add ChoiceAuthenticator and Enhanced Conditional Role Authenticator, some refactoring

Author: instipod

src/main/java/com/instipod/keycloakauthenticators/ChoiceAuthenticator.java

@@ -0,0 +1,78 @@
+package com.instipod.keycloakauthenticators;
+
+import org.jboss.logging.Logger;
+import org.keycloak.authentication.AuthenticationFlowContext;
+import org.keycloak.authentication.AuthenticationFlowError;
+import org.keycloak.forms.login.LoginFormsProvider;
+import org.keycloak.models.AuthenticatorConfigModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+
+public class ChoiceAuthenticator implements org.keycloak.authentication.Authenticator {
+    public static final ChoiceAuthenticator SINGLETON = new ChoiceAuthenticator();
+
+    @Override
+    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
+        LoginFormsProvider form = authenticationFlowContext.form();
+        Response response = form.createForm(ChoiceAuthenticatorFactory.CHOICE_FILE);
+        authenticationFlowContext.challenge(response);
+    }
+
+    @Override
+    public void action(AuthenticationFlowContext authenticationFlowContext) {
+        AuthenticatorConfigModel authConfig = authenticationFlowContext.getAuthenticatorConfig();
+        MultivaluedMap<String, String> formData = authenticationFlowContext.getHttpRequest().getDecodedFormParameters();
+
+        if (authConfig==null || authConfig.getConfig()==null) {
+            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR);
+            return;
+        }
+
+        String noteName = authConfig.getConfig().get(ChoiceAuthenticatorFactory.NOTE_NAME);
+
+        if (noteName.length() == 0) {
+            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR);
+            return;
+        }
+
+        if (!formData.containsKey("choice")) {
+            //no choice returned
+            LoginFormsProvider form = authenticationFlowContext.form();
+            form.setError("You must make a selection to continue.");
+            Response response = form.createForm(ChoiceAuthenticatorFactory.CHOICE_FILE);
+            authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, response);
+        } else {
+            //choice returned
+            String choice = formData.getFirst("choice");
+            //remove any nonalphanumeric characters
+            choice = choice.replaceAll("[^a-zA-Z0-9]", "");
+
+            authenticationFlowContext.getAuthenticationSession().setAuthNote(noteName, choice);
+            authenticationFlowContext.success();
+        }
+    }
+
+    @Override
+    public boolean requiresUser() {
+        return false;
+    }
+
+    @Override
+    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
+        return true;
+    }
+
+    @Override
+    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
+
+    }
+
+    @Override
+    public void close() {
+
+    }
+}

src/main/java/com/instipod/keycloakauthenticators/ChoiceAuthenticatorFactory.java

@@ -0,0 +1,90 @@
+package com.instipod.keycloakauthenticators;
+
+import org.keycloak.Config;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.models.AuthenticationExecutionModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.provider.ProviderConfigurationBuilder;
+
+import java.util.Collections;
+import java.util.List;
+
+public class ChoiceAuthenticatorFactory implements org.keycloak.authentication.AuthenticatorFactory {
+    public static final String PROVIDER_ID = "user-choice";
+    protected static final String NOTE_NAME = "choiceNoteName";
+    protected static final String CHOICE_FILE = "user-choice.ftl";
+    private static List<ProviderConfigProperty> commonConfig;
+
+    static {
+        commonConfig = Collections.unmodifiableList(ProviderConfigurationBuilder.create()
+                .property().name(NOTE_NAME).label("Note Name").helpText("Note to store the users choice in").type(ProviderConfigProperty.STRING_TYPE).add()
+                .build()
+        );
+    }
+
+    @Override
+    public String getDisplayType() {
+        return "User Choice";
+    }
+
+    @Override
+    public String getReferenceCategory() {
+        return "generic";
+    }
+
+    @Override
+    public boolean isConfigurable() {
+        return true;
+    }
+
+    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
+            AuthenticationExecutionModel.Requirement.REQUIRED, AuthenticationExecutionModel.Requirement.DISABLED
+    };
+
+    @Override
+    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
+        return REQUIREMENT_CHOICES;
+    }
+
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+    @Override
+    public String getHelpText() {
+        return "Shows a template to the user to make a choice, stores choice in selected note";
+    }
+
+    @Override
+    public List<ProviderConfigProperty> getConfigProperties() {
+        return commonConfig;
+    }
+
+    @Override
+    public Authenticator create(KeycloakSession keycloakSession) {
+        return ChoiceAuthenticator.SINGLETON;
+    }
+
+    @Override
+    public void init(Config.Scope scope) {
+        //noop
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
+        //noop
+    }
+
+    @Override
+    public void close() {
+        //noop
+    }
+
+    @Override
+    public String getId() {
+        return PROVIDER_ID;
+    }
+}

src/main/java/com/instipod/keycloakauthenticators/ConditionalRoleEnhancedAuthenticator.java

@@ -0,0 +1,55 @@
+package com.instipod.keycloakauthenticators;
+
+import com.instipod.keycloakauthenticators.utils.IPAddressMatcher;
+import com.instipod.keycloakauthenticators.utils.AuthenticatorUtils;
+import org.keycloak.authentication.AuthenticationFlowContext;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.AuthenticatorConfigModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+
+public class ConditionalRoleEnhancedAuthenticator implements org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator {
+    public static final ConditionalRoleEnhancedAuthenticator SINGLETON = new ConditionalRoleEnhancedAuthenticator();
+
+    @Override
+    public boolean matchCondition(AuthenticationFlowContext context) {
+        AuthenticatorConfigModel authConfig = context.getAuthenticatorConfig();
+
+        if (authConfig!=null && authConfig.getConfig()!=null) {
+            //evaluate
+            String not = authConfig.getConfig().get(ConditionalRoleEnhancedAuthenticatorFactory.CONDITIONAL_NOT);
+            String role = authConfig.getConfig().get(ConditionalRoleEnhancedAuthenticatorFactory.CONDITIONAL_ROLE);
+            role = AuthenticatorUtils.variableReplace(context, role);
+
+            if (not.equalsIgnoreCase("true")) {
+                //does not have role
+                return !(AuthenticatorUtils.hasRole(context.getUser(), role));
+            } else {
+                //has role
+                return (AuthenticatorUtils.hasRole(context.getUser(), role));
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public void action(AuthenticationFlowContext context) {
+        // Not used
+    }
+
+    @Override
+    public boolean requiresUser() {
+        return true;
+    }
+
+    @Override
+    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
+        // Not used
+    }
+
+    @Override
+    public void close() {
+        // Does nothing
+    }
+}

src/main/java/com/instipod/keycloakauthenticators/ConditionalRoleEnhancedAuthenticatorFactory.java

@@ -0,0 +1,92 @@
+package com.instipod.keycloakauthenticators;
+
+import org.keycloak.Config.Scope;
+import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
+import org.keycloak.models.AuthenticationExecutionModel;
+import org.keycloak.models.AuthenticationExecutionModel.Requirement;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.provider.ProviderConfigurationBuilder;
+
+import java.util.Collections;
+import java.util.List;
+
+public class ConditionalRoleEnhancedAuthenticatorFactory implements org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticatorFactory {
+    public static final String PROVIDER_ID = "conditional-role-ehnd";
+    protected static final String CONDITIONAL_ROLE = "condRole";
+    protected static final String CONDITIONAL_NOT = "condNot";
+
+    private static List<ProviderConfigProperty> commonConfig;
+
+    static {
+        commonConfig = Collections.unmodifiableList(ProviderConfigurationBuilder.create()
+                .property().name(CONDITIONAL_ROLE).label("Role").helpText("Role to check for (supports variables)").type(ProviderConfigProperty.STRING_TYPE).add()
+                .property().name(CONDITIONAL_NOT).label("Not").helpText("If we should match on NOT having this role").type(ProviderConfigProperty.BOOLEAN_TYPE).add()
+                .build()
+        );
+    }
+
+    @Override
+    public void init(Scope config) {
+        // no-op
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {
+        // no-op
+    }
+
+    @Override
+    public void close() {
+        // no-op
+    }
+
+    @Override
+    public String getId() {
+        return PROVIDER_ID;
+    }
+
+    @Override
+    public String getDisplayType() {
+        return "Condition - Role (Enhanced)";
+    }
+
+    @Override
+    public String getReferenceCategory() {
+        return "condition";
+    }
+
+    @Override
+    public boolean isConfigurable() {
+        return true;
+    }
+
+    private static final Requirement[] REQUIREMENT_CHOICES = {
+            AuthenticationExecutionModel.Requirement.REQUIRED, AuthenticationExecutionModel.Requirement.DISABLED
+    };
+
+    @Override
+    public Requirement[] getRequirementChoices() {
+        return REQUIREMENT_CHOICES;
+    }
+
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+
+    @Override
+    public String getHelpText() {
+        return "Flow is executed only if user has specified role.";
+    }
+
+    @Override
+    public List<ProviderConfigProperty> getConfigProperties() {
+        return commonConfig;
+    }
+
+    @Override
+    public ConditionalAuthenticator getSingleton() {
+        return ConditionalRoleEnhancedAuthenticator.SINGLETON;
+    }
+}

src/main/java/com/instipod/keycloakauthenticators/QRCodeAuthenticator.java

@@ -64,6 +64,8 @@ public void action(AuthenticationFlowContext authenticationFlowContext) {
 
         String attributeName = authConfig.getConfig().get(QRCodeAuthenticatorFactory.QR_KEY_ATTRIBUTE);
         String qrCodeData = formData.getFirst("qrCodeData");
+        //remove all nonalphanumeric characters from data
+        qrCodeData = qrCodeData.replaceAll("[^a-zA-Z0-9]", "");
 
         if (attributeName.length() == 0) {
             logger.error("No attribute name to search was specified in QR Code Authenticator!");

src/main/java/com/instipod/keycloakauthenticators/SetNoteAuthenticator.java

@@ -1,6 +1,6 @@
 package com.instipod.keycloakauthenticators;
 
-import com.instipod.keycloakauthenticators.utils.ValueUtils;
+import com.instipod.keycloakauthenticators.utils.AuthenticatorUtils;
 import org.keycloak.authentication.AuthenticationFlowContext;
 import org.keycloak.authentication.AuthenticationFlowError;
 import org.keycloak.models.AuthenticatorConfigModel;
@@ -20,7 +20,7 @@ public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
             String noteName = authConfig.getConfig().get(SetNoteAuthenticatorFactory.NOTE_NAME);
             String noteValue = authConfig.getConfig().get(SetNoteAuthenticatorFactory.NOTE_VALUE);
 
-            noteValue = ValueUtils.variableReplace(authenticationFlowContext, noteValue);
+            noteValue = AuthenticatorUtils.variableReplace(authenticationFlowContext, noteValue);
 
             authenticationFlowContext.getAuthenticationSession().setAuthNote(noteName, noteValue);
             authenticationFlowContext.success();

src/main/java/com/instipod/keycloakauthenticators/SlackMessageAuthenticator.java

@@ -1,6 +1,6 @@
 package com.instipod.keycloakauthenticators;
 
-import com.instipod.keycloakauthenticators.utils.ValueUtils;
+import com.instipod.keycloakauthenticators.utils.AuthenticatorUtils;
 import in.ashwanthkumar.slack.webhook.Slack;
 import in.ashwanthkumar.slack.webhook.SlackMessage;
 import org.keycloak.authentication.AuthenticationFlowContext;
@@ -26,7 +26,7 @@ public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
             String isCritical = authConfig.getConfig().get(SlackMessageAuthenticatorFactory.SLACK_IS_CRITICAL);
             String webhook = authConfig.getConfig().get(SlackMessageAuthenticatorFactory.SLACK_WEBHOOK_URL);
 
-            message = ValueUtils.variableReplace(authenticationFlowContext, message);
+            message = AuthenticatorUtils.variableReplace(authenticationFlowContext, message);
 
             SlackMessage slackMessage = new SlackMessage(message);
 

src/main/java/com/instipod/keycloakauthenticators/utils/ValueUtils.java renamed to src/main/java/com/instipod/keycloakauthenticators/utils/AuthenticatorUtils.java

@@ -1,9 +1,12 @@
 package com.instipod.keycloakauthenticators.utils;
 
 import org.keycloak.authentication.AuthenticationFlowContext;
+import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 
-public class ValueUtils {
+import java.util.Set;
+
+public class AuthenticatorUtils {
     public static String variableReplace(AuthenticationFlowContext context, String message) {
         UserModel user = null;
         try {
@@ -34,4 +37,16 @@ public static String variableReplace(AuthenticationFlowContext context, String m
 
         return message;
     }
+
+    public static boolean hasRole(UserModel user, String roleName) {
+        Set<RoleModel> roles = user.getRoleMappings();
+
+        for (RoleModel role : roles) {
+            if (role.getName().equalsIgnoreCase(roleName)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }