KEYCLOAK-3373 Remove SAML IdP descriptor from client installation and…

… publicize it in realm endpoint instead
keycloak · Mar 19, 2019 · 1c906c8 · 1c906c8
1 parent a868b8b
commit 1c906c8
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 189 deletions.
diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java
@@ -37,7 +37,6 @@
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.events.EventType;
-import org.keycloak.keys.RsaKeyMetadata;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeyManager;
@@ -80,13 +79,18 @@
 import java.util.Set;
 import java.util.TreeSet;
 import org.keycloak.common.util.StringPropertyReplacer;
+import org.keycloak.crypto.Algorithm;
+import org.keycloak.crypto.KeyUse;
+import org.keycloak.crypto.KeyWrapper;
 import org.keycloak.dom.saml.v2.metadata.KeyTypes;
 import org.keycloak.rotation.HardcodedKeyLocator;
 import org.keycloak.rotation.KeyLocator;
 import org.keycloak.saml.SPMetadataDescriptor;
 import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
 import org.keycloak.saml.validators.DestinationValidator;
 import org.keycloak.sessions.AuthenticationSessionModel;
+import java.nio.charset.StandardCharsets;
+import java.util.logging.Level;
 
 /**
  * Resource class for the saml connect token service
@@ -590,27 +594,33 @@ public String getDescriptor() throws Exception {
 
     }
 
-    public static String getIDPMetadataDescriptor(UriInfo uriInfo, KeycloakSession session, RealmModel realm) throws IOException {
+    public static String getIDPMetadataDescriptor(UriInfo uriInfo, KeycloakSession session, RealmModel realm) {
         InputStream is = SamlService.class.getResourceAsStream("/idp-metadata-template.xml");
-        String template = StreamUtil.readString(is);
+        String template;
+        try {
+            template = StreamUtil.readString(is, StandardCharsets.UTF_8);
+        } catch (IOException ex) {
+            logger.error("Cannot generate IdP metadata", ex);
+            return "";
+        }
         Properties props = new Properties();
         props.put("idp.entityID", RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString());
         props.put("idp.sso.HTTP-POST", RealmsResource.protocolUrl(uriInfo).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString());
         props.put("idp.sso.HTTP-Redirect", RealmsResource.protocolUrl(uriInfo).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString());
         props.put("idp.sls.HTTP-POST", RealmsResource.protocolUrl(uriInfo).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString());
         StringBuilder keysString = new StringBuilder();
-        Set<RsaKeyMetadata> keys = new TreeSet<>((o1, o2) -> o1.getStatus() == o2.getStatus() // Status can be only PASSIVE OR ACTIVE, push PASSIVE to end of list
+        Set<KeyWrapper> keys = new TreeSet<>((o1, o2) -> o1.getStatus() == o2.getStatus() // Status can be only PASSIVE OR ACTIVE, push PASSIVE to end of list
           ? (int) (o2.getProviderPriority() - o1.getProviderPriority())
           : (o1.getStatus() == KeyStatus.PASSIVE ? 1 : -1));
-        keys.addAll(session.keys().getRsaKeys(realm));
+        keys.addAll(session.keys().getKeys(realm, KeyUse.SIG, Algorithm.RS256));
-        for (RsaKeyMetadata key : keys) {
+        for (KeyWrapper key : keys) {
             addKeyInfo(keysString, key, KeyTypes.SIGNING.value());
         }
         props.put("idp.signing.certificates", keysString.toString());
         return StringPropertyReplacer.replaceProperties(template, props);
     }
 
-    private static void addKeyInfo(StringBuilder target, RsaKeyMetadata key, String purpose) {
+    private static void addKeyInfo(StringBuilder target, KeyWrapper key, String purpose) {
         if (key == null) {
             return;
         }

diff --git a/...rc/main/java/org/keycloak/protocol/saml/installation/ModAuthMellonClientInstallation.java b/...rc/main/java/org/keycloak/protocol/saml/installation/ModAuthMellonClientInstallation.java
@@ -26,6 +26,7 @@
 import org.keycloak.protocol.saml.SamlClient;
 import org.keycloak.protocol.saml.SamlProtocol;
 
+import org.keycloak.protocol.saml.SamlService;
 import javax.ws.rs.core.Response;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -43,7 +44,7 @@ public Response generateInstallation(KeycloakSession session, RealmModel realm,
         SamlClient samlClient = new SamlClient(client);
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         ZipOutputStream zip = new ZipOutputStream(baos);
-        String idpDescriptor = SamlIDPDescriptorClientInstallation.getIDPDescriptorForClient(session, realm, client, serverBaseUri);
+        String idpDescriptor = SamlService.getIDPMetadataDescriptor(session.getContext().getUri(), session, realm);
         String spDescriptor = SamlSPDescriptorClientInstallation.getSPDescriptorForClient(client);
         String clientDirName = client.getClientId()
                 .replace('/', '_')

diff --git a/...ain/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java b/...ain/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java
diff --git a/...ces/src/main/resources/META-INF/services/org.keycloak.protocol.ClientInstallationProvider b/...ces/src/main/resources/META-INF/services/org.keycloak.protocol.ClientInstallationProvider
@@ -19,7 +19,6 @@ org.keycloak.protocol.oidc.installation.KeycloakOIDCClientInstallation
 org.keycloak.protocol.oidc.installation.KeycloakOIDCJbossSubsystemClientInstallation
 org.keycloak.protocol.saml.installation.KeycloakSamlClientInstallation
 org.keycloak.protocol.saml.installation.SamlSPDescriptorClientInstallation
-org.keycloak.protocol.saml.installation.SamlIDPDescriptorClientInstallation
 org.keycloak.protocol.saml.installation.ModAuthMellonClientInstallation
 org.keycloak.protocol.saml.installation.KeycloakSamlSubsystemInstallation
 org.keycloak.protocol.docker.installation.DockerVariableOverrideInstallationProvider

diff --git a/...illian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/InstallationTest.java b/...illian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/InstallationTest.java
@@ -27,6 +27,7 @@
 import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.util.AdminEventPaths;
 
+import javax.ws.rs.NotFoundException;
 import static org.junit.Assert.assertThat;
 import static org.hamcrest.Matchers.*;
 
@@ -139,13 +140,9 @@ private void assertOidcInstallationConfig(String config) {
         assertThat(config, containsString(authServerUrl()));
     }
 
-    @Test
+    @Test(expected = NotFoundException.class)
     public void testSamlMetadataIdpDescriptor() {
-        String xml = samlClient.getInstallationProvider("saml-idp-descriptor");
+        samlClient.getInstallationProvider("saml-idp-descriptor");
-        assertThat(xml, containsString("<EntityDescriptor"));
-        assertThat(xml, containsString("<IDPSSODescriptor"));
-        assertThat(xml, containsString(ApiUtil.findActiveKey(testRealmResource()).getCertificate()));
-        assertThat(xml, containsString(samlUrl()));
     }
 
     @Test

diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -24,7 +24,9 @@ endpoints=Endpoints
 
 # Realm settings
 realm-detail.enabled.tooltip=Users and clients can only access a realm if it's enabled
-realm-detail.oidc-endpoints.tooltip=Shows the configuration of the OpenID Connect endpoints
+realm-detail.protocol-endpoints.tooltip=Shows the configuration of the protocol endpoints
+realm-detail.protocol-endpoints.oidc=OpenID Endpoint Configuration
+realm-detail.protocol-endpoints.saml=SAML 2.0 Identity Provider Metadata
 realm-detail.userManagedAccess.tooltip=If enabled, users are allowed to manage their resources and permissions using the Account Management Console.
 userManagedAccess=User-Managed Access
 registrationAllowed=User registration

diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/realm-detail.html b/themes/src/main/resources/theme/base/admin/resources/partials/realm-detail.html
@@ -50,9 +50,11 @@
             <div class="form-group">
                 <label class="col-md-2 control-label">{{:: 'endpoints' | translate}}</label>
                 <div class="col-md-6">
-                    <a class="form-control" ng-href="{{authUrl}}/realms/{{realm.realm}}/.well-known/openid-configuration" target="_blank">OpenID Endpoint Configuration</a>
+                    <a class="form-control" ng-href="{{authUrl}}/realms/{{realm.realm}}/.well-known/openid-configuration" target="_blank">{{:: 'realm-detail.protocol-endpoints.oidc' | translate}}</a>
+
+                    <a class="form-control" ng-href="{{authUrl}}/realms/{{realm.realm}}/protocol/saml/descriptor" target="_blank">{{:: 'realm-detail.protocol-endpoints.saml' | translate}}</a>
                 </div>
-                <kc-tooltip>{{:: 'realm-detail.oidc-endpoints.tooltip' | translate}}</kc-tooltip>
+                <kc-tooltip>{{:: 'realm-detail.protocol-endpoints.tooltip' | translate}}</kc-tooltip>
             </div>
 
             <div class="form-group">