RemoteStickySessionEncoderProviderFactory.java

/*
 * Copyright 2024 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.keycloak.models.sessions.infinispan.remote;

import java.lang.invoke.MethodHandles;
import java.util.List;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.connections.infinispan.InfinispanUtil;
import org.keycloak.infinispan.util.InfinispanUtils;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.sessions.StickySessionEncoderProvider;
import org.keycloak.sessions.StickySessionEncoderProviderFactory;

public class RemoteStickySessionEncoderProviderFactory implements StickySessionEncoderProviderFactory, EnvironmentDependentProviderFactory {

    private static final Logger log = Logger.getLogger(MethodHandles.lookup().lookupClass());
    private static final char SEPARATOR = '.';

    private static final StickySessionEncoderProvider NO_ROUTER_PROVIDER = new BaseProvider() {
        @Override
        public String encodeSessionId(String sessionId) {
            return sessionId;
        }

        @Override
        public boolean shouldAttachRoute() {
            return false;
        }
    };

    private volatile boolean shouldAttachRoute;
    private volatile StickySessionEncoderProvider provider;

    @Override
    public StickySessionEncoderProvider create(KeycloakSession session) {
        return shouldAttachRoute ? provider : NO_ROUTER_PROVIDER;
    }

    @Override
    public void init(Config.Scope config) {
        setShouldAttachRoute(config.getBoolean("shouldAttachRoute", true));
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        try (var session = factory.create()) {
            provider = new AttachRouteProvider(getRoute(session));
        }
    }

    @Override
    public void close() {

    }

    @Override
    public String getId() {
        return InfinispanUtils.REMOTE_PROVIDER_ID;
    }

    @Override
    public int order() {
        return InfinispanUtils.PROVIDER_ORDER;
    }

    @Override
    public List<ProviderConfigProperty> getConfigMetadata() {
        return ProviderConfigurationBuilder.create()
                .property()
                .name("shouldAttachRoute")
                .type("boolean")
                .helpText("If the route should be attached to cookies to reflect the node that owns a particular session.")
                .defaultValue(true)
                .add()
                .build();
    }

    @Override
    public boolean isSupported(Config.Scope config) {
        return InfinispanUtils.isRemoteInfinispan();
    }

    @Override
    public void setShouldAttachRoute(boolean shouldAttachRoute) {
        this.shouldAttachRoute = shouldAttachRoute;
        log.debugf("Should attach route to the sticky session cookie: %b", shouldAttachRoute);
    }

    private static String getRoute(KeycloakSession session) {
        return InfinispanUtil.getTopologyInfo(session).getMyNodeName();
    }

    private static abstract class BaseProvider implements StickySessionEncoderProvider {

        @Override
        public final String decodeSessionId(String encodedSessionId) {
            // Try to decode regardless if shouldAttachRoute is true/false.
            // It is possible that some loadbalancers may forward the route information attached by them to the backend keycloak server.
            // We need to remove it then.
            int index = encodedSessionId.indexOf(SEPARATOR);
            return index == -1 ? encodedSessionId : encodedSessionId.substring(0, index);
        }

        @Override
        public final void close() {
        }
    }

    private static class AttachRouteProvider extends BaseProvider {

        private final String route;

        private AttachRouteProvider(String route) {
            this.route = route;
        }

        @Override
        public String encodeSessionId(String sessionId) {
            return sessionId + SEPARATOR + route;
        }

        @Override
        public boolean shouldAttachRoute() {
            return true;
        }
    }
}