getIgnoredGroupProtectionClients not called if clientid matches pattern regex
Bug
Description
When adding an existing group protect client to the group protection ignore list, it is not ignored.
To reproduce: configure a client as you always would, set up the groups, etc. Then add the client to the groupProtectionIgnoreClients list in the customreg.yaml file. Reboot the pods so the change takes effect. The client will still not authenticate because the user is not in the group.
BigBang Version
2.43
Investigation
I did some digging and found the logic this centers on is at https://repo1.dso.mil/big-bang/product/plugins/keycloak-p1-auth-plugin/-/tree/main/p1-keycloak-plugin/src/main/java/dod/p1/keycloak/authentication?ref_type=heads#L60.
```java
// Match the pattern "test_b4e4ae70-5b78-47ff-ad5c-7ebf3c10e452_app"
// where "test" is the short name and "b4e4ae70-5b78-47ff-ad5c-7ebf3c10e452" is the group id
String clientIdPatternMatch =
    "^[a-z0-9-]+_([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})_[_a-z0-9-]+$";
Pattern pattern = Pattern.compile(clientIdPatternMatch);
Matcher matcher = pattern.matcher(clientId);
// Check for a valid match
if (matcher.find() && matcher.groupCount() == 1) {
    // Client id carries a group id: enforce group membership, ignore list is never consulted
    String groupId = matcher.group(1);
    checkIfUserIsAuthorized(context, realm, user, logPrefix, groupId);
} else {
    // Only client ids that do NOT match the pattern reach the ignore-list check
    if (CommonConfig.getInstance(session, realm).getIgnoredGroupProtectionClients().contains(clientId)
        && user != null) {
        LOGGER.info("{} matched authorized ignored group protect client", logPrefix);
        success(context, user);
    } else {
        LOGGER.warn("{} failed ignored group protect client test", logPrefix);
        context.failure(AuthenticationFlowError.CLIENT_DISABLED);
    }
}
}
```
The check for getIgnoredGroupProtectionClients() only runs if the regex doesn't return a match. I'd argue that the ignore list should be checked first, as an administrative override, before spending logic cycles on the regex search and on enumerating the user's groups to compare.
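The following is an added illustration, not code from the keycloak-p1-auth-plugin project: it mirrors the plugin's branch order in Python, side by side with the reordered version the report proposes, so the behaviour difference for an ignored client whose id matches the pattern can be seen on sample input. The regex is the one quoted above; the ignore list, the user/group membership map, the outcome strings and the assumption that checkIfUserIsAuthorized fails the flow when the user is not in the group are all constructed for this example.

```python
import re

# Same client-id pattern as the plugin: "<shortname>_<uuid-v4>_<suffix>",
# capturing the group id the client is protected by.
CLIENT_ID_PATTERN = re.compile(
    r"^[a-z0-9-]+_([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})_[_a-z0-9-]+$"
)

# Constructed sample data (not from any real deployment):
# the groupProtectionIgnoreClients list an admin would put in customreg.yaml,
# and a user -> set-of-group-ids membership map.
IGNORED_CLIENTS = {
    "test_b4e4ae70-5b78-47ff-ad5c-7ebf3c10e452_app",  # matches the pattern
    "legacy-dashboard",                                # does not match the pattern
}
USER_GROUPS = {
    "alice": {"b4e4ae70-5b78-47ff-ad5c-7ebf3c10e452"},
    "bob": set(),
}

# Outcome labels are this example's own, standing in for success()/context.failure().
SUCCESS = "success"
FAIL_NOT_IN_GROUP = "failure:not-in-group"
FAIL_CLIENT_DISABLED = "failure:client-disabled"


def extract_group_id(client_id):
    """Equivalent of matcher.find() + matcher.group(1); None when no match."""
    m = CLIENT_ID_PATTERN.search(client_id)
    return m.group(1) if m else None


def check_if_user_is_authorized(user, group_id):
    """Assumed behaviour of checkIfUserIsAuthorized: pass only if the user is in the group."""
    if user is None:
        return FAIL_NOT_IN_GROUP
    return SUCCESS if group_id in USER_GROUPS.get(user, set()) else FAIL_NOT_IN_GROUP


def authorize_current(client_id, user):
    """Branch order as in the plugin: regex first, ignore list only on no match."""
    group_id = extract_group_id(client_id)
    if group_id is not None:
        return check_if_user_is_authorized(user, group_id)
    if client_id in IGNORED_CLIENTS and user is not None:
        return SUCCESS
    return FAIL_CLIENT_DISABLED


def authorize_proposed(client_id, user):
    """Branch order the report argues for: ignore list first as an admin override."""
    if user is not None and client_id in IGNORED_CLIENTS:
        return SUCCESS
    group_id = extract_group_id(client_id)
    if group_id is not None:
        return check_if_user_is_authorized(user, group_id)
    return FAIL_CLIENT_DISABLED


if __name__ == "__main__":
    cases = [
        ("test_b4e4ae70-5b78-47ff-ad5c-7ebf3c10e452_app", "bob"),    # ignored, matches pattern
        ("test_b4e4ae70-5b78-47ff-ad5c-7ebf3c10e452_app", "alice"),  # ignored, user is in group
        ("legacy-dashboard", "bob"),                                  # ignored, no pattern match
        ("other-app", "bob"),                                         # not ignored, no match
    ]
    for client_id, user in cases:
        print(f"{client_id:48} {user:6} current={authorize_current(client_id, user):24}"
              f" proposed={authorize_proposed(client_id, user)}")
```

The first case is the reported bug: with the plugin's order, "bob" is rejected for the ignored client because the pattern matches and the ignore list is never consulted; with the ignore list checked first, the same request succeeds. Note that the ignore-list match is an exact string comparison, so an entry that does not match the client id character for character silently does nothing, and that moving the check first makes the list a full bypass of group protection for every listed client, so it should be treated as privileged configuration.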