From 7b8abd83d72f4b24257ad3f0c4c5802e04332a73 Mon Sep 17 00:00:00 2001 From: Farah Juma Date: Wed, 1 May 2024 11:20:04 -0400 Subject: [PATCH 1/2] [ELY-2340] Move some test methods to OidcBaseTest --- .../security/http/oidc/BearerTest.java | 2 +- .../security/http/oidc/OidcBaseTest.java | 70 ++++++++++++++ .../wildfly/security/http/oidc/OidcTest.java | 93 ------------------- 3 files changed, 71 insertions(+), 94 deletions(-) diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/BearerTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/BearerTest.java index 1aacbe3239d..18c4b2f087d 100644 --- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/BearerTest.java +++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/BearerTest.java @@ -488,7 +488,7 @@ private InputStream getOidcConfigurationInputStream(String authServerUrl) { return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8)); } - private InputStream getOidcConfigurationInputStreamWithProviderUrl() { + protected InputStream getOidcConfigurationInputStreamWithProviderUrl() { String oidcConfig = "{\n" + " \"client-id\" : \"" + BEARER_ONLY_CLIENT_ID + "\",\n" + " \"provider-url\" : \"" + KEYCLOAK_CONTAINER.getAuthServerUrl() + "/realms/" + TEST_REALM + "\",\n" + diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java index 587945a523d..2891eb90cdf 100644 --- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java +++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java @@ -21,9 +21,14 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; +import static org.wildfly.security.http.oidc.Oidc.OIDC_NAME; +import java.io.ByteArrayInputStream; import java.io.IOException; +import java.io.InputStream; import java.net.URI; +import java.nio.charset.StandardCharsets; +import java.util.HashMap; import java.util.List; import java.util.Map; @@ -54,6 +59,7 @@ import org.wildfly.security.jose.util.JsonSerialization; import com.gargoylesoftware.htmlunit.SilentCssErrorHandler; +import com.gargoylesoftware.htmlunit.TextPage; import com.gargoylesoftware.htmlunit.WebClient; import com.gargoylesoftware.htmlunit.html.HtmlForm; import com.gargoylesoftware.htmlunit.html.HtmlInput; @@ -64,6 +70,7 @@ import okhttp3.mockwebserver.Dispatcher; import okhttp3.mockwebserver.MockResponse; import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.QueueDispatcher; import okhttp3.mockwebserver.RecordedRequest; /** @@ -332,4 +339,67 @@ protected void checkForScopeClaims(Callback callback, String expectedScopes) thr } } } + + // Note: The tests will fail if `localhost` is not listed first in `/etc/hosts` file for the loopback addresses (IPv4 and IPv6). + protected void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, + int expectedDispatcherStatusCode, String expectedLocation, String clientPageText) throws Exception { + performAuthentication(oidcConfig, username, password, loginToKeycloak, expectedDispatcherStatusCode, expectedLocation, clientPageText, null, false); + } + + private void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, + int expectedDispatcherStatusCode, String expectedLocation, String clientPageText, String expectedScope, boolean checkInvalidScopeError) throws Exception { + try { + Map props = new HashMap<>(); + OidcClientConfiguration oidcClientConfiguration = OidcClientConfigurationBuilder.build(oidcConfig); + assertEquals(OidcClientConfiguration.RelativeUrlsUsed.NEVER, oidcClientConfiguration.getRelativeUrls()); + + OidcClientContext oidcClientContext = new OidcClientContext(oidcClientConfiguration); + oidcFactory = new OidcMechanismFactory(oidcClientContext); + HttpServerAuthenticationMechanism mechanism; + if (expectedScope == null) { + mechanism = oidcFactory.createAuthenticationMechanism(OIDC_NAME, props, getCallbackHandler()); + } else { + mechanism = oidcFactory.createAuthenticationMechanism(OIDC_NAME, props, getCallbackHandler(true, expectedScope)); + } + + URI requestUri = new URI(getClientUrl()); + TestingHttpServerRequest request = new TestingHttpServerRequest(null, requestUri); + mechanism.evaluateRequest(request); + TestingHttpServerResponse response = request.getResponse(); + assertEquals(loginToKeycloak ? HttpStatus.SC_MOVED_TEMPORARILY : HttpStatus.SC_FORBIDDEN, response.getStatusCode()); + assertEquals(Status.NO_AUTH, request.getResult()); + if (expectedScope != null) { + assertTrue(response.getFirstResponseHeaderValue("Location").contains("scope=" + expectedScope)); + } + + if (loginToKeycloak) { + client.setDispatcher(createAppResponse(mechanism, expectedDispatcherStatusCode, expectedLocation, clientPageText)); + + if (checkInvalidScopeError) { + WebClient webClient = getWebClient(); + TextPage keycloakLoginPage = webClient.getPage(response.getLocation()); + assertTrue(keycloakLoginPage.getWebResponse().getWebRequest().toString().contains("error_description=Invalid+scopes")); + } else { + TextPage page = loginToKeycloak(username, password, requestUri, response.getLocation(), + response.getCookies()).click(); + assertTrue(page.getContent().contains(clientPageText)); + } + } + } finally { + client.setDispatcher(new QueueDispatcher()); + } + } + + protected InputStream getOidcConfigurationInputStreamWithProviderUrl() { + String oidcConfig = "{\n" + + " \"resource\" : \"" + CLIENT_ID + "\",\n" + + " \"public-client\" : \"false\",\n" + + " \"provider-url\" : \"" + KEYCLOAK_CONTAINER.getAuthServerUrl() + "/realms/" + TEST_REALM + "\",\n" + + " \"ssl-required\" : \"EXTERNAL\",\n" + + " \"credentials\" : {\n" + + " \"secret\" : \"" + CLIENT_SECRET + "\"\n" + + " }\n" + + "}"; + return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8)); + } } diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java index 1556424ac12..b7e1ce6ec6a 100644 --- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java +++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java @@ -237,37 +237,6 @@ public void testOpenIDWithMultipleScopeValue() throws Exception { true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT, expectedScope, false); } - // Note: The tests will fail if `localhost` is not listed first in `/etc/hosts` file for the loopback addresses (IPv4 and IPv6). - private void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, - int expectedDispatcherStatusCode, String expectedLocation, String clientPageText) throws Exception { - performAuthentication(oidcConfig, username, password, loginToKeycloak, expectedDispatcherStatusCode, expectedLocation, clientPageText, null, false); - } - - private void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, - int expectedDispatcherStatusCode, String expectedLocation, String clientPageText, - CallbackHandler callbackHandler) throws Exception { - performAuthentication(oidcConfig, username, password, loginToKeycloak, expectedDispatcherStatusCode, expectedLocation, - clientPageText, null, false, callbackHandler); - } - - @Test - public void testPrincipalAttribute() throws Exception { - // custom principal-attribute - performAuthentication(getOidcConfigurationInputStreamWithPrincipalAttribute("aud"), KeycloakConfiguration.ALICE, - KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT, - getCallbackHandler( "test-webapp")); - - // standard principal-attribute - performAuthentication(getOidcConfigurationInputStreamWithPrincipalAttribute("given_name"), KeycloakConfiguration.ALICE, - KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT, - getCallbackHandler("Alice")); - - // invalid principal-attribute, logging in should still succeed - performAuthentication(getOidcConfigurationInputStreamWithPrincipalAttribute("invalid_claim"), KeycloakConfiguration.ALICE, - KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT, - getCallbackHandler()); - } - /***************************************************************************************************************************************** * Tests for multi-tenancy. * @@ -527,55 +496,6 @@ private void performTenantRequest(String username, String password, String tenan } } - private void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, - int expectedDispatcherStatusCode, String expectedLocation, String clientPageText, - String expectedScope, boolean checkInvalidScopeError) throws Exception { - performAuthentication(oidcConfig, username, password, loginToKeycloak, expectedDispatcherStatusCode, expectedLocation, - clientPageText, expectedScope, checkInvalidScopeError, getCallbackHandler(checkInvalidScopeError, - expectedScope, null)); - } - - private void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, - int expectedDispatcherStatusCode, String expectedLocation, String clientPageText, - String expectedScope, boolean checkInvalidScopeError, - CallbackHandler callbackHandler) throws Exception { - try { - Map props = new HashMap<>(); - OidcClientConfiguration oidcClientConfiguration = OidcClientConfigurationBuilder.build(oidcConfig); - assertEquals(OidcClientConfiguration.RelativeUrlsUsed.NEVER, oidcClientConfiguration.getRelativeUrls()); - - OidcClientContext oidcClientContext = new OidcClientContext(oidcClientConfiguration); - oidcFactory = new OidcMechanismFactory(oidcClientContext); - HttpServerAuthenticationMechanism mechanism = oidcFactory.createAuthenticationMechanism(OIDC_NAME, props, callbackHandler); - - URI requestUri = new URI(getClientUrl()); - TestingHttpServerRequest request = new TestingHttpServerRequest(null, requestUri); - mechanism.evaluateRequest(request); - TestingHttpServerResponse response = request.getResponse(); - assertEquals(loginToKeycloak ? HttpStatus.SC_MOVED_TEMPORARILY : HttpStatus.SC_FORBIDDEN, response.getStatusCode()); - assertEquals(Status.NO_AUTH, request.getResult()); - if (expectedScope != null) { - assertTrue(response.getFirstResponseHeaderValue("Location").contains("scope=" + expectedScope)); - } - - if (loginToKeycloak) { - client.setDispatcher(createAppResponse(mechanism, expectedDispatcherStatusCode, expectedLocation, clientPageText)); - - if (checkInvalidScopeError) { - WebClient webClient = getWebClient(); - TextPage keycloakLoginPage = webClient.getPage(response.getLocation()); - assertTrue(keycloakLoginPage.getWebResponse().getWebRequest().toString().contains("error_description=Invalid+scopes")); - } else { - TextPage page = loginToKeycloak(username, password, requestUri, response.getLocation(), - response.getCookies()).click(); - assertTrue(page.getContent().contains(clientPageText)); - } - } - } finally { - client.setDispatcher(new QueueDispatcher()); - } - } - private InputStream getOidcConfigurationInputStream() { return getOidcConfigurationInputStream(CLIENT_SECRET); } @@ -598,19 +518,6 @@ private InputStream getOidcConfigurationInputStream(String clientSecret, String return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8)); } - private InputStream getOidcConfigurationInputStreamWithProviderUrl() { - String oidcConfig = "{\n" + - " \"resource\" : \"" + CLIENT_ID + "\",\n" + - " \"public-client\" : \"false\",\n" + - " \"provider-url\" : \"" + KEYCLOAK_CONTAINER.getAuthServerUrl() + "/realms/" + TEST_REALM + "\",\n" + - " \"ssl-required\" : \"EXTERNAL\",\n" + - " \"credentials\" : {\n" + - " \"secret\" : \"" + CLIENT_SECRET + "\"\n" + - " }\n" + - "}"; - return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8)); - } - private InputStream getOidcConfigurationInputStreamWithEnvironmentVariableExpression() { String oidcConfig = "{\n" + " \"resource\" : \"" + CLIENT_ID + "\",\n" + From dcbadba73db8e1ad2d4aa8f31bcc7bc97266d9fe Mon Sep 17 00:00:00 2001 From: Farah Juma Date: Wed, 1 May 2024 11:20:44 -0400 Subject: [PATCH 2/2] [ELY-2340] Add the ability to allow query params in redirect URIs via a new system property --- .../org/wildfly/security/http/oidc/Oidc.java | 2 + .../http/oidc/OidcRequestAuthenticator.java | 21 ++++- .../security/http/oidc/OidcBaseTest.java | 20 ++++- .../http/oidc/QueryParamsBaseTest.java | 61 ++++++++++++++ .../http/oidc/QueryParamsDisabledTest.java | 74 ++++++++++++++++ .../http/oidc/QueryParamsEnabledTest.java | 84 +++++++++++++++++++ 6 files changed, 258 insertions(+), 4 deletions(-) create mode 100644 http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsBaseTest.java create mode 100644 http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsDisabledTest.java create mode 100644 http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsEnabledTest.java diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java index 2052af1a0c1..f42313b7f58 100644 --- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java +++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java @@ -65,6 +65,7 @@ public class Oidc { public static final String FACES_REQUEST = "Faces-Request"; public static final String GRANT_TYPE = "grant_type"; public static final String INVALID_TOKEN = "invalid_token"; + public static final String ISSUER = "iss"; public static final String LOGIN_HINT = "login_hint"; public static final String DOMAIN_HINT = "domain_hint"; public static final String MAX_AGE = "max_age"; @@ -113,6 +114,7 @@ public class Oidc { static final String KEYCLOAK_QUERY_BEARER_TOKEN = "k_query_bearer_token"; static final String DEFAULT_TOKEN_SIGNATURE_ALGORITHM = "RS256"; public static final String DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME = "wildfly.elytron.oidc.disable.typ.claim.validation"; + public static final String ALLOW_QUERY_PARAMS_PROPERTY_NAME = "wildfly.elytron.oidc.allow.query.params"; public static final String X_REQUESTED_WITH = "X-Requested-With"; public static final String XML_HTTP_REQUEST = "XMLHttpRequest"; diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java index dbb3f056874..bf67e938598 100644 --- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java +++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java @@ -19,10 +19,12 @@ package org.wildfly.security.http.oidc; import static org.wildfly.security.http.oidc.ElytronMessages.log; +import static org.wildfly.security.http.oidc.Oidc.ALLOW_QUERY_PARAMS_PROPERTY_NAME; import static org.wildfly.security.http.oidc.Oidc.CLIENT_ID; import static org.wildfly.security.http.oidc.Oidc.CODE; import static org.wildfly.security.http.oidc.Oidc.DOMAIN_HINT; import static org.wildfly.security.http.oidc.Oidc.ERROR; +import static org.wildfly.security.http.oidc.Oidc.ISSUER; import static org.wildfly.security.http.oidc.Oidc.KC_IDP_HINT; import static org.wildfly.security.http.oidc.Oidc.LOGIN_HINT; import static org.wildfly.security.http.oidc.Oidc.MAX_AGE; @@ -43,6 +45,8 @@ import java.net.MalformedURLException; import java.net.URISyntaxException; import java.net.URL; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Arrays; import java.util.HashSet; @@ -74,6 +78,17 @@ public class OidcRequestAuthenticator { protected String refreshToken; protected String strippedOauthParametersRequestUri; + static final boolean ALLOW_QUERY_PARAMS_PROPERTY; + + static { + ALLOW_QUERY_PARAMS_PROPERTY = AccessController.doPrivileged(new PrivilegedAction() { + @Override + public Boolean run() { + return Boolean.parseBoolean(System.getProperty(ALLOW_QUERY_PARAMS_PROPERTY_NAME, "false")); + } + }); + } + public OidcRequestAuthenticator(RequestAuthenticator requestAuthenticator, OidcHttpFacade facade, OidcClientConfiguration deployment, int sslRedirectPort, OidcTokenStore tokenStore) { this.reqAuthenticator = requestAuthenticator; this.facade = facade; @@ -375,11 +390,15 @@ protected AuthChallenge resolveCode(String code) { private static String stripOauthParametersFromRedirect(String uri) { uri = stripQueryParam(uri, CODE); uri = stripQueryParam(uri, STATE); - return stripQueryParam(uri, SESSION_STATE); + uri = stripQueryParam(uri, SESSION_STATE); + return stripQueryParam(uri, ISSUER); } private String rewrittenRedirectUri(String originalUri) { Map rewriteRules = deployment.getRedirectRewriteRules(); + if (ALLOW_QUERY_PARAMS_PROPERTY && (rewriteRules == null || rewriteRules.isEmpty())) { + return originalUri; + } try { URL url = new URL(originalUri); Map.Entry rule = null; diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java index 2891eb90cdf..de3115d96b0 100644 --- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java +++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java @@ -343,11 +343,25 @@ protected void checkForScopeClaims(Callback callback, String expectedScopes) thr // Note: The tests will fail if `localhost` is not listed first in `/etc/hosts` file for the loopback addresses (IPv4 and IPv6). protected void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, int expectedDispatcherStatusCode, String expectedLocation, String clientPageText) throws Exception { - performAuthentication(oidcConfig, username, password, loginToKeycloak, expectedDispatcherStatusCode, expectedLocation, clientPageText, null, false); + performAuthentication(oidcConfig, username, password, loginToKeycloak, expectedDispatcherStatusCode, getClientUrl(), expectedLocation, + clientPageText, null, false); + } + + protected void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, + int expectedDispatcherStatusCode, String clientUrl, String expectedLocation, String clientPageText) throws Exception { + performAuthentication(oidcConfig, username, password, loginToKeycloak, expectedDispatcherStatusCode, clientUrl, expectedLocation, + clientPageText, null, false); + } + + protected void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, int expectedDispatcherStatusCode, + String expectedLocation, String clientPageText, String expectedScope, boolean checkInvalidScopeError) throws Exception { + performAuthentication(oidcConfig, username, password, loginToKeycloak, expectedDispatcherStatusCode, getClientUrl(), expectedLocation, clientPageText, + expectedScope, checkInvalidScopeError); } private void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak, - int expectedDispatcherStatusCode, String expectedLocation, String clientPageText, String expectedScope, boolean checkInvalidScopeError) throws Exception { + int expectedDispatcherStatusCode, String clientUrl, String expectedLocation, String clientPageText, + String expectedScope, boolean checkInvalidScopeError) throws Exception { try { Map props = new HashMap<>(); OidcClientConfiguration oidcClientConfiguration = OidcClientConfigurationBuilder.build(oidcConfig); @@ -362,7 +376,7 @@ private void performAuthentication(InputStream oidcConfig, String username, Stri mechanism = oidcFactory.createAuthenticationMechanism(OIDC_NAME, props, getCallbackHandler(true, expectedScope)); } - URI requestUri = new URI(getClientUrl()); + URI requestUri = new URI(clientUrl); TestingHttpServerRequest request = new TestingHttpServerRequest(null, requestUri); mechanism.evaluateRequest(request); TestingHttpServerResponse response = request.getResponse(); diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsBaseTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsBaseTest.java new file mode 100644 index 00000000000..e6bb2762ed5 --- /dev/null +++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsBaseTest.java @@ -0,0 +1,61 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2024 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.security.http.oidc; + +import static org.junit.Assume.assumeTrue; + +import org.junit.AfterClass; +import org.junit.BeforeClass; + +import io.restassured.RestAssured; +import okhttp3.mockwebserver.MockWebServer; + +/** + * Tests for the {@code wildfly.elytron.oidc.allow.query.params} system property. + * + * @author Farah Juma + */ +public class QueryParamsBaseTest extends OidcBaseTest { + + @BeforeClass + public static void startTestContainers() throws Exception { + assumeTrue("Docker isn't available, OIDC tests will be skipped", isDockerAvailable()); + KEYCLOAK_CONTAINER = new KeycloakContainer(); + KEYCLOAK_CONTAINER.start(); + sendRealmCreationRequest(KeycloakConfiguration.getRealmRepresentation(TEST_REALM, CLIENT_ID, CLIENT_SECRET, CLIENT_HOST_NAME, CLIENT_PORT, CLIENT_APP, 3, 3, false, true)); + client = new MockWebServer(); + client.start(CLIENT_PORT); + } + + @AfterClass + public static void generalCleanup() throws Exception { + if (KEYCLOAK_CONTAINER != null) { + RestAssured + .given() + .auth().oauth2(KeycloakConfiguration.getAdminAccessToken(KEYCLOAK_CONTAINER.getAuthServerUrl())) + .when() + .delete(KEYCLOAK_CONTAINER.getAuthServerUrl() + "/admin/realms/" + TEST_REALM).then().statusCode(204); + KEYCLOAK_CONTAINER.stop(); + } + if (client != null) { + client.shutdown(); + } + } + +} diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsDisabledTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsDisabledTest.java new file mode 100644 index 00000000000..f32771d3812 --- /dev/null +++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsDisabledTest.java @@ -0,0 +1,74 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2024 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.security.http.oidc; + +import static org.junit.Assume.assumeFalse; +import static org.wildfly.security.http.oidc.Oidc.ALLOW_QUERY_PARAMS_PROPERTY_NAME; + +import org.apache.http.HttpStatus; +import org.junit.BeforeClass; +import org.junit.Test; + +/** + * Tests for disabling query params via the {@code wildfly.elytron.oidc.allow.query.params} system property. + * + * @author Farah Juma + */ +public class QueryParamsDisabledTest extends QueryParamsBaseTest { + + @BeforeClass + public static void beforeClass() { + assumeFalse("wildfly.elytron.oidc.allow.query.params should default to false", + Boolean.parseBoolean(System.getProperty(ALLOW_QUERY_PARAMS_PROPERTY_NAME))); + } + + /** + * Test successfully logging in without query params included in the URL. + */ + @Test + public void testSuccessfulAuthenticationWithoutQueryParamsWithSystemPropertyDisabled() throws Exception { + String originalUrl = getClientUrl(); + String expectedUrlAfterRedirect = originalUrl; + performAuthentication(getOidcConfigurationInputStreamWithProviderUrl(), KeycloakConfiguration.ALICE, + KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, originalUrl, + expectedUrlAfterRedirect, CLIENT_PAGE_TEXT); + } + + /** + * Test successfully logging in with query params included in the URL. + * The query params should not be present upon redirect. + */ + @Test + public void testSuccessfulAuthenticationWithQueryParamsWithSystemPropertyDisabled() throws Exception { + String queryParams = "?myparam=abc"; + String originalUrl = getClientUrl() + queryParams; + String expectedUrlAfterRedirect = getClientUrl(); + performAuthentication(getOidcConfigurationInputStreamWithProviderUrl(), KeycloakConfiguration.ALICE, + KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, + originalUrl, expectedUrlAfterRedirect, CLIENT_PAGE_TEXT); + + queryParams = "?one=abc&two=def&three=ghi"; + originalUrl = getClientUrl() + queryParams; + expectedUrlAfterRedirect = getClientUrl(); + performAuthentication(getOidcConfigurationInputStreamWithProviderUrl(), KeycloakConfiguration.ALICE, + KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, originalUrl, + expectedUrlAfterRedirect, CLIENT_PAGE_TEXT); + } + +} diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsEnabledTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsEnabledTest.java new file mode 100644 index 00000000000..d16cc998ffb --- /dev/null +++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/QueryParamsEnabledTest.java @@ -0,0 +1,84 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2024 Red Hat, Inc., and individual contributors + * as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.security.http.oidc; + +import static org.wildfly.security.http.oidc.Oidc.ALLOW_QUERY_PARAMS_PROPERTY_NAME; + +import org.apache.http.HttpStatus; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; + +/** + * Tests for enabling query params via the {@code wildfly.elytron.oidc.allow.query.params} system property. + * + * @author Farah Juma + */ +public class QueryParamsEnabledTest extends QueryParamsBaseTest { + + private static String ALLOW_QUERY_PARAMS_PROPERTY; + + @BeforeClass + public static void beforeClass() { + ALLOW_QUERY_PARAMS_PROPERTY = System.setProperty(ALLOW_QUERY_PARAMS_PROPERTY_NAME, "true"); + } + + @AfterClass + public static void afterClass() { + if (ALLOW_QUERY_PARAMS_PROPERTY == null) { + System.clearProperty(ALLOW_QUERY_PARAMS_PROPERTY_NAME); + } else { + System.setProperty(ALLOW_QUERY_PARAMS_PROPERTY_NAME, ALLOW_QUERY_PARAMS_PROPERTY); + } + } + + /** + * Test successfully logging in without query params included in the URL. + */ + @Test + public void testSuccessfulAuthenticationWithoutQueryParamsWithSystemPropertyEnabled() throws Exception { + String originalUrl = getClientUrl(); + String expectedUrlAfterRedirect = originalUrl; + performAuthentication(getOidcConfigurationInputStreamWithProviderUrl(), KeycloakConfiguration.ALICE, + KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, originalUrl, + expectedUrlAfterRedirect, CLIENT_PAGE_TEXT); + } + + /** + * Test successfully logging in with query params included in the URL. + * The query params should be present upon redirect. + */ + @Test + public void testSuccessfulAuthenticationWithQueryParamsWithSystemPropertyEnabled() throws Exception { + String queryParams = "?myparam=abc"; + String originalUrl = getClientUrl() + queryParams; + String expectedUrlAfterRedirect = originalUrl; + performAuthentication(getOidcConfigurationInputStreamWithProviderUrl(), KeycloakConfiguration.ALICE, + KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, originalUrl, + expectedUrlAfterRedirect, CLIENT_PAGE_TEXT); + + queryParams = "?one=abc&two=def&three=ghi"; + originalUrl = getClientUrl() + queryParams; + expectedUrlAfterRedirect = originalUrl; + performAuthentication(getOidcConfigurationInputStreamWithProviderUrl(), KeycloakConfiguration.ALICE, + KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_MOVED_TEMPORARILY, originalUrl, + expectedUrlAfterRedirect, CLIENT_PAGE_TEXT); + } + +}