-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add user-enabled-authenticator * Use OpenJDK 21 and bump version * Add CSM Authenticator and Authorization Authenticator * Include version in jar name * Make name shorter * Replace getAttribute with getFirstAttribute
- Loading branch information
Showing
7 changed files
with
87 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError"); | ||
|
|
||
| function authenticate(context) { | ||
|
|
||
| if (!authenticationSession.getClient()) { | ||
| context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND); | ||
| return; | ||
| } | ||
| var client = authenticationSession.getClient().getClientId(); | ||
| LOG.info(script.name + " evalute authorization for user=" + user.username + " client=" + client); | ||
| /* | ||
| Use employeeStatus verification for service-now which allows some disabled | ||
| states to still authenticate. | ||
| Also allow class-dev for testing purposes. | ||
| */ | ||
| if (client && (client.contains("service-now") || client.contains("class-dev"))) { | ||
| var allowed = /(REQAPPROVAL|ACTIVE|WEBONLY|RESTRICTED)/; | ||
| var employeeStatus = user.getFirstAttribute("employeeStatus"); | ||
| if (employeeStatus && !allowed.test(employeeStatus)) { | ||
| context.failure(AuthenticationFlowError.INVALID_USER); | ||
| return; | ||
| } | ||
| } else { | ||
| /* | ||
| All other clients will authorize if the user account is not disabled or locked | ||
| */ | ||
| if (user.getFirstAttribute("nsAccountLock") == "TRUE" || user.getFirstAttribute("loginDisabled") == "TRUE") { | ||
| context.failure(AuthenticationFlowError.INVALID_USER); | ||
| return; | ||
| } | ||
| } | ||
|
|
||
| context.success(); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,6 @@ | ||
| FROM rockylinux:8 | ||
| RUN dnf -y install java-17-openjdk-devel maven && yum clean all && rm -rf /var/cache/yum/* | ||
| RUN alternatives --set java $(alternatives --display java | grep 'family java-17-openjdk' | cut -d' ' -f1) | ||
| RUN alternatives --set javac $(alternatives --display javac | grep 'family java-17-openjdk' | cut -d' ' -f1) | ||
| RUN dnf -y install java-21-openjdk-devel maven && yum clean all && rm -rf /var/cache/yum/* | ||
| RUN alternatives --set java $(alternatives --display java | grep 'family java-21-openjdk' | cut -d' ' -f1) | ||
| RUN alternatives --set javac $(alternatives --display javac | grep 'family java-21-openjdk' | cut -d' ' -f1) | ||
| RUN mkdir /build | ||
| ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError"); | ||
|
|
||
| function authenticate(context) { | ||
|
|
||
| LOG.info(script.name + " --> trace auth for: " + user.username); | ||
|
|
||
| const allowed = /(REQAPPROVAL|ACTIVE|WEBONLY|RESTRICTED)/; | ||
| if (user.getFirstAttribute("employeeStatus") && allowed.test(user.getFirstAttribute("employeeStatus"))) { | ||
| context.success(); | ||
| } else { | ||
| context.failure(AuthenticationFlowError.INVALID_USER); | ||
| return; | ||
| } | ||
|
|
||
| context.success(); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError"); | ||
|
|
||
| function authenticate(context) { | ||
|
|
||
| LOG.info(script.name + " --> trace auth for: " + user.username); | ||
|
|
||
| if (user.getFirstAttribute("nsAccountLock") == "TRUE" || user.getFirstAttribute("loginDisabled") == "TRUE") { | ||
| context.failure(AuthenticationFlowError.INVALID_USER); | ||
| return; | ||
| } | ||
|
|
||
| context.success(); | ||
| } |