From 7043ecc21be5ea31fb2dd1244bef1cc18fefb819 Mon Sep 17 00:00:00 2001
From: Stian Thorgersen
Date: Fri, 18 Nov 2016 12:50:52 +0100
Subject: [PATCH] KEYCLOAK-3881 Fix login status iframe with * origin

---
 ...ltInfinispanConnectionProviderFactory.java | 2 +-
 .../endpoints/LoginStatusIframeEndpoint.java | 2 +-
 .../protocol/oidc/utils/WebOriginsUtils.java | 14 ++++++----
 .../oauth/LoginStatusIframeEndpointTest.java | 28 +++++++++++++++++++
 4 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
index 473aab9e9b..7781e3ac7d 100755
--- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
+++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
@@ -175,7 +175,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
 replicationConfigBuilder.clustering().cacheMode(async ? CacheMode.REPL_ASYNC : CacheMode.REPL_SYNC);
 }
- boolean jdgEnabled = config.getBoolean("remoteStoreEnabled");
+ boolean jdgEnabled = config.getBoolean("remoteStoreEnabled", false);
 if (jdgEnabled) {
 configureRemoteCacheStore(replicationConfigBuilder, async);
 }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
index 5d2d054fbd..605047f7f4 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
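Review bot: The new explicit default on the `config.getBoolean("remoteStoreEnabled", false)` line is undocumented; presumably the one-argument form returned null when the key was absent and unboxing into the `boolean` local failed, but nothing in the hunk says so. A short comment such as `// remote store is opt-in; default to false so an absent key cannot fail at unboxing` (after confirming the one-argument behaviour) would record why the default is spelled out. The enclosing method starts and ends outside the hunk.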
@@ -75,7 +75,7 @@ public class LoginStatusIframeEndpoint {
 if (client != null) {
 Set validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(uriInfo, client);
 validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
- if (validWebOrigins.contains(origin)) {
+ if (validWebOrigins.contains("*") || validWebOrigins.contains(origin)) {
 return Response.noContent().build();
 }
 }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/utils/WebOriginsUtils.java b/services/src/main/java/org/keycloak/protocol/oidc/utils/WebOriginsUtils.java
index f606bfc602..83f90f05a0 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/utils/WebOriginsUtils.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/utils/WebOriginsUtils.java
@@ -21,6 +21,7 @@ import org.keycloak.common.util.UriUtils;
 import org.keycloak.models.ClientModel;
 import javax.ws.rs.core.UriInfo;
+import java.util.HashSet;
 import java.util.Set;
 /**
@@ -31,17 +32,20 @@ public class WebOriginsUtils {
 public static final String INCLUDE_REDIRECTS = "+";
 public static Set resolveValidWebOrigins(UriInfo uriInfo, ClientModel client) {
- Set webOrigins = client.getWebOrigins();
- if (webOrigins != null && webOrigins.contains("+")) {
- webOrigins.remove(INCLUDE_REDIRECTS);
+ Set origins = new HashSet<>();
+ if (client.getWebOrigins() != null) {
+ origins.addAll(client.getWebOrigins());
+ }
+ if (origins.contains("+")) {
+ origins.remove(INCLUDE_REDIRECTS);
 client.getRedirectUris();
 for (String redirectUri : RedirectUtils.resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris())) {
 if (redirectUri.startsWith("http://") || redirectUri.startsWith("https://")) {
- webOrigins.add(UriUtils.getOrigin(redirectUri));
+ origins.add(UriUtils.getOrigin(redirectUri));
 }
 }
 }
- return webOrigins;
+ return origins;
 }
 }
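Review bot: The wildcard short-circuit on the changed line returns 204 before `origin` is compared with anything, so a client whose web origins contain `*` makes `/init` accept any value in the `origin` parameter; that mirrors the CORS meaning of `*`, but the code does not say so, and the bare literal `"*"` has no named constant while `WebOriginsUtils` already names `+` as `INCLUDE_REDIRECTS`. A comment on the new line, `// "*" among the client's web origins allows every origin, as it does for CORS`, plus a constant declared next to `INCLUDE_REDIRECTS`, would make the trust decision explicit and searchable. Since `*` effectively disables the iframe's origin check for that client, the operator-facing description of the web-origins setting should state the same consequence. The enclosing method begins and ends outside the hunk.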
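Review bot: `resolveValidWebOrigins` now returns a fresh `HashSet` that callers may mutate (the caller in `LoginStatusIframeEndpoint` adds the request origin to it), but that guarantee is not written down; a Javadoc sentence such as `Returns a new, mutable set of allowed origins; the client's own web-origin collection is never modified.` would pin it. On the new `if (origins.contains("+")) {` line the literal duplicates `INCLUDE_REDIRECTS`, which the very next line uses — `if (origins.contains(INCLUDE_REDIRECTS)) {` keeps the two in step. The context line `client.getRedirectUris();` discards its result and survives the rewrite unchanged; it reads as a leftover and could be removed.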
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
index 4bb437c0b9..7a01e4e291 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
@@ -31,12 +31,15 @@ import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.message.BasicNameValuePair;
 import org.junit.Test;
+import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.models.Constants;
+import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import java.io.IOException;
 import java.net.URLEncoder;
+import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.regex.Matcher;
@@ -159,6 +162,31 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
 }
 }
+ @Test
+ public void checkIframeWildcardOrigin() throws IOException {
+ String id = adminClient.realm("master").clients().findByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID).get(0).getId();
+ ClientResource master = adminClient.realm("master").clients().get(id);
+ ClientRepresentation rep = master.toRepresentation();
+ List org = rep.getWebOrigins();
+ CloseableHttpClient client = HttpClients.createDefault();
+ try {
+ rep.setWebOrigins(Collections.singletonList("*"));
+ master.update(rep);
+
+ HttpGet get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?" +
+ "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID +
+ "&origin=" + "http://anything"
+ );
+ CloseableHttpResponse response = client.execute(get);
+ assertEquals(204, response.getStatusLine().getStatusCode());
+ response.close();
+ } finally {
+ rep.setWebOrigins(org);
+ master.update(rep);
+ client.close();
+ }
+ }
+
 @Override
 public void addTestRealms(List testRealms) {
 }
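Review bot: In `checkIframeWildcardOrigin` the `CloseableHttpResponse` is closed only after the assertion passes, so a failing assertion leaks the response, and `client` is likewise closed by hand in `finally`; try-with-resources covers both: `try (CloseableHttpResponse response = client.execute(get)) { assertEquals(204, response.getStatusLine().getStatusCode()); }`. The test proves only the accept path for `*`; a companion check that the same `origin=http://anything` request is rejected once the wildcard is removed from the client (if the existing tests in this class do not already cover it) would guard the check against being widened further. The method is complete within the hunk.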