Re-introduce force route option

2025-09-10 14:11:09 +00:00 · 2021-12-14 18:46:25 +01:00
parent a521dd87de
commit b02eaaa896
17 changed files with 294 additions and 55 deletions
--- a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
+++ b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
@@ -16,6 +16,7 @@ keycloak.authentication.silentRemoteUserValidationFailure=true
 keycloak.authentication.bodyBufferLimit=10485760

 keycloak.adapter.auth-server-url=http://localhost:8180/auth
+keycloak.adapter.forced-route-url=
 keycloak.adapter.proxy-url=
 keycloak.adapter.realm=alfresco
 keycloak.adapter.resource=alfresco
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/ExtendedAdapterConfig.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/ExtendedAdapterConfig.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2019 - 2021 Acosix GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.acosix.alfresco.keycloak.repo.spring;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+
+import org.keycloak.representations.adapters.config.AdapterConfig;
+
+/**
+ * Minorly extended configuration for Java based adapters
+ *
+ * @author Axel Faust
+ */
+@JsonPropertyOrder({ "realm", "realm-public-key", "auth-server-url", "ssl-required", "resource", "public-client", "credentials",
+        "use-resource-role-mappings", "enable-cors", "cors-max-age", "cors-allowed-methods", "cors-exposed-headers", "expose-token",
+        "bearer-only", "autodetect-bearer-only", "connection-pool-size", "socket-timeout-millis", "connection-ttl-millis",
+        "connection-timeout-millis", "allow-any-hostname", "disable-trust-manager", "truststore", "truststore-password", "client-keystore",
+        "client-keystore-password", "client-key-password", "always-refresh-token", "register-node-at-startup", "register-node-period",
+        "token-store", "adapter-state-cookie-path", "principal-attribute", "proxy-url", "forced-route-url",
+        "turn-off-change-session-id-on-login", "token-minimum-time-to-live", "min-time-between-jwks-requests", "public-key-cache-ttl",
+        "policy-enforcer", "ignore-oauth-query-parameter", "verify-token-audience" })
+public class ExtendedAdapterConfig extends AdapterConfig
+{
+
+    @JsonProperty("forced-route-url")
+    protected String forcedRouteUrl;
+
+    /**
+     * @return the forcedRouteUrl
+     */
+    public String getForcedRouteUrl()
+    {
+        return this.forcedRouteUrl;
+    }
+
+    /**
+     * @param forcedRouteUrl
+     *     the forcedRouteUrl to set
+     */
+    public void setForcedRouteUrl(final String forcedRouteUrl)
+    {
+        this.forcedRouteUrl = forcedRouteUrl;
+    }
+
+}
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakAdapterConfigBeanFactory.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakAdapterConfigBeanFactory.java
@@ -33,7 +33,6 @@ import java.util.Set;

 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.util.PropertyCheck;
-import org.keycloak.representations.adapters.config.AdapterConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.FactoryBean;
@@ -44,7 +43,7 @@ import org.springframework.util.PropertyPlaceholderHelper;
 /**
 * @author Axel Faust
 */
-public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConfig>, InitializingBean
+public class KeycloakAdapterConfigBeanFactory implements FactoryBean<ExtendedAdapterConfig>, InitializingBean
 {

    private static final Logger LOGGER = LoggerFactory.getLogger(KeycloakAdapterConfigBeanFactory.class);
@@ -74,7 +73,7 @@ public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConf
            primitiveWrapperTypeMap.put(primitiveTypes[i], wrapperTypes[i]);
        }

-        Class<?> cls = AdapterConfig.class;
+        Class<?> cls = ExtendedAdapterConfig.class;
        while (cls != null && !Object.class.equals(cls))
        {
            final Field[] fields = cls.getDeclaredFields();
@@ -152,7 +151,7 @@ public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConf

    /**
     * @param propertiesSource
-     *            the propertiesSource to set
+     *     the propertiesSource to set
     */
    public void setPropertiesSource(final Properties propertiesSource)
    {
@@ -161,7 +160,7 @@ public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConf

    /**
     * @param configPropertyPrefix
-     *            the configPropertyPrefix to set
+     *     the configPropertyPrefix to set
     */
    public void setConfigPropertyPrefix(final String configPropertyPrefix)
    {
@@ -170,7 +169,7 @@ public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConf

    /**
     * @param placeholderPrefix
-     *            the placeholderPrefix to set
+     *     the placeholderPrefix to set
     */
    public void setPlaceholderPrefix(final String placeholderPrefix)
    {
@@ -179,7 +178,7 @@ public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConf

    /**
     * @param placeholderSuffix
-     *            the placeholderSuffix to set
+     *     the placeholderSuffix to set
     */
    public void setPlaceholderSuffix(final String placeholderSuffix)
    {
@@ -188,7 +187,7 @@ public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConf

    /**
     * @param valueSeparator
-     *            the valueSeparator to set
+     *     the valueSeparator to set
     */
    public void setValueSeparator(final String valueSeparator)
    {
@@ -199,9 +198,9 @@ public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConf
     * {@inheritDoc}
     */
    @Override
-    public AdapterConfig getObject() throws Exception
+    public ExtendedAdapterConfig getObject() throws Exception
    {
-        final AdapterConfig adapterConfig = new AdapterConfig();
+        final ExtendedAdapterConfig adapterConfig = new ExtendedAdapterConfig();

        CONFIG_NAMES.forEach(configFieldName -> {
            final Class<?> valueType = VALUE_TYPE_BY_CONFIG_NAME.get(configFieldName);
@@ -248,7 +247,7 @@ public class KeycloakAdapterConfigBeanFactory implements FactoryBean<AdapterConf
    @Override
    public Class<?> getObjectType()
    {
-        return AdapterConfig.class;
+        return ExtendedAdapterConfig.class;
    }

    protected Object loadConfigValue(final String configFieldName, final Class<?> valueType)
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java
@@ -15,18 +15,27 @@
 */
 package de.acosix.alfresco.keycloak.repo.spring;

+import java.net.InetAddress;
+
 import org.alfresco.httpclient.HttpClientFactory.NonBlockingHttpParamsFactory;
 import org.alfresco.util.PropertyCheck;
 import org.apache.commons.httpclient.params.DefaultHttpParams;
+import org.apache.http.HttpHost;
+import org.apache.http.client.HttpClient;
+import org.apache.http.conn.params.ConnRoutePNames;
+import org.apache.http.conn.params.ConnRouteParams;
+import org.apache.http.conn.routing.HttpRoute;
+import org.apache.http.params.HttpParams;
+import org.keycloak.adapters.HttpClientBuilder;
 import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.KeycloakDeploymentBuilder;
-import org.keycloak.representations.adapters.config.AdapterConfig;
 import org.springframework.beans.factory.FactoryBean;
 import org.springframework.beans.factory.InitializingBean;

 /**
 * @author Axel Faust
 */
+@SuppressWarnings("deprecation")
 public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeployment>, InitializingBean
 {

@@ -36,7 +45,7 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
        DefaultHttpParams.setHttpParamsFactory(new NonBlockingHttpParamsFactory());
    }

-    protected AdapterConfig adapterConfig;
+    protected ExtendedAdapterConfig adapterConfig;

    /**
     *
@@ -52,7 +61,7 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
     * @param adapterConfig
     *     the adapterConfig to set
     */
-    public void setAdapterConfig(final AdapterConfig adapterConfig)
+    public void setAdapterConfig(final ExtendedAdapterConfig adapterConfig)
    {
        this.adapterConfig = adapterConfig;
    }
@@ -63,7 +72,12 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
    @Override
    public KeycloakDeployment getObject() throws Exception
    {
-        return KeycloakDeploymentBuilder.build(this.adapterConfig);
+        final KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(this.adapterConfig);
+        final HttpClientBuilder httpClientBuilder = new HttpClientBuilder();
+        final HttpClient client = httpClientBuilder.build(this.adapterConfig);
+        this.configureForcedRouteIfNecessary(client, this.adapterConfig.getForcedRouteUrl());
+        keycloakDeployment.setClient(client);
+        return keycloakDeployment;
    }

    /**
@@ -86,4 +100,27 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
    {
        return KeycloakDeployment.class;
    }
+
+    protected void configureForcedRouteIfNecessary(final HttpClient client, final String forcedRoute)
+    {
+        if (forcedRoute != null && !forcedRoute.isEmpty())
+        {
+            final HttpHost forcedRouteHost = HttpHost.create(forcedRoute);
+            final HttpParams params = client.getParams();
+            final InetAddress local = ConnRouteParams.getLocalAddress(params);
+            final HttpHost defaultProxy = ConnRouteParams.getDefaultProxy(params);
+            final boolean secure = forcedRouteHost.getSchemeName().equalsIgnoreCase("https");
+
+            HttpRoute route;
+            if (defaultProxy == null)
+            {
+                route = new HttpRoute(forcedRouteHost, local, secure);
+            }
+            else
+            {
+                route = new HttpRoute(forcedRouteHost, local, defaultProxy, secure);
+            }
+            params.setParameter(ConnRoutePNames.FORCED_ROUTE, route);
+        }
+    }
 }
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/token/AccessTokenClient.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/token/AccessTokenClient.java
@@ -1,5 +1,7 @@
 package de.acosix.alfresco.keycloak.repo.token;

+import com.fasterxml.jackson.core.JsonParseException;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
@@ -327,6 +329,10 @@ public class AccessTokenClient
        {
            return JsonSerialization.readValue(is, responseCls);
        }
+        catch (final JsonParseException jpe)
+        {
+            throw new AccessTokenException("Failed to parse access token response", jpe);
+        }
        finally
        {
            try