From f674631149c9265e1c89d56b118ccd5485d4384e Mon Sep 17 00:00:00 2001
From: Harvey Kandola <harvey@documize.com>
Date: Fri, 17 Mar 2017 11:02:04 +0000
Subject: [PATCH] implemented keycloak RSA PK token checking

---
 app/app/components/auth-settings.js          | 18 +++---
 app/app/pods/auth/keycloak/route.js          |  6 --
 app/app/pods/auth/login/route.js             | 12 ++++
 app/app/pods/auth/login/template.hbs         | 46 ++++++++-------
 app/app/routes/application.js                |  4 +-
 core/api/endpoint/authentication_endpoint.go | 60 --------------------
 6 files changed, 48 insertions(+), 98 deletions(-)

diff --git a/app/app/components/auth-settings.js b/app/app/components/auth-settings.js
index 6c2ae662..2f815dd4 100644
--- a/app/app/components/auth-settings.js
+++ b/app/app/components/auth-settings.js
@@ -90,18 +90,18 @@ export default Ember.Component.extend({
 						return;
 					}
 
-					let pk = this.get('keycloakConfig.publicKey');
-					if (is.not.startWith(pk, '-----BEGIN PUBLIC KEY-----')) {
-						pk = '-----BEGIN PUBLIC KEY-----' + pk;
-					}
-					if (is.not.endWith(pk, '-----END PUBLIC KEY-----')) {
-						pk = pk + '-----END PUBLIC KEY-----' ;
-					}
+					// let pk = this.get('keycloakConfig.publicKey');
+					// if (is.not.startWith(pk, '-----BEGIN PUBLIC KEY-----')) {
+					// 	pk = '-----BEGIN PUBLIC KEY-----' + pk;
+					// }
+					// if (is.not.endWith(pk, '-----END PUBLIC KEY-----')) {
+					// 	pk = pk + '-----END PUBLIC KEY-----' ;
+					// }
 
-					this.set('keycloakConfig.publicKey', pk);
+					// this.set('keycloakConfig.publicKey', pk);
 
 					config = Ember.copy(this.get('keycloakConfig'));
-					Ember.set(config, 'publicKey', encoding.Base64.encode(pk));
+					Ember.set(config, 'publicKey', encoding.Base64.encode(this.get('keycloakConfig.publicKey')));
 					break;
 			}
 
diff --git a/app/app/pods/auth/keycloak/route.js b/app/app/pods/auth/keycloak/route.js
index b577eb97..f1445dd1 100644
--- a/app/app/pods/auth/keycloak/route.js
+++ b/app/app/pods/auth/keycloak/route.js
@@ -43,13 +43,7 @@ export default Ember.Route.extend({
 
 			this.get('kcAuth').fetchProfile(kc).then((profile) => {
 				let data = this.get('kcAuth').mapProfile(kc, profile);
-
-				// console.log(kc);
-				// console.log(profile);
-				// console.log(data);
-
 				this.get("session").authenticate('authenticator:keycloak', data).then(() => {
-					debugger;
 					this.get('audit').record("logged-in-keycloak");
 					this.transitionTo('folders');
 				}, (reject) => {
diff --git a/app/app/pods/auth/login/route.js b/app/app/pods/auth/login/route.js
index fe15df2e..53a14bcc 100644
--- a/app/app/pods/auth/login/route.js
+++ b/app/app/pods/auth/login/route.js
@@ -15,6 +15,7 @@ import constants from '../../../utils/constants';
 export default Ember.Route.extend({
     appMeta: Ember.inject.service(),
 	kcAuth: Ember.inject.service(),
+	showLogin: false,
 
 	beforeModel(/*transition*/) {
 		let authProvider = this.get('appMeta.authProvider');
@@ -22,6 +23,8 @@ export default Ember.Route.extend({
 
 		switch (authProvider) {
 			case constants.AuthProvider.Keycloak:
+				this.set('showLogin', false);
+
 				this.get('kcAuth').boot(JSON.parse(authConfig)).then(() => {
 					this.get('kcAuth').login().then(() => {
 					}, (reject) => {
@@ -31,10 +34,19 @@ export default Ember.Route.extend({
 					console.log(reject);
 				});
 
+				break;
+			default:
+				this.set('showLogin', true);
 				break;
 		}
 	},
 
+	model() {
+		return  {
+			showLogin: this.get('showLogin')
+		};
+	},
+
 	setupController: function (controller, model) {
 		controller.set('model', model);
 		controller.reset();
diff --git a/app/app/pods/auth/login/template.hbs b/app/app/pods/auth/login/template.hbs
index 30fe58a9..7f342bd1 100644
--- a/app/app/pods/auth/login/template.hbs
+++ b/app/app/pods/auth/login/template.hbs
@@ -1,23 +1,25 @@
-<div class="auth-box">
-    <div class="logo">
-        <img src="/assets/img/logo-color.png" title="Documize" alt="Documize" class="responsive-img" />
+{{#if model.showLogin}}
+    <div class="auth-box">
+        <div class="logo">
+            <img src="/assets/img/logo-color.png" title="Documize" alt="Documize" class="responsive-img" />
+        </div>
+        <div class="login-form">
+            <form id="login-form" {{action 'login' on="submit"}}>
+                <div class="input-control">
+                    <label>Email</label>
+                    {{focus-input type="email" value=email id="authEmail"}}
+                </div>
+                <div class="input-control">
+                    <label>Password</label>
+                    {{input type="password" value=password id="authPassword"}}
+                </div>
+                <div class="clearfix" />
+                <div class="margin-top-10 margin-bottom-20">
+                    <button type="submit" class="regular-button button-blue">Sign in</button>
+                    <span class="{{unless invalidCredentials "hide"}} color-red margin-left-20">Invalid credentials</span>
+                </div>
+                {{#link-to 'auth.forgot'}}Forgot your password?{{/link-to}}
+            </form>
+        </div>
     </div>
-    <div class="login-form">
-        <form id="login-form" {{action 'login' on="submit"}}>
-            <div class="input-control">
-                <label>Email</label>
-                {{focus-input type="email" value=email id="authEmail"}}
-            </div>
-            <div class="input-control">
-                <label>Password</label>
-                {{input type="password" value=password id="authPassword"}}
-            </div>
-            <div class="clearfix" />
-            <div class="margin-top-10 margin-bottom-20">
-                <button type="submit" class="regular-button button-blue">Sign in</button>
-                <span class="{{unless invalidCredentials "hide"}} color-red margin-left-20">Invalid credentials</span>
-            </div>
-            {{#link-to 'auth.forgot'}}Forgot your password?{{/link-to}}
-        </form>
-    </div>
-</div>
+{{/if}}
\ No newline at end of file
diff --git a/app/app/routes/application.js b/app/app/routes/application.js
index d1860722..f5522139 100644
--- a/app/app/routes/application.js
+++ b/app/app/routes/application.js
@@ -25,7 +25,9 @@ export default Ember.Route.extend(ApplicationRouteMixin, TooltipMixin, {
 
 	beforeModel(transition) {
 		return this.get('appMeta').boot(transition.targetName).then(data => {
-			if (this.get('session.session.authenticator') !== "authenticator:documize" && data.allowAnonymousAccess) {
+			if (this.get('session.session.authenticator') !== "authenticator:documize" &&
+				this.get('session.session.authenticator') !== "authenticator:keycloak" && 
+				data.allowAnonymousAccess) {
 				return this.get('session').authenticate('authenticator:anonymous', data);
 			}
 
diff --git a/core/api/endpoint/authentication_endpoint.go b/core/api/endpoint/authentication_endpoint.go
index 28f8fe74..44bd8bd7 100644
--- a/core/api/endpoint/authentication_endpoint.go
+++ b/core/api/endpoint/authentication_endpoint.go
@@ -24,7 +24,6 @@ import (
 	"github.com/documize/community/core/api/request"
 	"github.com/documize/community/core/api/util"
 	"github.com/documize/community/core/log"
-	// "github.com/documize/community/core/section/provider"
 	"github.com/documize/community/core/utility"
 	"github.com/documize/community/core/web"
 )
@@ -244,62 +243,3 @@ func preAuthorizeStaticAssets(r *http.Request) bool {
 
 	return false
 }
-
-// // ValidateAuthToken checks the auth token and returns the corresponding user.
-// func ValidateAuthToken(w http.ResponseWriter, r *http.Request) {
-
-// 	// TODO should this go after token validation?
-// 	if s := r.URL.Query().Get("section"); s != "" {
-// 		if err := provider.Callback(s, w, r); err != nil {
-// 			log.Error("section validation failure", err)
-// 			w.WriteHeader(http.StatusUnauthorized)
-// 		}
-// 		return
-// 	}
-
-// 	method := "ValidateAuthToken"
-
-// 	context, claims, err := decodeJWT(findJWT(r))
-
-// 	if err != nil {
-// 		log.Error("token validation", err)
-// 		w.WriteHeader(http.StatusUnauthorized)
-// 		return
-// 	}
-
-// 	request.SetContext(r, context)
-// 	p := request.GetPersister(r)
-
-// 	org, err := p.GetOrganization(context.OrgID)
-
-// 	if err != nil {
-// 		log.Error("token validation", err)
-// 		w.WriteHeader(http.StatusUnauthorized)
-// 		return
-// 	}
-
-// 	domain := request.GetSubdomainFromHost(r)
-
-// 	if org.Domain != domain || claims["domain"] != domain {
-// 		log.Error("token validation", err)
-// 		w.WriteHeader(http.StatusUnauthorized)
-// 		return
-// 	}
-
-// 	user, err := getSecuredUser(p, context.OrgID, context.UserID)
-
-// 	if err != nil {
-// 		log.Error("get user error for token validation", err)
-// 		w.WriteHeader(http.StatusUnauthorized)
-// 		return
-// 	}
-
-// 	json, err := json.Marshal(user)
-
-// 	if err != nil {
-// 		writeJSONMarshalError(w, method, "user", err)
-// 		return
-// 	}
-
-// 	writeSuccessBytes(w, json)
-// }