RestPreActions.groovy 3.53 KB
import javax.servlet.http.HttpServletRequestWrapper

import org.keycloak.KeycloakSecurityContext
import org.keycloak.AuthorizationContext

import org.keycloak.representations.AccessToken
import org.keycloak.representations.IDToken
import org.keycloak.adapters.KeycloakDeployment
import org.keycloak.adapters.KeycloakDeploymentBuilder

import org.keycloak.adapters.AdapterDeploymentContext
import org.keycloak.adapters.AuthenticatedActionsHandler
import org.keycloak.adapters.KeycloakConfigResolver
import org.keycloak.adapters.NodesRegistrationManagement
import org.keycloak.adapters.PreAuthActionsHandler
import org.keycloak.adapters.spi.AuthChallenge
import org.keycloak.adapters.spi.AuthOutcome
import org.keycloak.adapters.spi.InMemorySessionIdMapper
import org.keycloak.adapters.spi.SessionIdMapper
import org.keycloak.adapters.spi.UserSessionManagement

import org.keycloak.adapters.servlet.OIDCServletHttpFacade
import org.keycloak.adapters.servlet.OIDCFilterSessionStore
import org.keycloak.adapters.servlet.FilterRequestAuthenticator

def cache = ec.getCache().getCache('moqui-keycloak:deployment')

ec.logger.info('rest:pre-actions')
def keycloakJsonUrl = 'component://moqui-keycloak/config/moqui-keycloak.json'
def keycloakDeployment = cache.get(keycloakJsonUrl)

def idMapper = cache.get('SessionIdMapper')
if (idMapper == null) {
    idMapper = new InMemorySessionIdMapper()
    cache.put('SessionIdMapper', idMapper)
    idMapper = cache.get('SessionIdMapper')
}

if (true || !keycloakDeployment) {
    def configStream = ec.getResource().getLocationStream(keycloakJsonUrl)
    keycloakDeployment = KeycloakDeploymentBuilder.build(configStream)
    cache.put(keycloakJsonUrl, keycloakDeployment)
}
def facade = new OIDCServletHttpFacade(ec.web.request, ec.web.response)
def tokenStore = new OIDCFilterSessionStore(ec.web.request, facade, 100000, keycloakDeployment, idMapper)

def authenticator = new FilterRequestAuthenticator(keycloakDeployment, tokenStore, facade, ec.web.request, 8443)
ec.logger.info("authenticator: ${authenticator}")
def outcome = authenticator.authenticate()
ec.logger.info("rest:outcome: ${outcome}")
ec.logger.info("request: ${ec.web.requestDetails}")
if (outcome == AuthOutcome.AUTHENTICATED) {
    if (facade.isEnded()) {
        ec.logger.info('facade has ended')
    } else {
        def actions = new AuthenticatedActionsHandler(keycloakDeployment, facade)
        ec.logger.info("actions: ${actions}")
        if (actions.handledRequest()) {
            ec.logger.info("actions.handledRequest")
            sri.stopRender()
            return
        }
    }
} else {
    AuthChallenge challenge = authenticator.getChallenge()
    ec.logger.info("challenge: ${challenge}")
    if (challenge != null) {
        if (challenge.challenge(facade)) {
            //sri.stopRender()
            //return
        }
    }
}

def ksc = ec.web.request.getAttribute(KeycloakSecurityContext.class.getName())
if (ksc) {
    def idToken = ksc.getIdToken()
    ec.logger.info("idToken: ${idToken}")
    if (idToken) {
        def subject = idToken.getSubject()
        ec.logger.info("subject: ${subject}")
    }
    def accessToken = ksc.getToken()
    ec.logger.info("accessToken: ${accessToken}")

    if (accessToken) {
        def subject = accessToken.getSubject()
    EntityValue userAccount = ec.entity.find('UserAccount').condition('externalUserId', subject).disableAuthz().one()
    ec.logger.info("userAccount: ${userAccount}")
    if (userAccount) {
        //ec.user.pushUser(userAccount.username)
        ec.user.internalLoginUser(userAccount.username)
    }
    }
}