Merge pull request #3516 from stianst/KEYCLOAK-3881

KEYCLOAK-3881 Fix login status iframe with * origin
Stian Thorgersen 2016-11-18 14:09:02 +01:00 committed by GitHub
commit cca352fa9f
4 changed files with 39 additions and 7 deletions


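--- a/DefaultInfinispanConnectionProviderFactory.java
+++ b/DefaultInfinispanConnectionProviderFactory.java
@@ -175,7 +175,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
 replicationConfigBuilder.clustering().cacheMode(async ? CacheMode.REPL_ASYNC : CacheMode.REPL_SYNC);
 }
-boolean jdgEnabled = config.getBoolean("remoteStoreEnabled");
+boolean jdgEnabled = config.getBoolean("remoteStoreEnabled", false);
 if (jdgEnabled) {
 configureRemoteCacheStore(replicationConfigBuilder, async);
 }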


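--- a/LoginStatusIframeEndpoint.java
+++ b/LoginStatusIframeEndpoint.java
@@ -75,7 +75,7 @@ public class LoginStatusIframeEndpoint {
 if (client != null) {
 Set<String> validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(uriInfo, client);
 validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
-if (validWebOrigins.contains(origin)) {
+if (validWebOrigins.contains("*") || validWebOrigins.contains(origin)) {
 return Response.noContent().build();
 }
 }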
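Review bot: The wildcard check on the new `if` line compares against the bare literal `"*"`, and the same literal recurs in the new test's `setWebOrigins(Collections.singletonList("*"))`; WebOriginsUtils already names the sibling marker as `INCLUDE_REDIRECTS = "+"`, so the wildcard deserves a constant beside it (e.g. `ALL_ORIGINS`) and this line would read `if (validWebOrigins.contains(WebOriginsUtils.ALL_ORIGINS) || validWebOrigins.contains(origin)) {`. This branch is also the one place where the origin check is switched off, so a one-line comment above it stating that a client with `*` among its configured web origins accepts any `origin` value for the iframe init request would show the next reader that this is a deliberate per-client opt-in rather than a missed check. The enclosing method starts and ends outside the hunk.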


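--- a/WebOriginsUtils.java
+++ b/WebOriginsUtils.java
@@ -21,6 +21,7 @@ import org.keycloak.common.util.UriUtils;
 import org.keycloak.models.ClientModel;
 import javax.ws.rs.core.UriInfo;
+import java.util.HashSet;
 import java.util.Set;
 /**
@@ -31,17 +32,20 @@ public class WebOriginsUtils {
 public static final String INCLUDE_REDIRECTS = "+";
 public static Set<String> resolveValidWebOrigins(UriInfo uriInfo, ClientModel client) {
-Set<String> webOrigins = client.getWebOrigins();
-if (webOrigins != null && webOrigins.contains("+")) {
-webOrigins.remove(INCLUDE_REDIRECTS);
+Set<String> origins = new HashSet<>();
+if (client.getWebOrigins() != null) {
+origins.addAll(client.getWebOrigins());
+}
+if (origins.contains("+")) {
+origins.remove(INCLUDE_REDIRECTS);
 client.getRedirectUris();
 for (String redirectUri : RedirectUtils.resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris())) {
 if (redirectUri.startsWith("http://") || redirectUri.startsWith("https://")) {
-webOrigins.add(UriUtils.getOrigin(redirectUri));
+origins.add(UriUtils.getOrigin(redirectUri));
 }
 }
 }
-return webOrigins;
+return origins;
 }
 }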
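Review bot: The new `if (origins.contains("+"))` tests the literal while the very next line removes `INCLUDE_REDIRECTS`; use the constant for the lookup as well, `if (origins.contains(INCLUDE_REDIRECTS)) {`. The bare `client.getRedirectUris();` statement inside that block discards its result and can be dropped now that the block is being rewritten, and `client.getWebOrigins()` could be read once into a local instead of being called twice. Copying into a fresh `HashSet` is what stops callers from mutating the client's own web-origin set — LoginStatusIframeEndpoint adds the request origin to the returned set — so the method's Javadoc should state that the result is a new, caller-owned set and that a `+` entry is expanded into the origins of the client's valid redirect URIs.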


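--- a/LoginStatusIframeEndpointTest.java
+++ b/LoginStatusIframeEndpointTest.java
@@ -31,12 +31,15 @@ import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.message.BasicNameValuePair;
 import org.junit.Test;
+import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.models.Constants;
+import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import java.io.IOException;
 import java.net.URLEncoder;
+import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.regex.Matcher;
@@ -159,6 +162,31 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
 }
 }
+@Test
+public void checkIframeWildcardOrigin() throws IOException {
+String id = adminClient.realm("master").clients().findByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID).get(0).getId();
+ClientResource master = adminClient.realm("master").clients().get(id);
+ClientRepresentation rep = master.toRepresentation();
+List<String> org = rep.getWebOrigins();
+CloseableHttpClient client = HttpClients.createDefault();
+try {
+rep.setWebOrigins(Collections.singletonList("*"));
+master.update(rep);
+HttpGet get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
++ "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID
++ "&origin=" + "http://anything"
+);
+CloseableHttpResponse response = client.execute(get);
+assertEquals(204, response.getStatusLine().getStatusCode());
+response.close();
+} finally {
+rep.setWebOrigins(org);
+master.update(rep);
+client.close();
+}
+}
 @Override
 public void addTestRealms(List<RealmRepresentation> testRealms) {
 }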
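Review bot: In `checkIframeWildcardOrigin` the `CloseableHttpResponse` is closed only after `assertEquals`, so a failing assertion leaks the response; put it in try-with-resources: `try (CloseableHttpResponse response = client.execute(get)) { assertEquals(204, response.getStatusLine().getStatusCode()); }`. The local `org` that holds the original web origins reads like a package prefix; `originalWebOrigins` would say what it is. The test only covers the permissive direction — `*` lets `http://anything` through — so an endpoint that ignored origins altogether would still pass it; the class's earlier tests sit outside this hunk, so it is worth confirming one of them asserts the same request is rejected once the wildcard is absent, or adding that assertion here after the `finally` block restores the client.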