Reapply "Prevent login page cookie issues with a descriptive error me…

…ssage" This reverts commit 9fa84b3.
keycloak · Oct 14, 2024 · a5a8daf · a5a8daf
1 parent f692295
commit a5a8daf
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 4 deletions.
diff --git a/benchmark/src/main/java/org/keycloak/benchmark/Config.java b/benchmark/src/main/java/org/keycloak/benchmark/Config.java
@@ -1,5 +1,6 @@
 package org.keycloak.benchmark;
 
+import java.net.URI;
 import java.text.SimpleDateFormat;
 import java.util.Arrays;
 import java.util.List;
@@ -190,7 +191,7 @@ public class Config {
         String serversProp = System.getProperty("server-url");
         if (serversProp == null) {
             String serversEnv = System.getenv("KC_SERVER_URL");
-            serverUris = serversEnv != null ? serversEnv : "http://localhost:8080/auth";
+            serverUris = serversEnv != null ? serversEnv : "http://0.0.0.0:8080";
         } else {
             serverUris = serversProp;
         }
@@ -199,6 +200,46 @@ public class Config {
         serverUrisList = Arrays.asList(serverUris.split(" "));
     }
 
+    public static void preventLocalhostServerUris() {
+        serverUrisList.stream().forEach(s -> {
+            URI uri = URI.create(s);
+            if (uri.getScheme().equals("http") && isLocalhostSecureContext(uri)) {
+                throw new RuntimeException("""
+                                           Gatling won't send secure cookies to localhost addresses. Due to this, it is incompatible of running tests against with Keycloak 26.
+                                           See https://github.com/keycloak/keycloak-benchmark/issues/945 for more information.
+                                           As a workaround, use a different IP address on your current host, or use http://0.0.0.0
+                                           """);
+            }
+        });
+    }
+
+    public static boolean isLocalhostSecureContext(URI uri) {
+        String host = uri.getHost();
+        if (host == null) {
+            return false;
+        }
+
+        // The host matches a CIDR notation of ::1/128
+        if (host.equals("[::1]") || host.equals("[0000:0000:0000:0000:0000:0000:0000:0001]")) {
+            return true;
+        }
+
+        // The host matches a CIDR notation of 127.0.0.0/8
+        if (host.matches("127.\\d{1,3}.\\d{1,3}.\\d{1,3}")) {
+            return true;
+        }
+
+        if (host.equals("localhost") || host.equals("localhost.")) {
+            return true;
+        }
+
+        if (host.endsWith(".localhost") || host.endsWith(".localhost.")) {
+            return true;
+        }
+
+        return false;
+    }
+
     public static String toStringPopulationConfig() {
         return String.format(
                 "  realms: %s\n"

diff --git a/benchmark/src/main/scala/keycloak/scenario/authentication/AuthorizationCode.scala b/benchmark/src/main/scala/keycloak/scenario/authentication/AuthorizationCode.scala
@@ -1,9 +1,12 @@
 package keycloak.scenario.authentication
 
 import keycloak.scenario.{CommonSimulation, KeycloakScenarioBuilder}
+import org.keycloak.benchmark.Config
 
 class AuthorizationCode extends CommonSimulation {
 
+  Config.preventLocalhostServerUris()
+
   setUp("Authentication - Authorization Code Username/Password", new KeycloakScenarioBuilder()
     .openLoginPage(true)
     .loginUsernamePassword()

diff --git a/benchmark/src/main/scala/keycloak/scenario/authentication/LoginUserPassword.scala b/benchmark/src/main/scala/keycloak/scenario/authentication/LoginUserPassword.scala
@@ -1,9 +1,12 @@
 package keycloak.scenario.authentication
 
 import keycloak.scenario.{CommonSimulation, KeycloakScenarioBuilder}
+import org.keycloak.benchmark.Config
 
 class LoginUserPassword extends CommonSimulation {
 
+  Config.preventLocalhostServerUris()
+
   setUp("Authentication - Login Username/Password", new KeycloakScenarioBuilder()
     .openLoginPage(true)
     .loginUsernamePassword())

diff --git a/doc/benchmark/modules/ROOT/pages/run/running-benchmark-cli.adoc b/doc/benchmark/modules/ROOT/pages/run/running-benchmark-cli.adoc
@@ -31,7 +31,7 @@ To start running tests, execute:
 ./kcb.sh
 ----
 
-By default, tests expect Keycloak to run on \http://localhost:8080/auth, and the default scenario is `keycloak.scenarion.authentication.ClientSecret`.
+By default, tests expect Keycloak to run on \http://0.0.0.0:8080, and the default scenario is `keycloak.scenarion.authentication.ClientSecret`.
 
 To use a different server URL, realm and scenario:
 

diff --git a/doc/benchmark/modules/ROOT/pages/scenario/authorization-code.adoc b/doc/benchmark/modules/ROOT/pages/scenario/authorization-code.adoc
@@ -14,6 +14,12 @@ See xref:scenario-overview.adoc[] for a list of all scenarios.
 
 See the source code at link:{github-files}/benchmark/src/main/scala/keycloak/scenario/authentication/AuthorizationCode.scala[AuthorizationCode.scala] for details.
 
+[WARNING]
+====
+Due to the circumstances described in issue https://github.com/keycloak/keycloak-benchmark/issues/945[#945], this scenario will not work with a non-TLS localhost URLs like `+http://localhost+`, `+http://127.0.0.1+` or similar.
+Instead, use IP addresses of other interfaces, or `+http://0.0.0.0+`, or run Keycloak with a TLS certificate.
+====
+
 == Running an example scenario
 
 === Prerequisites
@@ -35,13 +41,13 @@ See xref:configuration.adoc[] for additional CLI options.
 ----
 bin/kcb.sh \
   --scenario=keycloak.scenario.authentication.AuthorizationCode \
-  --server-url=http://localhost:8080/ \
+  --server-url=http://0.0.0.0:8080/ \
   --realm-name=realm-0 \
   --username=user-0 \
   --user-password=user-0-password \
   --client-id=client-0 \
   --client-secret=client-0-secret \
-  --client-redirect-uri=http://localhost:8080 \
+  --client-redirect-uri=http://0.0.0.0:8080 \
   --log-http-on-failure
 ----