Revert "Fix lowerCaseHostname to lower-case scheme and host properly"
This reverts commit 1241bd2919
.
Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
parent
5ce41a462b
commit
b6cdcb3c27
2 changed files with 15 additions and 57 deletions
|
@ -72,8 +72,10 @@ public class RedirectUtils {
|
|||
if (validRedirect.startsWith("/")) {
|
||||
validRedirect = relativeToAbsoluteURI(session, rootUrl, validRedirect);
|
||||
logger.debugv("replacing relative valid redirect with: {0}", validRedirect);
|
||||
resolveValidRedirects.add(validRedirect);
|
||||
} else {
|
||||
resolveValidRedirects.add(validRedirect);
|
||||
}
|
||||
resolveValidRedirects.add(lowerCaseHostname(validRedirect));
|
||||
}
|
||||
return resolveValidRedirects;
|
||||
}
|
||||
|
@ -114,7 +116,7 @@ public class RedirectUtils {
|
|||
// Make the validations against fully decoded and normalized redirect-url. This also allows wildcards (case when client configured "Valid redirect-urls" contain wildcards)
|
||||
String decodedRedirectUri = decodeRedirectUri(redirectUri);
|
||||
URI decodedRedirect = toUri(decodedRedirectUri);
|
||||
decodedRedirectUri = getNormalizedRedirectUri(decodedRedirect, true);
|
||||
decodedRedirectUri = getNormalizedRedirectUri(decodedRedirect);
|
||||
if (decodedRedirectUri == null) return null;
|
||||
|
||||
String r = decodedRedirectUri;
|
||||
|
@ -139,25 +141,21 @@ public class RedirectUtils {
|
|||
}
|
||||
|
||||
// Return the original redirectUri, which can be partially encoded - for example http://localhost:8280/foo/bar%20bar%2092%2F72/3 . Just make sure it is normalized
|
||||
redirectUri = getNormalizedRedirectUri(originalRedirect, false);
|
||||
redirectUri = getNormalizedRedirectUri(originalRedirect);
|
||||
|
||||
// We try to check validity also for original (encoded) redirectUrl, but just in case it exactly matches some "Valid Redirect URL" specified for client (not wildcards allowed)
|
||||
if (valid == null) {
|
||||
valid = matchesRedirects(resolveValidRedirects, redirectUri, false);
|
||||
}
|
||||
|
||||
if (valid != null && !originalRedirect.isAbsolute()) {
|
||||
// return absolute if the original URI is relative
|
||||
if (!redirectUri.startsWith("/")) {
|
||||
redirectUri = "/" + redirectUri;
|
||||
}
|
||||
if (valid != null && redirectUri.startsWith("/")) {
|
||||
redirectUri = relativeToAbsoluteURI(session, rootUrl, redirectUri);
|
||||
}
|
||||
|
||||
String scheme = decodedRedirect.getScheme();
|
||||
if (valid != null && scheme != null) {
|
||||
// check the scheme is valid, it should be http(s) or explicitly allowed by the validation
|
||||
if (!valid.startsWith(scheme.toLowerCase() + ":") && !"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
|
||||
if (!valid.startsWith(scheme + ":") && !"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
|
||||
logger.debugf("Invalid URI because scheme is not allowed: %s", redirectUri);
|
||||
valid = null;
|
||||
}
|
||||
|
@ -187,14 +185,12 @@ public class RedirectUtils {
|
|||
return uri;
|
||||
}
|
||||
|
||||
private static String getNormalizedRedirectUri(URI uri, boolean lower) {
|
||||
private static String getNormalizedRedirectUri(URI uri) {
|
||||
String redirectUri = null;
|
||||
if (uri != null) {
|
||||
redirectUri = uri.normalize().toString();
|
||||
if (lower) {
|
||||
redirectUri = lowerCaseHostname(redirectUri);
|
||||
}
|
||||
}
|
||||
return redirectUri;
|
||||
}
|
||||
|
||||
|
@ -208,11 +204,9 @@ public class RedirectUtils {
|
|||
KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(redirectUri, false).preserveDefaultPort();
|
||||
String origQuery = uriBuilder.getQuery();
|
||||
String origFragment = uriBuilder.getFragment();
|
||||
String origUserInfo = uriBuilder.getUserInfo();
|
||||
String encodedRedirectUri = uriBuilder
|
||||
.replaceQuery(null)
|
||||
.fragment(null)
|
||||
.userInfo(null)
|
||||
.buildAsString();
|
||||
String decodedRedirectUri = null;
|
||||
|
||||
|
@ -223,7 +217,6 @@ public class RedirectUtils {
|
|||
return KeycloakUriBuilder.fromUri(decodedRedirectUri, false).preserveDefaultPort()
|
||||
.replaceQuery(origQuery)
|
||||
.fragment(origFragment)
|
||||
.userInfo(origUserInfo)
|
||||
.buildAsString();
|
||||
} else {
|
||||
// Next attempt
|
||||
|
@ -238,15 +231,12 @@ public class RedirectUtils {
|
|||
}
|
||||
|
||||
private static String lowerCaseHostname(String redirectUri) {
|
||||
// lower case host and scheme which are case-insensitive by spec
|
||||
KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(redirectUri, false).preserveDefaultPort();
|
||||
if (uriBuilder.getScheme() != null) {
|
||||
uriBuilder.scheme(uriBuilder.getScheme().toLowerCase());
|
||||
int n = redirectUri.indexOf('/', 7);
|
||||
if (n == -1) {
|
||||
return redirectUri.toLowerCase();
|
||||
} else {
|
||||
return redirectUri.substring(0, n).toLowerCase() + redirectUri.substring(n);
|
||||
}
|
||||
if (uriBuilder.getHost() != null) {
|
||||
uriBuilder.host(uriBuilder.getHost().toLowerCase());
|
||||
}
|
||||
return uriBuilder.buildAsString();
|
||||
}
|
||||
|
||||
private static String relativeToAbsoluteURI(KeycloakSession session, String rootUrl, String relative) {
|
||||
|
|
|
@ -142,36 +142,4 @@ public class RedirectUtilsTest {
|
|||
Assert.assertNull(RedirectUtils.verifyRedirectUri(session, null, "https://keycloak.org/path<less/", set, false));
|
||||
Assert.assertNull(RedirectUtils.verifyRedirectUri(session, null, "https://keycloak.org/path/index.jsp?param=v1 v2", set, false));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testRelativeRedirectUri() {
|
||||
Set<String> set = Stream.of(
|
||||
"*"
|
||||
).collect(Collectors.toSet());
|
||||
|
||||
Assert.assertEquals("https://keycloak.org/path", RedirectUtils.verifyRedirectUri(session, "https://keycloak.org", "/path", set, false));
|
||||
Assert.assertEquals("https://keycloak.org/path", RedirectUtils.verifyRedirectUri(session, "https://keycloak.org", "path", set, false));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testVerifyDifferentCase() {
|
||||
Set<String> set = Stream.of(
|
||||
"no.host.Name.App://TEST",
|
||||
"no.host.Name.App:/Path/*",
|
||||
"HTTPS://KeyCloak.org/*",
|
||||
"HTTP://KeyCloak.org/with%20space/*",
|
||||
"HTTP://KeyCloak.org/áéíóú",
|
||||
"custom:*"
|
||||
).collect(Collectors.toSet());
|
||||
|
||||
Assert.assertEquals("no.host.Name.App://test", RedirectUtils.verifyRedirectUri(session, null, "no.host.Name.App://test", set, false));
|
||||
Assert.assertEquals("no.host.name.app://Test", RedirectUtils.verifyRedirectUri(session, null, "no.host.name.app://Test", set, false));
|
||||
Assert.assertEquals("no.host.name.app:/Path", RedirectUtils.verifyRedirectUri(session, null, "no.host.name.app:/Path", set, false));
|
||||
Assert.assertEquals("https://KEYCLOAK.ORG/Test", RedirectUtils.verifyRedirectUri(session, null, "https://KEYCLOAK.ORG/Test", set, false));
|
||||
Assert.assertEquals("https://KEYCLOAK.ORG", RedirectUtils.verifyRedirectUri(session, null, "https://KEYCLOAK.ORG", set, false));
|
||||
Assert.assertEquals("CUSTOM:test", RedirectUtils.verifyRedirectUri(session, null, "CUSTOM:test", set, false));
|
||||
Assert.assertEquals("Custom://userInfo@KeyCLOAK.org/Path", RedirectUtils.verifyRedirectUri(session, null, "Custom://userInfo@KeyCLOAK.org/Path", set, false));
|
||||
Assert.assertEquals("Custom://user%20Info@keycloak.ORG", RedirectUtils.verifyRedirectUri(session, null, "Custom://user%20Info@keycloak.ORG", set, false));
|
||||
Assert.assertEquals("http://keycloak.org/áéíóú", RedirectUtils.verifyRedirectUri(session, null, "http://keycloak.org/áéíóú", set, false));
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue