Move exclude of OIDCKeycloak.js to mapping instead of Filter class

6.19.x
Sergii Leshchenko 2018-08-23 16:55:47 +03:00
parent 2c755f2b1d
commit 2c7bfd4ff9
5 changed files with 21 additions and 25 deletions


@ -17,7 +17,6 @@ import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
@ -31,11 +30,7 @@ public abstract class AbstractKeycloakFilter implements Filter {
@Inject protected JwtParser jwtParser;
/** when a request came from a machine with valid token then auth is not required */
boolean shouldSkipAuthentication(HttpServletRequest request, String token) {
if (token == null) {
return request.getRequestURI() != null
&& request.getRequestURI().endsWith("api/keycloak/OIDCKeycloak.js");
}
boolean shouldSkipAuthentication(String token) {
try {
jwtParser.parse(token);
return false;
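Review bot: The new `shouldSkipAuthentication(String token)` drops the explicit null-token guard and hands `token` straight to `jwtParser.parse(token)`, so whether a request without a token still yields `false` now depends on the catch clauses below the hunk (the method body continues outside it) covering whatever the real parser throws for a null argument. The updated unit test passes because its Mockito `jwtParser` returns null from `parse(null)` without throwing, which does not exercise that path. I would keep an explicit guard as the first statement, `if (token == null) { return false; }`, so a missing token is always routed to normal authentication rather than relying on exception handling, and extend the Javadoc on the method with one sentence stating that a null token never skips authentication.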


@ -52,7 +52,7 @@ public class KeycloakAuthenticationFilter extends AbstractKeycloakFilter {
Jws<Claims> jwt;
try {
if (shouldSkipAuthentication(request, token)) {
if (shouldSkipAuthentication(token)) {
chain.doFilter(req, res);
return;
}


@ -68,7 +68,7 @@ public class KeycloakEnvironmentInitalizationFilter extends AbstractKeycloakFilt
final HttpServletRequest httpRequest = (HttpServletRequest) request;
final String token = tokenExtractor.getToken(httpRequest);
if (shouldSkipAuthentication(httpRequest, token)) {
if (shouldSkipAuthentication(token)) {
filterChain.doFilter(request, response);
return;
}


@ -19,18 +19,25 @@ import org.eclipse.che.multiuser.keycloak.server.KeycloakEnvironmentInitalizatio
import org.eclipse.che.multiuser.keycloak.server.UnavailableResourceInMultiUserFilter;
public class KeycloakServletModule extends ServletModule {
private static final String KEYCLOAK_FILTER_PATHS =
"^"
// not equals to /keycloak/OIDCKeycloak.js
+ "(?!/keycloak/OIDCKeycloak.js)"
// not contains /docs/ (for swagger)
+ "(?!.*(/docs/))"
// not ends with '/oauth/callback/' or '/keycloak/settings/' or '/system/state'
+ "(?!.*(/keycloak/settings/?|/oauth/callback/?|/system/state/?)$)"
// all other
+ ".*";
@Override
protected void configureServlets() {
bind(KeycloakAuthenticationFilter.class).in(Singleton.class);
// Not contains /docs/ (for swagger) and not ends with '/oauth/callback/' or
// '/keycloak/settings/' or '/system/state'
filterRegex("^(?!.*(/docs/))(?!.*(/keycloak/settings/?|/oauth/callback/?|/system/state/?)$).*")
.through(KeycloakAuthenticationFilter.class);
filterRegex("^(?!.*(/docs/))(?!.*(/keycloak/settings/?|/oauth/callback/?|/system/state/?)$).*")
.through(KeycloakEnvironmentInitalizationFilter.class);
filterRegex("^(?!.*(/docs/))(?!.*(/keycloak/settings/?|/api/oauth/callback/?)$).*")
.through(IdentityIdLoggerFilter.class);
filterRegex(KEYCLOAK_FILTER_PATHS).through(KeycloakAuthenticationFilter.class);
filterRegex(KEYCLOAK_FILTER_PATHS).through(KeycloakEnvironmentInitalizationFilter.class);
filterRegex(KEYCLOAK_FILTER_PATHS).through(IdentityIdLoggerFilter.class);
// Ban change password (POST /user/password) and create a user (POST /user/) methods
// but not remove user (DELETE /user/{USER_ID}
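Review bot: The comment `// not equals to /keycloak/OIDCKeycloak.js` does not describe what the lookahead on the next line does: `(?!/keycloak/OIDCKeycloak.js)` is an unanchored prefix test with an unescaped `.`, so any path that merely starts with that string is excluded from all three filters, including KeycloakAuthenticationFilter. Because this constant decides which requests bypass authentication entirely, the exemption should be exactly as wide as the one static resource it is meant for: `+ "(?!/keycloak/OIDCKeycloak\\.js$)"`. Separately, IdentityIdLoggerFilter previously excluded `/api/oauth/callback/?` and now shares the common `/oauth/callback/?` pattern; if that widening is intended, a sentence in the comment above the constant would save the next reader from wondering. `configureServlets` continues outside the hunk.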


@ -49,28 +49,22 @@ public class AbstractKeycloakFilterTest {
when(request.getRequestURI()).thenReturn(null);
}
@Test
public void testShouldSkipAuthWhenRetrievingOIDCKeycloakJsFile() {
when(request.getRequestURI()).thenReturn("https://localhost:8080/api/keycloak/OIDCKeycloak.js");
assertTrue(abstractKeycloakFilter.shouldSkipAuthentication(request, null));
}
@Test
public void testShouldNotSkipAuthWhenNullTokenProvided() {
assertFalse(abstractKeycloakFilter.shouldSkipAuthentication(request, null));
assertFalse(abstractKeycloakFilter.shouldSkipAuthentication(null));
}
@Test
public void testShouldNotSkipAuthWhenProvidedTokenIsNotMachine() {
Jwt mock = Mockito.mock(Jwt.class);
doReturn(mock).when(jwtParser).parse(anyString());
assertFalse(abstractKeycloakFilter.shouldSkipAuthentication(request, "token"));
assertFalse(abstractKeycloakFilter.shouldSkipAuthentication("token"));
}
@Test
public void testAuthIsNotNeededWhenMachineTokenProvided() {
when(jwtParser.parse(anyString())).thenThrow(MachineTokenJwtException.class);
assertTrue(abstractKeycloakFilter.shouldSkipAuthentication(request, "token"));
assertTrue(abstractKeycloakFilter.shouldSkipAuthentication("token"));
}
static class TestLoginFilter extends AbstractKeycloakFilter {
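Review bot: With the `request` argument removed from `shouldSkipAuthentication`, the `when(request.getRequestURI()).thenReturn(null);` stub left in the setup method (which starts outside the hunk) no longer affects any test here and can be dropped, together with the `request` mock if nothing else in the class uses it. The deleted `testShouldSkipAuthWhenRetrievingOIDCKeycloakJsFile` was the only coverage of the OIDCKeycloak.js exemption, and the behaviour it checked now lives in the private `KEYCLOAK_FILTER_PATHS` regex in KeycloakServletModule with no replacement test. Making that constant package-private and adding a test that asserts the compiled pattern does not match `/keycloak/OIDCKeycloak.js` but does match an ordinary API path would keep the exemption from silently widening in later edits.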