From c05413fbe8d43dfa57401cb164ceeb493703a760 Mon Sep 17 00:00:00 2001
From: Johaney-s <johana.supikova@seznam.cz>
Date: Mon, 2 Dec 2024 08:40:06 +0100
Subject: [PATCH] IdP check in custom authenticator
We can set override option for first broker login per IdP in Keycloak but as VO membership can expire anytime, we need to check for entitlements also in other flows (browser, etc.) which cannot be overriden in IdP's configuration directly. Therefor this check need to be in the code.
---
 .../java/cz/cesnet/keycloak/CustomAuthenticator.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/authenticator/src/main/java/cz/cesnet/keycloak/CustomAuthenticator.java b/authenticator/src/main/java/cz/cesnet/keycloak/CustomAuthenticator.java
index 0b79a37..489a84b 100644
--- a/authenticator/src/main/java/cz/cesnet/keycloak/CustomAuthenticator.java
+++ b/authenticator/src/main/java/cz/cesnet/keycloak/CustomAuthenticator.java
@@ -17,7 +17,6 @@ import org.slf4j.LoggerFactory;
 import jakarta.ws.rs.core.Response;
-import java.util.List;
 import java.util.Map;
 import static org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE;
@@ -30,6 +29,7 @@ public class CustomAuthenticator implements Authenticator {
 private final static String EDU_PERSON_ENTITLEMENT = "eduperson_entitlement";
 private final static String REQUIRED_ENTITLEMENT = "urn:mace:egi.eu:group:eval.c-scale.eu:role=member#aai.egi.eu";
 private final static String REDIRECT_URL = "https://perun.egi.eu/egi/registrar/?vo=eval.c-scale.eu";
+ private final static String IDP_ALIAS = "egicheckin";
 private final KeycloakSession session;
@@ -54,6 +54,13 @@ public class CustomAuthenticator implements Authenticator {
 }
 BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), authSession);
+
+ String idpAlias = brokerContext.getIdp().getConfig().getAlias();
+ if (!IDP_ALIAS.equals(idpAlias)) {
+ context.success();
+ return;
+ }
+
 Map<String, Object> contextData = brokerContext.getContextData();
 if (contextData != null && contextData.containsKey(USER_INFO) && contextData.get(USER_INFO) != null) {
 Object userInfo = contextData.get(USER_INFO);
@@ -62,6 +69,7 @@ public class CustomAuthenticator implements Authenticator {
 JsonNode entitlementsNode = userInfoNode.get(EDU_PERSON_ENTITLEMENT);
 if (entitlementsNode != null && entitlementsNode.isArray()) {
 for (JsonNode entitlement : entitlementsNode) {
+ log.warn("EGI custom - entitlement: " + entitlement.asText());
 if (entitlement.asText().equals(REQUIRED_ENTITLEMENT)) {
 log.debug("EGI custom authenticator - entitlement found, user authenticated.");
 context.success();
--
GitLab
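Review bot: The new guard dereferences `brokerContext.getIdp().getConfig().getAlias()` without checking the intermediate results, so a deserialized context whose IdP or config is absent (I cannot tell from here whether Keycloak guarantees both) would throw a NullPointerException and abort the flow with an internal error instead of a decision. Guarding the chain keeps the comparison null-safe, since the constant already sits on the left of `equals`: `var idp = brokerContext.getIdp();` / `String idpAlias = idp == null || idp.getConfig() == null ? null : idp.getConfig().getAlias();`. Note also that the branch calls `context.success()` for every IdP other than the one named in `IDP_ALIAS`, i.e. the entitlement check is skipped entirely for those users, so a one-line comment such as `// The entitlement requirement applies only to users brokered via IDP_ALIAS; other IdPs pass through unchecked.` would keep the next reader from mistaking the early return for a bypass bug. The alias itself is a hard-coded constant added in the hunk at the class header (`IDP_ALIAS = "egicheckin"`); reading it from the authenticator's configuration would let the same code serve other realms without a rebuild. The enclosing method starts before and ends after this hunk.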
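Review bot: The added `log.warn(...)` inside the entitlement loop emits every entitlement value of every brokered user at WARN level, while the sibling message two lines below that reports the actual decision uses `debug`; the warning level will flood operator logs during normal logins, and the entitlement strings are group-membership data about the user that should not land in a severity bucket people alert on. Lowering the level and using the SLF4J placeholder form keeps the diagnostic without the cost: `log.debug("EGI custom - entitlement: {}", entitlement.asText());`. The surrounding loop and method continue outside the hunk.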