gCubeSystem
/
keycloak-client-legacy-is
17
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

First release as refactoring of the `keycloak-client` library; moved the discovery functionality (to be compatible with SGv4) here to provide the backward compatibility. (#23478)

This commit is contained in:
Mauro Mugnaini 2022-06-08 19:24:14 +02:00
commit 8a7f4d98f0
17 changed files with 1395 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
.classpath
.project
.settings
target

6
CHANGELOG.md Normal file
View File

@ -0,0 +1,6 @@
This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
# Changelog for "keycloak-client"
## [v1.0.0-SNAPSHOT]
- First release as refactoring of the `keycloak-client` library; moved the discovery functionality (to be compatible with SGv4) here to provide the backward compatibility. (#23478)

26
FUNDING.md Normal file
View File

@ -0,0 +1,26 @@
# Acknowledgments
The projects leading to this software have received funding from a series of European Union programmes including:
- the Sixth Framework Programme for Research and Technological Development
- [DILIGENT](https://cordis.europa.eu/project/id/004260) (grant no. 004260).
- the Seventh Framework Programme for research, technological development and demonstration
- [D4Science](https://cordis.europa.eu/project/id/212488) (grant no. 212488);
- [D4Science-II](https://cordis.europa.eu/project/id/239019) (grant no.239019);
- [ENVRI](https://cordis.europa.eu/project/id/283465) (grant no. 283465);
- [iMarine](https://cordis.europa.eu/project/id/283644) (grant no. 283644);
- [EUBrazilOpenBio](https://cordis.europa.eu/project/id/288754) (grant no. 288754).
- the H2020 research and innovation programme
- [SoBigData](https://cordis.europa.eu/project/id/654024) (grant no. 654024);
- [PARTHENOS](https://cordis.europa.eu/project/id/654119) (grant no. 654119);
- [EGI-Engage](https://cordis.europa.eu/project/id/654142) (grant no. 654142);
- [ENVRI PLUS](https://cordis.europa.eu/project/id/654182) (grant no. 654182);
- [BlueBRIDGE](https://cordis.europa.eu/project/id/675680) (grant no. 675680);
- [PerformFISH](https://cordis.europa.eu/project/id/727610) (grant no. 727610);
- [AGINFRA PLUS](https://cordis.europa.eu/project/id/731001) (grant no. 731001);
- [DESIRA](https://cordis.europa.eu/project/id/818194) (grant no. 818194);
- [ARIADNEplus](https://cordis.europa.eu/project/id/823914) (grant no. 823914);
- [RISIS 2](https://cordis.europa.eu/project/id/824091) (grant no. 824091);
- [EOSC-Pillar](https://cordis.europa.eu/project/id/857650) (grant no. 857650);
- [Blue Cloud](https://cordis.europa.eu/project/id/862409) (grant no. 862409);
- [SoBigData-PlusPlus](https://cordis.europa.eu/project/id/871042) (grant no. 871042);

311
LICENSE.md Normal file
View File

@ -0,0 +1,311 @@
#European Union Public Licence V.1.1
##*EUPL © the European Community 2007*
This **European Union Public Licence** (the **“EUPL”**) applies to the Work or Software
(as defined below) which is provided under the terms of this Licence. Any use of
the Work, other than as authorised under this Licence is prohibited (to the
extent such use is covered by a right of the copyright holder of the Work).
The Original Work is provided under the terms of this Licence when the Licensor
(as defined below) has placed the following notice immediately following the
copyright notice for the Original Work:
**Licensed under the EUPL V.1.1**
or has expressed by any other mean his willingness to license under the EUPL.
##1. Definitions
In this Licence, the following terms have the following meaning:
- The Licence: this Licence.
- The Original Work or the Software: the software distributed and/or
communicated by the Licensor under this Licence, available as Source Code and
also as Executable Code as the case may be.
- Derivative Works: the works or software that could be created by the Licensee,
based upon the Original Work or modifications thereof. This Licence does not
define the extent of modification or dependence on the Original Work required
in order to classify a work as a Derivative Work; this extent is determined by
copyright law applicable in the country mentioned in Article 15.
- The Work: the Original Work and/or its Derivative Works.
- The Source Code: the human-readable form of the Work which is the most
convenient for people to study and modify.
- The Executable Code: any code which has generally been compiled and which is
meant to be interpreted by a computer as a program.
- The Licensor: the natural or legal person that distributes and/or communicates
the Work under the Licence.
- Contributor(s): any natural or legal person who modifies the Work under the
Licence, or otherwise contributes to the creation of a Derivative Work.
- The Licensee or “You”: any natural or legal person who makes any usage of the
Software under the terms of the Licence.
- Distribution and/or Communication: any act of selling, giving, lending,
renting, distributing, communicating, transmitting, or otherwise making
available, on-line or off-line, copies of the Work or providing access to its
essential functionalities at the disposal of any other natural or legal
person.
##2. Scope of the rights granted by the Licence
The Licensor hereby grants You a world-wide, royalty-free, non-exclusive,
sub-licensable licence to do the following, for the duration of copyright vested
in the Original Work:
- use the Work in any circumstance and for all usage, reproduce the Work, modify
- the Original Work, and make Derivative Works based upon the Work, communicate
- to the public, including the right to make available or display the Work or
- copies thereof to the public and perform publicly, as the case may be, the
- Work, distribute the Work or copies thereof, lend and rent the Work or copies
- thereof, sub-license rights in the Work or copies thereof.
Those rights can be exercised on any media, supports and formats, whether now
known or later invented, as far as the applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to
exercise his moral right to the extent allowed by law in order to make effective
the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non exclusive usage rights to
any patents held by the Licensor, to the extent necessary to make use of the
rights granted on the Work under this Licence.
##3. Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as
Executable Code. If the Work is provided as Executable Code, the Licensor
provides in addition a machine-readable copy of the Source Code of the Work
along with each copy of the Work that the Licensor distributes or indicates, in
a notice following the copyright notice attached to the Work, a repository where
the Source Code is easily and freely accessible for as long as the Licensor
continues to distribute and/or communicate the Work.
##4. Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from
any exception or limitation to the exclusive rights of the rights owners in the
Original Work or Software, of the exhaustion of those rights or of other
applicable limitations thereto.
##5. Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and
obligations imposed on the Licensee. Those obligations are the following:
Attribution right: the Licensee shall keep intact all copyright, patent or
trademarks notices and all notices that refer to the Licence and to the
disclaimer of warranties. The Licensee must include a copy of such notices and a
copy of the Licence with every copy of the Work he/she distributes and/or
communicates. The Licensee must cause any Derivative Work to carry prominent
notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes and/or communicates copies of the
Original Works or Derivative Works based upon the Original Work, this
Distribution and/or Communication will be done under the terms of this Licence
or of a later version of this Licence unless the Original Work is expressly
distributed only under this version of the Licence. The Licensee (becoming
Licensor) cannot offer or impose any additional terms or conditions on the Work
or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes and/or Communicates Derivative
Works or copies thereof based upon both the Original Work and another work
licensed under a Compatible Licence, this Distribution and/or Communication can
be done under the terms of this Compatible Licence. For the sake of this clause,
“Compatible Licence” refers to the licences listed in the appendix attached to
this Licence. Should the Licensees obligations under the Compatible Licence
conflict with his/her obligations under this Licence, the obligations of the
Compatible Licence shall prevail.
Provision of Source Code: When distributing and/or communicating copies of the
Work, the Licensee will provide a machine-readable copy of the Source Code or
indicate a repository where this Source will be easily and freely available for
as long as the Licensee continues to distribute and/or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names,
trademarks, service marks, or names of the Licensor, except as required for
reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
##6. Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted
hereunder is owned by him/her or licensed to him/her and that he/she has the
power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings
to the Work are owned by him/her or licensed to him/her and that he/she has the
power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent
Contributors grant You a licence to their contributions to the Work, under the
terms of this Licence.
##7. Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous
contributors. It is not a finished work and may therefore contain defects or
“bugs” inherent to this type of software development.
For the above reason, the Work is provided under the Licence on an “as is” basis
and without warranties of any kind concerning the Work, including without
limitation merchantability, fitness for a particular purpose, absence of defects
or errors, accuracy, non-infringement of intellectual property rights other than
copyright as stated in Article 6 of this Licence.
This disclaimer of warranty is an essential part of the Licence and a condition
for the grant of any rights to the Work.
##8. Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural
persons, the Licensor will in no event be liable for any direct or indirect,
material or moral, damages of any kind, arising out of the Licence or of the use
of the Work, including without limitation, damages for loss of goodwill, work
stoppage, computer failure or malfunction, loss of data or any commercial
damage, even if the Licensor has been advised of the possibility of such
damage. However, the Licensor will be liable under statutory product liability
laws as far such laws apply to the Work.
##9. Additional agreements
While distributing the Original Work or Derivative Works, You may choose to
conclude an additional agreement to offer, and charge a fee for, acceptance of
support, warranty, indemnity, or other liability obligations and/or services
consistent with this Licence. However, in accepting such obligations, You may
act only on your own behalf and on your sole responsibility, not on behalf of
the original Licensor or any other Contributor, and only if You agree to
indemnify, defend, and hold each Contributor harmless for any liability incurred
by, or claims asserted against such Contributor by the fact You have accepted
any such warranty or additional liability.
##10. Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon “I agree”
placed under the bottom of a window displaying the text of this Licence or by
affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable
acceptance of this Licence and all of its terms and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and
conditions by exercising any rights granted to You by Article 2 of this Licence,
such as the use of the Work, the creation by You of a Derivative Work or the
Distribution and/or Communication by You of the Work or copies thereof.
##11. Information to the public
In case of any Distribution and/or Communication of the Work by means of
electronic communication by You (for example, by offering to download the Work
from a remote location) the distribution channel or media (for example, a
website) must at least provide to the public the information requested by the
applicable law regarding the Licensor, the Licence and the way it may be
accessible, concluded, stored and reproduced by the Licensee.
##12. Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon
any breach by the Licensee of the terms of the Licence.
Such a termination will not terminate the licences of any person who has
received the Work from the Licensee under the Licence, provided such persons
remain in full compliance with the Licence.
##13. Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete
agreement between the Parties as to the Work licensed hereunder.
If any provision of the Licence is invalid or unenforceable under applicable
law, this will not affect the validity or enforceability of the Licence as a
whole. Such provision will be construed and/or reformed so as necessary to make
it valid and enforceable.
The European Commission may publish other linguistic versions and/or new
versions of this Licence, so far this is required and reasonable, without
reducing the scope of the rights granted by the Licence. New versions of the
Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission,
have identical value. Parties can take advantage of the linguistic version of
their choice.
##14. Jurisdiction
Any litigation resulting from the interpretation of this License, arising
between the European Commission, as a Licensor, and any Licensee, will be
subject to the jurisdiction of the Court of Justice of the European Communities,
as laid down in article 238 of the Treaty establishing the European Community.
Any litigation arising between Parties, other than the European Commission, and
resulting from the interpretation of this License, will be subject to the
exclusive jurisdiction of the competent court where the Licensor resides or
conducts its primary business.
##15. Applicable Law
This Licence shall be governed by the law of the European Union country where
the Licensor resides or has his registered office.
This licence shall be governed by the Belgian law if:
- a litigation arises between the European Commission, as a Licensor, and any
- Licensee; the Licensor, other than the European Commission, has no residence
- or registered office inside a European Union country.
---
##Appendix
**“Compatible Licences”** according to article 5 EUPL are:
- GNU General Public License (GNU GPL) v. 2
- Open Software License (OSL) v. 2.1, v. 3.0
- Common Public License v. 1.0
- Eclipse Public License v. 1.0
- Cecill v. 2.0

44
README.md Normal file
View File

@ -0,0 +1,44 @@
# Keycloak Client
**Keycloak Clienty Legacy IS** extends the functionnalities provided by the `keycloak-client` library adding the endpoints discovery functions against the legacy Information System based on context's scope. For this reason the compatibility is with Smart Gears v.3 and not with SGv4 or newer.
## Structure of the project
The source code is present in `src` folder.
## Built With
* [OpenJDK](https://openjdk.java.net/) - The JDK used
* [Maven](https://maven.apache.org/) - Dependency Management
## Documentation
To build the library JAR it is sufficient to type
mvn clean package
## Change log
See [Releases](https://code-repo.d4science.org/gCubeSystem/authorization-client/releases).
## Authors
* **Mauro Mugnaini** ([Nubisware S.r.l.](http://www.nubisware.com))
## How to Cite this Software
[Intentionally left blank]
## License
This project is licensed under the EUPL V.1.1 License - see the [LICENSE.md](LICENSE.md) file for details.
## About the gCube Framework
This software is part of the [gCubeFramework](https://www.gcube-system.org/ "gCubeFramework"): an
open-source software toolkit used for building and operating Hybrid Data
Infrastructures enabling the dynamic deployment of Virtual Research Environments
by favouring the realisation of reuse oriented policies.
The projects leading to this software have received funding from a series of European Union programmes see [FUNDING.md](FUNDING.md)
## Acknowledgments
[Intentionally left blank]

119
pom.xml Normal file
View File

@ -0,0 +1,119 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<artifactId>maven-parent</artifactId>
<groupId>org.gcube.tools</groupId>
<version>1.1.0</version>
<relativePath />
</parent>
<groupId>org.gcube.common</groupId>
<artifactId>keycloak-client-legacy-is</artifactId>
<version>1.0.0-SNAPSHOT</version>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.gcube.distribution</groupId>
<artifactId>gcube-bom</artifactId>
<version>2.0.1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<scm>
<connection>scm:git:https://code-repo.d4science.org/gCubeSystem/${project.artifactId}.git</connection>
<developerConnection>scm:git:https://code-repo.d4science.org/gCubeSystem/${project.artifactId}.git</developerConnection>
<url>https://code-repo.d4science.org/gCubeSystem/${project.artifactId}</url>
</scm>
<dependencies>
<dependency>
<groupId>org.gcube.common</groupId>
<artifactId>keycloak-client</artifactId>
<version>[2.0.0-SNAPSHOT,)</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<dependency>
<groupId>org.gcube.common</groupId>
<artifactId>gcube-jackson-databind</artifactId>
</dependency>
<dependency>
<groupId>org.gcube.common</groupId>
<artifactId>gcube-jackson-annotations</artifactId>
</dependency>
<dependency>
<groupId>org.gcube.common</groupId>
<artifactId>gcube-jackson-core</artifactId>
</dependency>
<dependency>
<groupId>org.gcube.common</groupId>
<artifactId>gxJRS</artifactId>
</dependency>
<dependency>
<groupId>org.gcube.core</groupId>
<artifactId>common-fw-clients</artifactId>
</dependency>
<dependency>
<groupId>org.gcube.resources.discovery</groupId>
<artifactId>ic-client</artifactId>
</dependency>
<dependency>
<groupId>org.gcube.core</groupId>
<artifactId>common-scope-maps</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.25</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.16</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-common</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-client</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build />
</project>

163
src/main/java/org/gcube/common/keycloak/DefaultKeycloakClientLegacyIS.java Normal file
View File

@ -0,0 +1,163 @@
package org.gcube.common.keycloak;
import static org.gcube.resources.discovery.icclient.ICFactory.clientFor;
import static org.gcube.resources.discovery.icclient.ICFactory.queryFor;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;
import org.gcube.common.keycloak.model.ModelUtils;
import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
import org.gcube.common.keycloak.model.TokenResponse;
import org.gcube.common.resources.gcore.ServiceEndpoint;
import org.gcube.common.resources.gcore.ServiceEndpoint.AccessPoint;
import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.resources.discovery.client.api.DiscoveryClient;
import org.gcube.resources.discovery.client.queries.api.SimpleQuery;
@SuppressWarnings("deprecation")
public class DefaultKeycloakClientLegacyIS extends DefaultKeycloakClient implements KeycloakClientLegacyIS {
@Override
public URL findTokenEndpointURL() throws KeycloakClientException {
logger.debug("Checking ScopeProvider's scope presence and format");
String originalScope = ScopeProvider.instance.get();
if (originalScope == null || !originalScope.startsWith("/") || originalScope.length() < 2) {
throw new KeycloakClientException(originalScope == null ? "Scope not found in ScopeProvider"
: "Bad scope name found: " + originalScope);
}
logger.debug("Assuring use the rootVO to query the endpoint simple query. Actual scope is: {}", originalScope);
String rootVOScope = "/" + originalScope.split("/")[1];
logger.debug("Setting rootVO scope into provider as: {}", rootVOScope);
List<AccessPoint> accessPoints = null;
// trying to be thread safe at least for these calls
synchronized (ScopeProvider.instance) {
boolean scopeModified = false;
if (!ScopeProvider.instance.get().equals(rootVOScope)) {
logger.debug("Overriding scope in the provider with rootVO scope : {}", rootVOScope);
ScopeProvider.instance.set(rootVOScope);
scopeModified = true;
}
logger.debug("Creating simple query");
SimpleQuery query = queryFor(ServiceEndpoint.class);
query.addCondition(
String.format("$resource/Profile/Category/text() eq '%s'", CATEGORY))
.addCondition(String.format("$resource/Profile/Name/text() eq '%s'", NAME))
.setResult(String.format("$resource/Profile/AccessPoint[Description/text() eq '%s']", DESCRIPTION));
logger.debug("Creating client for AccessPoint");
DiscoveryClient<AccessPoint> client = clientFor(AccessPoint.class);
logger.trace("Submitting query: {}", query);
accessPoints = client.submit(query);
if (scopeModified) {
logger.debug("Resetting scope into provider to the original value: {}", originalScope);
ScopeProvider.instance.set(originalScope);
}
}
if (accessPoints.size() == 0) {
throw new KeycloakClientException("Service endpoint not found");
} else if (accessPoints.size() > 1) {
throw new KeycloakClientException("Found more than one endpoint with query");
}
String address = accessPoints.iterator().next().address();
logger.debug("Found address: {}", address);
try {
return new URL(address);
} catch (MalformedURLException e) {
throw new KeycloakClientException("Cannot create URL from address: " + address, e);
}
}
@Override
public URL computeIntrospectionEndpointURL() throws KeycloakClientException {
return computeIntrospectionEndpointURL(findTokenEndpointURL());
}
@Override
public TokenResponse queryOIDCToken(String clientId, String clientSecret) throws KeycloakClientException {
return queryOIDCToken(findTokenEndpointURL(), clientId, clientSecret);
}
@Override
public TokenResponse queryUMAToken(String clientId, String clientSecret, List<String> permissions)
throws KeycloakClientException {
return queryUMAToken(clientId, clientSecret, ScopeProvider.instance.get(), permissions);
}
@Override
public TokenResponse queryUMAToken(TokenResponse oidcTokenResponse, String audience, List<String> permissions)
throws KeycloakClientException {
return queryUMAToken(findTokenEndpointURL(), constructBeareAuthenticationHeader(oidcTokenResponse), audience,
permissions);
}
@Override
public TokenResponse queryUMAToken(String clientId, String clientSecret, String audience,
List<String> permissions) throws KeycloakClientException {
return queryUMAToken(findTokenEndpointURL(), clientId, clientSecret, audience, permissions);
}
@Override
public TokenResponse refreshToken(TokenResponse tokenResponse) throws KeycloakClientException {
return refreshToken((String) null, tokenResponse);
}
@Override
public TokenResponse refreshToken(String clientId, TokenResponse tokenResponse) throws KeycloakClientException {
return refreshToken(clientId, null, tokenResponse);
}
@Override
public TokenResponse refreshToken(String clientId, String clientSecret, TokenResponse tokenResponse)
throws KeycloakClientException {
return refreshToken(findTokenEndpointURL(), clientId, clientSecret, tokenResponse);
}
@Override
public TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException {
try {
String clientId = ModelUtils.getClientIdFromToken(ModelUtils.getRefreshTokenFrom(refreshTokenJWTString));
return refreshToken(clientId, refreshTokenJWTString);
} catch (Exception e) {
throw new KeycloakClientException("Cannot construct access token object from token response", e);
}
}
@Override
public TokenResponse refreshToken(String clientId, String refreshTokenJWTString) throws KeycloakClientException {
return refreshToken(clientId, null, refreshTokenJWTString);
}
@Override
public TokenResponse refreshToken(String clientId, String clientSecret, String refreshTokenJWTString)
throws KeycloakClientException {
return refreshToken(findTokenEndpointURL(), clientId, clientSecret, refreshTokenJWTString);
}
@Override
public TokenIntrospectionResponse introspectAccessToken(String clientId, String clientSecret,
String accessTokenJWTString) throws KeycloakClientException {
return introspectAccessToken(computeIntrospectionEndpointURL(), clientId, clientSecret, accessTokenJWTString);
}
@Override
public boolean isAccessTokenVerified(String clientId, String clientSecret, String accessTokenJWTString)
throws KeycloakClientException {
return isAccessTokenVerified(computeIntrospectionEndpointURL(), clientId, clientSecret, accessTokenJWTString);
}
}

187
src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyIS.java Normal file
View File

@ -0,0 +1,187 @@
package org.gcube.common.keycloak;
import java.net.URL;
import java.util.List;
import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
import org.gcube.common.keycloak.model.TokenResponse;
import org.gcube.common.scope.api.ScopeProvider;
@SuppressWarnings("deprecation")
public interface KeycloakClientLegacyIS extends KeycloakClient {
String CATEGORY = "Auth";
String NAME = "IAM";
String DESCRIPTION = "oidc-token endpoint";
/**
* Finds the keycloak <code>token</code> endpoint {@link URL} discovering it in the current scope provided by {@link ScopeProvider}
*
* @return the keycloak <code>token</code> endpoint URL in the current scope
* @throws KeycloakClientException if something goes wrong discovering the endpoint URL
*/
URL findTokenEndpointURL() throws KeycloakClientException;
/**
* Compute the keycloak <code>introspection</code> endpoint {@link URL} starting from the discovered token endpoint it in the current scope provided by {@link ScopeProvider}.
*
* @return the keycloak <code>introspection</code> endpoint URL in the current scope
* @throws KeycloakClientException if something goes wrong discovering the endpoint URL
*/
URL computeIntrospectionEndpointURL() throws KeycloakClientException;
/**
* Queries an OIDC token from the Keycloak server discovered in the current scope, by using provided clientId and client secret.
*
* @param clientId the client id
* @param clientSecret the client secret
* @return the issued token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the query
*/
TokenResponse queryOIDCToken(String clientId, String clientSecret) throws KeycloakClientException;
/**
* Queries an UMA token from the Keycloak server discovered in the current scope, by using access-token provided by the {@link TokenResponse} object
* for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
*
* @param clientId the client id
* @param clientSecret the client secret
* @param audience the audience (context) where to request the issuing of the ticket
* @param permissions a list of permissions, can be <code>null</code>
* @return the issued token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the query
*/
TokenResponse queryUMAToken(TokenResponse oidcTokenResponse, String audience, List<String> permissions)
throws KeycloakClientException;
/**
* Queries an UMA token from the Keycloak server discovered in the current scope, by using provided clientId and client secret
* for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
*
* @param clientId the client id
* @param clientSecret the client secret
* @param audience the audience (context) where to request the issuing of the ticket
* @param permissions a list of permissions, can be <code>null</code>
* @return the issued token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the query
*/
TokenResponse queryUMAToken(String clientId, String clientSecret, String audience, List<String> permissions)
throws KeycloakClientException;
/**
* Queries an UMA token from the Keycloak server discovered in the current scope, by using provided clientId and client secret
* for the current scope as audience (context), in URLEncoded form or not, and optionally a list of permissions.
*
* @param clientId the client id
* @param clientSecret the client secret
* @param permissions a list of permissions, can be <code>null</code>
* @return the issued token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the query
*/
TokenResponse queryUMAToken(String clientId, String clientSecret, List<String> permissions)
throws KeycloakClientException;
/**
* Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh
* token JWT encoded string in the token response object.
*
* Client id will be read from "issued for" access token's claim and client secret will be not sent.
* <br><b>NOTE</b>: For <code>public</code> clients types only.
*
* @param tokenResponse the previously issued token as {@link TokenResponse} object
* @return the refreshed token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the refresh query
*/
TokenResponse refreshToken(TokenResponse tokenResponse) throws KeycloakClientException;
/**
* Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh
* token JWT encoded string in the token response object and the provided client id.
*
* Client secret will be not sent.
* <br><b>NOTE</b>: For <code>public</code> clients types only.
*
* @param clientId the requestor client id, may be <code>null</code> and in this case will be take from the access token "issued for" claim
* @param tokenResponse the previously issued token as {@link TokenResponse} object
* @return the refreshed token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the refresh query
*/
TokenResponse refreshToken(String clientId, TokenResponse tokenResponse) throws KeycloakClientException;
/**
* Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh
* token JWT encoded string in the token response object and the provided client id and secret.
*
* @param clientId the requestor client id, may be <code>null</code> and in this case will be take from the access token "issued for" claim
* @param clientSecret the requestor client secret, may be <code>null</code> for non-confidential clients
* @param tokenResponse the previously issued token as {@link TokenResponse} object
* @return the refreshed token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the refresh query
*/
TokenResponse refreshToken(String clientId, String clientSecret, TokenResponse tokenResponse)
throws KeycloakClientException;
/**
* Refreshes a previously issued token from the Keycloak server discovered in the current scope using the the refresh token JWT encoded string obtained with the access token in the previous token response.
*
* Client id will be read from "issued for" refresh token's claim and client secret will be not sent.
* <br><b>NOTE</b>: For <code>public</code> clients types only.
*
* @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter
* @return the refreshed token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the refresh query
*/
TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException;
/**
* Refreshes a previously issued token from the Keycloak server discovered in the current scope using the provided
* client id and the refresh token JWT encoded string obtained with the access token in the previous token response.
*
* Client secret will be not used.
* <br><b>NOTE</b>: For <code>public</code> clients types only.
*
* @param clientId the requestor client id
* @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter
* @return the refreshed token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the refresh query
*/
TokenResponse refreshToken(String clientId, String refreshTokenJWTString) throws KeycloakClientException;
/**
* Refreshes a previously issued token from the Keycloak server discovered in the current scope using the provided
* client id and secret and the refresh token JWT encoded string obtained with the access token in the previous
* token response.
*
* @param clientId the requestor client id
* @param clientSecret the requestor client secret, may be <code>null</code> for non-confidential clients
* @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter
* @return the refreshed token as {@link TokenResponse} object
* @throws KeycloakClientException if something goes wrong performing the refresh query
*/
TokenResponse refreshToken(String clientId, String clientSecret, String refreshTokenJWTString)
throws KeycloakClientException;
/**
* Introspects an access token against the Keycloak server discovered in the current scope.
*
* @param clientId the requestor client id
* @param clientSecret the requestor client secret
* @param accessTokenJWTString the access token to verify
* @return <code>true</code> if the token is valid, <code>false</code> otherwise
* @throws KeycloakClientException if something goes wrong performing the verification
*/
TokenIntrospectionResponse introspectAccessToken(String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException;
/**
* Verifies an access token against the Keycloak server discovered in the current scope.
*
* @param clientId the requestor client id
* @param clientSecret the requestor client secret
* @param accessTokenJWTString the access token to verify
* @return a {@link TokenIntrospectionResponse} object with the introspection results; in particular, the <code>active</code> field represents the token validity
* @throws KeycloakClientException if something goes wrong performing the verification
*/
boolean isAccessTokenVerified(String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException;
}

15
src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyISFactory.java Normal file
View File

@ -0,0 +1,15 @@
package org.gcube.common.keycloak;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class KeycloakClientLegacyISFactory {
protected static final Logger logger = LoggerFactory.getLogger(KeycloakClientLegacyISFactory.class);
public static KeycloakClientLegacyIS newInstance() {
logger.debug("Instantiating a new keycloak client for legacy IS instance");
return new DefaultKeycloakClientLegacyIS();
}
}

215
src/test/java/org/gcube/common/keycloak/TestKeycloakClientLegacyIS.java Normal file
View File

@ -0,0 +1,215 @@
package org.gcube.common.keycloak;
import java.net.URL;
import org.gcube.common.keycloak.model.ModelUtils;
import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
import org.gcube.common.keycloak.model.TokenResponse;
import org.gcube.common.scope.api.ScopeProvider;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.FixMethodOrder;
import org.junit.Test;
import org.junit.runners.MethodSorters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@SuppressWarnings("deprecation")
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class TestKeycloakClientLegacyIS {
protected static final Logger logger = LoggerFactory.getLogger(TestKeycloakClientLegacyIS.class);
protected static final String DEV_TOKEN_ENDPOINT = "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
protected static final String DEV_INTROSPECTION_ENDPOINT = DEV_TOKEN_ENDPOINT + "/introspect";
protected static final String CLIENT_ID = "keycloak-client-unit-test";
protected static final String CLIENT_SECRET = "ebf6f82e-9511-408e-8321-203081e472d8";
protected static final String TEST_AUDIENCE = "conductor-server";
protected static final String OLD_OIDC_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2NTI5Nzk4NDUsImlhdCI6MTY1Mjk3OTU0NSwianRpIjoiMzQ2MjgwMWItODg4NS00YTM4LWJkNDUtNWExM2U1MGE5MGU5IiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOlsiJTJGZ2N1YmUiLCIlMkZnY3ViZSUyRmRldnNlYyUyRmRldlZSRSIsImFjY291bnQiXSwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6ImQ4MDk3MDBmLWEyNDUtNDI3Zi1hYzhjLTQxYjFkZDNkYTQ3MCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsIkluZnJhc3RydWN0dXJlLUNsaWVudCIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiJTJGZ2N1YmUiOnsicm9sZXMiOlsiTWVtYmVyIl19LCJrZXljbG9hay1jbGllbnQiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sIiUyRmdjdWJlJTJGZGV2c2VjJTJGZGV2VlJFIjp7InJvbGVzIjpbIk1lbWJlciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SWQiOiJrZXljbG9hay1jbGllbnQiLCJjbGllbnRIb3N0IjoiOTMuNjYuMTg1Ljc1IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQta2V5Y2xvYWstY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjkzLjY2LjE4NS43NSJ9.FQu4ox2HWeqeaY7nHYVGeJVpkJOcASfOb8tbOUeG-GB6sMjRB2S8PjLLaw63r_c42yxKszP04XdxGqIWqXTtoD9QCiUHTT5yJTkIpio4tMMGHth9Fbx-9dwk0yy_IFi1_OsCvZFmOQRdjMuUkj1lSqslCzAw-2E5q1Zt415-au5pEVJYNTFqIsG72ChJwh6eq1Dh1XBy8krb7YVPQyIwxO_awgAYO5hbsdvXYlRfCrnB38kk2V6-CQ-XYoL1m7xIB-gjhKCiFvDmmntQSRCZFgb0qi8eOmh9FdzPxZgx7yPJwAAj17dS4B_gz9FpZBVciNzpA6Lf4P2bqvoD9-R6ow";
protected static final String OLD_UMA_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2NTI5ODA0NzgsImlhdCI6MTY1Mjk4MDE3OCwianRpIjoiNjBkNzU3MGMtZmQxOC00NGQ1LTg1MzUtODhlMmFmOGQ1ZTgwIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJjb25kdWN0b3Itc2VydmVyIiwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjI3NDUyN2M5LWNkZjMtNGM2Yi1iNTUxLTFmMTRkZGE5ZGVlZiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiSW5mcmFzdHJ1Y3R1cmUtQ2xpZW50Il19LCJhdXRob3JpemF0aW9uIjp7InBlcm1pc3Npb25zIjpbeyJzY29wZXMiOlsiZ2V0Il0sInJzaWQiOiIyNDlmZDQ2OS03OWM1LTRiODUtYjE5NS1mMjliM2ViNjAzNDUiLCJyc25hbWUiOiJtZXRhZGF0YSJ9LHsic2NvcGVzIjpbImdldCIsInN0YXJ0IiwidGVybWluYXRlIl0sInJzaWQiOiJhNmYzZWFkZS03NDA0LTRlNWQtOTA3MC04MDBhZGI1YWFjNGUiLCJyc25hbWUiOiJ3b3JrZmxvdyJ9LHsicnNpZCI6IjFiNmMwMGI3LTkxMzktNGVhYS1hYWM3LTIwMjMxZmVlMDVhNSIsInJzbmFtZSI6IkRlZmF1bHQgUmVzb3VyY2UifV19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJjbGllbnRJZCI6ImtleWNsb2FrLWNsaWVudCIsImNsaWVudEhvc3QiOiI5My42Ni4xODUuNzUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1rZXljbG9hay1jbGllbnQiLCJjbGllbnRBZGRyZXNzIjoiOTMuNjYuMTg1Ljc1In0.Hh62E56R-amHwoDPFQEylMvrvmNzWnC_4bDI7_iQYAPJ5YzCNH9d7zcdGaQ96kRmps_JRc2Giv_1W9kYorOhlXl-5QLDrSoqrqFxrNpEGG5r5jpNJbusbu4wNUKiCt_GMnM1UmztgXiQeuggNGkmeBIjotj0eubnmIbUV9ukHj3v7Z5PwNKKX3BCpsghd1u8lg6Nfqk_Oho4GXUfdaFY_AR3SNqzVI_9YLhND_a03MNNWlnfOvj8T4nDCKBZIs91tVyiu98d2TjnQt8PdlVwokMP3LA58m0Khy2cmUm1KF2k0zlzP8MxV9wTxNrpovMr-PnbtEPZ_IlVQIzHwjHfwQ";
private static TokenResponse oidcTR = null;
private static TokenResponse umaTR = null;
@Before
public void setUp() throws Exception {
ScopeProvider.instance.set("/gcube");
}
@After
public void tearDown() throws Exception {
}
@Test
public void test00TokenEndpointDiscovery() throws Exception {
logger.info("*** [0.0] Start testing Keycloak token endpoint discovery...");
URL url = KeycloakClientLegacyISFactory.newInstance().findTokenEndpointURL();
Assert.assertNotNull(url);
Assert.assertTrue(url.getProtocol().equals("https"));
Assert.assertEquals(new URL(DEV_TOKEN_ENDPOINT), url);
logger.info("Discovered URL is: {}", url);
}
@Test
public void test01IntrospectEndpointComputeFromDiscovered() throws Exception {
logger.info("*** [0.1] Start testing Keycloak userinfo endpoint computed from discovered URL...");
URL url = KeycloakClientLegacyISFactory.newInstance().computeIntrospectionEndpointURL();
Assert.assertNotNull(url);
Assert.assertTrue(url.getProtocol().equals("https"));
Assert.assertEquals(new URL(DEV_INTROSPECTION_ENDPOINT), url);
logger.info("Discovered URL is: {}", url);
}
@Test
public void test11QueryOIDCTokenWithDiscoveryInCurrentScope() throws Exception {
logger.info(
"*** [1.1] Start testing query OIDC token from Keycloak with endpoint discovery and current scope...");
oidcTR = KeycloakClientLegacyISFactory.newInstance().queryOIDCToken(CLIENT_ID,
CLIENT_SECRET);
logger.info("*** [1.1] OIDC access token: {}", oidcTR.getAccessToken());
logger.info("*** [1.1] OIDC refresh token: {}", oidcTR.getRefreshToken());
TestModels.checkTokenResponse(oidcTR);
TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(oidcTR),
"service-account-" + CLIENT_ID, false);
}
@Test
public void test13RefreshOIDCTokenWithDiscovery() throws Exception {
logger.info("*** [1.3] Start testing refresh OIDC token from Keycloak with endpoint discovery...");
TokenResponse refreshedTR = KeycloakClientLegacyISFactory.newInstance().refreshToken(
CLIENT_ID, CLIENT_SECRET,
oidcTR);
logger.info("*** [1.3] Refreshed OIDC access token: {}", refreshedTR.getAccessToken());
logger.info("*** [1.3] Refreshed OIDC refresh token: {}", refreshedTR.getRefreshToken());
TestModels.checkTokenResponse(refreshedTR);
TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(refreshedTR),
"service-account-" + CLIENT_ID, false);
TestModels.checkRefreshToken(ModelUtils.getRefreshTokenFrom(refreshedTR));
}
@Test
public void test21QueryUMATokenWithDiscoveryInCurrentScope() throws Exception {
logger.info(
"*** [2.1] Start testing query UMA token from Keycloak with endpoint discovery and current scope as audience...");
umaTR = KeycloakClientLegacyISFactory.newInstance().queryUMAToken(CLIENT_ID,
CLIENT_SECRET, null);
logger.info("*** [2.1] UMA access token: {}", umaTR.getAccessToken());
logger.info("*** [2.1] UMA refresh token: {}", umaTR.getRefreshToken());
TestModels.checkTokenResponse(umaTR);
TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR),
"service-account-" + CLIENT_ID, true);
}
@Test
public void test22QueryUMATokenWithDiscovery() throws Exception {
logger.info("*** [2.2] Start testing query UMA token from Keycloak with endpoint discovery...");
umaTR = KeycloakClientLegacyISFactory.newInstance().queryUMAToken(CLIENT_ID,
CLIENT_SECRET, TEST_AUDIENCE,
null);
logger.info("*** [2.2] UMA access token: {}", umaTR.getAccessToken());
logger.info("*** [2.2] UMA refresh token: {}", umaTR.getRefreshToken());
TestModels.checkTokenResponse(umaTR);
TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR),
"service-account-" + CLIENT_ID, true);
}
@Test
public void test23QueryUMATokenWithDiscoveryWithOIDCAuthorization() throws Exception {
logger.info(
"*** [2.3] Start testing query UMA token from Keycloak with endpoint discovery and OIDC access token for authorization...");
umaTR = KeycloakClientLegacyISFactory.newInstance().queryUMAToken(oidcTR, TEST_AUDIENCE,
null);
logger.info("*** [2.3] UMA access token: {}", umaTR.getAccessToken());
logger.info("*** [2.3] UMA refresh token: {}", umaTR.getRefreshToken());
TestModels.checkTokenResponse(umaTR);
TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR),
"service-account-" + CLIENT_ID, true);
}
@Test
public void test25RefreshUMATokenWithDiscovery() throws Exception {
logger.info("*** [2.5] Start testing refresh UMA token from Keycloak with endpoint discovery...");
TokenResponse refreshedTR = KeycloakClientLegacyISFactory.newInstance().refreshToken(
CLIENT_ID, CLIENT_SECRET,
umaTR);
logger.info("*** [2.5] Refreshed UMA access token: {}", refreshedTR.getAccessToken());
logger.info("*** [2.5] Refreshed UMA refresh token: {}", refreshedTR.getRefreshToken());
TestModels.checkTokenResponse(refreshedTR);
TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(refreshedTR),
"service-account-" + CLIENT_ID, true);
TestModels.checkRefreshToken(ModelUtils.getRefreshTokenFrom(refreshedTR));
}
@Test(expected = KeycloakClientException.class)
public void test26RefreshTokenWithDiscoveryAndClientIdFromRefreshToken() throws Exception {
logger.info("*** [2.6] Start testing refresh UMA token *with error* since is not a public client...");
KeycloakClientLegacyISFactory.newInstance().refreshToken(umaTR.getRefreshToken());
}
@Test
public void test301IntrospectOIDCAccessTokenWithDiscovery() throws Exception {
logger.info("*** [3.1] Start testing introspect OIDC access token with endpoint discovery...");
TokenIntrospectionResponse tir = KeycloakClientLegacyISFactory.newInstance().introspectAccessToken(
CLIENT_ID,
CLIENT_SECRET, oidcTR.getAccessToken());
TestModels.checkTokenIntrospectionResponse(tir);
}
@Test
public void test303IntrospectUMAAccessTokenWithDiscovery() throws Exception {
logger.info("*** [3.3] Start testing introspect UMA access token with endpoint discovery...");
TokenIntrospectionResponse tir = KeycloakClientLegacyISFactory.newInstance().introspectAccessToken(
CLIENT_ID,
CLIENT_SECRET, umaTR.getAccessToken());
TestModels.checkTokenIntrospectionResponse(tir);
}
@Test
public void test305OIDCAccessTokenVerificationWithDiscovery() throws Exception {
logger.info("*** [3.5] Start OIDC access token verification with endpoint discovery...");
Assert.assertTrue(
KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified(CLIENT_ID,
CLIENT_SECRET, oidcTR.getAccessToken()));
}
@Test
public void test307OIDCAccessTokenNonVerificationWithDiscovery() throws Exception {
logger.info("*** [3.7] Start OIDC access token NON verification...");
Assert.assertFalse(KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified(
CLIENT_ID, CLIENT_SECRET,
OLD_OIDC_ACCESS_TOKEN));
}
@Test
public void test308UMAAccessTokenVerificationWithDiscovery() throws Exception {
logger.info("*** [3.8] Start UMA access token verification with endpoint discovery...");
Assert.assertTrue(
KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified(CLIENT_ID,
CLIENT_SECRET, umaTR.getAccessToken()));
}
@Test
public void test309UMAAccessTokenVerification() throws Exception {
logger.info("*** [3.9] Start UMA access token verification...");
Assert.assertTrue(KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified(
new URL(DEV_INTROSPECTION_ENDPOINT), CLIENT_ID,
CLIENT_SECRET, umaTR.getAccessToken()));
}
@Test
public void test310UMAAccessTokenNonVerificationWithDiscovery() throws Exception {
logger.info("*** [3.10] Start UMA access token NON verification...");
Assert.assertFalse(KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified(
CLIENT_ID, CLIENT_SECRET,
OLD_UMA_ACCESS_TOKEN));
}
}

117
src/test/java/org/gcube/common/keycloak/TestModels.java Normal file
View File

@ -0,0 +1,117 @@
package org.gcube.common.keycloak;
import java.io.File;
import org.gcube.com.fasterxml.jackson.databind.ObjectMapper;
import org.gcube.common.keycloak.model.AccessToken;
import org.gcube.common.keycloak.model.ModelUtils;
import org.gcube.common.keycloak.model.RefreshToken;
import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
import org.gcube.common.keycloak.model.TokenResponse;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.FixMethodOrder;
import org.junit.Test;
import org.junit.runners.MethodSorters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class TestModels {
protected static final Logger logger = LoggerFactory.getLogger(TestModels.class);
@Before
public void setUp() throws Exception {
}
@After
public void tearDown() throws Exception {
}
@Test
public void testTokenResponseForOIDC() throws Exception {
logger.info("Start testing OIDC token response object binding...");
TokenResponse tr = new ObjectMapper().readValue(new File("src/test/resources/oidc-token-response.json"),
TokenResponse.class);
logger.debug("OIDC token response:\n{}", ModelUtils.toJSONString(tr, true));
checkTokenResponse(tr);
}
@Test
public void testTokenResponseForUMA() throws Exception {
logger.info("Start testing UMA token response object binding...");
TokenResponse tr = new ObjectMapper().readValue(new File("src/test/resources/uma-token-response.json"),
TokenResponse.class);
logger.debug("UMA token response:\n{}", ModelUtils.toJSONString(tr, true));
checkTokenResponse(tr);
}
@Test
public void testUMAAccessToken() throws Exception {
logger.info("Start testing access token object binding...");
AccessToken at = new ObjectMapper().readValue(new File("src/test/resources/uma-access-token.json"),
AccessToken.class);
checkAccessToken(at, null, true);
}
@Test
public void testRemoveBearerPrefixInHeader() throws Exception {
TokenResponse tr = new ObjectMapper().readValue(new File("src/test/resources/oidc-token-response.json"),
TokenResponse.class);
AccessToken at1 = ModelUtils.getAccessTokenFrom(tr.getAccessToken());
AccessToken at2 = ModelUtils.getAccessTokenFrom("Bearer " + tr.getAccessToken());
AccessToken at3 = ModelUtils.getAccessTokenFrom("bearer " + tr.getAccessToken());
checkAccessToken(at1, null, true);
checkAccessToken(at2, null, true);
checkAccessToken(at3, null, true);
Assert.assertEquals(ModelUtils.toJSONString(at1), ModelUtils.toJSONString(at2));
Assert.assertEquals(ModelUtils.toJSONString(at2), ModelUtils.toJSONString(at3));
}
@Test
public void testUMARefreshToken() throws Exception {
logger.info("Start testing refresh token object binding...");
RefreshToken rt = new ObjectMapper().readValue(new File("src/test/resources/uma-refresh-token.json"),
RefreshToken.class);
checkRefreshToken(rt);
}
public static void checkTokenResponse(TokenResponse tr) throws Exception {
Assert.assertNotNull(tr);
Assert.assertEquals("bearer", tr.getTokenType().toLowerCase());
Assert.assertNotNull(tr.getAccessToken());
Assert.assertNotNull(tr.getRefreshToken());
}
public static void checkAccessToken(AccessToken at, String preferredUsername, boolean checkAudience) {
logger.debug("Access token:\n{}", ModelUtils.toJSONString(at, true));
Assert.assertNotNull(at.getPreferredUsername());
if (preferredUsername != null) {
Assert.assertEquals(preferredUsername, at.getPreferredUsername());
}
if (checkAudience) {
Assert.assertNotNull(at.getAudience());
}
}
public static void checkRefreshToken(RefreshToken rt) {
logger.debug("Refresh token:\n{}", ModelUtils.toJSONString(rt, true));
Assert.assertNotNull(rt.getOtherClaims());
Assert.assertNotNull(rt.getAudience());
}
public static void checkTokenIntrospectionResponse(TokenIntrospectionResponse tir) {
logger.debug("Token introspection response :\n{}", ModelUtils.toJSONString(tir, true));
Assert.assertTrue(tir.isActive());
}
}

30
src/test/resources/log4j.xml Normal file
View File

@ -0,0 +1,30 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration
xmlns="http://jakarta.apache.org/log4j/"
xmlns:log4j="http://jakarta.apache.org/log4j/">
<appender name="console"
class="org.apache.log4j.ConsoleAppender">
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern"
value="%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n" />
</layout>
</appender>
<logger name="org.gcube.common.keycloak" additivity="false">
<level value="TRACE" />
<appender-ref ref="console" />
</logger>
<logger>
<level value="INFO" />
<appender-ref ref="console" />
</logger>
<root>
<level value="DEBUG" />
<appender-ref ref="console" />
</root>
</log4j:configuration>

40
src/test/resources/oidc-access-token.json Normal file
View File

@ -0,0 +1,40 @@
{
"exp": 1622216161,
"iat": 1622215861,
"jti": "d391d814-a1f6-4a40-9aa3-3f51ec59988c",
"iss": "https://accounts.dev.d4science.org/auth/realms/d4science",
"aud": "account",
"sub": "1c84108a-201d-4e20-8ad2-d72b08d58f8a",
"typ": "Bearer",
"azp": "lr62_portal",
"session_state": "1a054bb7-4d87-44a9-ad1f-1746ef2dd522",
"acr": "1",
"allowed-origins": [
"https://dev.d4science.org"
],
"realm_access": {
"roles": [
"offline_access",
"Infrastructure-Client",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "email profile",
"email_verified": true,
"name": "Gino Stilla",
"groups": [],
"preferred_username": "gino.stilla",
"given_name": "Gino",
"locale": "it",
"family_name": "Stilla",
"email": "gino@stilla.com"
}

10
src/test/resources/oidc-token-response.json Normal file
View File

@ -0,0 +1,10 @@
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2MjIyMTYxNjEsImlhdCI6MTYyMjIxNTg2MSwianRpIjoiZDM5MWQ4MTQtYTFmNi00YTQwLTlhYTMtM2Y1MWVjNTk5ODhjIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiMWM4NDEwOGEtMjAxZC00ZTIwLThhZDItZDcyYjA4ZDU4ZjhhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibHI2Ml9wb3J0YWwiLCJzZXNzaW9uX3N0YXRlIjoiMWEwNTRiYjctNGQ4Ny00NGE5LWFkMWYtMTc0NmVmMmRkNTIyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2Rldi5kNHNjaWVuY2Uub3JnIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsIkluZnJhc3RydWN0dXJlLUNsaWVudCIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJHaW5vIFN0aWxsYSIsImdyb3VwcyI6W10sInByZWZlcnJlZF91c2VybmFtZSI6Imdpbm8uc3RpbGxhIiwiZ2l2ZW5fbmFtZSI6Ikdpbm8iLCJsb2NhbGUiOiJpdCIsImZhbWlseV9uYW1lIjoiU3RpbGxhIiwiZW1haWwiOiJnaW5vQHN0aWxsYS5jb20ifQ.C43CAMgoHFhRNPACXPKDr_b1ytZeYeB2_AxTOl0jhG5YUpzoigtjwdrYptJbDtlO0fO3Ex9-KgKKBpUROMb0tC7YjuVgK6uGmaBcXGvA2S9mMLVlpl8u0KWJrrvzjPSSBHqH1fKZ6RHhZYkukMAeEeN5nT5SJoftiBNfnQi0wdjsN6fWUDLVQ3kYFQ_8C2RuO-yivSc9TyVpV-1M6ij7PEplWf2UjoygJKchs9R6x_sLHbaQHPTE24PMEY7GcEsgUwBXR3bkcWZ9cVuxAnbcIYITT-qC6V4YXodS2cYew3WoSaMl8LfTmIl7oFiv3lIDYvQ3dd-X8h1QkkbTPlVLOQ",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjOTk5YmVjNC1iNDc4LTQ4Y2YtYmI5OS0wMWMxODY5NzcwNGIifQ.eyJleHAiOjE2MjIyMTc2NjEsImlhdCI6MTYyMjIxNTg2MSwianRpIjoiNzA2YzEyZjUtZDk3OS00MjVmLWI1NzctMzgxNWU4ZTdlNWM2IiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJodHRwczovL2FjY291bnRzLmRldi5kNHNjaWVuY2Uub3JnL2F1dGgvcmVhbG1zL2Q0c2NpZW5jZSIsInN1YiI6IjFjODQxMDhhLTIwMWQtNGUyMC04YWQyLWQ3MmIwOGQ1OGY4YSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJscjYyX3BvcnRhbCIsInNlc3Npb25fc3RhdGUiOiIxYTA1NGJiNy00ZDg3LTQ0YTktYWQxZi0xNzQ2ZWYyZGQ1MjIiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUifQ.2nYaWSEIbzr56vKx39AxomfiWoSQweAnepf7p3maZMs",
"token_type": "bearer",
"not-before-policy": 1618317421,
"session_state": "1a054bb7-4d87-44a9-ad1f-1746ef2dd522",
"scope": "email profile"
}

63
src/test/resources/uma-access-token.json Normal file
View File

@ -0,0 +1,63 @@
{
"exp": 1621960710,
"iat": 1621960410,
"jti": "5a2a2240-8a32-40c9-8cc2-456dd8b089d9",
"iss": "https://accounts.dev.d4science.org/auth/realms/d4science",
"aud": "conductor-server",
"sub": "a47dfe16-b4ed-44ed-a1d9-97ecd504360c",
"typ": "Bearer",
"azp": "keycloak-client",
"session_state": "1550e4ef-5a92-430d-aa0f-242e5f8048de",
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"Infrastructure-Client",
"uma_authorization"
]
},
"resource_access": {
"keycloak-client": {
"roles": [
"uma_protection"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"authorization": {
"permissions": [
{
"scopes": [
"get"
],
"rsid": "249fd469-79c5-4b85-b195-f29b3eb60345",
"rsname": "metadata"
},
{
"scopes": [
"get",
"start",
"terminate"
],
"rsid": "a6f3eade-7404-4e5d-9070-800adb5aac4e",
"rsname": "workflow"
},
{
"rsid": "1b6c00b7-9139-4eaa-aac7-20231fee05a5",
"rsname": "Default Resource"
}
]
},
"scope": "email profile",
"clientId": "keycloak-client",
"clientHost": "2.231.31.240",
"email_verified": false,
"preferred_username": "service-account-keycloak-client",
"clientAddress": "2.231.31.240"
}

36
src/test/resources/uma-refresh-token.json Normal file
View File

@ -0,0 +1,36 @@
{
"exp": 1621962210,
"iat": 1621960410,
"jti": "ca223961-22a2-4171-af3e-f109749e83ea",
"iss": "https://accounts.dev.d4science.org/auth/realms/d4science",
"aud": "https://accounts.dev.d4science.org/auth/realms/d4science",
"sub": "a47dfe16-b4ed-44ed-a1d9-97ecd504360c",
"typ": "Refresh",
"azp": "keycloak-client",
"session_state": "1550e4ef-5a92-430d-aa0f-242e5f8048de",
"authorization": {
"permissions": [
{
"scopes": [
"get"
],
"rsid": "249fd469-79c5-4b85-b195-f29b3eb60345",
"rsname": "metadata"
},
{
"scopes": [
"get",
"start",
"terminate"
],
"rsid": "a6f3eade-7404-4e5d-9070-800adb5aac4e",
"rsname": "workflow"
},
{
"rsid": "1b6c00b7-9139-4eaa-aac7-20231fee05a5",
"rsname": "Default Resource"
}
]
},
"scope": "email profile"
}

9
src/test/resources/uma-token-response.json Normal file
View File

@ -0,0 +1,9 @@
{
"upgraded": false,
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2MjE5NjA3MTAsImlhdCI6MTYyMTk2MDQxMCwianRpIjoiNWEyYTIyNDAtOGEzMi00MGM5LThjYzItNDU2ZGQ4YjA4OWQ5IiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJjb25kdWN0b3Itc2VydmVyIiwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjE1NTBlNGVmLTVhOTItNDMwZC1hYTBmLTI0MmU1ZjgwNDhkZSIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJJbmZyYXN0cnVjdHVyZS1DbGllbnQiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImtleWNsb2FrLWNsaWVudCI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwiYXV0aG9yaXphdGlvbiI6eyJwZXJtaXNzaW9ucyI6W3sic2NvcGVzIjpbImdldCJdLCJyc2lkIjoiMjQ5ZmQ0NjktNzljNS00Yjg1LWIxOTUtZjI5YjNlYjYwMzQ1IiwicnNuYW1lIjoibWV0YWRhdGEifSx7InNjb3BlcyI6WyJnZXQiLCJzdGFydCIsInRlcm1pbmF0ZSJdLCJyc2lkIjoiYTZmM2VhZGUtNzQwNC00ZTVkLTkwNzAtODAwYWRiNWFhYzRlIiwicnNuYW1lIjoid29ya2Zsb3cifSx7InJzaWQiOiIxYjZjMDBiNy05MTM5LTRlYWEtYWFjNy0yMDIzMWZlZTA1YTUiLCJyc25hbWUiOiJEZWZhdWx0IFJlc291cmNlIn1dfSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SWQiOiJrZXljbG9hay1jbGllbnQiLCJjbGllbnRIb3N0IjoiMi4yMzEuMzEuMjQwIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQta2V5Y2xvYWstY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjIuMjMxLjMxLjI0MCJ9.UKcREwcaJc9tpfUIsIfqbN-uON1lrtAcVQSoZan29hyQ-t8o6tjWS4-ix8JnWN8YBxU0Gbo1XcGx2NEnX7QCcAt9R46I9jpd5D9LBF-DF1G5zTVc1Cwm9-XcQ9vU_KDJ_qOzhcbPe1ZeAkYV4LpRXuPS7bBSUiNYExHoWBQTUTjNUc7rJRGWk14YKNjEgvri46RZw3ZZQ19JdjktyLz4WNGF8asSAmLXTeJ4q7O1kWttDzxjiz6QMW1378lYCb_GfXWsnAWbm7zpfz2-Fs3NmZO35BUw_jba_l_8Uog35X9qhsgcw2-_sWEB0vGLEHvz2zowpy70zjpoeHZYq6LeBw",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjOTk5YmVjNC1iNDc4LTQ4Y2YtYmI5OS0wMWMxODY5NzcwNGIifQ.eyJleHAiOjE2MjE5NjIyMTAsImlhdCI6MTYyMTk2MDQxMCwianRpIjoiY2EyMjM5NjEtMjJhMi00MTcxLWFmM2UtZjEwOTc0OWU4M2VhIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJodHRwczovL2FjY291bnRzLmRldi5kNHNjaWVuY2Uub3JnL2F1dGgvcmVhbG1zL2Q0c2NpZW5jZSIsInN1YiI6ImE0N2RmZTE2LWI0ZWQtNDRlZC1hMWQ5LTk3ZWNkNTA0MzYwYyIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJrZXljbG9hay1jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiMTU1MGU0ZWYtNWE5Mi00MzBkLWFhMGYtMjQyZTVmODA0OGRlIiwiYXV0aG9yaXphdGlvbiI6eyJwZXJtaXNzaW9ucyI6W3sic2NvcGVzIjpbImdldCJdLCJyc2lkIjoiMjQ5ZmQ0NjktNzljNS00Yjg1LWIxOTUtZjI5YjNlYjYwMzQ1IiwicnNuYW1lIjoibWV0YWRhdGEifSx7InNjb3BlcyI6WyJnZXQiLCJzdGFydCIsInRlcm1pbmF0ZSJdLCJyc2lkIjoiYTZmM2VhZGUtNzQwNC00ZTVkLTkwNzAtODAwYWRiNWFhYzRlIiwicnNuYW1lIjoid29ya2Zsb3cifSx7InJzaWQiOiIxYjZjMDBiNy05MTM5LTRlYWEtYWFjNy0yMDIzMWZlZTA1YTUiLCJyc25hbWUiOiJEZWZhdWx0IFJlc291cmNlIn1dfSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIn0.63dE64hNYpxQRV-M5zOrLLWt9cehJI4DcIbHia977r4",
"token_type": "Bearer",
"not-before-policy": 1618317421
}