Merge pull request #3516 from stianst/KEYCLOAK-3881

KEYCLOAK-3881 Fix login status iframe with * origin
2016-11-18 14:09:02 +01:00 · 2016-11-18 14:09:02 +01:00 · cca352fa9f
commit cca352fa9f
parent c384b8a81f 7043ecc21b
4 changed files with 39 additions and 7 deletions
--- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
+++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
@ -175,7 +175,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
            replicationConfigBuilder.clustering().cacheMode(async ? CacheMode.REPL_ASYNC : CacheMode.REPL_SYNC);
        }

-        boolean jdgEnabled = config.getBoolean("remoteStoreEnabled");
+        boolean jdgEnabled = config.getBoolean("remoteStoreEnabled", false);
        if (jdgEnabled) {
            configureRemoteCacheStore(replicationConfigBuilder, async);
        }
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
@ -75,7 +75,7 @@ public class LoginStatusIframeEndpoint {
            if (client != null) {
                Set<String> validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(uriInfo, client);
                validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
-                if (validWebOrigins.contains(origin)) {
+                if (validWebOrigins.contains("*") || validWebOrigins.contains(origin)) {
                    return Response.noContent().build();
                }
            }
--- a/services/src/main/java/org/keycloak/protocol/oidc/utils/WebOriginsUtils.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/utils/WebOriginsUtils.java
@ -21,6 +21,7 @@ import org.keycloak.common.util.UriUtils;
 import org.keycloak.models.ClientModel;

 import javax.ws.rs.core.UriInfo;
+import java.util.HashSet;
 import java.util.Set;

 /**
@ -31,17 +32,20 @@ public class WebOriginsUtils {
    public static final String INCLUDE_REDIRECTS = "+";

    public static Set<String> resolveValidWebOrigins(UriInfo uriInfo, ClientModel client) {
-        Set<String> webOrigins = client.getWebOrigins();
-        if (webOrigins != null && webOrigins.contains("+")) {
-            webOrigins.remove(INCLUDE_REDIRECTS);
+        Set<String> origins = new HashSet<>();
+        if (client.getWebOrigins() != null) {
+            origins.addAll(client.getWebOrigins());
+        }
+        if (origins.contains("+")) {
+            origins.remove(INCLUDE_REDIRECTS);
            client.getRedirectUris();
            for (String redirectUri : RedirectUtils.resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris())) {
                if (redirectUri.startsWith("http://") || redirectUri.startsWith("https://")) {
-                    webOrigins.add(UriUtils.getOrigin(redirectUri));
+                    origins.add(UriUtils.getOrigin(redirectUri));
                }
            }
        }
-        return webOrigins;
+        return origins;
    }

 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
@ -31,12 +31,15 @@ import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.message.BasicNameValuePair;
 import org.junit.Test;
+import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.models.Constants;
+import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;

 import java.io.IOException;
 import java.net.URLEncoder;
+import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.regex.Matcher;
@ -159,6 +162,31 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
        }
    }

+    @Test
+    public void checkIframeWildcardOrigin() throws IOException {
+        String id = adminClient.realm("master").clients().findByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID).get(0).getId();
+        ClientResource master = adminClient.realm("master").clients().get(id);
+        ClientRepresentation rep = master.toRepresentation();
+        List<String> org = rep.getWebOrigins();
+        CloseableHttpClient client = HttpClients.createDefault();
+        try {
+            rep.setWebOrigins(Collections.singletonList("*"));
+            master.update(rep);
+
+            HttpGet get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
+                    + "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID
+                    + "&origin=" + "http://anything"
+            );
+            CloseableHttpResponse response = client.execute(get);
+            assertEquals(204, response.getStatusLine().getStatusCode());
+            response.close();
+        } finally {
+            rep.setWebOrigins(org);
+            master.update(rep);
+            client.close();
+        }
+    }
+
    @Override
    public void addTestRealms(List<RealmRepresentation> testRealms) {
    }