From 35d07b1616a1e9fbcca9a83d5c96fcee5553c10b Mon Sep 17 00:00:00 2001 From: AFaust Date: Sun, 17 Jan 2021 23:20:29 +0100 Subject: [PATCH] Extend utility flexible authenticator with access token awareness --- pom.xml | 2 +- repository/module.properties | 2 +- ...AccessTokenAwareAlfrescoAuthenticator.java | 63 +++++++++++++++++++ .../web-extension/share-config-custom.xml | 8 +++ 4 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 share/src/main/java/de/acosix/alfresco/keycloak/share/remote/AccessTokenAwareAlfrescoAuthenticator.java diff --git a/pom.xml b/pom.xml index f7b0464..1799048 100644 --- a/pom.xml +++ b/pom.xml @@ -79,7 +79,7 @@ 4.5.1 4.4.3 - 1.2.3 + 1.2.5-SNAPSHOT 1.1.0.0 diff --git a/repository/module.properties b/repository/module.properties index 85caf06..ca5c4af 100644 --- a/repository/module.properties +++ b/repository/module.properties @@ -5,4 +5,4 @@ module.version=${noSnapshotVersion} module.repo.version.min=5 -module.depends.acosix-utility=1.2.3-* \ No newline at end of file +module.depends.acosix-utility=1.2.5-* \ No newline at end of file diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/remote/AccessTokenAwareAlfrescoAuthenticator.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/remote/AccessTokenAwareAlfrescoAuthenticator.java new file mode 100644 index 0000000..9e5f8ac --- /dev/null +++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/remote/AccessTokenAwareAlfrescoAuthenticator.java 
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2019 - 2020 Acosix GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.acosix.alfresco.keycloak.share.remote;
+
+import javax.servlet.http.HttpSession;
+
+import org.keycloak.adapters.OidcKeycloakAccount;
+import org.keycloak.adapters.spi.KeycloakAccount;
+import org.springframework.extensions.surf.ServletUtil;
+import org.springframework.extensions.webscripts.connector.ConnectorSession;
+
+import de.acosix.alfresco.keycloak.share.util.RefreshableAccessTokenHolder;
+import de.acosix.alfresco.keycloak.share.web.KeycloakAuthenticationFilter;
+import de.acosix.alfresco.utility.share.connector.FlexibleAlfrescoAuthenticator;
+
+/**
+ * @author Axel Faust
+ */
+public class AccessTokenAwareAlfrescoAuthenticator extends FlexibleAlfrescoAuthenticator
+{
+
+ /**
+ *
+ * {@inheritDoc}
+ */
+ @Override
+ public boolean isAuthenticated(final String endpoint, final ConnectorSession connectorSession)
+ {
+ boolean authenticated = super.isAuthenticated(endpoint, connectorSession);
+
+ if (!authenticated)
+ {
+ final HttpSession session = ServletUtil.getSession();
+ final KeycloakAccount keycloakAccount = (KeycloakAccount) (session != null
+ ? session.getAttribute(KeycloakAuthenticationFilter.KEYCLOAK_ACCOUNT_SESSION_KEY)
+ : null);
+ final RefreshableAccessTokenHolder accessToken = (RefreshableAccessTokenHolder) (session != null
+ ? session.getAttribute(KeycloakAuthenticationFilter.ACCESS_TOKEN_SESSION_KEY)
+ : null);
+ final RefreshableAccessTokenHolder endpointSpecificAccessToken = (RefreshableAccessTokenHolder) (session != null
+ ? session.getAttribute(KeycloakAuthenticationFilter.BACKEND_ACCESS_TOKEN_SESSION_KEY)
+ : null);
+
+ authenticated = endpointSpecificAccessToken != null && endpointSpecificAccessToken.isActive()
+ || keycloakAccount instanceof OidcKeycloakAccount || accessToken != null;
+ }
+
+ return authenticated;
+ }
+}
diff --git a/share/src/test/docker/alfresco/web-extension/share-config-custom.xml b/share/src/test/docker/alfresco/web-extension/share-config-custom.xml
index e1afad4..07da1de 100644
--- a/share/src/test/docker/alfresco/web-extension/share-config-custom.xml
+++ b/share/src/test/docker/alfresco/web-extension/share-config-custom.xml
@@ -23,7 +23,15 @@ Alfresco Connector Connects to an Alfresco instance using cookie-based authentication and awareness of Keycloak access tokens de.acosix.alfresco.keycloak.share.remote.AccessTokenAwareSlingshotAlfrescoConnector + acosix-kc-authenticator + + + acosix-kc-authenticator + Acosix Keycloak Authenticator + Authenticator with flexible support for ticket, cookie, remote user, and access token + de.acosix.alfresco.keycloak.share.remote.AccessTokenAwareAlfrescoAuthenticator + alfresco
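Review bot: In the fallback branch of `AccessTokenAwareAlfrescoAuthenticator.isAuthenticated`, only the endpoint-specific token is checked with `isActive()`; a non-null `accessToken` or any `OidcKeycloakAccount` left in the session makes the method return true even if the token it carries has expired. If the connector is expected to refresh those tokens before use this may be intended, but the method should then say so in a comment; otherwise apply the same check, e.g. `|| (accessToken != null && accessToken.isActive())`. The fallback also never looks at `endpoint`, so the session tokens count as authentication for whichever endpoint this authenticator is configured on. The override's Javadoc is only `{@inheritDoc}` and does not mention the added session-token fallback. Wrapping the `&&` term in parentheses would make the intended precedence explicit.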