Fix: iimplementing support to 23.0.x

Signed-off-by: Kleber Rocha <[email protected]>

Author: klinux

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: weekly
+    day: friday
+- package-ecosystem: gradle
+  directory: "/"
+  schedule:
+    interval: weekly
+    day: friday
+  open-pull-requests-limit: 99

.github/workflows/pr_workflow.yml

@@ -0,0 +1,19 @@
+# This workflow will build a Java project with Gradle
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
+
+name: Testing For PRs
+
+on: [ pull_request ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: temurin
+      - name: Build with Gradle
+        run: ./gradlew assemble check

.github/workflows/release.yml

@@ -0,0 +1,28 @@
+
+name: Create Stable Release
+
+# Controls when the action will run. Workflow runs when manually triggered using the UI
+# or API.
+on:
+  workflow_dispatch:
+    # Inputs the workflow accepts.
+    inputs:
+      prerelease:
+        description: 'The release should be an experimental release'
+        default: 'NO'
+        required: true
+
+jobs:
+  build_and_release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: temurin
+      - name: Release
+        run: ./gradlew githubRelease

.github/workflows/test_and_build.yml

@@ -0,0 +1,35 @@
+# This workflow will build a Java project with Gradle
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
+
+name: Test and Build
+
+on:
+  push:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: temurin
+      - name: Test with Gradle
+        run: ./gradlew assemble check
+  previewGithubRelease:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: temurin
+      - name: Test with Gradle
+        run: ./gradlew githubRelease

build.gradle

@@ -18,7 +18,7 @@ apply plugin: 'java'
 
 apply from: 'plugin-common.gradle'
 
-project.ext.pluginVersion = '1.0.3'
+project.ext.pluginVersion = '2.0.0'
 project.ext.fullVersion = project.distVersion ? "${project.pluginVersion}-${project.distVersion}" : project.pluginVersion
 
 version = project.fullVersion
@@ -27,7 +27,7 @@ group = 'cd.go'
 project.ext.pluginDesc = [
         id         : 'cd.go.authorization.keycloak',
         version    : project.fullVersion,
-        goCdVersion: '17.5.0',
+        goCdVersion: '19.2.0',
         name       : 'Keycloak oauth authorization plugin',
         description: 'Keycloak oauth authorization plugin for GoCD',
         vendorName : 'klinux',
@@ -39,18 +39,24 @@ repositories {
     mavenLocal()
 }
 
+java {
+    sourceCompatibility = JavaVersion.VERSION_11
+    targetCompatibility = JavaVersion.VERSION_11
+}
+
 dependencies {
-    compileOnly group: 'cd.go.plugin', name: 'go-plugin-api', version: '17.5.0'
-    compile group: 'com.google.code.gson', name: 'gson', version: '2.8.1'
-    compile group: 'com.squareup.okhttp3', name: 'okhttp', version: '3.8.1'
-
-    testCompile group: 'cd.go.plugin', name: 'go-plugin-api', version: '17.5.0'
-    testCompile group: 'junit', name: 'junit', version: '4.12'
-    testCompile group: 'org.mockito', name: 'mockito-core', version: '2.2.28'
-    testCompile group: 'org.hamcrest', name: 'hamcrest-library', version: '1.3'
-    testCompile group: 'org.skyscreamer', name: 'jsonassert', version: '1.4.0'
-    testCompile group: 'org.jsoup', name: 'jsoup', version: '1.10.2'
-    testCompile 'com.squareup.okhttp3:mockwebserver:3.8.1'
+    compileOnly group: 'cd.go.plugin', name: 'go-plugin-api', version: '19.2.0'
+    implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.1'
+    implementation group: 'com.squareup.okhttp3', name: 'okhttp', version: '3.8.1'
+
+    testImplementation group: 'cd.go.plugin', name: 'go-plugin-api', version: '19.2.0'
+    testImplementation group: 'org.mockito', name: 'mockito-core', version: '2.2.28'
+    testImplementation group: 'org.hamcrest', name: 'hamcrest-library', version: '1.3'
+    testImplementation group: 'org.skyscreamer', name: 'jsonassert', version: '1.4.0'
+    testImplementation group: 'org.jsoup', name: 'jsoup', version: '1.10.2'
+    testImplementation 'com.squareup.okhttp3:mockwebserver:3.8.1'
+
+    testImplementation group: 'junit', name: 'junit', version: '4.12'
 }
 
 processResources {

docs/INSTALL.md

@@ -21,7 +21,7 @@ Provide details of the Keycloak server to connect to via an [Authorization Confi
 3. Click in **Clients** menu 
 4. Click **Add** button
 5. On the form insert the client name
-6. On the next page, set this configs:
+6. On the next page, set these configs:
     1. In **Access Type** select **Confidential**
     2. In **Valid Redirect URIs** insert the URL of GoCD, ex.: **http://localhost:8153**
     3. In **Credentials** tab copy value of **Secret**
@@ -32,10 +32,10 @@ Provide details of the Keycloak server to connect to via an [Authorization Confi
 2. Select the realm that you want to configure. Ex. **Master**
 3. Click in **Groups** menu
     1. Click **Add Group** button
-    2. Insert the name of **Group** and it description
+    2. Insert the name of **Group** and the description
     3. Save the **Group**
     4. Select the **user** that you want to configure this role
     5. Select **Groups** tab and select the group in **Available Groups**
 
 > Obs.: By default Keycloak do not provide group definition on user session, to get this, edit 
->**profile** scope and add groups in **Mappers** tab, thie scope needs to be added as builtin.
+>**profile** scope and add groups in **Mappers** tab, the scope needs to be added as builtin.

gocd/docker-compose.yaml

@@ -2,18 +2,24 @@ version: '3'
 
 services:
   keycloak:
-      image: jboss/keycloak:11.0.3
+      image: quay.io/keycloak/keycloak:17.0.1-legacy
       environment:
         ROOT_LOGLEVEL: INFO
         KEYCLOAK_USER: admin
         KEYCLOAK_PASSWORD: admin
         DB_VENDOR: h2
       ports:
         - 8080:8080
+      volumes:
+        - data:/opt/jboss/keycloak/standalone/data
   gocd:
-    image: gocd/gocd-server:v20.9.0
+    image: gocd/gocd-server:v22.3.0
     volumes:
+      - data:/godata
       - ./plugins:/godata/plugins
     ports:
       - 8153:8153
       - 8154:8154
+
+volumes:
+  data:

src/main/java/cd/go/authorization/keycloak/KeycloakApiClient.java

@@ -18,9 +18,13 @@
 
 import cd.go.authorization.keycloak.models.KeycloakConfiguration;
 import cd.go.authorization.keycloak.models.TokenInfo;
+import cd.go.authorization.keycloak.requests.UserAuthenticationRequest;
+import com.thoughtworks.go.plugin.api.response.DefaultGoPluginApiResponse;
+import com.thoughtworks.go.plugin.api.response.GoPluginApiResponse;
 import okhttp3.*;
 
 import java.io.IOException;
+import java.util.Base64;
 import java.util.Map;
 import java.util.UUID;
 import java.util.concurrent.TimeUnit;
@@ -112,6 +116,17 @@ public TokenInfo fetchAccessToken(Map<String, String> params) throws Exception {
 
     public KeycloakUser userProfile(TokenInfo tokenInfo) throws Exception {
         validateTokenInfo(tokenInfo);
+        String accessToken = tokenInfo.accessToken();
+
+        // Check status of token
+        LOG.info("[KeycloakApiClient] Token Before: " + tokenInfo.accessToken());
+        if (!introspectToken(tokenInfo.accessToken())) {
+            LOG.info("[KeycloakApiClient] Token status: Not Active");
+            if (fetchRefreshToken(tokenInfo.refreshToken()).responseCode() == 200) {
+                LOG.info("[KeycloakApiClient] Token After: " + tokenInfo.accessToken());
+                accessToken = tokenInfo.accessToken();
+            }
+        }
 
         LOG.debug("[KeycloakApiClient] Fetching user profile using access token.");
         String realm = keycloakConfiguration.keycloakRealm();
@@ -128,7 +143,7 @@ public KeycloakUser userProfile(TokenInfo tokenInfo) throws Exception {
 
         final Request request = new Request.Builder()
                 .url(userProfileUrl)
-                .addHeader("Authorization", "Bearer " + tokenInfo.accessToken())
+                .addHeader("Authorization", "Bearer " + accessToken)
                 .get()
                 .build();
 
@@ -156,4 +171,78 @@ private void validateTokenInfo(TokenInfo tokenInfo) {
             throw new RuntimeException("[KeycloakApiClient] TokenInfo must not be null.");
         }
     }
+
+    public Boolean introspectToken(String token) throws Exception {
+
+        LOG.debug("[KeycloakApiClient] Fetching status of the access token.");
+        String realm = keycloakConfiguration.keycloakRealm();
+        String client = keycloakConfiguration.clientId();
+        String secret = keycloakConfiguration.clientSecret();
+        String basicEncode = Base64.getEncoder().encodeToString((client + ":" + secret).getBytes());
+
+        final String introspectUrl = HttpUrl.parse(keycloakConfiguration.keycloakEndpoint())
+                .newBuilder()
+                .addPathSegments("auth")
+                .addPathSegments("realms")
+                .addPathSegments(realm)
+                .addPathSegments("protocol")
+                .addPathSegments("openid-connect")
+                .addPathSegments("token")
+                .addPathSegments("introspect")
+                .toString();
+
+        final FormBody formBody = new FormBody.Builder()
+                .add("token", token)
+                .build();
+
+        final Request request = new Request.Builder()
+                .url(introspectUrl)
+                .addHeader("Authorization", "Basic " + basicEncode)
+                .post(formBody)
+                .build();
+
+        KeycloakIntrospectToken getStatus = executeRequest(request, response -> KeycloakIntrospectToken.fromJSON(response.body().string()));
+
+        // Check token status and return true if state ok.
+        if (getStatus.getActive()) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public GoPluginApiResponse fetchRefreshToken(String refresh_token) throws Exception {
+
+        LOG.debug("[KeycloakApiClient] Fetching token from refresh token.");
+        String realm = keycloakConfiguration.keycloakRealm();
+        String client = keycloakConfiguration.clientId();
+        String secret = keycloakConfiguration.clientSecret();
+        String basicEncode = Base64.getEncoder().encodeToString((client + ":" + secret).getBytes());
+
+        final String refreshTokenUrl = HttpUrl.parse(keycloakConfiguration.keycloakEndpoint())
+                .newBuilder()
+                .addPathSegments("auth")
+                .addPathSegments("realms")
+                .addPathSegments(realm)
+                .addPathSegments("protocol")
+                .addPathSegments("openid-connect")
+                .addPathSegments("token")
+                .build().toString();
+
+        final FormBody formBody = new FormBody.Builder()
+                .add("grant_type", "refresh_token")
+                .add("refresh_token", refresh_token)
+                .build();
+
+        final Request request = new Request.Builder()
+                .url(refreshTokenUrl)
+                .addHeader("Authorization", "Basic " + basicEncode)
+                .addHeader("Accept", "application/json")
+                .post(formBody)
+                .build();
+
+        TokenInfo tokenInfo = executeRequest(request, response -> TokenInfo.fromJSON(response.body().string()));
+        LOG.info("[KeycloakApiClient] Token Info: " + tokenInfo.toJSON().toString());
+        return DefaultGoPluginApiResponse.success(tokenInfo.toJSON());
+    }
 }

src/main/java/cd/go/authorization/keycloak/KeycloakIntrospectToken.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2017 ThoughtWorks, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cd.go.authorization.keycloak;
+
+import com.google.gson.annotations.Expose;
+import com.google.gson.annotations.SerializedName;
+
+import java.math.BigInteger;
+import java.util.List;
+
+import static cd.go.authorization.keycloak.utils.Util.GSON;
+
+public class KeycloakIntrospectToken {
+    @Expose
+    @SerializedName("exp")
+    private BigInteger exp;
+
+    @Expose
+    @SerializedName("aud")
+    private String aud;
+
+    @Expose
+    @SerializedName("active")
+    private boolean active;
+
+    KeycloakIntrospectToken() {
+    }
+
+    public BigInteger getExp() {
+        return exp;
+    }
+
+    public boolean getActive() {
+        return active;
+    }
+
+    public String getAudience() {
+        return aud;
+    }
+
+    public String toJSON() {
+        return GSON.toJson(this);
+    }
+
+    public static KeycloakIntrospectToken fromJSON(String json) {
+        return GSON.fromJson(json, KeycloakIntrospectToken.class);
+    }
+}