diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java index 5840543d66..057da2c694 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java @@ -89,7 +89,8 @@ public class AuthenticatedActionsHandler { return true; } // Don't allow a CORS request if we're not validating CORS requests. - if (!deployment.isCors() && facade.getRequest().getHeader(CorsHeaders.ORIGIN) != null) { + String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN); + if (!deployment.isCors() && origin != null && !origin.equals("null")) { facade.getResponse().setStatus(200); facade.getResponse().end(); return true; @@ -101,6 +102,7 @@ public class AuthenticatedActionsHandler { if (!deployment.isCors()) return false; KeycloakSecurityContext securityContext = facade.getSecurityContext(); String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN); + origin = "null".equals(origin) ? null : origin; String exposeHeaders = deployment.getCorsExposedHeaders(); if (deployment.getPolicyEnforcer() != null) { diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java index f3c3c6abec..42fdd90905 100755 --- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java +++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java @@ -103,13 +103,13 @@ public class PreAuthActionsHandler { if (!facade.getRequest().getMethod().equalsIgnoreCase("OPTIONS")) { return false; } - if (facade.getRequest().getHeader(CorsHeaders.ORIGIN) == null) { + String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN); + if (origin == null || origin.equals("null")) { log.debug("checkCorsPreflight: no origin header"); return false; } log.debug("Preflight request returning"); facade.getResponse().setStatus(200); - String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN); facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin); facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"); String requestMethods = facade.getRequest().getHeader(CorsHeaders.ACCESS_CONTROL_REQUEST_METHOD); diff --git a/services/src/main/java/org/keycloak/services/resources/Cors.java b/services/src/main/java/org/keycloak/services/resources/Cors.java index 33c90e79f9..dd5431a8c5 100755 --- a/services/src/main/java/org/keycloak/services/resources/Cors.java +++ b/services/src/main/java/org/keycloak/services/resources/Cors.java @@ -137,7 +137,7 @@ public class Cors { public Response build() { String origin = request.getHttpHeaders().getRequestHeaders().getFirst(ORIGIN_HEADER); - if (origin == null) { + if (origin == null || origin.equals("null")) { logger.trace("No origin header ignoring"); return builder.build(); } @@ -184,7 +184,7 @@ public class Cors { public void build(HttpResponse response) { String origin = request.getHttpHeaders().getRequestHeaders().getFirst(ORIGIN_HEADER); - if (origin == null) { + if (origin == null || origin.equals("null")) { logger.trace("No origin header ignoring"); return; } diff --git a/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java b/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java index a2f7932a40..00d59006ed 100755 --- a/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java +++ b/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java @@ -157,7 +157,7 @@ public class AccountFormService extends AbstractSecuredLocalService { String requestOrigin = UriUtils.getOrigin(session.getContext().getUri().getBaseUri()); String origin = headers.getRequestHeaders().getFirst("Origin"); - if (origin != null && !requestOrigin.equals(origin)) { + if (origin != null && !origin.equals("null") && !requestOrigin.equals(origin)) { throw new ForbiddenException(); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java index 9f82b0289e..8cbb27d92e 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java @@ -80,9 +80,13 @@ import java.util.Map; import org.hamcrest.Matchers; import org.junit.Assume; + +import static org.hamcrest.Matchers.anyOf; import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasItems; +import static org.hamcrest.Matchers.hasSize; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertThat; @@ -1152,8 +1156,8 @@ public class AccountFormServiceTest extends AbstractTestRealmKeycloakTest { Assert.assertTrue(sessionsPage.isCurrent()); List> sessions = sessionsPage.getSessions(); - Assert.assertEquals(1, sessions.size()); - Assert.assertEquals("127.0.0.1", sessions.get(0).get(0)); + assertThat(sessions, hasSize(1)); + assertThat(sessions.get(0).get(0), anyOf(equalTo("127.0.0.1"), equalTo("0:0:0:0:0:0:0:1"))); // Create second session try { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/SessionRestServiceTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/SessionRestServiceTest.java index 82e1d78a7b..9e9512ce24 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/SessionRestServiceTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/SessionRestServiceTest.java @@ -16,10 +16,13 @@ */ package org.keycloak.testsuite.account; +import static org.hamcrest.Matchers.anyOf; +import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertThat; import static org.junit.Assert.assertTrue; +import static org.junit.Assume.assumeTrue; import java.io.IOException; import java.util.List; @@ -132,18 +135,20 @@ public class SessionRestServiceTest extends AbstractRestServiceTest { for (SessionRepresentation session : sessions) { assertNotNull(session.getId()); - assertEquals("127.0.0.1", session.getIpAddress()); + assertThat(session.getIpAddress(), anyOf(equalTo("127.0.0.1"), equalTo("0:0:0:0:0:0:0:1"))); assertTrue(session.getLastAccess() > 0); assertTrue(session.getExpires() > 0); assertTrue(session.getStarted() > 0); assertThat(session.getClients(), Matchers.hasItem(Matchers.hasProperty("clientId", - Matchers.anyOf(Matchers.is("direct-grant"), Matchers.is("public-client-0"))))); + anyOf(Matchers.is("direct-grant"), Matchers.is("public-client-0"))))); } } @Test @AuthServerContainerExclude(AuthServer.REMOTE) public void testGetDevicesResponse() throws Exception { + assumeTrue("Browser must be htmlunit. Otherwise we are not able to set desired BrowserHeaders", + System.getProperty("browser").equals("htmlUnit")); oauth.setBrowserHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/15.0.1"); OAuthClient.AccessTokenResponse tokenResponse = codeGrant("public-client-0"); joinSsoSession("public-client-1"); @@ -168,14 +173,17 @@ public class SessionRestServiceTest extends AbstractRestServiceTest { List clients = session.getClients(); assertEquals(2, clients.size()); assertThat(session.getClients(), Matchers.hasItem(Matchers.hasProperty("clientId", - Matchers.anyOf(Matchers.is("public-client-0"), Matchers.is("public-client-1"))))); + anyOf(Matchers.is("public-client-0"), Matchers.is("public-client-1"))))); assertThat(session.getClients(), Matchers.hasItem(Matchers.hasProperty("clientName", - Matchers.anyOf(Matchers.is("Public Client 0"), Matchers.is("Public Client 1"))))); + anyOf(Matchers.is("Public Client 0"), Matchers.is("Public Client 1"))))); } @Test public void testGetDevicesSessions() throws Exception { ContainerAssume.assumeAuthServerUndertow(); + assumeTrue("Browser must be htmlunit. Otherwise we are not able to set desired BrowserHeaders", + System.getProperty("browser").equals("htmlUnit")); + WebDriver firstBrowser = oauth.getDriver(); // first browser authenticates from Fedora @@ -343,6 +351,9 @@ public class SessionRestServiceTest extends AbstractRestServiceTest { @Test @AuthServerContainerExclude(AuthServer.REMOTE) public void testNullOrEmptyUserAgent() throws Exception { + assumeTrue("Browser must be htmlunit. Otherwise we are not able to set desired BrowserHeaders", + System.getProperty("browser").equals("htmlUnit")); + oauth.setBrowserHeader("User-Agent", null); OAuthClient.AccessTokenResponse tokenResponse = codeGrant("public-client-0"); @@ -367,6 +378,9 @@ public class SessionRestServiceTest extends AbstractRestServiceTest { @Test public void testNonBrowserSession() throws Exception { + assumeTrue("Browser must be htmlunit. Otherwise we are not able to set desired BrowserHeaders", + System.getProperty("browser").equals("htmlUnit")); + // one device oauth.setBrowserHeader("User-Agent", "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1"); codeGrant("public-client-0"); @@ -382,7 +396,7 @@ public class SessionRestServiceTest extends AbstractRestServiceTest { assertEquals(2, devices.size()); assertThat(devices, - Matchers.hasItems(Matchers.hasProperty("os", Matchers.anyOf(Matchers.is("Fedora"), Matchers.is("Other"))))); + Matchers.hasItems(Matchers.hasProperty("os", anyOf(Matchers.is("Fedora"), Matchers.is("Other"))))); // three because tests use another client when booting tests assertEquals(3, devices.stream().filter(deviceRepresentation -> "Other".equals(deviceRepresentation.getOs())) diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetCredentialsAlternativeFlowsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetCredentialsAlternativeFlowsTest.java index dbb4b51046..50d643c3b0 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetCredentialsAlternativeFlowsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetCredentialsAlternativeFlowsTest.java @@ -18,6 +18,7 @@ package org.keycloak.testsuite.forms; +import org.hamcrest.Matchers; import org.jboss.arquillian.graphene.page.Page; import org.junit.Assert; import org.junit.Before; @@ -52,13 +53,17 @@ import org.keycloak.testsuite.util.GreenMailRule; import org.keycloak.testsuite.util.MailUtils; import org.keycloak.testsuite.util.URLUtils; import org.keycloak.testsuite.util.UserBuilder; +import org.openqa.selenium.By; +import org.openqa.selenium.WebElement; import javax.mail.internet.MimeMessage; import java.util.Arrays; import java.util.List; import java.util.regex.Pattern; +import java.util.stream.Collectors; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThat; import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE; /** @@ -434,8 +439,8 @@ public class ResetCredentialsAlternativeFlowsTest extends AbstractTestRealmKeycl pageSource = driver.getPageSource(); // Check if OTP credential with empty label was created successfully - final String emptyOtpLabelPresentInAuthenticatorTable = "(?s)"; - Assert.assertTrue(Pattern.compile(emptyOtpLabelPresentInAuthenticatorTable).matcher(pageSource).find()); + assertThat(driver.findElements(By.className("provider")).stream() + .map(WebElement::getText).collect(Collectors.toList()), Matchers.hasItem("")); accountTotpPage.removeTotp(); // Logout @@ -473,11 +478,9 @@ public class ResetCredentialsAlternativeFlowsTest extends AbstractTestRealmKeycl accountTotpPage.open(); Assert.assertTrue(accountTotpPage.isCurrent()); - // Get the updated Account TOTP page source post OTP credential creation - pageSource = driver.getPageSource(); - // Check if OTP credential with empty label was created successfully - Assert.assertTrue(Pattern.compile(emptyOtpLabelPresentInAuthenticatorTable).matcher(pageSource).find()); + assertThat(driver.findElements(By.className("provider")).stream() + .map(WebElement::getText).collect(Collectors.toList()), Matchers.hasItem(""));; // Logout oauth.openLogout();