<dependency.tika.version>2.4.1</dependency.tika.version>
|
||||
<dependency.spring-security.version>5.7.5</dependency.spring-security.version>
|
||||
<dependency.spring-security.version>5.8.2</dependency.spring-security.version>
|
||||
<dependency.truezip.version>7.7.10</dependency.truezip.version>
|
||||
<dependency.poi.version>5.2.2</dependency.poi.version>
|
||||
<dependency.poi-ooxml-lite.version>5.2.3</dependency.poi-ooxml-lite.version>
|
||||
@@ -901,6 +901,13 @@
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-bom</artifactId>
|
||||
<version>${dependency.spring-security.version}</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</dependencyManagement>
|
||||
|
||||
|
||||
@@ -387,14 +387,11 @@
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-core</artifactId>
|
||||
<version>${dependency.spring-security.version}</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-expression</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
<artifactId>spring-security-crypto</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-oauth2-client</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.quartz-scheduler</groupId>
|
||||
@@ -557,17 +554,6 @@
|
||||
</dependency>
|
||||
|
||||
<!-- Keycloak dependencies -->
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-authz-client</artifactId>
|
||||
<version>${dependency.keycloak.version}</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>*</groupId>
|
||||
<artifactId>*</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-core</artifactId>
|
||||
|
||||
@@ -1,119 +0,0 @@
|
||||
/*
|
||||
* #%L
|
||||
* Alfresco Repository
|
||||
* %%
|
||||
* Copyright (C) 2005 - 2018 Alfresco Software Limited
|
||||
* %%
|
||||
* This file is part of the Alfresco software.
|
||||
* If the software was purchased under a paid Alfresco license, the terms of
|
||||
* the paid license agreement will prevail. Otherwise, the software is
|
||||
* provided under the following open source license terms:
|
||||
*
|
||||
* Alfresco is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* Alfresco is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public License
|
||||
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
||||
* #L%
|
||||
*/
|
||||
package org.alfresco.repo.security.authentication.identityservice;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.keycloak.adapters.HttpClientBuilder;
|
||||
import org.keycloak.authorization.client.AuthzClient;
|
||||
import org.keycloak.authorization.client.Configuration;
|
||||
import org.springframework.beans.factory.FactoryBean;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
/**
|
||||
*
|
||||
* Creates an instance of {@link AuthzClient}. <br>
|
||||
* The creation of {@link AuthzClient} requires connection to a Keycloak server, disable this factory if Keycloak cannot be reached. <br>
|
||||
* This factory can return a null if it is disabled.
|
||||
*
|
||||
*/
|
||||
public class AuthenticatorAuthzClientFactoryBean implements FactoryBean<AuthzClient>
|
||||
{
|
||||
|
||||
private static Log logger = LogFactory.getLog(AuthenticatorAuthzClientFactoryBean.class);
|
||||
private IdentityServiceConfig identityServiceConfig;
|
||||
private boolean enabled;
|
||||
|
||||
public void setEnabled(boolean enabled)
|
||||
{
|
||||
this.enabled = enabled;
|
||||
}
|
||||
|
||||
public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig)
|
||||
{
|
||||
this.identityServiceConfig = identityServiceConfig;
|
||||
}
|
||||
|
||||
@Override
|
||||
public AuthzClient getObject() throws Exception
|
||||
{
|
||||
// The creation of the client can be disabled for testing or when the username/password authentication is not required,
|
||||
// for instance when Keycloak is configured for 'bearer only' authentication or Direct Access Grants are disabled.
|
||||
if (!enabled)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
// Build default http client using the keycloak client builder.
|
||||
int conTimeout = identityServiceConfig.getClientConnectionTimeout();
|
||||
int socTimeout = identityServiceConfig.getClientSocketTimeout();
|
||||
HttpClient client = new HttpClientBuilder()
|
||||
.establishConnectionTimeout(conTimeout, TimeUnit.MILLISECONDS)
|
||||
.socketTimeout(socTimeout, TimeUnit.MILLISECONDS)
|
||||
.build(this.identityServiceConfig);
|
||||
|
||||
// Add secret to credentials if needed.
|
||||
// AuthzClient configuration needs credentials with a secret even if the client in Keycloak is configured as public.
|
||||
Map<String, Object> credentials = identityServiceConfig.getCredentials();
|
||||
if (credentials == null || !credentials.containsKey("secret"))
|
||||
{
|
||||
credentials = credentials == null ? new HashMap<>() : new HashMap<>(credentials);
|
||||
credentials.put("secret", "");
|
||||
}
|
||||
|
||||
// Create default AuthzClient for authenticating users against keycloak
|
||||
String authServerUrl = identityServiceConfig.getAuthServerUrl();
|
||||
String realm = identityServiceConfig.getRealm();
|
||||
String resource = identityServiceConfig.getResource();
|
||||
Configuration authzConfig = new Configuration(authServerUrl, realm, resource, credentials, client);
|
||||
AuthzClient authzClient = AuthzClient.create(authzConfig);
|
||||
|
||||
if (logger.isDebugEnabled())
|
||||
{
|
||||
logger.debug(" Created Keycloak AuthzClient");
|
||||
logger.debug(" Keycloak AuthzClient server URL: " + authzClient.getConfiguration().getAuthServerUrl());
|
||||
logger.debug(" Keycloak AuthzClient realm: " + authzClient.getConfiguration().getRealm());
|
||||
logger.debug(" Keycloak AuthzClient resource: " + authzClient.getConfiguration().getResource());
|
||||
}
|
||||
return authzClient;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Class<?> getObjectType()
|
||||
{
|
||||
return AuthenticatorAuthzClientFactoryBean.class;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isSingleton()
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
@@ -2,7 +2,7 @@
|
||||
* #%L
|
||||
* Alfresco Repository
|
||||
* %%
|
||||
* Copyright (C) 2005 - 2018 Alfresco Software Limited
|
||||
* Copyright (C) 2005 - 2023 Alfresco Software Limited
|
||||
* %%
|
||||
* This file is part of the Alfresco software.
|
||||
* If the software was purchased under a paid Alfresco license, the terms of
|
||||
@@ -25,38 +25,35 @@
|
||||
*/
|
||||
package org.alfresco.repo.security.authentication.identityservice;
|
||||
|
||||
import java.net.ConnectException;
|
||||
|
||||
import org.alfresco.error.ExceptionStackUtil;
|
||||
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
||||
import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationException;
|
||||
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client.CredentialsVerificationException;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.keycloak.authorization.client.AuthzClient;
|
||||
import org.keycloak.authorization.client.util.HttpResponseException;
|
||||
|
||||
/**
|
||||
*
|
||||
* Authenticates a user against Keycloak.
|
||||
* Keycloak's {@link AuthzClient} is used to retrieve an access token for the provided user credentials,
|
||||
* user is set as the current user if the user's access token can be obtained.
|
||||
* Authenticates a user against Identity Service (Keycloak).
|
||||
* {@link OAuth2Client} is used to verify provided user credentials. User is set as the current user if the user
|
||||
* credentials are valid.
|
||||
* <br>
|
||||
* The AuthzClient can be null in which case this authenticator will just fall through to the next one in the chain.
|
||||
* The {@link IdentityServiceAuthenticationComponent#oAuth2Client} can be null in which case this authenticator will
|
||||
* just fall through to the next one in the chain.
|
||||
*
|
||||
*/
|
||||
public class IdentityServiceAuthenticationComponent extends AbstractAuthenticationComponent implements ActivateableBean
|
||||
{
|
||||
private final Log logger = LogFactory.getLog(IdentityServiceAuthenticationComponent.class);
|
||||
/** client used to authenticate user credentials against Keycloak **/
|
||||
private AuthzClient authzClient;
|
||||
private final Log LOGGER = LogFactory.getLog(IdentityServiceAuthenticationComponent.class);
|
||||
/** client used to authenticate user credentials against Authorization Server **/
|
||||
private OAuth2Client oAuth2Client;
|
||||
/** enabled flag for the identity service subsystem**/
|
||||
private boolean active;
|
||||
private boolean allowGuestLogin;
|
||||
|
||||
public void setAuthenticatorAuthzClient(AuthzClient authenticatorAuthzClient)
|
||||
public void setOAuth2Client(OAuth2Client oAuth2Client)
|
||||
{
|
||||
this.authzClient = authenticatorAuthzClient;
|
||||
this.oAuth2Client = oAuth2Client;
|
||||
}
|
||||
|
||||
public void setAllowGuestLogin(boolean allowGuestLogin)
|
||||
@@ -67,49 +64,31 @@ public class IdentityServiceAuthenticationComponent extends AbstractAuthenticati
|
||||
public void authenticateImpl(String userName, char[] password) throws AuthenticationException
|
||||
{
|
||||
|
||||
if (authzClient == null)
|
||||
if (oAuth2Client == null)
|
||||
{
|
||||
if (logger.isDebugEnabled())
|
||||
if (LOGGER.isDebugEnabled())
|
||||
{
|
||||
logger.debug("AuthzClient was not set, possibly due to the 'identity-service.authentication.enable-username-password-authentication=false' property. ");
|
||||
LOGGER.debug("OAuth2Client was not set, possibly due to the 'identity-service.authentication.enable-username-password-authentication=false' property.");
|
||||
}
|
||||
|
||||
throw new AuthenticationException("User not authenticated because AuthzClient was not set.");
|
||||
throw new AuthenticationException("User not authenticated because OAuth2Client was not set.");
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
// Attempt to get an access token using the user credentials
|
||||
authzClient.obtainAccessToken(userName, new String(password));
|
||||
// Attempt to verify user credentials
|
||||
oAuth2Client.verifyCredentials(userName, new String(password));
|
||||
|
||||
// Successfully obtained access token so treat as authenticated user
|
||||
// Verification was successful so treat as authenticated user
|
||||
setCurrentUser(userName);
|
||||
}
|
||||
catch (HttpResponseException e)
|
||||
catch (CredentialsVerificationException e)
|
||||
{
|
||||
if (logger.isDebugEnabled())
|
||||
{
|
||||
logger.debug("Failed to authenticate user against Keycloak. Status: " + e.getStatusCode() + " Reason: "+ e.getReasonPhrase());
|
||||
}
|
||||
|
||||
throw new AuthenticationException("Failed to authenticate user against Keycloak.", e);
|
||||
throw new AuthenticationException("Failed to verify user credentials against the OAuth2 Authorization Server.", e);
|
||||
}
|
||||
catch (RuntimeException e)
|
||||
{
|
||||
Throwable cause = ExceptionStackUtil.getCause(e, ConnectException.class);
|
||||
if (cause != null)
|
||||
{
|
||||
if (logger.isWarnEnabled())
|
||||
{
|
||||
logger.warn("Couldn't connect to Keycloak server to authenticate user. Reason: " + cause.getMessage());
|
||||
}
|
||||
throw new AuthenticationException("Couldn't connect to Keycloak server to authenticate user.", cause);
|
||||
}
|
||||
if (logger.isDebugEnabled())
|
||||
{
|
||||
logger.debug("Error occurred while authenticating user against Keycloak. Reason: " + e.getMessage());
|
||||
}
|
||||
throw new AuthenticationException("Error occurred while authenticating user against Keycloak.", e);
|
||||
throw new AuthenticationException("Failed to verify user credentials.", e);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -129,4 +108,32 @@ public class IdentityServiceAuthenticationComponent extends AbstractAuthenticati
|
||||
{
|
||||
return allowGuestLogin;
|
||||
}
|
||||
|
||||
/**
|
||||
* An abstraction for acting as an OAuth2 Client
|
||||
*/
|
||||
interface OAuth2Client
|
||||
{
|
||||
/**
|
||||
* The OAuth2's Client role is only used to verify the user credentials (Resource Owner Password
|
||||
* Credentials Flow) this is why there is an explicit method for verifying these.
|
||||
* @param userName user's name
|
||||
* @param password user's password
|
||||
* @throws CredentialsVerificationException when the verification failed or couldn't be performed
|
||||
*/
|
||||
void verifyCredentials(String userName, String password);
|
||||
|
||||
class CredentialsVerificationException extends RuntimeException
|
||||
{
|
||||
CredentialsVerificationException(String message)
|
||||
{
|
||||
super(message);
|
||||
}
|
||||
|
||||
CredentialsVerificationException(String message, Throwable cause)
|
||||
{
|
||||
super(message, cause);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
* #%L
|
||||
* Alfresco Repository
|
||||
* %%
|
||||
* Copyright (C) 2005 - 2016 Alfresco Software Limited
|
||||
* Copyright (C) 2005 - 2023 Alfresco Software Limited
|
||||
* %%
|
||||
* This file is part of the Alfresco software.
|
||||
* If the software was purchased under a paid Alfresco license, the terms of
|
||||
@@ -26,6 +26,7 @@
|
||||
package org.alfresco.repo.security.authentication.identityservice;
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.Optional;
|
||||
import java.util.Properties;
|
||||
import java.util.TreeMap;
|
||||
|
||||
@@ -33,6 +34,7 @@ import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.keycloak.representations.adapters.config.AdapterConfig;
|
||||
import org.springframework.beans.factory.InitializingBean;
|
||||
import org.springframework.web.util.UriComponentsBuilder;
|
||||
|
||||
/**
|
||||
* Class to hold configuration for the Identity Service.
|
||||
@@ -41,8 +43,9 @@ import org.springframework.beans.factory.InitializingBean;
|
||||
*/
|
||||
public class IdentityServiceConfig extends AdapterConfig implements InitializingBean
|
||||
{
|
||||
private static Log logger = LogFactory.getLog(IdentityServiceConfig.class);
|
||||
|
||||
private static final Log LOGGER = LogFactory.getLog(IdentityServiceConfig.class);
|
||||
private static final String REALMS = "realms";
|
||||
private static final String SECRET = "secret";
|
||||
private static final String CREDENTIALS_SECRET = "identity-service.credentials.secret";
|
||||
private static final String CREDENTIALS_PROVIDER = "identity-service.credentials.provider";
|
||||
|
||||
@@ -95,13 +98,13 @@ public class IdentityServiceConfig extends AdapterConfig implements Initializing
|
||||
@Override
|
||||
public void afterPropertiesSet() throws Exception
|
||||
{
|
||||
// programatically build the more complex objects i.e. credentials
|
||||
// programmatically build the more complex objects i.e. credentials
|
||||
Map<String, Object> credentials = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
|
||||
|
||||
String secret = this.globalProperties.getProperty(CREDENTIALS_SECRET);
|
||||
if (secret != null && !secret.isEmpty())
|
||||
{
|
||||
credentials.put("secret", secret);
|
||||
credentials.put(SECRET, secret);
|
||||
}
|
||||
|
||||
String provider = this.globalProperties.getProperty(CREDENTIALS_PROVIDER);
|
||||
@@ -116,10 +119,27 @@ public class IdentityServiceConfig extends AdapterConfig implements Initializing
|
||||
{
|
||||
this.setCredentials(credentials);
|
||||
|
||||
if (logger.isDebugEnabled())
|
||||
if (LOGGER.isDebugEnabled())
|
||||
{
|
||||
logger.debug("Created credentials map from config: " + credentials);
|
||||
LOGGER.debug("Created credentials map from config: " + credentials);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
String getIssuerUrl()
|
||||
{
|
||||
return UriComponentsBuilder.fromUriString(getAuthServerUrl())
|
||||
.pathSegment(REALMS, getRealm())
|
||||
.build()
|
||||
.toString();
|
||||
}
|
||||
|
||||
public String getClientSecret()
|
||||
{
|
||||
return Optional.ofNullable(getCredentials())
|
||||
.map(c -> c.get(SECRET))
|
||||
.filter(String.class::isInstance)
|
||||
.map(String.class::cast)
|
||||
.orElse("");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,270 @@
|
||||
/*
|
||||
* #%L
|
||||
* Alfresco Repository
|
||||
* %%
|
||||
* Copyright (C) 2005 - 2023 Alfresco Software Limited
|
||||
* %%
|
||||
* This file is part of the Alfresco software.
|
||||
* If the software was purchased under a paid Alfresco license, the terms of
|
||||
* the paid license agreement will prevail. Otherwise, the software is
|
||||
* provided under the following open source license terms:
|
||||
*
|
||||
* Alfresco is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* Alfresco is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public License
|
||||
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
||||
* #L%
|
||||
*/
|
||||
package org.alfresco.repo.security.authentication.identityservice;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Objects;
|
||||
import java.util.concurrent.atomic.AtomicReference;
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.beans.factory.FactoryBean;
|
||||
import org.springframework.http.client.SimpleClientHttpRequestFactory;
|
||||
import org.springframework.http.converter.FormHttpMessageConverter;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder.PasswordGrantBuilder;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
|
||||
import org.springframework.security.oauth2.client.endpoint.DefaultPasswordTokenResponseClient;
|
||||
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
|
||||
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
/**
|
||||
*
|
||||
* Creates an instance of {@link OAuth2Client}. <br>
|
||||
* The creation of {@link OAuth2Client} requires connection to the Identity Service (Keycloak), disable this factory if
|
||||
* the server cannot be reached. <br>
|
||||
* This factory can return a null if it is disabled.
|
||||
*
|
||||
*/
|
||||
public class OAuth2ClientFactoryBean implements FactoryBean<OAuth2Client>
|
||||
{
|
||||
|
||||
private static final Log LOGGER = LogFactory.getLog(OAuth2ClientFactoryBean.class);
|
||||
private IdentityServiceConfig identityServiceConfig;
|
||||
private boolean enabled;
|
||||
|
||||
public void setEnabled(boolean enabled)
|
||||
{
|
||||
this.enabled = enabled;
|
||||
}
|
||||
|
||||
public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig)
|
||||
{
|
||||
this.identityServiceConfig = identityServiceConfig;
|
||||
}
|
||||
|
||||
@Override
|
||||
public OAuth2Client getObject() throws Exception
|
||||
{
|
||||
// The creation of the client can be disabled for testing or when the username/password authentication is not required,
|
||||
// for instance when Keycloak is configured for 'bearer only' authentication or Direct Access Grants are disabled.
|
||||
if (!enabled)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
// The OAuth2AuthorizedClientManager isn't created upfront to make the code resilient to Identity Service being down.
|
||||
// If it's down the Application Context will start and when it's back online it can be used.
|
||||
return new SpringOAuth2Client(this::createOAuth2AuthorizedClientManager);
|
||||
}
|
||||
|
||||
private OAuth2AuthorizedClientManager createOAuth2AuthorizedClientManager()
|
||||
{
|
||||
//Here we preserve the behaviour of previously used Keycloak Adapter
|
||||
// * Client is authenticating itself using basic auth
|
||||
// * Resource Owner Password Credentials Flow is used to authenticate Resource Owner
|
||||
// * There is no caching of authenticated clients (NoStoredAuthorizedClient)
|
||||
// * There is only one Authorization Server/Client pair (SingleClientRegistration)
|
||||
|
||||
final ClientRegistration clientRegistration = ClientRegistrations
|
||||
.fromIssuerLocation(identityServiceConfig.getIssuerUrl())
|
||||
.clientId(identityServiceConfig.getResource())
|
||||
.clientSecret(identityServiceConfig.getClientSecret())
|
||||
.authorizationGrantType(AuthorizationGrantType.PASSWORD)
|
||||
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
|
||||
.registrationId(SpringOAuth2Client.CLIENT_REGISTRATION_ID)
|
||||
.build();
|
||||
|
||||
final AuthorizedClientServiceOAuth2AuthorizedClientManager oauth2 =
|
||||
new AuthorizedClientServiceOAuth2AuthorizedClientManager(
|
||||
new SingleClientRegistration(clientRegistration),
|
||||
new NoStoredAuthorizedClient());
|
||||
oauth2.setContextAttributesMapper(OAuth2AuthorizeRequest::getAttributes);
|
||||
oauth2.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.password(this::configureTimeouts)
|
||||
.build());
|
||||
|
||||
if (LOGGER.isDebugEnabled())
|
||||
{
|
||||
LOGGER.debug(" Created OAuth2 Client");
|
||||
LOGGER.debug(" OAuth2 Issuer URL: " + clientRegistration.getProviderDetails().getIssuerUri());
|
||||
LOGGER.debug(" OAuth2 ClientId: " + clientRegistration.getClientId());
|
||||
}
|
||||
|
||||
return oauth2;
|
||||
}
|
||||
|
||||
private void configureTimeouts(PasswordGrantBuilder builder)
|
||||
{
|
||||
final SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
|
||||
requestFactory.setConnectTimeout(identityServiceConfig.getClientConnectionTimeout());
|
||||
requestFactory.setReadTimeout(identityServiceConfig.getClientSocketTimeout());
|
||||
|
||||
final RestTemplate restTemplate = new RestTemplate(Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
|
||||
restTemplate.setRequestFactory(requestFactory);
|
||||
restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
|
||||
|
||||
final DefaultPasswordTokenResponseClient client = new DefaultPasswordTokenResponseClient();
|
||||
client.setRestOperations(restTemplate);
|
||||
|
||||
builder.accessTokenResponseClient(client);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Class<?> getObjectType()
|
||||
{
|
||||
return OAuth2Client.class;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isSingleton()
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
static class SpringOAuth2Client implements OAuth2Client
|
||||
{
|
||||
private static final String CLIENT_REGISTRATION_ID = "ids";
|
||||
private final Supplier<OAuth2AuthorizedClientManager> authorizedClientManagerSupplier;
|
||||
private final AtomicReference<OAuth2AuthorizedClientManager> authorizedClientManager = new AtomicReference<>();
|
||||
|
||||
public SpringOAuth2Client(Supplier<OAuth2AuthorizedClientManager> authorizedClientManagerSupplier)
|
||||
{
|
||||
this.authorizedClientManagerSupplier = Objects.requireNonNull(authorizedClientManagerSupplier);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void verifyCredentials(String userName, String password)
|
||||
{
|
||||
final OAuth2AuthorizedClientManager clientManager;
|
||||
try
|
||||
{
|
||||
clientManager = getAuthorizedClientManager();
|
||||
}
|
||||
catch (RuntimeException e)
|
||||
{
|
||||
LOGGER.warn("Failed to instantiate OAuth2AuthorizedClientManager.", e);
|
||||
throw new CredentialsVerificationException("Unable to use the Authorization Server.", e);
|
||||
}
|
||||
|
||||
final OAuth2AuthorizedClient authorizedClient;
|
||||
try
|
||||
{
|
||||
final OAuth2AuthorizeRequest authRequest = createPasswordCredentialsRequest(userName, password);
|
||||
authorizedClient = clientManager.authorize(authRequest);
|
||||
}
|
||||
catch (OAuth2AuthorizationException e)
|
||||
{
|
||||
LOGGER.debug("Failed to authorize against Authorization Server. Reason: " + e.getError() + ".");
|
||||
throw new CredentialsVerificationException("Authorization against the Authorization Server failed with " + e.getError() + ".", e);
|
||||
}
|
||||
catch (RuntimeException e)
|
||||
{
|
||||
LOGGER.warn("Failed to authorize against Authorization Server. Reason: " + e.getMessage());
|
||||
throw new CredentialsVerificationException("Failed to authorize against Authorization Server.", e);
|
||||
}
|
||||
|
||||
if (authorizedClient == null || authorizedClient.getAccessToken() == null)
|
||||
{
|
||||
throw new CredentialsVerificationException("Resource Owner Password Credentials is not supported by the Authorization Server.");
|
||||
}
|
||||
}
|
||||
|
||||
private OAuth2AuthorizedClientManager getAuthorizedClientManager()
|
||||
{
|
||||
final OAuth2AuthorizedClientManager current = authorizedClientManager.get();
|
||||
if (current != null)
|
||||
{
|
||||
return current;
|
||||
}
|
||||
return authorizedClientManager
|
||||
.updateAndGet(prev -> prev != null ? prev : authorizedClientManagerSupplier.get());
|
||||
}
|
||||
|
||||
private OAuth2AuthorizeRequest createPasswordCredentialsRequest(String userName, String password)
|
||||
{
|
||||
return OAuth2AuthorizeRequest
|
||||
.withClientRegistrationId(CLIENT_REGISTRATION_ID)
|
||||
.principal(userName)
|
||||
.attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, userName)
|
||||
.attribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password)
|
||||
.build();
|
||||
}
|
||||
}
|
||||
|
||||
private static class NoStoredAuthorizedClient implements OAuth2AuthorizedClientService
|
||||
{
|
||||
|
||||
@Override
|
||||
public <T extends OAuth2AuthorizedClient> T loadAuthorizedClient(String clientRegistrationId, String principalName)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void saveAuthorizedClient(OAuth2AuthorizedClient authorizedClient, Authentication principal)
|
||||
{
|
||||
//do nothing
|
||||
}
|
||||
|
||||
@Override
|
||||
public void removeAuthorizedClient(String clientRegistrationId, String principalName)
|
||||
{
|
||||
//do nothing
|
||||
}
|
||||
}
|
||||
|
||||
private static class SingleClientRegistration implements ClientRegistrationRepository
|
||||
{
|
||||
private final ClientRegistration clientRegistration;
|
||||
|
||||
private SingleClientRegistration(ClientRegistration clientRegistration)
|
||||
{
|
||||
this.clientRegistration = Objects.requireNonNull(clientRegistration);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ClientRegistration findByRegistrationId(String registrationId)
|
||||
{
|
||||
return Objects.equals(registrationId, clientRegistration.getRegistrationId()) ? clientRegistration : null;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -21,12 +21,12 @@
|
||||
<property name="allowGuestLogin">
|
||||
<value>${identity-service.authentication.allowGuestLogin}</value>
|
||||
</property>
|
||||
<property name="authenticatorAuthzClient">
|
||||
<ref bean="authenticatorAuthzClient"/>
|
||||
<property name="oAuth2Client">
|
||||
<ref bean="oAuth2Client"/>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean name="authenticatorAuthzClient" class="org.alfresco.repo.security.authentication.identityservice.AuthenticatorAuthzClientFactoryBean">
|
||||
<bean name="oAuth2Client" class="org.alfresco.repo.security.authentication.identityservice.OAuth2ClientFactoryBean">
|
||||
<property name="identityServiceConfig">
|
||||
<ref bean="identityServiceConfig" />
|
||||
</property>
|
||||
|
||||
@@ -136,6 +136,7 @@ import org.junit.runners.Suite;
|
||||
org.alfresco.repo.search.impl.solr.facet.FacetQNameUtilsTest.class,
|
||||
org.alfresco.util.BeanExtenderUnitTest.class,
|
||||
org.alfresco.repo.solr.SOLRTrackingComponentUnitTest.class,
|
||||
org.alfresco.repo.security.authentication.identityservice.SpringOAuth2ClientUnitTest.class,
|
||||
org.alfresco.repo.security.authentication.CompositePasswordEncoderTest.class,
|
||||
org.alfresco.repo.security.authentication.PasswordHashingTest.class,
|
||||
org.alfresco.repo.security.authority.script.ScriptAuthorityService_RegExTest.class,
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
* #%L
|
||||
* Alfresco Repository
|
||||
* %%
|
||||
* Copyright (C) 2005 - 2018 Alfresco Software Limited
|
||||
* Copyright (C) 2005 - 2023 Alfresco Software Limited
|
||||
* %%
|
||||
* This file is part of the Alfresco software.
|
||||
* If the software was purchased under a paid Alfresco license, the terms of
|
||||
@@ -25,14 +25,17 @@
|
||||
*/
|
||||
package org.alfresco.repo.security.authentication.identityservice;
|
||||
|
||||
import static org.mockito.Mockito.doNothing;
|
||||
import static org.mockito.Mockito.doThrow;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import java.net.ConnectException;
|
||||
|
||||
import org.alfresco.error.ExceptionStackUtil;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationContext;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationException;
|
||||
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client;
|
||||
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client.CredentialsVerificationException;
|
||||
import org.alfresco.repo.security.sync.UserRegistrySynchronizer;
|
||||
import org.alfresco.service.cmr.repository.NodeService;
|
||||
import org.alfresco.service.cmr.security.PersonService;
|
||||
@@ -41,9 +44,6 @@ import org.alfresco.util.BaseSpringTest;
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.authorization.client.AuthzClient;
|
||||
import org.keycloak.authorization.client.util.HttpResponseException;
|
||||
import org.keycloak.representations.AccessTokenResponse;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
||||
public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
|
||||
@@ -65,7 +65,7 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
|
||||
@Autowired
|
||||
private PersonService personService;
|
||||
|
||||
private AuthzClient mockAuthzClient;
|
||||
private OAuth2Client mockOAuth2Client;
|
||||
|
||||
@Before
|
||||
public void setUp()
|
||||
@@ -76,8 +76,8 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
|
||||
authComponent.setNodeService(nodeService);
|
||||
authComponent.setPersonService(personService);
|
||||
|
||||
mockAuthzClient = mock(AuthzClient.class);
|
||||
authComponent.setAuthenticatorAuthzClient(mockAuthzClient);
|
||||
mockOAuth2Client = mock(OAuth2Client.class);
|
||||
authComponent.setOAuth2Client(mockOAuth2Client);
|
||||
}
|
||||
|
||||
@After
|
||||
@@ -89,8 +89,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
|
||||
@Test (expected=AuthenticationException.class)
|
||||
public void testAuthenticationFail()
|
||||
{
|
||||
when(mockAuthzClient.obtainAccessToken("username", "password"))
|
||||
.thenThrow(new HttpResponseException("Unauthorized", 401, "Unauthorized", null));
|
||||
doThrow(new CredentialsVerificationException("Failed"))
|
||||
.when(mockOAuth2Client)
|
||||
.verifyCredentials("username", "password");
|
||||
|
||||
authComponent.authenticateImpl("username", "password".toCharArray());
|
||||
}
|
||||
@@ -98,8 +99,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
|
||||
@Test(expected = AuthenticationException.class)
|
||||
public void testAuthenticationFail_connectionException()
|
||||
{
|
||||
when(mockAuthzClient.obtainAccessToken("username", "password")).thenThrow(
|
||||
new RuntimeException("Couldn't connect to server", new ConnectException("ConnectionRefused")));
|
||||
doThrow(new CredentialsVerificationException("Couldn't connect to server", new ConnectException("ConnectionRefused")))
|
||||
.when(mockOAuth2Client)
|
||||
.verifyCredentials("username", "password");
|
||||
|
||||
try
|
||||
{
|
||||
@@ -116,8 +118,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
|
||||
@Test (expected=AuthenticationException.class)
|
||||
public void testAuthenticationFail_otherException()
|
||||
{
|
||||
when(mockAuthzClient.obtainAccessToken("username", "password"))
|
||||
.thenThrow(new RuntimeException("Some other errors!"));
|
||||
doThrow(new RuntimeException("Some other errors!"))
|
||||
.when(mockOAuth2Client)
|
||||
.verifyCredentials("username", "password");
|
||||
|
||||
authComponent.authenticateImpl("username", "password".toCharArray());
|
||||
}
|
||||
@@ -125,8 +128,7 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
|
||||
@Test
|
||||
public void testAuthenticationPass()
|
||||
{
|
||||
when(mockAuthzClient.obtainAccessToken("username", "password"))
|
||||
.thenReturn(new AccessTokenResponse());
|
||||
doNothing().when(mockOAuth2Client).verifyCredentials("username", "password");
|
||||
|
||||
authComponent.authenticateImpl("username", "password".toCharArray());
|
||||
|
||||
@@ -135,9 +137,9 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
|
||||
}
|
||||
|
||||
@Test (expected= AuthenticationException.class)
|
||||
public void testFallthroughWhenAuthzClientIsNull()
|
||||
public void testFallthroughWhenOAuth2ClientIsNull()
|
||||
{
|
||||
authComponent.setAuthenticatorAuthzClient(null);
|
||||
authComponent.setOAuth2Client(null);
|
||||
authComponent.authenticateImpl("username", "password".toCharArray());
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,124 @@
|
||||
/*
|
||||
* #%L
|
||||
* Alfresco Repository
|
||||
* %%
|
||||
* Copyright (C) 2005 - 2023 Alfresco Software Limited
|
||||
* %%
|
||||
* This file is part of the Alfresco software.
|
||||
* If the software was purchased under a paid Alfresco license, the terms of
|
||||
* the paid license agreement will prevail. Otherwise, the software is
|
||||
* provided under the following open source license terms:
|
||||
*
|
||||
* Alfresco is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* Alfresco is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public License
|
||||
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
||||
* #L%
|
||||
*/
|
||||
package org.alfresco.repo.security.authentication.identityservice;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.argThat;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceAuthenticationComponent.OAuth2Client.CredentialsVerificationException;
|
||||
import org.alfresco.repo.security.authentication.identityservice.OAuth2ClientFactoryBean.SpringOAuth2Client;
|
||||
import org.junit.Test;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
|
||||
public class SpringOAuth2ClientUnitTest
|
||||
{
|
||||
private static final String USER_NAME = "user";
|
||||
private static final String PASSWORD = "password";
|
||||
|
||||
@Test
|
||||
public void shouldRecoverFromInitialAuthorizationServerUnavailability()
|
||||
{
|
||||
final OAuth2AuthorizedClient authorizedClient = mock(OAuth2AuthorizedClient.class);
|
||||
when(authorizedClient.getAccessToken()).thenReturn(mock(OAuth2AccessToken.class));
|
||||
final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class);
|
||||
when(authClientManager.authorize(any())).thenReturn(authorizedClient);
|
||||
|
||||
final SpringOAuth2Client client = new SpringOAuth2Client(faultySupplier(3, authClientManager));
|
||||
|
||||
assertThatExceptionOfType(CredentialsVerificationException.class)
|
||||
.isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD))
|
||||
.havingCause().withNoCause().withMessage("Expected failure #1");
|
||||
verifyNoInteractions(authClientManager);
|
||||
|
||||
assertThatExceptionOfType(CredentialsVerificationException.class)
|
||||
.isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD))
|
||||
.havingCause().withNoCause().withMessage("Expected failure #2");
|
||||
verifyNoInteractions(authClientManager);
|
||||
|
||||
assertThatExceptionOfType(CredentialsVerificationException.class)
|
||||
.isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD))
|
||||
.havingCause().withNoCause().withMessage("Expected failure #3");
|
||||
verifyNoInteractions(authClientManager);
|
||||
|
||||
client.verifyCredentials(USER_NAME, PASSWORD);
|
||||
verify(authClientManager).authorize(argThat(r -> r.getPrincipal() != null && USER_NAME.equals(r.getPrincipal().getPrincipal())));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldThrowVerificationExceptionOnFailure()
|
||||
{
|
||||
final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class);
|
||||
when(authClientManager.authorize(any())).thenThrow(new RuntimeException("Expected"));
|
||||
|
||||
final SpringOAuth2Client client = new SpringOAuth2Client(() -> authClientManager);
|
||||
|
||||
assertThatExceptionOfType(CredentialsVerificationException.class)
|
||||
.isThrownBy(() -> client.verifyCredentials(USER_NAME, PASSWORD))
|
||||
.havingCause().withNoCause().withMessage("Expected");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldAvoidCreatingMultipleInstanceOfOAuth2AuthorizedClientManager()
|
||||
{
|
||||
final OAuth2AuthorizedClient authorizedClient = mock(OAuth2AuthorizedClient.class);
|
||||
when(authorizedClient.getAccessToken()).thenReturn(mock(OAuth2AccessToken.class));
|
||||
final OAuth2AuthorizedClientManager authClientManager = mock(OAuth2AuthorizedClientManager.class);
|
||||
when(authClientManager.authorize(any())).thenReturn(authorizedClient);
|
||||
final Supplier<OAuth2AuthorizedClientManager> supplier = mock(Supplier.class);
|
||||
when(supplier.get()).thenReturn(authClientManager);
|
||||
|
||||
final SpringOAuth2Client client = new SpringOAuth2Client(supplier);
|
||||
|
||||
client.verifyCredentials(USER_NAME, PASSWORD);
|
||||
client.verifyCredentials(USER_NAME, PASSWORD);
|
||||
client.verifyCredentials(USER_NAME, PASSWORD);
|
||||
verify(supplier, times(1)).get();
|
||||
verify(authClientManager, times(3)).authorize(any());
|
||||
}
|
||||
|
||||
private Supplier<OAuth2AuthorizedClientManager> faultySupplier(int numberOfInitialFailures, OAuth2AuthorizedClientManager authClientManager)
|
||||
{
|
||||
final int[] counter = new int[]{0};
|
||||
return () -> {
|
||||
if (counter[0]++ < numberOfInitialFailures)
|
||||
{
|
||||
throw new RuntimeException("Expected failure #" + counter[0]);
|
||||
}
|
||||
return authClientManager;
|
||||
};
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user