KEYCLOAK-942 Incorrect condition in ResourceAdminManager could cause global logout

services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java

@@ -184,7 +184,12 @@ public class ResourceAdminManager {
                 }
             }
 
-            if (managementUrl.contains(APPLICATION_SESSION_HOST_PROPERTY) && adapterSessionIds != null) {
+            if (adapterSessionIds == null || adapterSessionIds.isEmpty()) {
+                logger.debugv("Can't logout {0}: no logged adapter sessions", resource.getName());
+                return false;
+            }
+
+            if (managementUrl.contains(APPLICATION_SESSION_HOST_PROPERTY)) {
                 boolean allPassed = true;
                 // Send logout separately to each host (needed for single-sign-out in cluster for non-distributable apps - KEYCLOAK-748)
                 for (Map.Entry<String, List<String>> entry : adapterSessionIds.entrySet()) {
@@ -197,13 +202,11 @@ public class ResourceAdminManager {
                 return allPassed;
             } else {
                 // Send single logout request
-                List<String> allSessionIds = null;
-                if (adapterSessionIds != null) {
-                    allSessionIds = new ArrayList<String>();
-                    for (List<String> currentIds : adapterSessionIds.values()) {
-                        allSessionIds.addAll(currentIds);
-                    }
+                List<String> allSessionIds = new ArrayList<String>();
+                for (List<String> currentIds : adapterSessionIds.values()) {
+                    allSessionIds.addAll(currentIds);
                 }
+
                 return sendLogoutRequest(realm, resource, allSessionIds, client, 0, managementUrl);
             }
         } else {

testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/AdapterTest.java

@@ -79,9 +79,7 @@ public class AdapterTest {
     public static AbstractKeycloakRule keycloakRule = new AbstractKeycloakRule() {
         @Override
         protected void configure(KeycloakSession session, RealmManager manager, RealmModel adminRealm) {
-            RealmRepresentation representation = KeycloakServer.loadJson(getClass().getResourceAsStream("/adapter-test/demorealm.json"), RealmRepresentation.class);
-            RealmModel realm = manager.importRealm(representation);
-
+            RealmModel realm = AdapterTestStrategy.baseAdapterTestInitialization(session, manager, adminRealm, getClass());
             realmPublicKey = realm.getPublicKey();
 
             URL url = getClass().getResource("/adapter-test/cust-app-keycloak.json");
@@ -184,4 +182,12 @@ public class AdapterTest {
 
     }
 
+    /**
+     * KEYCLOAK-942
+     */
+    @Test
+    public void testAdminApplicationLogout() throws Throwable {
+        testStrategy.testAdminApplicationLogout();
+    }
+
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/AdapterTestStrategy.java

@@ -28,6 +28,7 @@ import org.junit.rules.ExternalResource;
 import org.keycloak.Config;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.Version;
+import org.keycloak.admin.client.Keycloak;
 import org.keycloak.constants.AdapterConstants;
 import org.keycloak.models.ApplicationModel;
 import org.keycloak.models.Constants;
@@ -38,15 +39,20 @@ import org.keycloak.models.UserSessionModel;
 import org.keycloak.protocol.oidc.OpenIDConnectService;
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.services.managers.ResourceAdminManager;
 import org.keycloak.services.resources.admin.AdminRoot;
+import org.keycloak.services.resources.admin.ApplicationsResource;
+import org.keycloak.services.resources.admin.RealmAdminResource;
+import org.keycloak.services.resources.admin.RealmsAdminResource;
 import org.keycloak.testsuite.OAuthClient;
 import org.keycloak.testsuite.pages.LoginPage;
 import org.keycloak.testsuite.rule.AbstractKeycloakRule;
 import org.keycloak.testsuite.rule.KeycloakRule;
 import org.keycloak.testsuite.rule.WebResource;
 import org.keycloak.testsuite.rule.WebRule;
+import org.keycloak.testutils.KeycloakServer;
 import org.keycloak.util.BasicAuthHelper;
 import org.openqa.selenium.WebDriver;
 
@@ -106,6 +112,15 @@ public class AdapterTestStrategy extends ExternalResource {
         if (addSlash) slash = "/";
     }
 
+    public static RealmModel baseAdapterTestInitialization(KeycloakSession session, RealmManager manager, RealmModel adminRealm, Class<?> clazz) {
+        // Required by admin client
+        adminRealm.setPasswordCredentialGrantAllowed(true);
+
+        RealmRepresentation representation = KeycloakServer.loadJson(clazz.getResourceAsStream("/adapter-test/demorealm.json"), RealmRepresentation.class);
+        RealmModel demoRealm = manager.importRealm(representation);
+        return demoRealm;
+    }
+
     @Override
     protected void before() throws Throwable {
         super.before();
@@ -562,6 +577,25 @@ public class AdapterTestStrategy extends ExternalResource {
         }, "demo");
     }
 
+    /**
+     * KEYCLOAK-942
+     */
+    @Test
+    public void testAdminApplicationLogout() throws Throwable {
+        // login as bburke
+        loginAndCheckSession(driver, loginPage);
+
+        // logout mposolda with admin client
+        Keycloak keycloakAdmin = Keycloak.getInstance(AUTH_SERVER_URL, "master", "admin", "admin", Constants.ADMIN_CONSOLE_APPLICATION);
+        keycloakAdmin.realm("demo").applications().get("session-portal").logoutUser("mposolda");
+
+        // bburke should be still logged with original httpSession in our browser window
+        driver.navigate().to(APP_SERVER_BASE_URL + "/session-portal");
+        Assert.assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/session-portal" + slash);
+        String pageSource = driver.getPageSource();
+        Assert.assertTrue(pageSource.contains("Counter=3"));
+    }
+
     protected void loginAndCheckSession(WebDriver driver, LoginPage loginPage) {
         driver.navigate().to(APP_SERVER_BASE_URL + "/session-portal");
         String currentUrl = driver.getCurrentUrl();

testsuite/integration/src/test/resources/adapter-test/demorealm.json

@@ -28,6 +28,21 @@
             "applicationRoles": {
                 "account": [ "manage-account" ]
             }
+        },
+        {
+            "username" : "mposolda",
+            "enabled": true,
+            "email" : "mposolda@redhat.com",
+            "firstName": "Marek",
+            "lastName": "Posolda",
+            "credentials" : [
+                { "type" : "password",
+                  "value" : "password" }
+            ],
+            "realmRoles": [ "user" ],
+            "applicationRoles": {
+                "account": [ "manage-account" ]
+            }
         }
     ],
     "roles" : {

testsuite/jetty/jetty81/src/test/java/org/keycloak/testsuite/Jetty8Test.java

@@ -21,62 +21,35 @@
  */
 package org.keycloak.testsuite;
 
-import org.eclipse.jetty.security.ConstraintMapping;
-import org.eclipse.jetty.security.ConstraintSecurityHandler;
-import org.eclipse.jetty.security.HashLoginService;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.handler.HandlerCollection;
-import org.eclipse.jetty.servlet.ServletHolder;
-import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.junit.AfterClass;
-import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
-import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
-import org.keycloak.KeycloakSecurityContext;
-import org.keycloak.OAuth2Constants;
-import org.keycloak.adapters.jetty.AbstractKeycloakJettyAuthenticator;
-import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
-import org.keycloak.protocol.oidc.OpenIDConnectService;
-import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.testsuite.adapter.AdapterTestStrategy;
-import org.keycloak.testsuite.pages.LoginPage;
 import org.keycloak.testsuite.rule.AbstractKeycloakRule;
-import org.keycloak.testsuite.rule.WebResource;
-import org.keycloak.testsuite.rule.WebRule;
-import org.keycloak.testutils.KeycloakServer;
-import org.openqa.selenium.WebDriver;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.core.UriBuilder;
 import java.io.File;
-import java.io.IOException;
-import java.io.OutputStream;
 import java.net.URL;
-import java.security.Principal;
 import java.util.ArrayList;
 import java.util.List;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
  */
-public class Jetty9Test {
+public class Jetty8Test {
     @ClassRule
     public static AbstractKeycloakRule keycloakRule = new AbstractKeycloakRule() {
         @Override
         protected void configure(KeycloakSession session, RealmManager manager, RealmModel adminRealm) {
-            RealmRepresentation representation = KeycloakServer.loadJson(getClass().getResourceAsStream("/adapter-test/demorealm.json"), RealmRepresentation.class);
-            RealmModel realm = manager.importRealm(representation);
+            AdapterTestStrategy.baseAdapterTestInitialization(session, manager, adminRealm, getClass());
         }
     };
 
@@ -89,7 +62,7 @@ public class Jetty9Test {
         List<Handler> list = new ArrayList<Handler>();
         System.setProperty("app.server.base.url", "http://localhost:8082");
         System.setProperty("my.host.name", "localhost");
-        URL dir = Jetty9Test.class.getResource("/adapter-test/demorealm.json");
+        URL dir = Jetty8Test.class.getResource("/adapter-test/demorealm.json");
         File base = new File(dir.getFile()).getParentFile();
         list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
         list.add(new WebAppContext(new File(base, "customer-db").toString(), "/customer-db"));
@@ -190,4 +163,13 @@ public class Jetty9Test {
     public void testSessionInvalidatedAfterFailedRefresh() throws Throwable {
         testStrategy.testSessionInvalidatedAfterFailedRefresh();
 
-    }}
+    }
+
+    /**
+     * KEYCLOAK-942
+     */
+    @Test
+    public void testAdminApplicationLogout() throws Throwable {
+        testStrategy.testAdminApplicationLogout();
+    }
+}

testsuite/jetty/jetty81/src/test/resources/adapter-test/demorealm.json

@@ -28,6 +28,21 @@
             "applicationRoles": {
                 "account": [ "manage-account" ]
             }
+        },
+        {
+            "username" : "mposolda",
+            "enabled": true,
+            "email" : "mposolda@redhat.com",
+            "firstName": "Marek",
+            "lastName": "Posolda",
+            "credentials" : [
+                { "type" : "password",
+                  "value" : "password" }
+            ],
+            "realmRoles": [ "user" ],
+            "applicationRoles": {
+                "account": [ "manage-account" ]
+            }
         }
     ],
     "roles" : {

testsuite/jetty/jetty91/src/test/java/org/keycloak/testsuite/Jetty9Test.java

@@ -75,8 +75,7 @@ public class Jetty9Test {
     public static AbstractKeycloakRule keycloakRule = new AbstractKeycloakRule() {
         @Override
         protected void configure(KeycloakSession session, RealmManager manager, RealmModel adminRealm) {
-            RealmRepresentation representation = KeycloakServer.loadJson(getClass().getResourceAsStream("/adapter-test/demorealm.json"), RealmRepresentation.class);
-            RealmModel realm = manager.importRealm(representation);
+            AdapterTestStrategy.baseAdapterTestInitialization(session, manager, adminRealm, getClass());
         }
     };
 
@@ -191,4 +190,12 @@ public class Jetty9Test {
         testStrategy.testSessionInvalidatedAfterFailedRefresh();
 
     }
+
+    /**
+     * KEYCLOAK-942
+     */
+    @Test
+    public void testAdminApplicationLogout() throws Throwable {
+        testStrategy.testAdminApplicationLogout();
+    }
 }

testsuite/jetty/jetty91/src/test/resources/adapter-test/demorealm.json

@@ -28,6 +28,21 @@
             "applicationRoles": {
                 "account": [ "manage-account" ]
             }
+        },
+        {
+            "username" : "mposolda",
+            "enabled": true,
+            "email" : "mposolda@redhat.com",
+            "firstName": "Marek",
+            "lastName": "Posolda",
+            "credentials" : [
+                { "type" : "password",
+                  "value" : "password" }
+            ],
+            "realmRoles": [ "user" ],
+            "applicationRoles": {
+                "account": [ "manage-account" ]
+            }
         }
     ],
     "roles" : {

testsuite/jetty/jetty92/src/test/java/org/keycloak/testsuite/Jetty9Test.java

@@ -75,8 +75,7 @@ public class Jetty9Test {
     public static AbstractKeycloakRule keycloakRule = new AbstractKeycloakRule() {
         @Override
         protected void configure(KeycloakSession session, RealmManager manager, RealmModel adminRealm) {
-            RealmRepresentation representation = KeycloakServer.loadJson(getClass().getResourceAsStream("/adapter-test/demorealm.json"), RealmRepresentation.class);
-            RealmModel realm = manager.importRealm(representation);
+            AdapterTestStrategy.baseAdapterTestInitialization(session, manager, adminRealm, getClass());
         }
     };
 
@@ -191,4 +190,12 @@ public class Jetty9Test {
         testStrategy.testSessionInvalidatedAfterFailedRefresh();
 
     }
+
+    /**
+     * KEYCLOAK-942
+     */
+    @Test
+    public void testAdminApplicationLogout() throws Throwable {
+        testStrategy.testAdminApplicationLogout();
+    }
 }

testsuite/jetty/jetty92/src/test/resources/adapter-test/demorealm.json

@@ -28,6 +28,21 @@
             "applicationRoles": {
                 "account": [ "manage-account" ]
             }
+        },
+        {
+            "username" : "mposolda",
+            "enabled": true,
+            "email" : "mposolda@redhat.com",
+            "firstName": "Marek",
+            "lastName": "Posolda",
+            "credentials" : [
+                { "type" : "password",
+                  "value" : "password" }
+            ],
+            "realmRoles": [ "user" ],
+            "applicationRoles": {
+                "account": [ "manage-account" ]
+            }
         }
     ],
     "roles" : {

testsuite/tomcat6/src/test/java/org/keycloak/testsuite/TomcatTest.java

@@ -63,8 +63,7 @@ public class TomcatTest {
     public static AbstractKeycloakRule keycloakRule = new AbstractKeycloakRule() {
         @Override
         protected void configure(KeycloakSession session, RealmManager manager, RealmModel adminRealm) {
-            RealmRepresentation representation = KeycloakServer.loadJson(getClass().getResourceAsStream("/adapter-test/demorealm.json"), RealmRepresentation.class);
-            RealmModel realm = manager.importRealm(representation);
+            AdapterTestStrategy.baseAdapterTestInitialization(session, manager, adminRealm, getClass());
        }
     };
 
@@ -173,6 +172,14 @@ public class TomcatTest {
 
     }
 
+    /**
+     * KEYCLOAK-942
+     */
+    @Test
+    public void testAdminApplicationLogout() throws Throwable {
+        testStrategy.testAdminApplicationLogout();
+    }
+
     static String getBaseDirectory() {
         String dirPath = null;
         String relativeDirPath = "testsuite" + File.separator + "tomcat6" + File.separator + "target";

testsuite/tomcat6/src/test/resources/adapter-test/demorealm.json

@@ -28,6 +28,21 @@
             "applicationRoles": {
                 "account": [ "manage-account" ]
             }
+        },
+        {
+            "username" : "mposolda",
+            "enabled": true,
+            "email" : "mposolda@redhat.com",
+            "firstName": "Marek",
+            "lastName": "Posolda",
+            "credentials" : [
+                { "type" : "password",
+                  "value" : "password" }
+            ],
+            "realmRoles": [ "user" ],
+            "applicationRoles": {
+                "account": [ "manage-account" ]
+            }
         }
     ],
     "roles" : {

testsuite/tomcat7/src/test/java/org/keycloak/testsuite/Tomcat7Test.java

@@ -64,8 +64,7 @@ public class Tomcat7Test {
     public static AbstractKeycloakRule keycloakRule = new AbstractKeycloakRule() {
         @Override
         protected void configure(KeycloakSession session, RealmManager manager, RealmModel adminRealm) {
-            RealmRepresentation representation = KeycloakServer.loadJson(getClass().getResourceAsStream("/adapter-test/demorealm.json"), RealmRepresentation.class);
-            RealmModel realm = manager.importRealm(representation);
+            AdapterTestStrategy.baseAdapterTestInitialization(session, manager, adminRealm, getClass());
        }
     };
 
@@ -177,6 +176,14 @@ public class Tomcat7Test {
 
     }
 
+    /**
+     * KEYCLOAK-942
+     */
+    @Test
+    public void testAdminApplicationLogout() throws Throwable {
+        testStrategy.testAdminApplicationLogout();
+    }
+
 
     private static String getBaseDirectory() {
         String dirPath = null;

testsuite/tomcat7/src/test/resources/adapter-test/demorealm.json

@@ -28,6 +28,21 @@
             "applicationRoles": {
                 "account": [ "manage-account" ]
             }
+        },
+        {
+            "username" : "mposolda",
+            "enabled": true,
+            "email" : "mposolda@redhat.com",
+            "firstName": "Marek",
+            "lastName": "Posolda",
+            "credentials" : [
+                { "type" : "password",
+                  "value" : "password" }
+            ],
+            "realmRoles": [ "user" ],
+            "applicationRoles": {
+                "account": [ "manage-account" ]
+            }
         }
     ],
     "roles" : {

testsuite/tomcat8/src/test/java/org/keycloak/testsuite/TomcatTest.java

@@ -64,8 +64,7 @@ public class TomcatTest {
     public static AbstractKeycloakRule keycloakRule = new AbstractKeycloakRule() {
         @Override
         protected void configure(KeycloakSession session, RealmManager manager, RealmModel adminRealm) {
-            RealmRepresentation representation = KeycloakServer.loadJson(getClass().getResourceAsStream("/adapter-test/demorealm.json"), RealmRepresentation.class);
-            RealmModel realm = manager.importRealm(representation);
+            AdapterTestStrategy.baseAdapterTestInitialization(session, manager, adminRealm, getClass());
         }
     };
 
@@ -178,6 +177,14 @@ public class TomcatTest {
 
     }
 
+    /**
+     * KEYCLOAK-942
+     */
+    @Test
+    public void testAdminApplicationLogout() throws Throwable {
+        testStrategy.testAdminApplicationLogout();
+    }
+
     private static String getBaseDirectory() {
         String dirPath = null;
         String relativeDirPath = "testsuite" + File.separator + "tomcat8" + File.separator + "target";

testsuite/tomcat8/src/test/resources/adapter-test/demorealm.json

@@ -28,6 +28,21 @@
             "applicationRoles": {
                 "account": [ "manage-account" ]
             }
+        },
+        {
+            "username" : "mposolda",
+            "enabled": true,
+            "email" : "mposolda@redhat.com",
+            "firstName": "Marek",
+            "lastName": "Posolda",
+            "credentials" : [
+                { "type" : "password",
+                  "value" : "password" }
+            ],
+            "realmRoles": [ "user" ],
+            "applicationRoles": {
+                "account": [ "manage-account" ]
+            }
         }
     ],
     "roles" : {