add realm parameter for service account, add user agent requirement

#11 #12

Author: nilsbehlen

src/main/java/org/privacyidea/Configuration.java

@@ -10,10 +10,13 @@ class Configuration {
     boolean doSSLVerify = true;
     String serviceAccountName = "";
     String serviceAccountPass = "";
+    String serviceAccountRealm = "";
     List<Integer> pollingIntervals = new ArrayList<>();
     boolean disableLog = false;
+    String userAgent = "";
 
-    public Configuration(String serverURL) {
+    public Configuration(String serverURL, String userAgent) {
         this.serverURL = serverURL;
+        this.userAgent = userAgent;
     }
 }

src/main/java/org/privacyidea/Endpoint.java

@@ -18,27 +18,20 @@
 class Endpoint {
 
     private final PrivacyIDEA privacyIDEA;
-    private String authToken; // lazy init
     private List<String> logExcludedEndpointPrints = Collections.emptyList(); //Arrays.asList(org.privacyidea.Constants.ENDPOINT_AUTH, org.privacyidea.Constants.ENDPOINT_POLL_TRANSACTION);
-    private boolean doSSLVerify = true;
-    private final String hostname;
-    private final String serviceAccountName;
-    private final String serviceAccountPass;
-
-    Endpoint(PrivacyIDEA privacyIDEA, String hostname, boolean doSSLVerify, String serviceAccountName, String serviceAccountPass) {
-        this.hostname = hostname;
-        this.doSSLVerify = doSSLVerify;
-        this.serviceAccountName = serviceAccountName;
-        this.serviceAccountPass = serviceAccountPass;
+    private final Configuration configuration;
+
+    Endpoint(PrivacyIDEA privacyIDEA, Configuration configuration) {
         this.privacyIDEA = privacyIDEA;
+        this.configuration = configuration;
     }
 
     /**
      * Make a https call to the specified path, the URL is taken from the config.
-     * If SSL Verification is turned off in the config, the endpoints certificate will not be verified.
+     * If SSL verification is set to false in the config, the endpoints certificate will not be verified.
      *
-     * @param path              Path to the API endpoint
-     * @param params            All necessary parameters for request
+     * @param path              path to the API endpoint
+     * @param params            all necessary parameters for the request
      * @param authTokenRequired whether the authorization header should be set
      * @param method            "POST" or "GET"
      * @return String containing the whole response
@@ -67,7 +60,7 @@ String sendRequest(String path, Map<String, String> params, boolean authTokenReq
         HttpURLConnection con = null;
         String response = null;
         try {
-            String strURL = hostname + path;
+            String strURL = configuration.serverURL + path;
 
             if (method.equals("GET")) {
                 strURL += "?" + paramsSB.toString();
@@ -80,23 +73,25 @@ String sendRequest(String path, Map<String, String> params, boolean authTokenReq
                 con = (HttpURLConnection) (url.openConnection());
             }
 
-            if (!doSSLVerify && (con instanceof HttpsURLConnection)) {
+            if (!configuration.doSSLVerify && (con instanceof HttpsURLConnection)) {
                 con = disableSSLVerification((HttpsURLConnection) con);
             }
 
             if (method.equals("POST")) {
                 con.setDoOutput(true);
             }
+
             con.setRequestMethod(method);
+            con.addRequestProperty("User-Agent", configuration.userAgent);
 
-            if (authToken == null && authTokenRequired) {
-                getAuthTokenFromServer();
-            }
+            if (authTokenRequired) {
+                String authToken = getAuthTokenFromServer();
+                if (authToken.isEmpty()) {
+                    privacyIDEA.log("Failed to fetch authorization token from server!");
+                    return "";
+                }
 
-            if (authToken != null && authTokenRequired) {
                 con.setRequestProperty("Authorization", authToken);
-            } else if (authTokenRequired) {
-                throw new IllegalStateException("Authorization token could not be acquired, but it is needed!");
             }
 
             con.connect();
@@ -132,10 +127,10 @@ String sendRequest(String path, Map<String, String> params, boolean authTokenReq
                             response = br.lines().reduce("", (a, s) -> a += s);
                         }
                     }
-                    privacyIDEA.log("Reponse from error: " + response);
+                    privacyIDEA.log("Response from ErrorStream: " + response);
                 }
             } catch (IOException ioe) {
-                privacyIDEA.log("Exception while getting ErrorStream: " + e.getMessage());
+                privacyIDEA.log("Exception getting ErrorStream: " + ioe.getMessage());
             }
 
         }
@@ -178,35 +173,31 @@ public java.security.cert.X509Certificate[] getAcceptedIssuers() {
         return con;
     }
 
-    private void getAuthTokenFromServer() {
-        if (authToken != null) {
-            // The TTL of the AuthToken should be long enough for the usage (default is 60min)
-            //log.info("Auth token already set.");
-            return;
-        }
-
+    String getAuthTokenFromServer() {
         if (!privacyIDEA.checkServiceAccountAvailable()) {
             privacyIDEA.log("Service account information not set, cannot retrieve auth token");
-            return;
+            return "";
         }
 
-        //log.info("Getting auth token from PI");
         Map<String, String> params = new LinkedHashMap<>();
-        params.put(Constants.PARAM_KEY_USERNAME, serviceAccountName);
-        params.put(Constants.PARAM_KEY_PASSWORD, serviceAccountPass);
+        params.put(Constants.PARAM_KEY_USERNAME, configuration.serviceAccountName);
+        params.put(Constants.PARAM_KEY_PASSWORD, configuration.serviceAccountPass);
+
+        if (configuration.serviceAccountRealm != null && !configuration.serviceAccountRealm.isEmpty()) {
+            params.put(Constants.PARAM_KEY_REALM, configuration.serviceAccountRealm);
+        } else if (configuration.realm != null && !configuration.realm.isEmpty()) {
+            params.put(Constants.PARAM_KEY_REALM, configuration.realm);
+        }
+
         String response = sendRequest(Constants.ENDPOINT_AUTH, params, false, Constants.POST);
 
         JsonObject obj = JsonParser.parseString(response).getAsJsonObject();
         if (obj != null) {
-            authToken = obj.getAsJsonObject("result").getAsJsonObject("value").getAsJsonPrimitive("token").getAsString();
-        }
-    }
-
-    String getAuthToken() {
-        if (authToken == null) {
-            getAuthTokenFromServer();
+            return obj.getAsJsonObject("result").getAsJsonObject("value").getAsJsonPrimitive("token").getAsString();
+        } else {
+            privacyIDEA.log("Response did not contain an authorization token: " + response);
+            return "";
         }
-        return authToken;
     }
 
     public static String prettyPrintJson(String json) {
@@ -221,7 +212,6 @@ public static String prettyPrintJson(String json) {
             return json;
         }
 
-        //return sw.toString();
         return gson.toJson(obj);
     }
 

src/main/java/org/privacyidea/PrivacyIDEA.java

@@ -20,8 +20,7 @@ private PrivacyIDEA(Configuration configuration, PILoggerBridge logger, PISimple
         this.log = logger;
         this.simpleLog = simpleLog;
         this.configuration = configuration;
-        this.endpoint = new Endpoint(this, configuration.serverURL, configuration.doSSLVerify,
-                configuration.serviceAccountName, configuration.serviceAccountPass);
+        this.endpoint = new Endpoint(this, configuration);
     }
 
     /**
@@ -167,14 +166,14 @@ public void asyncPollTransaction(String transactionID, String username, PIPollTr
     /**
      * Get the Authorization token for the service account.
      *
-     * @return the AuthToken or null if error
+     * @return the AuthToken or empty string if error
      */
     public String getAuthToken() {
         if (!checkServiceAccountAvailable()) {
             logError("Cannot retrieve auth token without service account!");
             return null;
         }
-        return endpoint.getAuthToken();
+        return endpoint.getAuthTokenFromServer();
     }
 
     /*
@@ -317,15 +316,19 @@ public static class Builder {
         private boolean doSSLVerify = true;
         private String serviceAccountName = "";
         private String serviceAccountPass = "";
+        private String serviceAccountRealm = "";
+        private String userAgent = "";
         private List<Integer> pollingIntervals = Collections.singletonList(1);
         private PILoggerBridge logger = null;
         private boolean disableLog = false;
         private PISimpleLogBridge simpleLogBridge = null;
 
         /**
          * @param serverURL the server URL is mandatory to communicate with privacyIDEA.
+         * @param userAgent the user agent that should be used in the http requests. Should refer to the plugin, something like "privacyIDEA-Keycloak"
          */
-        public Builder(String serverURL) {
+        public Builder(String serverURL, String userAgent) {
+            this.userAgent = userAgent;
             this.serverURL = serverURL;
         }
 
@@ -382,11 +385,22 @@ public Builder setServiceAccount(String serviceAccountName, String serviceAccoun
             return this;
         }
 
+        /**
+         * Set the realm for the service account if the account is found in a separate realm from the realm set in {@link Builder#setRealm(String)}.
+         *
+         * @param serviceAccountRealm realm of the service account
+         * @return Builder
+         */
+        public Builder setServiceAccountRealm(String serviceAccountRealm) {
+            this.serviceAccountRealm = serviceAccountRealm;
+            return this;
+        }
+
         /**
          * Set the intervals at which the polling is done when using asyncPollTransaction.
          * The last number will be repeated if the end of the list is reached.
          *
-         * @param intervals list of ints that represent seconds
+         * @param intervals list of integers that represent seconds
          * @return Builder
          */
         public Builder setPollingIntervals(List<Integer> intervals) {
@@ -400,11 +414,12 @@ public Builder disableLog() {
         }
 
         public PrivacyIDEA build() {
-            Configuration configuration = new Configuration(serverURL);
+            Configuration configuration = new Configuration(serverURL, userAgent);
             configuration.realm = realm;
             configuration.doSSLVerify = doSSLVerify;
             configuration.serviceAccountName = serviceAccountName;
             configuration.serviceAccountPass = serviceAccountPass;
+            configuration.serviceAccountRealm = serviceAccountRealm;
             configuration.pollingIntervals = pollingIntervals;
             configuration.disableLog = disableLog;
             return new PrivacyIDEA(configuration, logger, simpleLogBridge);

src/test/java/org/privacyidea/TestCRnoServiceAcc.java

@@ -29,7 +29,7 @@ public class TestCRnoServiceAcc implements PILoggerBridge {
     public void setup() {
         mockServer = ClientAndServer.startClientAndServer(1080);
 
-        privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1:1080")
+        privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1:1080", "test")
                 .setSSLVerify(false)
                 .setLogger(this)
                 .setSimpleLog(System.out::println)

src/test/java/org/privacyidea/TestOTP.java

@@ -28,7 +28,7 @@ public class TestOTP implements PILoggerBridge {
     public void setup() {
         mockServer = ClientAndServer.startClientAndServer(1080);
 
-        privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1:1080")
+        privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1:1080", "test")
                 .setSSLVerify(false)
                 .setLogger(this)
                 .build();

src/test/java/org/privacyidea/TestRollout.java

@@ -19,7 +19,7 @@ public class TestRollout {
     public void setup() {
         mockServer = ClientAndServer.startClientAndServer(1080);
 
-        privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1:1080")
+        privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1:1080", "test")
                 .setSSLVerify(false)
                 .setServiceAccount("admin", "admin")
                 .setLogger(new PILoggerBridge() {

src/test/java/org/privacyidea/TestSerialAuthentication.java

@@ -9,7 +9,7 @@ public class TestSerialAuthentication implements PILoggerBridge {
 
     @Test
     public void test() {
-        PrivacyIDEA privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1")
+        PrivacyIDEA privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1", "test")
                 .setSSLVerify(false)
                 .setServiceAccount("admin", "admin")
                 .setLogger(this)

src/test/java/org/privacyidea/TestServiceAccount.java

@@ -25,7 +25,7 @@ public class TestServiceAccount implements PILoggerBridge {
     public void setup() {
         mockServer = ClientAndServer.startClientAndServer(1080);
 
-        privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1:1080")
+        privacyIDEA = new PrivacyIDEA.Builder("https://127.0.0.1:1080", "test")
                 .setServiceAccount(serviceUser, servicePass)
                 .setSSLVerify(false)
                 .setLogger(this)