libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

[KEYCLOAK-3428] - Removing scope policies in case the resource does not match

Browse source
This commit is contained in:
Pedro Igor 2016-08-11 14:58:14 -03:00
parent 2df7d6252e
commit 0030df060b
2 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
server-spi/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
View file

@ -38,6 +38,7 @@ import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger; import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Consumer; import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.stream.Collectors; import java.util.stream.Collectors;
/** /**
@ -132,12 +133,21 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
return true; return true;
} }
Resource resourcePermission = permission.getResource();
Set<Resource> policyResources = policy.getResources();
if (resourcePermission != null && !policyResources.isEmpty()) {
if (!policyResources.stream().filter(resource -> resource.getId().equals(resourcePermission.getId())).findFirst().isPresent()) {
return false;
}
}
Set<Scope> scopes = new HashSet<>(policy.getScopes()); Set<Scope> scopes = new HashSet<>(policy.getScopes());
if (scopes.isEmpty()) { if (scopes.isEmpty()) {
Set<Resource> resources = new HashSet<>(); Set<Resource> resources = new HashSet<>();
resources.addAll(policy.getResources()); resources.addAll(policyResources);
for (Resource resource : resources) { for (Resource resource : resources) {
scopes.addAll(resource.getScopes()); scopes.addAll(resource.getScopes());

2
services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java
View file

@ -163,7 +163,7 @@ public class PolicyEvaluationResponse {
if (policy.getStatus().equals(Effect.DENY)) { if (policy.getStatus().equals(Effect.DENY)) {
Policy policyModel = authorization.getStoreFactory().getPolicyStore().findById(policy.getPolicy().getId()); Policy policyModel = authorization.getStoreFactory().getPolicyStore().findById(policy.getPolicy().getId());
for (ScopeRepresentation scope : policyModel.getScopes().stream().map(scope -> Models.toRepresentation(scope, authorization)).collect(Collectors.toList())) { for (ScopeRepresentation scope : policyModel.getScopes().stream().map(scopeModel -> Models.toRepresentation(scopeModel, authorization)).collect(Collectors.toList())) {
if (!policy.getScopes().contains(scope)) { if (!policy.getScopes().contains(scope)) {
policy.getScopes().add(scope); policy.getScopes().add(scope);
} }