I need to create a Protocol Mapper of type Script Mapper in Keycloak. The script should get a user attribute, check its size, and put it on the token. I found no documentation or examples of how a script should be created. From the bits and pieces I could gather, I guess I the script would need to look something like:
var value = user.getAttribute("myAttribute");
if (value.length > LIMIT) {
value = value.substring(0,LIMIT);
}
token.setOtherClaims("myAttribute",value);
Is this right? I made up user.getAttribute("myAttribute"). Is there a source of documentation where I can find how to get a Keycloak user attribute?
does the script need to return anything?
Any help would be mostly welcome.
The magic of Script Mappers can be understood by looking at the keycloak sources here: Source
The script can return something by using the exports variable like this
exports = "Claim Value"
The different types:
user: Source JavaDoc
realm: Source JavaDoc
token: Source JavaDoc
userSession: Source JavaDoc
keycloakSession: Source JavaDoc
Here is an example script:
// you can set standard fields in token
token.setAcr("test value");
// you can set claims in the token
token.getOtherClaims().put("claimName", "claim value");
// multi-valued claim (thanks to #ErwinRooijakkers)
token.getOtherClaims().put('foo', Java.to(['bars'], "java.lang.String[]"))
// work with variables and return multivalued token value
var ArrayList = Java.type("java.util.ArrayList");
var roles = new ArrayList();
var client = keycloakSession.getContext().getClient();
var forEach = Array.prototype.forEach;
forEach.call(user.getClientRoleMappings(client).toArray(), function(roleModel) {
roles.add(roleModel.getName());
});
exports = roles;
Hope it helps!
I needed this feature but could not find this "script mapper" thing in my freshly installed 10.0.2. Turns out it is not enabled by default, as seen in the docs here : https://www.keycloak.org/docs/latest/server_installation/#profiles
To enable it, you can either :
Create a file standalone/configuration/profile.properties with feature.scripts=enabled
or
start the server with bin/standalone.sh|bat -Dkeycloak.profile.feature.scripts=enabled
And it seems from the source code
public boolean isSupported() {
return Profile.isFeatureEnabled(Profile.Feature.SCRIPTS) && Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS);
}
that the upload_scripts should be enabled likewise
I hope it will help someone
Related
I'm using closure-compiler which is provided by Google. I have JavaScript's in the string variable. need to compress the string using closure-compiler in java
I already tried the code from the following link http://blog.bolinfest.com/2009/11/calling-closure-compiler-from-java.html
This is the code I used "source" variable has the value of the javascript
Compiler compiler = new Compiler();
CompilerOptions options = new CompilerOptions();
// Advanced mode is used here, but additional options could be set, too.
CompilationLevel.SIMPLE_OPTIMIZATIONS.setOptionsForCompilationLevel(options);
compiler.compile(source, options);
return compiler.toSource();
I have error in the following line: compiler.compile(source, options);
Compiler.complier() method does not require 2 parameters but it requires 3 parameters.
Have a look at this link.
You will understand the number and kind of parameters required for the method you are calling.
How to set following config "gpu_options.allow_growth = True" for Tensorflow, using Java API?
I tried in this way:
model.session().runner()
.setOptions("gpu_options.allow_growth = True".getBytes())
.feed("image_tensor", input).fetch("detection_scores")
.fetch("detection_classes").fetch("detection_boxes").fetch("num_detections").run();
I get the following error: Unparseable RunOptions proto.
I think this is the way to configure:
ConfigProto config = ConfigProto.newBuilder()
.setGpuOptions(GPUOptions.newBuilder().setAllowGrowth(true))
.build();
model.session().runner()
.setOptions(config.toByteArray())
.feed("image_tensor", input).fetch("detection_scores")
.fetch("detection_classes").fetch("detection_boxes").fetch("num_detections").run();
The API documentation says:
public Session.Runner setOptions (byte[] options)
(Experimental method): set options (typically for debugging) for this run.
The options are presented as a serialized RunOptions protocol buffer.
Still looking for an exact example, but I assume: just taking a string and turning that into an array of bytes isn't what you should be doing.
These examples indicate that you need something like:
Session.Run r = runner.setOptions(RunStats.runOptions()).runAndFetchMetadata();
fetchTensors = r.outputs;
if (runStats == null) {
runStats = new RunStats();
}
Long story short: you have to dig into RunStats to figure how to get your options in there, to then provide an object of that class to the setOptions() method.
I am working on fixing Veracode issues in my application. Veracode has highlighted the flaw "External Control of File Name or Path (CWE ID 73) " in below code.
Thread.currentThread().getContextClassLoader().getResourceAsStream(lookupName)
How do I validate the parameter? If I need to use below ESAPI validation, then what is the exact parameter I should be passing in getValidFileName() method. Currently I am passing the parameters as below.
ESAPI.validator().getValidFileName(lookupName, lookupName,
ESAPI.securityConfiguration().getAllowedFileExtensions(), false);
Correct me whether I am following the right approach for fixing this issue.
There are several suggestions at: https://community.veracode.com/s/article/how-do-i-fix-cwe-73-external-control-of-file-name-or-path-in-java
You can use hardcoded values, if these files are stored in the server side.
(i.e.: in a HashMap).
Another solution is to use a custom validator (from veracode page) :
// GOOD Code
String extension = request.getParameter("extension");
File f = new File(buildValidAvatarPath(extension))
#FilePathCleanser
public String buildValidAvatarPath(extension) {
String[] allowedExtensions = new String[]{"jpg","gif","png"};
String extension = "png"; // Default extension
for (String allowedExtension: allowedExtensions) {
if (allowedExtension.equals(request.getParameter("extension"))) {
extension = request.getParameter("extension");
}
}
// See "Note on authorization"
User user = getCurrentUser();
if (!userMayAccessFile(user, path)) {
throw new AuthorizationException("User may not access this file", user);
}
File(configPath + "avatar." + extension)
return path;
}
Okay, so the problem is that you are allowing user-control of that file path. Imagine its on a UNIX box and they enter:
../../../../../../../etc/shadow
Whatever user privileges are granted to the user running that java Thread is possible to expose to the user in question. I don't know what processing is going on in your application, but the danger is that you need to prevent user control of that lookup variable.
The call you're making is consistent with the single test in ValidatorTest.java, which is definitely a deficiency in code coverage on our behalf.
Now, there's an excellent chance that even if you use this call that Veracode might still flag it: the default file list in ESAPI.properties will need to be either truncated for your use case, or you'll have to create your own Validator rule for legal file extensions for your specific use case.
Which brings up the next bit: There's a lot of mischief that can happen in regards to file uploads.
In short, to be actually secure about file uploads will require more than what ESAPI currently offers, which is unfortunately, only an extension check. In your particular case, make sure you try some directory traversal attacks. And use that OWASP link to help analyze your application.
Given that the OP wants to clear the issue in Veracode, you would want to chain a couple calls:
ESAPI.validator().getValidDirectoryPath() and ESAPI.Validator.getValidFileName()
But be sure you've properly truncated the extension list in HttpUtilities.ApprovedUploadExtensions in validator.properties as the default list is too permissive, at least until we release 2.1.0.2.
I have to stress however that even with this particular combination there is absolutely nothing ESAPI does to prevent a user from renaming "netcat.exe" to "puppies.xlsx" and bypassing your validation check, that's why the rant on the first part of this answer.
ESAPI's file validation is NOT secure, it's quite simply better than nothing at all.
Doing this correctly requires more work than just using 1-2 calls to ESAPI.
DISCLAIMER: as of this writing I am the project co-lead for ESAPI.
You can change file name by sanitizing it as below code snippet:
private static String sanitizeFileName(String name) {
return name
.chars()
.mapToObj(i -> (char) i)
.map(c -> Character.isWhitespace(c) ? '_' : c)
.filter(c -> Character.isLetterOrDigit(c) || c == '-' || c == '_' || c == ':')
.map(String::valueOf)
.collect(Collectors.joining());
}
I am using the service account model and Google's Admin SDK Java API to retrieve and modify users.
The goal is to add an alias for an existing user.
Alias newAlias = new Alias();
newAlias.setId(userID);
newAlias.setAlias(alias);
Directory.Users.Aliases.Insert request = directory.users().aliases().insert(userID, newAlias);
request.execute();
execute() fails 100% of the time with the error message:
"Value set through a parameter is inconsistent with a value set in the request"
but of course does not identify the problem parameter or value, or provide a suggestion.
I tried all 8 combinations of scoped (or not scoped) userID and alias in newAlias, and userID in the request, with the same result. By all 8 combinations, I mean:
newAlias.setId(userID);
newAlias.setAlias(alias);
insert(userID, newAlias);
newAlias.setId(userID#domain.com);
newAlias.setAlias(alias#domain.com);
insert(userID#domain.com, newAlias);
and so on...
Any ideas greatly appreciated.
I think it is worth adding that, while I believe the above approach is correct (using Directory.Aliases.Insert) and that I am missing some critical information or made a mistake, I also attempted to add the alias by updating the User object instead of Aliases, something like this:
List<String> aliases = new ArrayList<String>();
aliases.add(scopedAlias); //userid#domain.com
User user = new User();
user = retrieveUser(uid); //Gets current record from Google
user.setAliases(aliases);
Directory.Users.Update request
= directory.users().update(uid, user);
request.execute();
That did not work either.
Anyone have an example of working code?
I've gotten aliases inserted using the following:
Alias alias = new Alias();
alias.setAlias(aliasString);
directory.users().aliases().insert(userId, alias).execute();
I don't have anything in the way of insight as to why your approach isn't working or why my approach works, but there you go.
S. McKinley's suggestion worked.
The key difference:
I had been including the call:
alias.setId(userId);
or
alias.setId(scopedUserId); //userId#domain
Either one resulted in the "parameter is inconsistent with a value" error. Leave it out and the alias gets created.
I was able to find the customerId as follows
Go to admin.google.com
Security -> Set up single sign-on (SSO)
You will see URLs like this:
https://accounts.google.com/o/saml2/idp?idpid=Cxxxxxxxx
That Cxxxxxxxx is your customerId
Hey there,
I've got a small problem. I am creating a plugin for Bukkit. I tried to code a in-game config editor - that means that one can change configuration options with a command from inside the game. I already got it to work, but as of the build I'm using (#2879), the method YamlConfiguration.set(String, Object) doesn't seem to work. Here is the essential part of my code for setting and saving the YamlConfiguration I've got.
plugin.debug("option = "+option); // the configuration option
plugin.debug("newvalue = "+value); // the new value
config.set(option, value); // this should set the value of 'option' to 'value'
plugin.debug("savedvalue = "+config.get(option)); // the value saved in the config
As I tested my plugin, I've got the following output.
option = debug
newvalue = false
savedvalue = true
If you need the full and detailed code, look into it on GitHub: GeneralCommands.java, function config(CommandSender, String, String) (line 1074).
Kind regards.
My bad, it was a problem with another method I used (plugin.getConfig()).