libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

[KEYCLOAK-13386] - SslRequired.EXTERNAL doesn't work for identity broker validations

Browse source
This commit is contained in:
Pedro Igor 2020-03-23 11:14:47 -03:00
parent 4279f5b54f
commit ec63245ac8
3 changed files with 52 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
common/src/main/java/org/keycloak/common/util/UriUtils.java
View file

@ -108,7 +108,7 @@ public class UriUtils {
throw new IllegalArgumentException("Invalid protocol/scheme for url [" + name + "]");
}
if (!"https".equals(protocol) && sslRequired.isRequired(url)) {
if (!"https".equals(protocol) && sslRequired.isRequired(parsed.getHost())) {
throw new IllegalArgumentException("The url [" + name + "] requires secure connections");
}
}

2
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/updaters/RealmAttributeUpdater.java
View file

@ -9,7 +9,7 @@ import java.util.List;
* Updater for realm attributes. See {@link ServerResourceUpdater} for further details.
* @author hmlnarik
*/
public class RealmAttributeUpdater extends ServerResourceUpdater<ServerResourceUpdater, RealmResource, RealmRepresentation> {
public class RealmAttributeUpdater extends ServerResourceUpdater<RealmAttributeUpdater, RealmResource, RealmRepresentation> {
public RealmAttributeUpdater(RealmResource resource) {
super(resource, resource::toRepresentation, resource::update);

103
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/IdentityProviderTest.java
View file

@ -44,6 +44,7 @@ import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.broker.OIDCIdentityProviderConfigRep;
import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
import org.keycloak.testsuite.util.AdminEventPaths;
import org.w3c.dom.NodeList;
@ -83,6 +84,7 @@ import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
/**
@ -111,9 +113,6 @@ public class IdentityProviderTest extends AbstractAdminTest {
+ "vOU8TyqfZF5jpv0IcrviLl/DoFrbjByeHR+pu/vClcAOjL/u7oQELuuTfNsBI4tpexUj5G8q/YbEz0gk7idf"
+ "LXrAUVcsR73oTngrhRfwUSmPrjjK0kjcRb6HL9V/+wh3R/6mEd59U08ExT8N38rhmn0CI3ehMdebReprP7U8=";
@Rule
public ExpectedException expectedException = ExpectedException.none();
@Test
public void testFindAll() {
create(createRep("google", "google"));
@ -167,14 +166,11 @@ public class IdentityProviderTest extends AbstractAdminTest {
}
@Test
public void failCreateInvalidUrl() {
RealmRepresentation realmRep = realm.toRepresentation();
realmRep.setSslRequired(SslRequired.ALL.name());
try {
realm.update(realmRep);
public void failCreateInvalidUrl() throws Exception {
try (AutoCloseable c = new RealmAttributeUpdater(realmsResouce().realm("test"))
.updateWith(r -> r.setSslRequired(SslRequired.ALL.name()))
.update()
) {
IdentityProviderRepresentation newIdentityProvider = createRep("new-identity-provider", "oidc");
newIdentityProvider.getConfig().put("clientId", "clientId");
@ -226,9 +222,6 @@ public class IdentityProviderTest extends AbstractAdminTest {
assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() :
Response.Status.CREATED.getStatusCode(), response.getStatus());
}
} finally {
realmRep.setSslRequired(SslRequired.NONE.name());
realm.update(realmRep);
}
}
@ -347,14 +340,11 @@ public class IdentityProviderTest extends AbstractAdminTest {
}
@Test
public void failUpdateInvalidUrl() {
RealmRepresentation realmRep = realm.toRepresentation();
realmRep.setSslRequired(SslRequired.ALL.name());
try {
realm.update(realmRep);
public void failUpdateInvalidUrl() throws Exception {
try (RealmAttributeUpdater rau = new RealmAttributeUpdater(realm)
.updateWith(r -> r.setSslRequired(SslRequired.ALL.name()))
.update()
) {
IdentityProviderRepresentation representation = createRep(UUID.randomUUID().toString(), "oidc");
representation.getConfig().put("clientId", "clientId");
@ -370,57 +360,64 @@ public class IdentityProviderTest extends AbstractAdminTest {
OIDCIdentityProviderConfigRep oidcConfig = new OIDCIdentityProviderConfigRep(representation);
oidcConfig.setAuthorizationUrl("invalid://test");
this.expectedException.expect(
Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
Matchers.hasProperty("status", Matchers.is(
Response.Status.BAD_REQUEST.getStatusCode())))));
resource.update(representation);
try {
resource.update(representation);
fail("Invalid URL");
} catch (Exception e) {
assertTrue(e instanceof ClientErrorException);
assertEquals( Response.Status.BAD_REQUEST.getStatusCode(), ClientErrorException.class.cast(e).getResponse().getStatus());
}
oidcConfig.setAuthorizationUrl(null);
oidcConfig.setTokenUrl("http://test");
this.expectedException.expect(
Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
Matchers.hasProperty("status", Matchers.is(
Response.Status.BAD_REQUEST.getStatusCode())))));
resource.update(representation);
try {
resource.update(representation);
fail("Invalid URL");
} catch (Exception e) {
assertTrue(e instanceof ClientErrorException);
assertEquals( Response.Status.BAD_REQUEST.getStatusCode(), ClientErrorException.class.cast(e).getResponse().getStatus());
}
oidcConfig.setAuthorizationUrl(null);
oidcConfig.setTokenUrl(null);
oidcConfig.setJwksUrl("http://test");
this.expectedException.expect(
Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
Matchers.hasProperty("status", Matchers.is(
Response.Status.BAD_REQUEST.getStatusCode())))));
resource.update(representation);
try {
resource.update(representation);
fail("Invalid URL");
} catch (Exception e) {
assertTrue(e instanceof ClientErrorException);
assertEquals( Response.Status.BAD_REQUEST.getStatusCode(), ClientErrorException.class.cast(e).getResponse().getStatus());
}
oidcConfig.setAuthorizationUrl(null);
oidcConfig.setTokenUrl(null);
oidcConfig.setJwksUrl(null);
oidcConfig.setLogoutUrl("http://test");
this.expectedException.expect(
Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
Matchers.hasProperty("status", Matchers.is(
Response.Status.BAD_REQUEST.getStatusCode())))));
resource.update(representation);
try {
resource.update(representation);
fail("Invalid URL");
} catch (Exception e) {
assertTrue(e instanceof ClientErrorException);
assertEquals( Response.Status.BAD_REQUEST.getStatusCode(), ClientErrorException.class.cast(e).getResponse().getStatus());
}
oidcConfig.setAuthorizationUrl(null);
oidcConfig.setTokenUrl(null);
oidcConfig.setJwksUrl(null);
oidcConfig.setLogoutUrl(null);
oidcConfig.setUserInfoUrl("http://test");
oidcConfig.setUserInfoUrl("http://localhost");
this.expectedException.expect(
Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
Matchers.hasProperty("status", Matchers.is(
Response.Status.BAD_REQUEST.getStatusCode())))));
try {
resource.update(representation);
fail("Invalid URL");
} catch (Exception e) {
assertTrue(e instanceof ClientErrorException);
assertEquals( Response.Status.BAD_REQUEST.getStatusCode(), ClientErrorException.class.cast(e).getResponse().getStatus());
}
rau.updateWith(r -> r.setSslRequired(SslRequired.EXTERNAL.name())).update();
resource.update(representation);
} finally {
realmRep.setSslRequired(SslRequired.NONE.name());
realm.update(realmRep);
}
}