KEYCLOAK-14197 Client Policy - Condition : Client - Client Host

2020-11-19 11:44:54 +09:00 · 2020-11-19 11:44:54 +09:00 · a51e0cc484
commit a51e0cc484
parent cd9e01af90
6 changed files with 305 additions and 216 deletions
--- a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientIpAddressCondition.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientIpAddressCondition.java
@ -1,90 +0,0 @@
-/*
- * Copyright 2020 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.services.clientpolicy.condition;
-
-import java.util.Collections;
-import java.util.List;
-
-import org.jboss.logging.Logger;
-
-import org.keycloak.component.ComponentModel;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.services.clientpolicy.ClientPolicyContext;
-import org.keycloak.services.clientpolicy.ClientPolicyException;
-import org.keycloak.services.clientpolicy.ClientPolicyLogger;
-import org.keycloak.services.clientpolicy.ClientPolicyVote;
-
-public class ClientIpAddressCondition implements ClientPolicyConditionProvider {
-
-    private static final Logger logger = Logger.getLogger(ClientIpAddressCondition.class);
-
-    private final KeycloakSession session;
-    private final ComponentModel componentModel;
-
-    public ClientIpAddressCondition(KeycloakSession session, ComponentModel componentModel) {
-        this.session = session;
-        this.componentModel = componentModel;
-    }
-
-    @Override
-    public String getName() {
-        return componentModel.getName();
-    }
-
-    @Override
-    public String getProviderId() {
-        return componentModel.getProviderId();
-    }
-
-    @Override
-    public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
-        switch (context.getEvent()) {
-            case TOKEN_REQUEST:
-            case TOKEN_REFRESH:
-            case TOKEN_REVOKE:
-            case TOKEN_INTROSPECT:
-            case USERINFO_REQUEST:
-            case LOGOUT_REQUEST:
-                if (isIpAddressMatched()) return ClientPolicyVote.YES;
-                return ClientPolicyVote.NO;
-            default:
-                return ClientPolicyVote.ABSTAIN;
-        }
-    }
-
-    private boolean isIpAddressMatched() {
-        String ipAddr = session.getContext().getConnection().getRemoteAddr();
-
-        List<String> expectedIpAddresses = componentModel.getConfig().get(ClientIpAddressConditionFactory.IPADDR);
-        if (expectedIpAddresses == null) expectedIpAddresses = Collections.emptyList();
-
-        if (logger.isTraceEnabled()) {
-            ClientPolicyLogger.log(logger, "ip address = " + ipAddr);
-            expectedIpAddresses.stream().forEach(i -> ClientPolicyLogger.log(logger, "ip address expected = " + i));
-        }
-
-        boolean isMatched = expectedIpAddresses.stream().anyMatch(i -> i.equals(ipAddr));
-        if (isMatched) {
-           ClientPolicyLogger.log(logger, "ip address matched.");
-        }  else {
-           ClientPolicyLogger.log(logger, "ip address unmatched.");
-        }
-        return isMatched;
-    }
-
-}
--- a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientIpAddressConditionFactory.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientIpAddressConditionFactory.java
@ -1,74 +0,0 @@
-/*
- * Copyright 2020 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.services.clientpolicy.condition;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.keycloak.Config.Scope;
-import org.keycloak.component.ComponentModel;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakSessionFactory;
-import org.keycloak.provider.ProviderConfigProperty;
-
-public class ClientIpAddressConditionFactory  implements ClientPolicyConditionProviderFactory {
-
-    public static final String PROVIDER_ID = "client-ipaddr-condition";
-    public static final String IPADDR = "ipaddr";
-
-    private static final List<ProviderConfigProperty> configProperties = new ArrayList<ProviderConfigProperty>();
-
-    static {
-        ProviderConfigProperty property;
-        property = new ProviderConfigProperty(IPADDR, PROVIDER_ID + ".label", PROVIDER_ID + ".tooltip", ProviderConfigProperty.MULTIVALUED_STRING_TYPE, "0.0.0.0");
-        configProperties.add(property);
-    }
-
-    @Override
-    public ClientPolicyConditionProvider create(KeycloakSession session, ComponentModel model) {
-        return new ClientIpAddressCondition(session, model);
-    }
-
-    @Override
-    public void init(Scope config) {
-    }
-
-    @Override
-    public void postInit(KeycloakSessionFactory factory) {
-    }
-
-    @Override
-    public void close() {
-    }
-
-    @Override
-    public String getId() {
-        return PROVIDER_ID;
-    }
-
-    @Override
-    public String getHelpText() {
-        return "It uses the client's IP address to determine whether the policy is applied.";
-    }
-
-    @Override
-    public List<ProviderConfigProperty> getConfigProperties() {
-        return configProperties;
-    }
-
-}
--- a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientUpdateSourceHostsCondition.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientUpdateSourceHostsCondition.java
@ -0,0 +1,164 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy.condition;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.jboss.logging.Logger;
+import org.keycloak.component.ComponentModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.services.clientpolicy.ClientPolicyContext;
+import org.keycloak.services.clientpolicy.ClientPolicyException;
+import org.keycloak.services.clientpolicy.ClientPolicyLogger;
+import org.keycloak.services.clientpolicy.ClientPolicyVote;
+
+public class ClientUpdateSourceHostsCondition implements ClientPolicyConditionProvider {
+
+    private static final Logger logger = Logger.getLogger(ClientUpdateSourceHostsCondition.class);
+
+    private final KeycloakSession session;
+    private final ComponentModel componentModel;
+
+    public ClientUpdateSourceHostsCondition(KeycloakSession session, ComponentModel componentModel) {
+        this.session = session;
+        this.componentModel = componentModel;
+    }
+
+    @Override
+    public String getName() {
+        return componentModel.getName();
+    }
+
+    @Override
+    public String getProviderId() {
+        return componentModel.getProviderId();
+    }
+
+    @Override
+    public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
+        switch (context.getEvent()) {
+        case REGISTER:
+        case UPDATE:
+            if (!isHostMustMatch()) return ClientPolicyVote.ABSTAIN;
+            if (isHostMatched()) return ClientPolicyVote.YES;
+            return ClientPolicyVote.NO;
+        default:
+            return ClientPolicyVote.ABSTAIN;
+        }
+    }
+
+    private boolean isHostMatched() {
+        String hostAddress = session.getContext().getConnection().getRemoteAddr();
+
+        ClientPolicyLogger.logv(logger, "Verifying remote host {0}", hostAddress);
+
+        List<String> trustedHosts = getTrustedHosts();
+        List<String> trustedDomains = getTrustedDomains();
+
+        // Verify trustedHosts by their IP addresses
+        String verifiedHost = verifyHostInTrustedHosts(hostAddress, trustedHosts);
+        if (verifiedHost != null) {
+            return true;
+        }
+
+        // Verify domains if hostAddress hostname belongs to the domain. This assumes proper DNS setup
+        verifiedHost = verifyHostInTrustedDomains(hostAddress, trustedDomains);
+        if (verifiedHost != null) {
+            return true;
+        }
+
+        return false;
+    }
+
+    protected List<String> getTrustedHosts() {
+        List<String> trustedHostsConfig = componentModel.getConfig().getList(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS);
+        return trustedHostsConfig.stream().filter((String hostname) -> {
+
+            return !hostname.startsWith("*.");
+
+        }).collect(Collectors.toList());
+    }
+
+    protected List<String> getTrustedDomains() {
+        List<String> trustedHostsConfig = componentModel.getConfig().getList(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS);
+        List<String> domains = new LinkedList<>();
+
+        for (String hostname : trustedHostsConfig) {
+            if (hostname.startsWith("*.")) {
+                hostname = hostname.substring(2);
+                domains.add(hostname);
+            }
+        }
+
+        return domains;
+    }
+
+    protected String verifyHostInTrustedHosts(String hostAddress, List<String> trustedHosts) {
+        for (String confHostName : trustedHosts) {
+            try {
+                String hostIPAddress = InetAddress.getByName(confHostName).getHostAddress();
+
+                ClientPolicyLogger.logv(logger, "Trying host {0} of address {1}", confHostName, hostIPAddress);
+                if (hostIPAddress.equals(hostAddress)) {
+                    ClientPolicyLogger.logv(logger, "Successfully verified host : {0}", confHostName);
+                    return confHostName;
+                }
+            } catch (UnknownHostException uhe) {
+                ClientPolicyLogger.logv(logger, "Unknown host from realm configuration: {0}", confHostName);
+            }
+        }
+
+        return null;
+    }
+
+    protected String verifyHostInTrustedDomains(String hostAddress, List<String> trustedDomains) {
+        if (!trustedDomains.isEmpty()) {
+            try {
+                String hostname = InetAddress.getByName(hostAddress).getHostName();
+
+                ClientPolicyLogger.logv(logger, "Trying verify request from address {0} of host {1} by domains", hostAddress, hostname);
+
+                for (String confDomain : trustedDomains) {
+                    if (hostname.endsWith(confDomain)) {
+                        ClientPolicyLogger.logv(logger, "Successfully verified host {0} by trusted domain {1}", hostname, confDomain);
+                        return hostname;
+                    }
+                }
+            } catch (UnknownHostException uhe) {
+                ClientPolicyLogger.logv(logger, "Request of address {0} came from unknown host. Skip verification by domains", hostAddress);
+            }
+        }
+
+        return null;
+    }
+
+    boolean isHostMustMatch() {
+        return parseBoolean(ClientUpdateSourceHostsConditionFactory.HOST_SENDING_REQUEST_MUST_MATCH);
+    }
+
+    // True by default
+    private boolean parseBoolean(String propertyKey) {
+        String val = componentModel.getConfig().getFirst(propertyKey);
+        return val==null || Boolean.parseBoolean(val);
+    }
+
+}
--- a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientUpdateSourceHostsConditionFactory.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientUpdateSourceHostsConditionFactory.java
@ -0,0 +1,88 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy.condition;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.keycloak.Config.Scope;
+import org.keycloak.component.ComponentModel;
+import org.keycloak.component.ComponentValidationException;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.models.RealmModel;
+import org.keycloak.provider.ConfigurationValidationHelper;
+import org.keycloak.provider.ProviderConfigProperty;
+
+public class ClientUpdateSourceHostsConditionFactory implements ClientPolicyConditionProviderFactory {
+
+    public static final String PROVIDER_ID = "clientupdatesourcehost-condition";
+
+    public static final String TRUSTED_HOSTS = "trusted-hosts";
+
+    public static final String HOST_SENDING_REQUEST_MUST_MATCH = "host-sending-request-must-match";
+
+    private static final ProviderConfigProperty TRUSTED_HOSTS_PROPERTY = new ProviderConfigProperty(TRUSTED_HOSTS, "clientupdate-trusted-hosts.label", "clientupdate-trusted-hosts.tooltip", ProviderConfigProperty.MULTIVALUED_STRING_TYPE, null);
+
+    private static final ProviderConfigProperty HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY = new ProviderConfigProperty(HOST_SENDING_REQUEST_MUST_MATCH, "host-sending-request-must-match.label",
+            "host-sending-request-must-match.tooltip", ProviderConfigProperty.BOOLEAN_TYPE, "true");
+
+    @Override
+    public ClientPolicyConditionProvider create(KeycloakSession session, ComponentModel model) {
+        return new ClientUpdateSourceHostsCondition(session, model);
+    }
+
+    @Override
+    public void init(Scope config) {
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {
+    }
+
+    @Override
+    public void close() {
+    }
+
+    @Override
+    public String getId() {
+        return PROVIDER_ID;
+    }
+
+    @Override
+    public String getHelpText() {
+        return "The condition checks the host/domain of the entity who tries to create/update the client to determine whether the policy is applied.";
+    }
+
+    @Override
+    public List<ProviderConfigProperty> getConfigProperties() {
+        return Arrays.asList(TRUSTED_HOSTS_PROPERTY, HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY);
+    }
+
+    @Override
+    public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel config) throws ComponentValidationException {
+        ConfigurationValidationHelper.check(config)
+                .checkBoolean(HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY, true);
+
+        ClientUpdateSourceHostsCondition policy = new ClientUpdateSourceHostsCondition(session, config);
+        if (!policy.isHostMustMatch()) {
+            throw new ComponentValidationException("At least one of hosts verification must be enabled");
+        }
+
+    }
+}
--- a/services/src/main/resources/META-INF/services/org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProviderFactory
+++ b/services/src/main/resources/META-INF/services/org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProviderFactory
@ -1,5 +1,5 @@
 org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory
 org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory
-org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory
 org.keycloak.services.clientpolicy.condition.ClientScopesConditionFactory
-org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory
+org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory
+org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPolicyBasicsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPolicyBasicsTest.java
@ -81,9 +81,9 @@ import org.keycloak.services.clientpolicy.ClientPolicyException;
 import org.keycloak.services.clientpolicy.ClientPolicyProvider;
 import org.keycloak.services.clientpolicy.DefaultClientPolicyProviderFactory;
 import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
-import org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory;
 import org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProvider;
 import org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory;
+import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
 import org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory;
 import org.keycloak.services.clientpolicy.condition.ClientScopesConditionFactory;
 import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider;
@ -97,7 +97,9 @@ import org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmEnforce
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.admin.ApiUtil;
+import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
+import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
 import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
 import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject;
@ -733,43 +735,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {

    }

-    @Test
-    public void testClientIpAddressCondition() throws ClientRegistrationException, ClientPolicyException {
-        String policyName = "MyPolicy";
-        createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
-        logger.info("... Created Policy : " + policyName);
-
-        createCondition("ClientIpAddressCondition", ClientIpAddressConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
-            setConditionClientIpAddress(provider, new ArrayList<>(Arrays.asList("0.0.0.0", "127.0.0.1")));
-        });
-        registerCondition("ClientIpAddressCondition", policyName);
-        logger.info("... Registered Condition : ClientIpAddressCondition");
-
-        createExecutor("PKCEEnforceExecutor", PKCEEnforceExecutorFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
-            setExecutorAugmentDeactivate(provider);
-        });
-        registerExecutor("PKCEEnforceExecutor", policyName);
-        logger.info("... Registered Executor : PKCEEnforceExecutor");
-
-        String clientId = "Zahlungs-App";
-        String clientSecret = "secret";
-        String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
-            clientRep.setSecret(clientSecret);
-        });
-
-        try { 
-            failTokenRequestByNotFollowingPKCE(clientId, clientSecret);
-
-            updateCondition("ClientIpAddressCondition", (ComponentRepresentation provider) -> {
-                setConditionClientIpAddress(provider, new ArrayList<>(Arrays.asList("10.255.255.255")));
-            });
-
-            successfulLoginAndLogout(clientId, clientSecret);
-        } finally {
-            deleteClientByAdmin(cid);
-        }
-    }
-
    @Test
    public void testSecureSessionEnforceExecutor() throws ClientRegistrationException, ClientPolicyException {
        String policyBetaName = "MyPolicy-beta";
@ -1031,14 +996,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
        registerCondition("ClientAccessTypeCondition", policyName);
        logger.info("... Registered Condition : ClientAccessTypeCondition");

-        policyName = "MyPolicy-ClientIpAddressCondition";
-        createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
-        logger.info("... Created Policy : " + policyName);
-        createCondition("ClientIpAddressCondition", ClientIpAddressConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
-        });
-        registerCondition("ClientIpAddressCondition", policyName);
-        logger.info("... Registered Condition : ClientIpAddressCondition");
-
        policyName = "MyPolicy-ClientScopesCondition";
        createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
        logger.info("... Created Policy : " + policyName);
@ -1078,6 +1035,49 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
        }
    }

+    @AuthServerContainerExclude(AuthServer.REMOTE)
+    public void testClientUpdateSourceHostsCondition() throws ClientRegistrationException, ClientPolicyException {
+        String policyName = "MyPolicy";
+        createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
+        logger.info("... Created Policy : " + policyName);
+
+        createCondition("ClientUpdateSourceHostsCondition", ClientUpdateSourceHostsConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
+            setConditionClientUpdateSourceHosts(provider, new ArrayList<>(Arrays.asList("localhost", "127.0.0.1")));
+        });
+        registerCondition("ClientUpdateSourceHostsCondition", policyName);
+        logger.info("... Registered Condition : ClientUpdateSourceHostsCondition");
+
+        createExecutor("SecureClientAuthEnforceExecutor", SecureClientAuthEnforceExecutorFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
+            setExecutorAcceptedClientAuthMethods(provider, new ArrayList<>(Arrays.asList(
+                    JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID)));
+        });
+        registerExecutor("SecureClientAuthEnforceExecutor", policyName);
+        logger.info("... Registered Executor : SecureClientAuthEnforceExecutor");
+
+        String clientAlphaId = "Alpha-App";
+        String clientAlphaSecret = "secretAlpha";
+        try {
+            createClientByAdmin(clientAlphaId, (ClientRepresentation clientRep) -> {
+                clientRep.setSecret(clientAlphaSecret);
+            });
+            fail();
+        } catch (ClientPolicyException e) {
+            assertEquals(Errors.INVALID_REGISTRATION, e.getMessage());
+        }
+
+        String cAlphaId = null;
+        try {
+            updateCondition("ClientUpdateSourceHostsCondition", (ComponentRepresentation provider) -> {
+                setConditionClientUpdateSourceHosts(provider, new ArrayList<>(Arrays.asList("example.com")));
+            });
+            cAlphaId = createClientByAdmin(clientAlphaId, (ClientRepresentation clientRep) -> {
+                clientRep.setSecret(clientAlphaSecret);
+            });
+        } finally {
+            deleteClientByAdmin(cAlphaId);
+        }
+    }
+
    private AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor(String clientId) throws URISyntaxException {
        AuthorizationEndpointRequestObject requestObject = new AuthorizationEndpointRequestObject();
        requestObject.id(KeycloakModelUtils.generateId());
@ -1529,10 +1529,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
        provider.getConfig().put(ClientRolesConditionFactory.ROLES, clientRoles);
    }

-    private void setConditionClientIpAddress(ComponentRepresentation provider, List<String> clientIpAddresses) {
-        provider.getConfig().put(ClientIpAddressConditionFactory.IPADDR, clientIpAddresses);
-    }
-
    private void setConditionClientScopes(ComponentRepresentation provider, List<String> clientScopes) {
        provider.getConfig().put(ClientScopesConditionFactory.SCOPES, clientScopes);
    }
@ -1541,6 +1537,11 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
        provider.getConfig().put(ClientAccessTypeConditionFactory.TYPE, clientAccessTypes);
    }

+    private void setConditionClientUpdateSourceHosts(ComponentRepresentation provider, List<String> hosts) {
+        provider.getConfig().putSingle(ClientUpdateSourceHostsConditionFactory.HOST_SENDING_REQUEST_MUST_MATCH, "true");
+        provider.getConfig().put(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS, hosts);
+    }
+
    private void setExecutorAugmentActivate(ComponentRepresentation provider) {
        provider.getConfig().putSingle("is-augment", Boolean.TRUE.toString());
    }