Disabling strict https if hostname is diasabled

Closes #15287
keycloak · Jan 10, 2023 · e7fa1ca · e7fa1ca
1 parent eb54328
commit e7fa1ca
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 26 deletions.
diff --git a/.../runtime/src/main/java/org/keycloak/quarkus/runtime/hostname/DefaultHostnameProvider.java b/.../runtime/src/main/java/org/keycloak/quarkus/runtime/hostname/DefaultHostnameProvider.java
@@ -109,10 +109,10 @@ public String getContextPath(UriInfo originalUriInfo, UrlType urlType) {
     @Override
     public int getPort(UriInfo originalUriInfo, UrlType urlType) {
         if (ADMIN.equals(urlType)) {
-            return fromBaseUriOrDefault(URI::getPort, adminBaseUri, getRequestPort());
+            return fromBaseUriOrDefault(URI::getPort, adminBaseUri, getRequestPort(originalUriInfo));
         }
 
-        Integer port = forNonStrictBackChannel(originalUriInfo, urlType, this::getPort, this::getPort);
+        Integer port = forNonStrictBackChannel(originalUriInfo, urlType, this::getPort, this::getRequestPort);
 
         if (port != null) {
             return port;
@@ -127,7 +127,7 @@ public int getPort(UriInfo originalUriInfo, UrlType urlType) {
 
     @Override
     public int getPort(UriInfo originalUriInfo) {
-        return noProxy && strictHttps ? defaultTlsPort : getRequestPort();
+        return noProxy && strictHttps ? defaultTlsPort : getRequestPort(originalUriInfo);
     }
 
     private <T> T forNonStrictBackChannel(UriInfo originalUriInfo, UrlType urlType,
@@ -235,7 +235,7 @@ public void init(Config.Scope config) {
         hostnameEnabled = (frontEndHostName != null || frontEndBaseUri != null);
 
         if (frontEndBaseUri == null) {
-            strictHttps = config.getBoolean("strict-https", false);
+            strictHttps = hostnameEnabled && config.getBoolean("strict-https", false);
         } else {
             frontEndHostName = frontEndBaseUri.getHost();
             strictHttps = "https".equals(frontEndBaseUri.getScheme());
@@ -293,7 +293,7 @@ public void init(Config.Scope config) {
                 !noProxy);
     }
 
-    private int getRequestPort() {
+    private int getRequestPort(UriInfo uriInfo) {
         KeycloakSession session = Resteasy.getContextData(KeycloakSession.class);
         return session.getContext().getContextObject(HttpRequest.class).getUri().getBaseUri().getPort();
     }

diff --git a/...us/tests/integration/src/main/java/org/keycloak/it/junit5/extension/CLITestExtension.java b/...us/tests/integration/src/main/java/org/keycloak/it/junit5/extension/CLITestExtension.java
@@ -32,6 +32,8 @@
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import io.quarkus.deployment.util.FileUtil;
 import io.quarkus.runtime.configuration.QuarkusConfigFactory;
@@ -102,7 +104,7 @@ public void beforeEach(ExtensionContext context) throws Exception {
             onBeforeStartDistribution(context.getRequiredTestMethod().getAnnotation(BeforeStartDistribution.class));
 
             if (launch != null) {
-                result = dist.run(List.of(launch.value()));
+                result = dist.run(Stream.concat(List.of(launch.value()).stream(), List.of(distConfig.defaultOptions()).stream()).collect(Collectors.toList()));
             }
         } else {
             configureProfile(context);

diff --git a/...us/tests/integration/src/main/java/org/keycloak/it/junit5/extension/DistributionTest.java b/...us/tests/integration/src/main/java/org/keycloak/it/junit5/extension/DistributionTest.java
@@ -56,5 +56,10 @@ enum ReInstall {
      * If any build option must be unset after the running the build command.
      */
     boolean removeBuildOptionsAfterBuild() default false;
+
+    /**
+     * If any option must be set when starting the server.
+     */
+    String[] defaultOptions() default {};
 }
 
diff --git a/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/HostnameDistTest.java b/quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/HostnameDistTest.java
@@ -31,7 +31,7 @@
 import io.quarkus.test.junit.main.Launch;
 import io.restassured.RestAssured;
 
-@DistributionTest(keepAlive = true)
+@DistributionTest(keepAlive = true, defaultOptions = { "--http-enabled=true" })
 @BeforeStartDistribution(CopyTLSKeystore.class)
 @RawDistOnly(reason = "Containers are immutable")
 public class HostnameDistTest {
@@ -42,25 +42,25 @@ public static void onBeforeAll() {
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--http-enabled=true", "--hostname-strict-https=false" })
+    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-strict-https=false" })
     public void testSchemeAndPortFromRequestWhenNoProxySet() {
         assertFrontEndUrl("http://mykeycloak.org:8080", "http://mykeycloak.org:8080/");
         assertFrontEndUrl("http://localhost:8080", "http://mykeycloak.org:8080/");
         assertFrontEndUrl("https://localhost:8443", "https://mykeycloak.org:8443/");
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--http-enabled=true" })
+    @Launch({ "start", "--hostname=mykeycloak.org" })
     public void testForceHttpsSchemeAndPortWhenStrictHttpsEnabled() {
         assertFrontEndUrl("http://mykeycloak.org:8080", "https://mykeycloak.org:8443/");
         assertFrontEndUrl("http://localhost:8080", "https://mykeycloak.org:8443/");
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=8443", "--http-enabled=true", "--hostname-strict-https=false" })
+    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=1234" })
     public void testForceHostnamePortWhenNoProxyIsSet() {
-        assertFrontEndUrl("http://mykeycloak.org:8080", "http://mykeycloak.org:8443/");
-        assertFrontEndUrl("https://mykeycloak.org:8443", "https://mykeycloak.org:8443/");
+        assertFrontEndUrl("http://mykeycloak.org:8080", "https://mykeycloak.org:1234/");
+        assertFrontEndUrl("https://mykeycloak.org:8443", "https://mykeycloak.org:1234/");
     }
 
     @Test
@@ -84,32 +84,33 @@ public void testUseDefaultPortsAndHttpsSchemeWhenProxyIsSetAndStrictHttpsEnabled
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--http-enabled=true", "--hostname-strict-https=false" })
+    @Launch({ "start", "--hostname=mykeycloak.org" })
     public void testBackEndUrlFromRequest() {
         assertBackEndUrl("http://localhost:8080", "http://localhost:8080/");
+        assertBackEndUrl("https://localhost:8443", "https://localhost:8443/");
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-strict-backchannel=true", "--http-enabled=true", "--hostname-strict-https=false" })
+    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-strict-backchannel=true" })
     public void testBackEndUrlSameAsFrontEndUrl() {
-        assertBackEndUrl("http://localhost:8080", "http://mykeycloak.org:8080/");
+        assertBackEndUrl("http://localhost:8080", "https://mykeycloak.org:8443/");
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-path=/auth", "--hostname-strict=true", "--hostname-strict-backchannel=true", "--http-enabled=true", "--hostname-strict-https=false" })
+    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-path=/auth", "--hostname-strict-backchannel=true" })
     public void testSetHostnamePath() {
-        assertFrontEndUrl("http://localhost:8080", "http://mykeycloak.org:8080/auth/");
-        assertBackEndUrl("http://localhost:8080", "http://mykeycloak.org:8080/auth/");
+        assertFrontEndUrl("http://localhost:8080", "https://mykeycloak.org:8443/auth/");
+        assertBackEndUrl("http://localhost:8080", "https://mykeycloak.org:8443/auth/");
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--https-port=8543", "--hostname-strict-https=true", "--http-enabled=true" })
+    @Launch({ "start", "--hostname=mykeycloak.org", "--https-port=8543", "--hostname-strict-https=true" })
     public void testDefaultTlsPortChangeWhenHttpPortSet() {
         assertFrontEndUrl("http://mykeycloak.org:8080", "https://mykeycloak.org:8543/");
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-strict-https=true", "--hostname-port=8543", "--http-enabled=true" })
+    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=8543" })
     public void testWelcomePageAdminUrl() {
         Assert.assertTrue(when().get("http://mykeycloak.org:8080").asString().contains("http://mykeycloak.org:8080/admin/"));
         Assert.assertTrue(when().get("https://mykeycloak.org:8443").asString().contains("https://mykeycloak.org:8443/admin/"));
@@ -118,14 +119,14 @@ public void testWelcomePageAdminUrl() {
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-admin=mykeycloakadmin.127.0.0.1.nip.io", "--http-enabled=true" })
+    @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-admin=mykeycloakadmin.org" })
     public void testHostnameAdminSet() {
-        Assert.assertTrue(when().get("https://mykeycloak.org:8443/admin/master/console").asString().contains("\"authUrl\": \"https://mykeycloakadmin.127.0.0.1.nip.io:8443\""));
-        Assert.assertTrue(when().get("https://mykeycloak.org:8443/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https://mykeycloakadmin.127.0.0.1.nip.io:8443/admin/master/console&state=02234324-d91e-4bf2-8396-57498e96b12a&response_mode=fragment&response_type=code&scope=openid&nonce=f8f3812e-e349-4bbf-8d15-cbba4927f5e5&code_challenge=7qjD_v11WGkt1ig-ZFHxJdrEvuTlzjFRgRGQ_5ADcko&code_challenge_method=S256").asString().contains("Sign in to your account"));
+        Assert.assertTrue(when().get("https://mykeycloak.org:8443/admin/master/console").asString().contains("\"authUrl\": \"https://mykeycloakadmin.org:8443\""));
+        Assert.assertTrue(when().get("https://mykeycloak.org:8443/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https://mykeycloakadmin.org:8443/admin/master/console&state=02234324-d91e-4bf2-8396-57498e96b12a&response_mode=fragment&response_type=code&scope=openid&nonce=f8f3812e-e349-4bbf-8d15-cbba4927f5e5&code_challenge=7qjD_v11WGkt1ig-ZFHxJdrEvuTlzjFRgRGQ_5ADcko&code_challenge_method=S256").asString().contains("Sign in to your account"));
     }
 
     @Test
-    @Launch({ "start", "--hostname=mykeycloak.org", "--http-enabled=true" })
+    @Launch({ "start", "--hostname=mykeycloak.org" })
     public void testInvalidRedirectUriWhenAdminNotSet() {
         Assert.assertTrue(when().get("https://mykeycloak.org:8443/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https://mykeycloakadmin.127.0.0.1.nip.io:8443/admin/master/console&state=02234324-d91e-4bf2-8396-57498e96b12a&response_mode=fragment&response_type=code&scope=openid&nonce=f8f3812e-e349-4bbf-8d15-cbba4927f5e5&code_challenge=7qjD_v11WGkt1ig-ZFHxJdrEvuTlzjFRgRGQ_5ADcko&code_challenge_method=S256").asString().contains("Invalid parameter: redirect_uri"));
     }
@@ -137,9 +138,15 @@ public void testFrontendUrl() {
     }
 
     @Test
-    @Launch({ "start", "--proxy=edge", "--hostname=mykeycloak.org", "--hostname-admin-url=http://mykeycloakadmin.127.0.0.1.nip.io:1234" })
+    @Launch({ "start", "--proxy=edge", "--hostname=mykeycloak.org", "--hostname-admin-url=http://mykeycloakadmin.org:1234" })
     public void testAdminUrl() {
-        Assert.assertTrue(when().get("https://mykeycloak.org:8443").asString().contains("http://mykeycloakadmin.127.0.0.1.nip.io:1234/admin/"));
+        Assert.assertTrue(when().get("https://mykeycloak.org:8443").asString().contains("http://mykeycloakadmin.org:1234/admin/"));
+    }
+
+    @Test
+    @Launch({ "start", "--hostname-strict=false" })
+    public void testStrictHttpsDisabledIfHostnameDisabled() {
+        assertFrontEndUrl("http://mykeycloak.org:8080", "http://mykeycloak.org:8080/");
     }
 
     private OIDCConfigurationRepresentation getServerMetadata(String baseUrl) {