Disabling strict https if hostname is diasabled

Closes #15287
This commit is contained in:
Pedro Igor 2022-11-08 16:47:08 -03:00
parent 30cc16e648
commit 0c4ac62a5f
4 changed files with 40 additions and 26 deletions


@ -108,10 +108,10 @@ public final class DefaultHostnameProvider implements HostnameProvider, Hostname
@Override
public int getPort(UriInfo originalUriInfo, UrlType urlType) {
if (ADMIN.equals(urlType)) {
return fromBaseUriOrDefault(URI::getPort, adminBaseUri, getRequestPort());
return fromBaseUriOrDefault(URI::getPort, adminBaseUri, getRequestPort(originalUriInfo));
}
Integer port = forNonStrictBackChannel(originalUriInfo, urlType, this::getPort, this::getPort);
Integer port = forNonStrictBackChannel(originalUriInfo, urlType, this::getPort, this::getRequestPort);
if (port != null) {
return port;
@ -126,7 +126,7 @@ public final class DefaultHostnameProvider implements HostnameProvider, Hostname
@Override
public int getPort(UriInfo originalUriInfo) {
return noProxy && strictHttps ? defaultTlsPort : getRequestPort();
return noProxy && strictHttps ? defaultTlsPort : getRequestPort(originalUriInfo);
}
private <T> T forNonStrictBackChannel(UriInfo originalUriInfo, UrlType urlType,
@ -234,7 +234,7 @@ public final class DefaultHostnameProvider implements HostnameProvider, Hostname
hostnameEnabled = (frontEndHostName != null || frontEndBaseUri != null);
if (frontEndBaseUri == null) {
strictHttps = config.getBoolean("strict-https", false);
strictHttps = hostnameEnabled && config.getBoolean("strict-https", false);
} else {
frontEndHostName = frontEndBaseUri.getHost();
strictHttps = "https".equals(frontEndBaseUri.getScheme());
@ -292,7 +292,7 @@ public final class DefaultHostnameProvider implements HostnameProvider, Hostname
!noProxy);
}
private int getRequestPort() {
private int getRequestPort(UriInfo uriInfo) {
KeycloakSession session = Resteasy.getContextData(KeycloakSession.class);
return session.getContext().getHttpRequest().getUri().getBaseUri().getPort();
}
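Review bot: The new `uriInfo` parameter of `getRequestPort` (line 42) is never read; the body still resolves the port through `Resteasy.getContextData(KeycloakSession.class)`, so the parameter exists only to fit the function shape needed by the `this::getRequestPort` reference in `getPort(UriInfo, UrlType)` (line 20). If the passed `UriInfo` always describes the same request as the session context, `return uriInfo.getBaseUri().getPort();` would drop the static lookup and make the dependency explicit; if it can legitimately differ, a comment such as `// uriInfo is intentionally unused: the port is always taken from the current request context` would stop the next reader from assuming the argument matters. The `getPort(UriInfo, UrlType)` hunk at line 12 continues outside the shown lines, so the remaining uses of `port` are not visible here.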


@ -32,6 +32,8 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import io.quarkus.deployment.util.FileUtil;
import io.quarkus.runtime.configuration.QuarkusConfigFactory;
@ -102,7 +104,7 @@ public class CLITestExtension extends QuarkusMainTestExtension {
onBeforeStartDistribution(context.getRequiredTestMethod().getAnnotation(BeforeStartDistribution.class));
if (launch != null) {
result = dist.run(List.of(launch.value()));
result = dist.run(Stream.concat(List.of(launch.value()).stream(), List.of(distConfig.defaultOptions()).stream()).collect(Collectors.toList()));
}
} else {
configureProfile(context);
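Review bot: On line 61 `defaultOptions()` are appended after the per-test `@Launch` values, so a test that deliberately passes a conflicting value for the same option (for example `--http-enabled=false`) may, depending on how the CLI treats a repeated option, either be rejected or have its explicit value overridden by the class-wide default. Concatenating in the other order, `Stream.concat(Stream.of(distConfig.defaultOptions()), Stream.of(launch.value())).collect(Collectors.toList())`, lets the per-test `@Launch` value be the last one seen, and `Stream.of(array)` also avoids the `List.of(...).stream()` detour. The enclosing method starts before this hunk, and `distConfig` is presumably resolved earlier in it.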


@ -56,5 +56,10 @@ public @interface DistributionTest {
* If any build option must be unset after the running the build command.
*/
boolean removeBuildOptionsAfterBuild() default false;
/**
* If any option must be set when starting the server.
*/
String[] defaultOptions() default {};
}
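Review bot: The Javadoc on `defaultOptions` (line 73) does not say how these values relate to the per-test `@Launch` arguments, which is the thing a test author needs to know. Since the extension adds them to every launch of the annotated class, wording like `Options added to the arguments of every {@code @Launch} in the annotated test class, for settings that all runs need (for example, enabling HTTP).` would make the intent clear, and a sentence stating whether a per-test `@Launch` value for the same option takes precedence would settle the one question the attribute raises.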


@ -31,7 +31,7 @@ import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentatio
import io.quarkus.test.junit.main.Launch;
import io.restassured.RestAssured;
@DistributionTest(keepAlive = true)
@DistributionTest(keepAlive = true, defaultOptions = { "--http-enabled=true" })
@BeforeStartDistribution(CopyTLSKeystore.class)
@RawDistOnly(reason = "Containers are immutable")
public class HostnameDistTest {
@ -42,7 +42,7 @@ public class HostnameDistTest {
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--http-enabled=true", "--hostname-strict-https=false" })
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-strict-https=false" })
public void testSchemeAndPortFromRequestWhenNoProxySet() {
assertFrontEndUrl("http://mykeycloak.org:8080", "http://mykeycloak.org:8080/");
assertFrontEndUrl("http://localhost:8080", "http://mykeycloak.org:8080/");
@ -50,17 +50,17 @@ public class HostnameDistTest {
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--http-enabled=true" })
@Launch({ "start", "--hostname=mykeycloak.org" })
public void testForceHttpsSchemeAndPortWhenStrictHttpsEnabled() {
assertFrontEndUrl("http://mykeycloak.org:8080", "https://mykeycloak.org:8443/");
assertFrontEndUrl("http://localhost:8080", "https://mykeycloak.org:8443/");
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=8443", "--http-enabled=true", "--hostname-strict-https=false" })
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=1234" })
public void testForceHostnamePortWhenNoProxyIsSet() {
assertFrontEndUrl("http://mykeycloak.org:8080", "http://mykeycloak.org:8443/");
assertFrontEndUrl("https://mykeycloak.org:8443", "https://mykeycloak.org:8443/");
assertFrontEndUrl("http://mykeycloak.org:8080", "https://mykeycloak.org:1234/");
assertFrontEndUrl("https://mykeycloak.org:8443", "https://mykeycloak.org:1234/");
}
@Test
@ -84,32 +84,33 @@ public class HostnameDistTest {
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--http-enabled=true", "--hostname-strict-https=false" })
@Launch({ "start", "--hostname=mykeycloak.org" })
public void testBackEndUrlFromRequest() {
assertBackEndUrl("http://localhost:8080", "http://localhost:8080/");
assertBackEndUrl("https://localhost:8443", "https://localhost:8443/");
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-strict-backchannel=true", "--http-enabled=true", "--hostname-strict-https=false" })
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-strict-backchannel=true" })
public void testBackEndUrlSameAsFrontEndUrl() {
assertBackEndUrl("http://localhost:8080", "http://mykeycloak.org:8080/");
assertBackEndUrl("http://localhost:8080", "https://mykeycloak.org:8443/");
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-path=/auth", "--hostname-strict=true", "--hostname-strict-backchannel=true", "--http-enabled=true", "--hostname-strict-https=false" })
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-path=/auth", "--hostname-strict-backchannel=true" })
public void testSetHostnamePath() {
assertFrontEndUrl("http://localhost:8080", "http://mykeycloak.org:8080/auth/");
assertBackEndUrl("http://localhost:8080", "http://mykeycloak.org:8080/auth/");
assertFrontEndUrl("http://localhost:8080", "https://mykeycloak.org:8443/auth/");
assertBackEndUrl("http://localhost:8080", "https://mykeycloak.org:8443/auth/");
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--https-port=8543", "--hostname-strict-https=true", "--http-enabled=true" })
@Launch({ "start", "--hostname=mykeycloak.org", "--https-port=8543", "--hostname-strict-https=true" })
public void testDefaultTlsPortChangeWhenHttpPortSet() {
assertFrontEndUrl("http://mykeycloak.org:8080", "https://mykeycloak.org:8543/");
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-strict-https=true", "--hostname-port=8543", "--http-enabled=true" })
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=8543" })
public void testWelcomePageAdminUrl() {
Assert.assertTrue(when().get("http://mykeycloak.org:8080").asString().contains("http://mykeycloak.org:8080/admin/"));
Assert.assertTrue(when().get("https://mykeycloak.org:8443").asString().contains("https://mykeycloak.org:8443/admin/"));
@ -118,14 +119,14 @@ public class HostnameDistTest {
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-admin=mykeycloakadmin.127.0.0.1.nip.io", "--http-enabled=true" })
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-admin=mykeycloakadmin.org" })
public void testHostnameAdminSet() {
Assert.assertTrue(when().get("https://mykeycloak.org:8443/admin/master/console").asString().contains("\"authUrl\": \"https://mykeycloakadmin.127.0.0.1.nip.io:8443\""));
Assert.assertTrue(when().get("https://mykeycloak.org:8443/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https://mykeycloakadmin.127.0.0.1.nip.io:8443/admin/master/console&state=02234324-d91e-4bf2-8396-57498e96b12a&response_mode=fragment&response_type=code&scope=openid&nonce=f8f3812e-e349-4bbf-8d15-cbba4927f5e5&code_challenge=7qjD_v11WGkt1ig-ZFHxJdrEvuTlzjFRgRGQ_5ADcko&code_challenge_method=S256").asString().contains("Sign in to your account"));
Assert.assertTrue(when().get("https://mykeycloak.org:8443/admin/master/console").asString().contains("\"authUrl\": \"https://mykeycloakadmin.org:8443\""));
Assert.assertTrue(when().get("https://mykeycloak.org:8443/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https://mykeycloakadmin.org:8443/admin/master/console&state=02234324-d91e-4bf2-8396-57498e96b12a&response_mode=fragment&response_type=code&scope=openid&nonce=f8f3812e-e349-4bbf-8d15-cbba4927f5e5&code_challenge=7qjD_v11WGkt1ig-ZFHxJdrEvuTlzjFRgRGQ_5ADcko&code_challenge_method=S256").asString().contains("Sign in to your account"));
}
@Test
@Launch({ "start", "--hostname=mykeycloak.org", "--http-enabled=true" })
@Launch({ "start", "--hostname=mykeycloak.org" })
public void testInvalidRedirectUriWhenAdminNotSet() {
Assert.assertTrue(when().get("https://mykeycloak.org:8443/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https://mykeycloakadmin.127.0.0.1.nip.io:8443/admin/master/console&state=02234324-d91e-4bf2-8396-57498e96b12a&response_mode=fragment&response_type=code&scope=openid&nonce=f8f3812e-e349-4bbf-8d15-cbba4927f5e5&code_challenge=7qjD_v11WGkt1ig-ZFHxJdrEvuTlzjFRgRGQ_5ADcko&code_challenge_method=S256").asString().contains("Invalid parameter: redirect_uri"));
}
@ -137,9 +138,15 @@ public class HostnameDistTest {
}
@Test
@Launch({ "start", "--proxy=edge", "--hostname=mykeycloak.org", "--hostname-admin-url=http://mykeycloakadmin.127.0.0.1.nip.io:1234" })
@Launch({ "start", "--proxy=edge", "--hostname=mykeycloak.org", "--hostname-admin-url=http://mykeycloakadmin.org:1234" })
public void testAdminUrl() {
Assert.assertTrue(when().get("https://mykeycloak.org:8443").asString().contains("http://mykeycloakadmin.127.0.0.1.nip.io:1234/admin/"));
Assert.assertTrue(when().get("https://mykeycloak.org:8443").asString().contains("http://mykeycloakadmin.org:1234/admin/"));
}
@Test
@Launch({ "start", "--hostname-strict=false" })
public void testStrictHttpsDisabledIfHostnameDisabled() {
assertFrontEndUrl("http://mykeycloak.org:8080", "http://mykeycloak.org:8080/");
}
private OIDCConfigurationRepresentation getServerMetadata(String baseUrl) {
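Review bot: The new `testStrictHttpsDisabledIfHostnameDisabled` (lines 179–182) only sends a plain-http request, so it shows that strict HTTPS is no longer forced when the hostname is disabled, but not that an https request keeps its scheme in that mode; adding `assertFrontEndUrl("https://mykeycloak.org:8443", "https://mykeycloak.org:8443/");` would pin both directions of the request-derived scheme and catch a regression that downgrades https front-end URLs. Because the front-end URL in this mode is built from the incoming request, a short comment in the test such as `// hostname disabled: front-end URL mirrors the request, including its Host header` would record why the expected value simply echoes the input. The `testSetHostnamePath` hunk (line 133) also drops `--hostname-strict=true` from its launch; if that is deliberate because it matches the default, a word in the commit message would help.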