wip: move logic from validate to success
This commit is contained in:
parent
cd738a4a6f
commit
288029fe31
2
pom.xml
2
pom.xml
@ -32,7 +32,7 @@
|
|||||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||||
<maven.compiler.source>17</maven.compiler.source>
|
<maven.compiler.source>17</maven.compiler.source>
|
||||||
<maven.compiler.target>17</maven.compiler.target>
|
<maven.compiler.target>17</maven.compiler.target>
|
||||||
<keycloak.version>22.0.0</keycloak.version>
|
<keycloak.version>23.0.0</keycloak.version>
|
||||||
</properties>
|
</properties>
|
||||||
|
|
||||||
<dependencies>
|
<dependencies>
|
||||||
|
|||||||
@ -1,20 +1,24 @@
|
|||||||
package com.github.thomasdarimont.keycloak.auth;
|
package com.github.thomasdarimont.keycloak.auth;
|
||||||
//
|
//
|
||||||
import org.jboss.logging.Logger;
|
import org.jboss.logging.Logger;
|
||||||
|
import org.keycloak.authentication.AuthenticationFlowError;
|
||||||
|
import org.keycloak.authentication.AuthenticationFlowException;
|
||||||
import org.keycloak.authentication.FormAction;
|
import org.keycloak.authentication.FormAction;
|
||||||
import org.keycloak.authentication.ValidationContext;
|
import org.keycloak.authentication.ValidationContext;
|
||||||
import org.keycloak.authentication.forms.RegistrationPage;
|
import org.keycloak.authentication.forms.RegistrationPage;
|
||||||
import org.keycloak.authentication.forms.RegistrationProfile;
|
|
||||||
import org.keycloak.events.Details;
|
import org.keycloak.events.Details;
|
||||||
import org.keycloak.events.Errors;
|
import org.keycloak.events.Errors;
|
||||||
|
import org.keycloak.events.EventType;
|
||||||
import org.keycloak.models.AuthenticatorConfigModel;
|
import org.keycloak.models.AuthenticatorConfigModel;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserModel;
|
import org.keycloak.models.UserModel;
|
||||||
import org.keycloak.models.utils.FormMessage;
|
import org.keycloak.models.utils.FormMessage;
|
||||||
import org.keycloak.provider.ProviderConfigProperty;
|
import org.keycloak.provider.ProviderConfigProperty;
|
||||||
|
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||||
import org.keycloak.services.messages.Messages;
|
import org.keycloak.services.messages.Messages;
|
||||||
import org.keycloak.services.validation.Validation;
|
import org.keycloak.services.validation.Validation;
|
||||||
|
import org.keycloak.userprofile.UserProfile;
|
||||||
|
|
||||||
import jakarta.ws.rs.core.MultivaluedMap;
|
import jakarta.ws.rs.core.MultivaluedMap;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
@ -32,143 +36,195 @@ import com.google.auto.service.AutoService;
|
|||||||
|
|
||||||
@AutoService(FormActionFactory.class)
|
@AutoService(FormActionFactory.class)
|
||||||
public class RegistrationProfileDomainValidation extends RegistrationUserCreation {
|
public class RegistrationProfileDomainValidation extends RegistrationUserCreation {
|
||||||
protected static final Logger logger = Logger.getLogger(RegistrationProfileDomainValidation.class);
|
protected static final Logger logger = Logger.getLogger(RegistrationProfileDomainValidation.class);
|
||||||
|
|
||||||
protected static final String DEFAULT_DOMAIN_LIST = "example.org";
|
protected static final String DEFAULT_DOMAIN_LIST = "example.org";
|
||||||
protected static final String DOMAIN_LIST_SEPARATOR = "##";
|
protected static final String DOMAIN_LIST_SEPARATOR = "##";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean isConfigurable() {
|
public boolean isConfigurable() {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected static final boolean globmatches(String text, String glob) {
|
protected static final boolean globmatches(String text, String glob) {
|
||||||
if (text.length() > 200) {
|
if (text.length() > 200) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
String rest = null;
|
String rest = null;
|
||||||
int pos = glob.indexOf('*');
|
int pos = glob.indexOf('*');
|
||||||
if (pos != -1) {
|
if (pos != -1) {
|
||||||
rest = glob.substring(pos + 1);
|
rest = glob.substring(pos + 1);
|
||||||
glob = glob.substring(0, pos);
|
glob = glob.substring(0, pos);
|
||||||
}
|
}
|
||||||
|
if (glob.length() > text.length())
|
||||||
|
return false;
|
||||||
|
// handle the part up to the first *
|
||||||
|
for (int i = 0; i < glob.length(); i++)
|
||||||
|
if (glob.charAt(i) != '?'
|
||||||
|
&& !glob.substring(i, i + 1).equalsIgnoreCase(text.substring(i, i + 1)))
|
||||||
|
return false;
|
||||||
|
|
||||||
if (glob.length() > text.length())
|
// recurse for the part after the first *, if any
|
||||||
return false;
|
if (rest == null) {
|
||||||
|
return glob.length() == text.length();
|
||||||
// handle the part up to the first *
|
} else {
|
||||||
for (int i = 0; i < glob.length(); i++)
|
for (int i = glob.length(); i <= text.length(); i++) {
|
||||||
if (glob.charAt(i) != '?'
|
if (globmatches(text.substring(i), rest))
|
||||||
&& !glob.substring(i, i + 1).equalsIgnoreCase(text.substring(i, i + 1)))
|
return true;
|
||||||
return false;
|
|
||||||
|
|
||||||
// recurse for the part after the first *, if any
|
|
||||||
if (rest == null) {
|
|
||||||
return glob.length() == text.length();
|
|
||||||
} else {
|
|
||||||
for (int i = glob.length(); i <= text.length(); i++) {
|
|
||||||
if (globmatches(text.substring(i), rest))
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void validate(ValidationContext context) {
|
|
||||||
MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
|
|
||||||
|
|
||||||
List<FormMessage> errors = new ArrayList<>();
|
|
||||||
String email = formData.getFirst(Validation.FIELD_EMAIL);
|
|
||||||
|
|
||||||
AuthenticatorConfigModel mailDomainConfig = context.getAuthenticatorConfig();
|
|
||||||
String eventError = Errors.INVALID_REGISTRATION;
|
|
||||||
|
|
||||||
if(email == null){
|
|
||||||
context.getEvent().detail(Details.EMAIL, email);
|
|
||||||
errors.add(new FormMessage(RegistrationPage.FIELD_EMAIL, Messages.INVALID_EMAIL));
|
|
||||||
context.error(eventError);
|
|
||||||
context.validationError(formData, errors);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
String[] domainList = getDomainList(mailDomainConfig);
|
|
||||||
|
|
||||||
boolean emailDomainValid = isEmailValid(email, domainList);
|
|
||||||
|
|
||||||
if (!emailDomainValid) {
|
|
||||||
super.success(context);
|
|
||||||
KeycloakSession session = context.getSession();
|
|
||||||
RealmModel realm = context.getRealm();
|
|
||||||
UserModel user = context.getUser();
|
|
||||||
user.addRequiredAction("USER_MUST_BE_APPROVED");
|
|
||||||
setRequiredActions(session, realm, user);
|
|
||||||
|
|
||||||
}
|
|
||||||
if (errors.size() > 0) {
|
|
||||||
context.error(eventError);
|
|
||||||
context.validationError(formData, errors);
|
|
||||||
} else {
|
|
||||||
context.success();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public String[] getDomainList(AuthenticatorConfigModel mailDomainConfig) {
|
|
||||||
return mailDomainConfig.getConfig().getOrDefault(domainListConfigName, DEFAULT_DOMAIN_LIST).split(DOMAIN_LIST_SEPARATOR);
|
|
||||||
}
|
|
||||||
|
|
||||||
public boolean isEmailValid(String email, String[] domains) {
|
|
||||||
for (String domain : domains) {
|
|
||||||
if (email.endsWith("@" + domain) || email.equals(domain) || globmatches(email, "*@" + domain)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void success(FormContext context) {
|
||||||
|
|
||||||
|
if (context.getUser() != null) {
|
||||||
|
// the user probably did some back navigation in the browser, hitting this page in a strange state
|
||||||
|
context.getEvent().detail(Details.EXISTING_USER, context.getUser().getUsername());
|
||||||
|
throw new AuthenticationFlowException(AuthenticationFlowError.GENERIC_AUTHENTICATION_ERROR, Errors.DIFFERENT_USER_AUTHENTICATING, Messages.EXPIRED_ACTION);
|
||||||
|
}
|
||||||
|
|
||||||
|
MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
|
||||||
|
|
||||||
|
String email = formData.getFirst(UserModel.EMAIL);
|
||||||
|
String username = formData.getFirst(UserModel.USERNAME);
|
||||||
|
|
||||||
|
if (context.getRealm().isRegistrationEmailAsUsername()) {
|
||||||
|
username = email;
|
||||||
|
}
|
||||||
|
// get the allowlist of mail domains
|
||||||
|
AuthenticatorConfigModel mailDomainConfig = context.getAuthenticatorConfig();
|
||||||
|
String eventError = Errors.INVALID_REGISTRATION;
|
||||||
|
|
||||||
|
String[] domainList = getDomainList(mailDomainConfig);
|
||||||
|
|
||||||
|
boolean emailDomainValid = isEmailValid(email, domainList);
|
||||||
|
|
||||||
|
context.getEvent().detail(Details.USERNAME, username).detail(Details.REGISTER_METHOD, "form").detail(Details.EMAIL, email);
|
||||||
|
|
||||||
|
UserProfile profile = getOrCreateUserProfile(context, formData);
|
||||||
|
UserModel user = profile.create();
|
||||||
|
if (!emailDomainValid)
|
||||||
|
user.addRequiredAction("USER_MUST_BE_APPROVED");
|
||||||
|
|
||||||
|
user.setEnabled(true);
|
||||||
|
|
||||||
|
context.setUser(user);
|
||||||
|
|
||||||
|
if (!emailDomainValid) {
|
||||||
|
user.addRequiredAction("USER_MUST_BE_APPROVED");
|
||||||
|
}
|
||||||
|
context.getAuthenticationSession().setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, username);
|
||||||
|
|
||||||
|
context.getEvent().user(user);
|
||||||
|
context.getEvent().success();
|
||||||
|
context.newEvent().event(EventType.LOGIN);
|
||||||
|
context.getEvent().client(context.getAuthenticationSession().getClient().getClientId())
|
||||||
|
.detail(Details.REDIRECT_URI, context.getAuthenticationSession().getRedirectUri())
|
||||||
|
.detail(Details.AUTH_METHOD, context.getAuthenticationSession().getProtocol());
|
||||||
|
String authType = context.getAuthenticationSession().getAuthNote(Details.AUTH_TYPE);
|
||||||
|
if (authType != null) {
|
||||||
|
context.getEvent().detail(Details.AUTH_TYPE, authType);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* @Override
|
||||||
|
public void validate(ValidationContext context) {
|
||||||
|
MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
|
||||||
|
|
||||||
|
List<FormMessage> errors = new ArrayList<>();
|
||||||
|
String email = formData.getFirst(Validation.FIELD_EMAIL);
|
||||||
|
|
||||||
|
AuthenticatorConfigModel mailDomainConfig = context.getAuthenticatorConfig();
|
||||||
|
String eventError = Errors.INVALID_REGISTRATION;
|
||||||
|
|
||||||
|
if(email == null){
|
||||||
|
context.getEvent().detail(Details.EMAIL, email);
|
||||||
|
errors.add(new FormMessage(RegistrationPage.FIELD_EMAIL, Messages.INVALID_EMAIL));
|
||||||
|
context.error(eventError);
|
||||||
|
context.validationError(formData, errors);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
String[] domainList = getDomainList(mailDomainConfig);
|
||||||
|
|
||||||
|
boolean emailDomainValid = isEmailValid(email, domainList);
|
||||||
|
|
||||||
|
if (!emailDomainValid) {
|
||||||
|
super.success(context);
|
||||||
|
KeycloakSession session = context.getSession();
|
||||||
|
RealmModel realm = context.getRealm();
|
||||||
|
UserModel user = context.getUser();
|
||||||
|
user.addRequiredAction("USER_MUST_BE_APPROVED");
|
||||||
|
setRequiredActions(session, realm, user);
|
||||||
|
|
||||||
|
}
|
||||||
|
if (errors.size() > 0) {
|
||||||
|
context.error(eventError);
|
||||||
|
context.validationError(formData, errors);
|
||||||
|
} else {
|
||||||
|
context.success();
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
public String[] getDomainList(AuthenticatorConfigModel mailDomainConfig) {
|
||||||
|
return mailDomainConfig.getConfig().getOrDefault(domainListConfigName, DEFAULT_DOMAIN_LIST).split(DOMAIN_LIST_SEPARATOR);
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean isEmailValid(String email, String[] domains) {
|
||||||
|
for (String domain : domains) {
|
||||||
|
if (email.endsWith("@" + domain) || email.equals(domain) || globmatches(email, "*@" + domain)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
public static final String PROVIDER_ID = "registration-mail-check-action";
|
public static final String PROVIDER_ID = "registration-mail-check-action";
|
||||||
|
|
||||||
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();
|
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();
|
||||||
|
|
||||||
public static String domainListConfigName = "validDomains";
|
public static String domainListConfigName = "validDomains";
|
||||||
|
|
||||||
static {
|
static {
|
||||||
ProviderConfigProperty property;
|
ProviderConfigProperty property;
|
||||||
property = new ProviderConfigProperty();
|
property = new ProviderConfigProperty();
|
||||||
property.setName(domainListConfigName);
|
property.setName(domainListConfigName);
|
||||||
property.setLabel("Valid domains for emails");
|
property.setLabel("Valid domains for emails");
|
||||||
property.setType(ProviderConfigProperty.STRING_TYPE);
|
property.setType(ProviderConfigProperty.STRING_TYPE);
|
||||||
property.setHelpText("List mail domains authorized to register, separated by '##'");
|
property.setHelpText("List mail domains authorized to register, separated by '##'");
|
||||||
CONFIG_PROPERTIES.add(property);
|
CONFIG_PROPERTIES.add(property);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getDisplayType() {
|
public String getDisplayType() {
|
||||||
return "Profile Validation with email domain check";
|
return "Profile Validation with email domain check";
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getId() {
|
public String getId() {
|
||||||
return PROVIDER_ID;
|
return PROVIDER_ID;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getHelpText() {
|
public String getHelpText() {
|
||||||
return "Adds validation of domain emails for registration";
|
return "Adds validation of domain emails for registration";
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public List<ProviderConfigProperty> getConfigProperties() {
|
public List<ProviderConfigProperty> getConfigProperties() {
|
||||||
return CONFIG_PROPERTIES;
|
return CONFIG_PROPERTIES;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void buildPage(FormContext context, LoginFormsProvider form) {
|
public void buildPage(FormContext context, LoginFormsProvider form) {
|
||||||
List<String> authorizedMailDomains = Arrays.asList(
|
List<String> authorizedMailDomains = Arrays.asList(
|
||||||
context.getAuthenticatorConfig().getConfig().getOrDefault(domainListConfigName,DEFAULT_DOMAIN_LIST).split(DOMAIN_LIST_SEPARATOR));
|
context.getAuthenticatorConfig().getConfig().getOrDefault(domainListConfigName,DEFAULT_DOMAIN_LIST).split(DOMAIN_LIST_SEPARATOR));
|
||||||
form.setAttribute("authorizedMailDomains", authorizedMailDomains);
|
form.setAttribute("authorizedMailDomains", authorizedMailDomains);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user