keycloak-service
公開メンバ関数 | 限定公開メンバ関数 | 関数 | 非公開メンバ関数 | 静的非公開メンバ関数 | 非公開変数類 | 静的非公開変数類 | 全メンバ一覧
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy クラス
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy の継承関係図
Inheritance graph
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy 連携図
Collaboration graph

公開メンバ関数

 TrustedHostClientRegistrationPolicy (KeycloakSession session, ComponentModel componentModel)
 
void beforeRegister (ClientRegistrationContext context) throws ClientRegistrationPolicyException
 
void afterRegister (ClientRegistrationContext context, ClientModel clientModel)
 
void beforeUpdate (ClientRegistrationContext context, ClientModel clientModel) throws ClientRegistrationPolicyException
 
void afterUpdate (ClientRegistrationContext context, ClientModel clientModel)
 
void beforeView (ClientRegistrationProvider provider, ClientModel clientModel) throws ClientRegistrationPolicyException
 
void beforeDelete (ClientRegistrationProvider provider, ClientModel clientModel) throws ClientRegistrationPolicyException
 
default void close ()
 

限定公開メンバ関数

void verifyHost () throws ClientRegistrationPolicyException
 
List< String > getTrustedHosts ()
 
List< String > getTrustedDomains ()
 
String verifyHostInTrustedHosts (String hostAddress, List< String > trustedHosts)
 
String verifyHostInTrustedDomains (String hostAddress, List< String > trustedDomains)
 
void verifyClientUrls (ClientRegistrationContext context) throws ClientRegistrationPolicyException
 
void checkURLTrusted (String url, List< String > trustedHosts, List< String > trustedDomains) throws ClientRegistrationPolicyException
 

関数

boolean isHostMustMatch ()
 
boolean isClientUrisMustMatch ()
 

非公開メンバ関数

boolean parseBoolean (String propertyKey)
 

静的非公開メンバ関数

static String relativeToAbsoluteURI (String rootUrl, String relative)
 

非公開変数類

final KeycloakSession session
 
final ComponentModel componentModel
 

静的非公開変数類

static final Logger logger = Logger.getLogger(TrustedHostClientRegistrationPolicy.class)
 

詳解

著者
Marek Posolda

構築子と解体子

◆ TrustedHostClientRegistrationPolicy()

org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.TrustedHostClientRegistrationPolicy ( KeycloakSession  session,
ComponentModel  componentModel 
)
inline
51  {
52  this.session = session;
53  this.componentModel = componentModel;
54  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.componentModel
final ComponentModel componentModel
Definition: TrustedHostClientRegistrationPolicy.java:49
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.session
final KeycloakSession session
Definition: TrustedHostClientRegistrationPolicy.java:48

関数詳解

◆ afterRegister()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.afterRegister ( ClientRegistrationContext  context,
ClientModel  clientModel 
)
inline

org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyを実装しています。

63  {
64  }

◆ afterUpdate()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.afterUpdate ( ClientRegistrationContext  context,
ClientModel  clientModel 
)
inline

org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyを実装しています。

75  {
76 
77  }

◆ beforeDelete()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.beforeDelete ( ClientRegistrationProvider  provider,
ClientModel  clientModel 
) throws ClientRegistrationPolicyException
inline

org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyを実装しています。

85  {
86  verifyHost();
87  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHost
void verifyHost()
Definition: TrustedHostClientRegistrationPolicy.java:91

◆ beforeRegister()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.beforeRegister ( ClientRegistrationContext  context) throws ClientRegistrationPolicyException
inline

org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyを実装しています。

57  {
58  verifyHost();
59  verifyClientUrls(context);
60  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyClientUrls
void verifyClientUrls(ClientRegistrationContext context)
Definition: TrustedHostClientRegistrationPolicy.java:187
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHost
void verifyHost()
Definition: TrustedHostClientRegistrationPolicy.java:91

◆ beforeUpdate()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.beforeUpdate ( ClientRegistrationContext  context,
ClientModel  clientModel 
) throws ClientRegistrationPolicyException
inline

org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyを実装しています。

69  {
70  verifyHost();
71  verifyClientUrls(context);
72  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyClientUrls
void verifyClientUrls(ClientRegistrationContext context)
Definition: TrustedHostClientRegistrationPolicy.java:187
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHost
void verifyHost()
Definition: TrustedHostClientRegistrationPolicy.java:91

◆ beforeView()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.beforeView ( ClientRegistrationProvider  provider,
ClientModel  clientModel 
) throws ClientRegistrationPolicyException
inline

org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyを実装しています。

80  {
81  verifyHost();
82  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHost
void verifyHost()
Definition: TrustedHostClientRegistrationPolicy.java:91

◆ checkURLTrusted()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.checkURLTrusted ( String  url,
List< String >  trustedHosts,
List< String >  trustedDomains 
) throws ClientRegistrationPolicyException
inlineprotected
223  {
224  try {
225  String host = new URL(url).getHost();
226 
227  for (String trustedHost : trustedHosts) {
228  if (host.equals(trustedHost)) {
229  return;
230  }
231  }
232 
233  for (String trustedDomain : trustedDomains) {
234  if (host.endsWith(trustedDomain)) {
235  return;
236  }
237  }
238  } catch (MalformedURLException mfe) {
239  logger.debugf(mfe, "URL '%s' is malformed", url);
240  throw new ClientRegistrationPolicyException("URL is malformed");
241  }
242 
243  ServicesLogger.LOGGER.urlDoesntMatch(url);
244  throw new ClientRegistrationPolicyException("URL doesn't match any trusted host or trusted domain");
245  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.logger
static final Logger logger
Definition: TrustedHostClientRegistrationPolicy.java:46

◆ close()

default void org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy.close ( )
inlineinherited
43  {
44  }

◆ getTrustedDomains()

List<String> org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.getTrustedDomains ( )
inlineprotected
131  {
132  List<String> trustedHostsConfig = componentModel.getConfig().getList(TrustedHostClientRegistrationPolicyFactory.TRUSTED_HOSTS);
133  List<String> domains = new LinkedList<>();
134 
135  for (String hostname : trustedHostsConfig) {
136  if (hostname.startsWith("*.")) {
137  hostname = hostname.substring(2);
138  domains.add(hostname);
139  }
140  }
141 
142  return domains;
143  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.componentModel
final ComponentModel componentModel
Definition: TrustedHostClientRegistrationPolicy.java:49

◆ getTrustedHosts()

List<String> org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.getTrustedHosts ( )
inlineprotected
121  {
122  List<String> trustedHostsConfig = componentModel.getConfig().getList(TrustedHostClientRegistrationPolicyFactory.TRUSTED_HOSTS);
123  return trustedHostsConfig.stream().filter((String hostname) -> {
124 
125  return !hostname.startsWith("*.");
126 
127  }).collect(Collectors.toList());
128  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.componentModel
final ComponentModel componentModel
Definition: TrustedHostClientRegistrationPolicy.java:49

◆ isClientUrisMustMatch()

boolean org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.isClientUrisMustMatch ( )
inlinepackage
266  {
267  return parseBoolean(TrustedHostClientRegistrationPolicyFactory.CLIENT_URIS_MUST_MATCH);
268  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.parseBoolean
boolean parseBoolean(String propertyKey)
Definition: TrustedHostClientRegistrationPolicy.java:271

◆ isHostMustMatch()

boolean org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.isHostMustMatch ( )
inlinepackage
262  {
263  return parseBoolean(TrustedHostClientRegistrationPolicyFactory.HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH);
264  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.parseBoolean
boolean parseBoolean(String propertyKey)
Definition: TrustedHostClientRegistrationPolicy.java:271

◆ parseBoolean()

boolean org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.parseBoolean ( String  propertyKey)
inlineprivate
271  {
272  String val = componentModel.getConfig().getFirst(propertyKey);
273  return val==null || Boolean.parseBoolean(val);
274  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.componentModel
final ComponentModel componentModel
Definition: TrustedHostClientRegistrationPolicy.java:49

◆ relativeToAbsoluteURI()

static String org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.relativeToAbsoluteURI ( String  rootUrl,
String  relative 
)
inlinestaticprivate
248  {
249  if (relative == null) {
250  return null;
251  }
252 
253  if (!relative.startsWith("/")) {
254  return relative;
255  } else if (rootUrl == null || rootUrl.isEmpty()) {
256  return null;
257  }
258 
259  return rootUrl + relative;
260  }

◆ verifyClientUrls()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyClientUrls ( ClientRegistrationContext  context) throws ClientRegistrationPolicyException
inlineprotected
187  {
188  boolean redirectUriMustMatch = isClientUrisMustMatch();
189  if (!redirectUriMustMatch) {
190  return;
191  }
192 
193  List<String> trustedHosts = getTrustedHosts();
194  List<String> trustedDomains = getTrustedDomains();
195 
196  ClientRepresentation client = context.getClient();
197  String rootUrl = client.getRootUrl();
198  String baseUrl = client.getBaseUrl();
199  String adminUrl = client.getAdminUrl();
200  List<String> redirectUris = client.getRedirectUris();
201 
202  baseUrl = relativeToAbsoluteURI(rootUrl, baseUrl);
203  adminUrl = relativeToAbsoluteURI(rootUrl, adminUrl);
204  Set<String> resolvedRedirects = PairwiseSubMapperUtils.resolveValidRedirectUris(rootUrl, redirectUris);
205 
206  if (rootUrl != null) {
207  checkURLTrusted(rootUrl, trustedHosts, trustedDomains);
208  }
209 
210  if (baseUrl != null) {
211  checkURLTrusted(baseUrl, trustedHosts, trustedDomains);
212  }
213  if (adminUrl != null) {
214  checkURLTrusted(adminUrl, trustedHosts, trustedDomains);
215  }
216  for (String redirect : resolvedRedirects) {
217  checkURLTrusted(redirect, trustedHosts, trustedDomains);
218  }
219 
220  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.checkURLTrusted
void checkURLTrusted(String url, List< String > trustedHosts, List< String > trustedDomains)
Definition: TrustedHostClientRegistrationPolicy.java:223
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.isClientUrisMustMatch
boolean isClientUrisMustMatch()
Definition: TrustedHostClientRegistrationPolicy.java:266
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.getTrustedHosts
List< String > getTrustedHosts()
Definition: TrustedHostClientRegistrationPolicy.java:121
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.relativeToAbsoluteURI
static String relativeToAbsoluteURI(String rootUrl, String relative)
Definition: TrustedHostClientRegistrationPolicy.java:248
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.getTrustedDomains
List< String > getTrustedDomains()
Definition: TrustedHostClientRegistrationPolicy.java:131

◆ verifyHost()

void org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHost ( ) throws ClientRegistrationPolicyException
inlineprotected
91  {
92  boolean hostMustMatch = isHostMustMatch();
93  if (!hostMustMatch) {
94  return;
95  }
96 
97  String hostAddress = session.getContext().getConnection().getRemoteAddr();
98 
99  logger.debugf("Verifying remote host : %s", hostAddress);
100 
101  List<String> trustedHosts = getTrustedHosts();
102  List<String> trustedDomains = getTrustedDomains();
103 
104  // Verify trustedHosts by their IP addresses
105  String verifiedHost = verifyHostInTrustedHosts(hostAddress, trustedHosts);
106  if (verifiedHost != null) {
107  return;
108  }
109 
110  // Verify domains if hostAddress hostname belongs to the domain. This assumes proper DNS setup
111  verifiedHost = verifyHostInTrustedDomains(hostAddress, trustedDomains);
112  if (verifiedHost != null) {
113  return;
114  }
115 
116  ServicesLogger.LOGGER.failedToVerifyRemoteHost(hostAddress);
117  throw new ClientRegistrationPolicyException("Host not trusted.");
118  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.logger
static final Logger logger
Definition: TrustedHostClientRegistrationPolicy.java:46
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.getTrustedHosts
List< String > getTrustedHosts()
Definition: TrustedHostClientRegistrationPolicy.java:121
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHostInTrustedDomains
String verifyHostInTrustedDomains(String hostAddress, List< String > trustedDomains)
Definition: TrustedHostClientRegistrationPolicy.java:165
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.isHostMustMatch
boolean isHostMustMatch()
Definition: TrustedHostClientRegistrationPolicy.java:262
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHostInTrustedHosts
String verifyHostInTrustedHosts(String hostAddress, List< String > trustedHosts)
Definition: TrustedHostClientRegistrationPolicy.java:146
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.getTrustedDomains
List< String > getTrustedDomains()
Definition: TrustedHostClientRegistrationPolicy.java:131
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.session
final KeycloakSession session
Definition: TrustedHostClientRegistrationPolicy.java:48

◆ verifyHostInTrustedDomains()

String org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHostInTrustedDomains ( String  hostAddress,
List< String >  trustedDomains 
)
inlineprotected
165  {
166  if (!trustedDomains.isEmpty()) {
167  try {
168  String hostname = InetAddress.getByName(hostAddress).getHostName();
169 
170  logger.debugf("Trying verify request from address '%s' of host '%s' by domains", hostAddress, hostname);
171 
172  for (String confDomain : trustedDomains) {
173  if (hostname.endsWith(confDomain)) {
174  logger.debugf("Successfully verified host '%s' by trusted domain '%s'", hostname, confDomain);
175  return hostname;
176  }
177  }
178  } catch (UnknownHostException uhe) {
179  logger.debugf(uhe, "Request of address '%s' came from unknown host. Skip verification by domains", hostAddress);
180  }
181  }
182 
183  return null;
184  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.logger
static final Logger logger
Definition: TrustedHostClientRegistrationPolicy.java:46

◆ verifyHostInTrustedHosts()

String org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.verifyHostInTrustedHosts ( String  hostAddress,
List< String >  trustedHosts 
)
inlineprotected
146  {
147  for (String confHostName : trustedHosts) {
148  try {
149  String hostIPAddress = InetAddress.getByName(confHostName).getHostAddress();
150 
151  logger.tracef("Trying host '%s' of address '%s'", confHostName, hostIPAddress);
152  if (hostIPAddress.equals(hostAddress)) {
153  logger.debugf("Successfully verified host : %s", confHostName);
154  return confHostName;
155  }
156  } catch (UnknownHostException uhe) {
157  logger.debugf(uhe, "Unknown host from realm configuration: %s", confHostName);
158  }
159  }
160 
161  return null;
162  }
org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.logger
static final Logger logger
Definition: TrustedHostClientRegistrationPolicy.java:46

メンバ詳解

◆ componentModel

final ComponentModel org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.componentModel
private

◆ logger

final Logger org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.logger = Logger.getLogger(TrustedHostClientRegistrationPolicy.class)
staticprivate

◆ session

final KeycloakSession org.keycloak.services.clientregistration.policy.impl.TrustedHostClientRegistrationPolicy.session
private
このクラス詳解は次のファイルから抽出されました:
2018年11月18日(日) 14時00分27秒作成 - keycloak-service / 構成:   doxygen 1.8.13