From 008faf44cfc21cf5ef1f26de8b6ddce4a24ddb2a Mon Sep 17 00:00:00 2001
From: Jon Koops
Date: Fri, 11 Oct 2024 13:25:25 +0200
Subject: [PATCH] Check if `deviceRepresentation` is set

Closes #33814

Signed-off-by: Jon Koops
---
 .../keycloak/utils/SecureContextResolver.java | 2 +-
 .../utils/SecureContextResolverTest.java | 41 +++++++++++--------
 2 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/services/src/main/java/org/keycloak/utils/SecureContextResolver.java b/services/src/main/java/org/keycloak/utils/SecureContextResolver.java
index ad6149994f..128c13c64c 100644
--- a/services/src/main/java/org/keycloak/utils/SecureContextResolver.java
+++ b/services/src/main/java/org/keycloak/utils/SecureContextResolver.java
@@ -38,7 +38,7 @@ public class SecureContextResolver {
         }
         DeviceRepresentation deviceRepresentation = deviceRepresentationSupplier.get();
-        String browser = deviceRepresentation.getBrowser();
+        String browser = deviceRepresentation != null ? deviceRepresentation.getBrowser() : null;
         // Safari has a bug where even a secure context is not able to set cookies with the 'Secure' directive.
         // Hence, we need to assume the worst case scenario and downgrade to an insecure context.
diff --git a/services/src/test/java/org/keycloak/utils/SecureContextResolverTest.java b/services/src/test/java/org/keycloak/utils/SecureContextResolverTest.java
index d4378a6055..55e96af86d 100644
--- a/services/src/test/java/org/keycloak/utils/SecureContextResolverTest.java
+++ b/services/src/test/java/org/keycloak/utils/SecureContextResolverTest.java
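Review bot: The new ternary leaves `browser` null when the supplier yields no device, but the hunk does not say why that is the right default; since the Safari workaround a few lines down is a downgrade to an insecure context, the reader has to infer that an unknown browser is treated as non-Safari and the URL-based result stands (the new `testNoDeviceRepresentation` pins exactly that). A one-line comment on the added line would make the decision explicit: `// No device information available: skip the browser-specific quirks below and keep the URL-based result.` The ternary also relies on the code after this hunk tolerating a null `browser`; the old test helper already passed a representation with no browser set, so that path presumably exists, but it is worth confirming rather than assuming. Note that `deviceRepresentationSupplier` itself is still dereferenced unconditionally; if callers can pass a null supplier, that is a separate check not covered here. The enclosing method `isSecureContext` starts and ends outside the hunk.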
@@ -10,7 +10,16 @@ import java.util.function.Supplier;
 public class SecureContextResolverTest {
-    static final String BROWSER_SAFARI = "Safari/18.0.1";
+    static DeviceRepresentation DEVICE_UNKOWN;
+    static DeviceRepresentation DEVICE_SAFARI;
+
+    static {
+        DEVICE_UNKOWN = new DeviceRepresentation();
+        DEVICE_UNKOWN.setBrowser(DeviceRepresentation.UNKNOWN);
+
+        DEVICE_SAFARI = new DeviceRepresentation();
+        DEVICE_SAFARI.setBrowser("Safari/18.0.1");
+    }
     @Test
     public void testHttps() {
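Review bot: `DEVICE_UNKOWN` is misspelled, and both new fields are mutable statics even though they are assigned exactly once in the static initializer; they can be declared `static final DeviceRepresentation DEVICE_UNKNOWN;` and `static final DeviceRepresentation DEVICE_SAFARI;`, with the initializer and the two uses in the next hunk (`assertSecureContext(url, DEVICE_UNKOWN, ...)`) renamed to match. Because the fixtures are shared across all tests in the class, a short comment above them would stop a future test from calling setters on them and silently changing the other tests' inputs, e.g. `// Shared read-only fixtures; tests must not mutate them.` The removed `BROWSER_SAFARI` constant was `final`, so this is also a small regression in the file's own style.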
@@ -53,28 +62,28 @@ public class SecureContextResolverTest {
     @Test
     public void testQuirksSafari() {
-        assertSecureContext("https://127.0.0.1", BROWSER_SAFARI, true);
-        assertSecureContext("https://something", BROWSER_SAFARI, true);
-        assertSecureContext("http://[::1]", BROWSER_SAFARI,false);
-        assertSecureContext("http://[0000:0000:0000:0000:0000:0000:0000:0001]", BROWSER_SAFARI, false);
-        assertSecureContext("http://localhost", BROWSER_SAFARI, false);
-        assertSecureContext("http://localhost.", BROWSER_SAFARI, false);
-        assertSecureContext("http://test.localhost", BROWSER_SAFARI, false);
-        assertSecureContext("http://test.localhost.", BROWSER_SAFARI, false);
+        assertSecureContext("https://127.0.0.1", DEVICE_SAFARI, true);
+        assertSecureContext("https://something", DEVICE_SAFARI, true);
+        assertSecureContext("http://[::1]", DEVICE_SAFARI,false);
+        assertSecureContext("http://[0000:0000:0000:0000:0000:0000:0000:0001]", DEVICE_SAFARI, false);
+        assertSecureContext("http://localhost", DEVICE_SAFARI, false);
+        assertSecureContext("http://localhost.", DEVICE_SAFARI, false);
+        assertSecureContext("http://test.localhost", DEVICE_SAFARI, false);
+        assertSecureContext("http://test.localhost.", DEVICE_SAFARI, false);
+    }
+
+    @Test
+    public void testNoDeviceRepresentation() {
+        assertSecureContext("http://localhost", null, true);
     }
     void assertSecureContext(String url, boolean expectedSecureContext) {
-        assertSecureContext(url, null, expectedSecureContext);
+        assertSecureContext(url, DEVICE_UNKOWN, expectedSecureContext);
     }
-    void assertSecureContext(String url, String browser, boolean expectedSecureContext) {
-        DeviceRepresentation deviceRepresentation = new DeviceRepresentation();
+    void assertSecureContext(String url, DeviceRepresentation deviceRepresentation, boolean expectedSecureContext) {
         Supplier deviceRepresentationSupplier = () -> deviceRepresentation;
-        if (browser != null) {
-            deviceRepresentation.setBrowser(browser);
-        }
-
         try {
Assert.assertEquals(expectedSecureContext, SecureContextResolver.isSecureContext(new URI(url), deviceRepresentationSupplier)); } catch (URISyntaxException e) {