KEYCLOAK-7707

This commit is contained in:
vramik 2018-09-17 13:53:10 +02:00 committed by Stian Thorgersen
parent a957e118e6
commit 6564cebc0f
3 changed files with 61 additions and 3 deletions

View file

@ -55,7 +55,7 @@ public class RedirectUtils {
public static Set<String> resolveValidRedirects(UriInfo uriInfo, String rootUrl, Set<String> validRedirects) { public static Set<String> resolveValidRedirects(UriInfo uriInfo, String rootUrl, Set<String> validRedirects) {
// If the valid redirect URI is relative (no scheme, host, port) then use the request's scheme, host, and port // If the valid redirect URI is relative (no scheme, host, port) then use the request's scheme, host, and port
Set<String> resolveValidRedirects = new HashSet<String>(); Set<String> resolveValidRedirects = new HashSet<>();
for (String validRedirect : validRedirects) { for (String validRedirect : validRedirects) {
resolveValidRedirects.add(validRedirect); // add even relative urls. resolveValidRedirects.add(validRedirect); // add even relative urls.
if (validRedirect.startsWith("/")) { if (validRedirect.startsWith("/")) {
@ -70,7 +70,9 @@ public class RedirectUtils {
private static Set<String> getValidateRedirectUris(UriInfo uriInfo, RealmModel realm) { private static Set<String> getValidateRedirectUris(UriInfo uriInfo, RealmModel realm) {
Set<String> redirects = new HashSet<>(); Set<String> redirects = new HashSet<>();
for (ClientModel client : realm.getClients()) { for (ClientModel client : realm.getClients()) {
redirects.addAll(resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris())); if (client.isEnabled()) {
redirects.addAll(resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris()));
}
} }
return redirects; return redirects;
} }

View file

@ -36,7 +36,6 @@ import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation; import org.keycloak.representations.idm.UserSessionRepresentation;
import org.keycloak.util.TokenUtil; import org.keycloak.util.TokenUtil;
import javax.ws.rs.core.Response;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -150,6 +149,13 @@ public class AssertEvents implements TestRule {
.session(sessionId); .session(sessionId);
} }
public ExpectedEvent expectLogoutError(String error) {
return expect(EventType.LOGOUT_ERROR)
.error(error)
.client((String) null)
.user((String) null);
}
public ExpectedEvent expectRegister(String username, String email) { public ExpectedEvent expectRegister(String username, String email) {
UserRepresentation user = username != null ? getUser(username) : null; UserRepresentation user = username != null ? getUser(username) : null;
return expect(EventType.REGISTER) return expect(EventType.REGISTER)

View file

@ -18,23 +18,40 @@
package org.keycloak.testsuite.client; package org.keycloak.testsuite.client;
import org.junit.Test; import org.junit.Test;
import org.junit.Rule;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.RealmBuilder;
import java.net.URI;
import javax.ws.rs.client.Client; import javax.ws.rs.client.Client;
import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThat;
import static org.keycloak.testsuite.util.Matchers.statusCodeIs;
/** /**
* @author <a href="mailto:thomas.darimont@gmail.com">Thomas Darimont</a> * @author <a href="mailto:thomas.darimont@gmail.com">Thomas Darimont</a>
*/ */
public class ClientRedirectTest extends AbstractTestRealmKeycloakTest { public class ClientRedirectTest extends AbstractTestRealmKeycloakTest {
@Rule
public AssertEvents events = new AssertEvents(this);
@Override @Override
public void configureTestRealm(RealmRepresentation testRealm) { public void configureTestRealm(RealmRepresentation testRealm) {
RealmBuilder.edit(testRealm) RealmBuilder.edit(testRealm)
@ -73,4 +90,37 @@ public class ClientRedirectTest extends AbstractTestRealmKeycloakTest {
assertEquals(303, response.getStatus()); assertEquals(303, response.getStatus());
client.close(); client.close();
} }
// KEYCLOAK-7707
@Test
public void testRedirectToDisabledClientRedirectURI() throws Exception {
log.debug("Creating disabled-client with redirect uri \"*\"");
String clientId;
try (Response create = adminClient.realm("test").clients().create(ClientBuilder.create().clientId("disabled-client").enabled(false).redirectUris("*").build())) {
clientId = ApiUtil.getCreatedId(create);
assertThat(create, statusCodeIs(Status.CREATED));
}
try {
log.debug("log in");
oauth.doLogin("test-user@localhost", "password");
events.expectLogin().assertEvent();
URI logout = KeycloakUriBuilder.fromUri(suiteContext.getAuthServerInfo().getBrowserContextRoot().toURI())
.path("auth" + ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
.queryParam(OIDCLoginProtocol.REDIRECT_URI_PARAM, "http://example.org/redirected")
.build("test");
log.debug("log out using: " + logout.toURL());
driver.navigate().to(logout.toURL());
log.debug("Current URL: " + driver.getCurrentUrl());
log.debug("check logout_error");
events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI).assertEvent();
assertThat(driver.getCurrentUrl(), is(not(equalTo("http://example.org/redirected"))));
} finally {
log.debug("removing disabled-client");
adminClient.realm("test").clients().get(clientId).remove();
}
}
} }