KEYCLOAK-3881 Fix login status iframe with * origin

This commit is contained in:
Stian Thorgersen 2016-11-18 12:50:52 +01:00
parent 3e71aeddf3
commit 7043ecc21b
4 changed files with 39 additions and 7 deletions


@ -175,7 +175,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
replicationConfigBuilder.clustering().cacheMode(async ? CacheMode.REPL_ASYNC : CacheMode.REPL_SYNC);
}
boolean jdgEnabled = config.getBoolean("remoteStoreEnabled");
boolean jdgEnabled = config.getBoolean("remoteStoreEnabled", false);
if (jdgEnabled) {
configureRemoteCacheStore(replicationConfigBuilder, async);
}
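Review bot: The explicit default in `config.getBoolean("remoteStoreEnabled", false)` is unrelated to the login-iframe fix named in the commit title, and the reason for it is not recorded anywhere in the hunk. If the single-argument form returns null when the key is absent and the unboxing into `boolean jdgEnabled` was throwing, a short why-comment would stop the next reader from reverting it: `// key is optional; default to false so an absent value cannot NPE on unboxing`. The enclosing method starts and ends outside the hunk.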


@ -75,7 +75,7 @@ public class LoginStatusIframeEndpoint {
if (client != null) {
Set<String> validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(uriInfo, client);
validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
if (validWebOrigins.contains(origin)) {
if (validWebOrigins.contains("*") || validWebOrigins.contains(origin)) {
return Response.noContent().build();
}
}
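Review bot: The wildcard is tested as a bare literal in `validWebOrigins.contains("*")`, while the sibling WebOriginsUtils in this same commit names its `"+"` marker INCLUDE_REDIRECTS; giving `"*"` a constant as well (a proposed `WILDCARD_ORIGIN` beside INCLUDE_REDIRECTS) keeps both special values discoverable in one place. The line also deserves a why-comment, because a client configured with `*` now gets a 204 from this endpoint for whatever `origin` holds, which is the intended wildcard semantics but reads like a missing check: `// "*" in the client's web origins admits every origin, mirroring CORS wildcard semantics`. The enclosing method starts and ends outside the hunk.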


@ -21,6 +21,7 @@ import org.keycloak.common.util.UriUtils;
import org.keycloak.models.ClientModel;
import javax.ws.rs.core.UriInfo;
import java.util.HashSet;
import java.util.Set;
/**
@ -31,17 +32,20 @@ public class WebOriginsUtils {
public static final String INCLUDE_REDIRECTS = "+";
public static Set<String> resolveValidWebOrigins(UriInfo uriInfo, ClientModel client) {
Set<String> webOrigins = client.getWebOrigins();
if (webOrigins != null && webOrigins.contains("+")) {
webOrigins.remove(INCLUDE_REDIRECTS);
Set<String> origins = new HashSet<>();
if (client.getWebOrigins() != null) {
origins.addAll(client.getWebOrigins());
}
if (origins.contains("+")) {
origins.remove(INCLUDE_REDIRECTS);
client.getRedirectUris();
for (String redirectUri : RedirectUtils.resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris())) {
if (redirectUri.startsWith("http://") || redirectUri.startsWith("https://")) {
webOrigins.add(UriUtils.getOrigin(redirectUri));
origins.add(UriUtils.getOrigin(redirectUri));
}
}
}
return webOrigins;
return origins;
}
}
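Review bot: `client.getRedirectUris();` on the line before the for loop is a discarded call with no visible effect and should be removed, unless it is relied on to trigger lazy loading in the model, in which case a comment saying so is needed. The check `origins.contains("+")` also uses a literal where the next line uses the constant; `if (origins.contains(INCLUDE_REDIRECTS)) {` keeps the marker in one place. Since the method now fills a fresh HashSet instead of mutating the set returned by `client.getWebOrigins()`, a Javadoc line such as `Returns a new mutable set; the client's own web-origins collection is never modified.` would record the contract that LoginStatusIframeEndpoint relies on when it adds the request origin to the result.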


@ -31,12 +31,15 @@ import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.models.Constants;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.regex.Matcher;
@ -159,6 +162,31 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
}
}
@Test
public void checkIframeWildcardOrigin() throws IOException {
String id = adminClient.realm("master").clients().findByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID).get(0).getId();
ClientResource master = adminClient.realm("master").clients().get(id);
ClientRepresentation rep = master.toRepresentation();
List<String> org = rep.getWebOrigins();
CloseableHttpClient client = HttpClients.createDefault();
try {
rep.setWebOrigins(Collections.singletonList("*"));
master.update(rep);
HttpGet get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
+ "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID
+ "&origin=" + "http://anything"
);
CloseableHttpResponse response = client.execute(get);
assertEquals(204, response.getStatusLine().getStatusCode());
response.close();
} finally {
rep.setWebOrigins(org);
master.update(rep);
client.close();
}
}
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
}
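Review bot: In checkIframeWildcardOrigin the response is closed only after `assertEquals`, so a failing assertion leaks the connection; `try (CloseableHttpResponse response = client.execute(get)) { assertEquals(204, response.getStatusLine().getStatusCode()); }` closes it on both paths and drops the manual `response.close()`. The finally block correctly restores the admin-console client's web origins after widening them to `*` on the master realm; if `rep.getWebOrigins()` was null before the test, `rep.setWebOrigins(org)` presumably puts that null back, which is worth a one-line comment since the restore is what keeps the wildcard from surviving into later tests. The empty `addTestRealms` override could carry `// no extra realms: the test uses the built-in master realm`. The test class continues outside the hunk.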