From 02a9eb442de779724df94c8a9f5d512c1bc86346 Mon Sep 17 00:00:00 2001 From: Takashi Norimatsu Date: Tue, 20 Jul 2021 03:52:48 +0900 Subject: [PATCH] KEYCLOAK-18829 FAPI-CIBA-ID1 conformance test : ClientRolesCondition needs to be evaluated on CIBA backchannel authentication request and token request --- .../condition/ClientRolesCondition.java | 2 + .../keycloak/testsuite/client/CIBATest.java | 40 +++++++++++++------ 2 files changed, 29 insertions(+), 13 deletions(-) diff --git a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientRolesCondition.java b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientRolesCondition.java index f21ba33a38..b353ca1995 100644 --- a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientRolesCondition.java +++ b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientRolesCondition.java @@ -75,6 +75,8 @@ public class ClientRolesCondition extends AbstractClientPolicyConditionProvider< case TOKEN_INTROSPECT: case USERINFO_REQUEST: case LOGOUT_REQUEST: + case BACKCHANNEL_AUTHENTICATION_REQUEST: + case BACKCHANNEL_TOKEN_REQUEST: if (isRolesMatched(session.getContext().getClient())) return ClientPolicyVote.YES; return ClientPolicyVote.NO; default: diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java index 9a14de20d3..13d0fc3a97 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java @@ -37,6 +37,7 @@ import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.QUARKUS; import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE; import static org.keycloak.testsuite.util.ClientPoliciesUtil.createAnyClientConditionConfig; +import static org.keycloak.testsuite.util.ClientPoliciesUtil.createClientRolesConditionConfig; import static org.keycloak.testsuite.util.ClientPoliciesUtil.createClientUpdateContextConditionConfig; import static org.keycloak.testsuite.util.ClientPoliciesUtil.createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig; @@ -94,8 +95,8 @@ import org.keycloak.services.clientpolicy.ClientPolicyEvent; import org.keycloak.services.clientpolicy.ClientPoliciesUtil; import org.keycloak.services.clientpolicy.ClientPolicyException; import org.keycloak.services.clientpolicy.condition.AnyClientConditionFactory; +import org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory; import org.keycloak.services.clientpolicy.condition.ClientUpdaterContextConditionFactory; -import org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmExecutorFactory; import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude; @@ -109,6 +110,7 @@ import org.keycloak.testsuite.util.InfinispanTestTimeServiceRule; import org.keycloak.testsuite.util.KeycloakModelUtils; import org.keycloak.testsuite.util.Matchers; import org.keycloak.testsuite.util.OAuthClient; +import org.keycloak.testsuite.util.RoleBuilder; import org.keycloak.testsuite.util.UserBuilder; import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder; import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder; @@ -1436,15 +1438,21 @@ public class CIBATest extends AbstractClientPoliciesTest { ).toString(); updateProfiles(json); - // register policies + // register role policy + String roleName = "sample-client-role-alpha"; json = (new ClientPoliciesBuilder()).addPolicy( - (new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE) - .addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()) - .addProfile(PROFILE_NAME) - .toRepresentation() - ).toString(); + (new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE) + .addCondition(ClientRolesConditionFactory.PROVIDER_ID, + createClientRolesConditionConfig(Arrays.asList(roleName))) + .addProfile(PROFILE_NAME) + .toRepresentation() + ).toString(); updatePolicies(json); + // Add role to the client + ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(REALM_NAME), clientId); + clientResource.roles().create(RoleBuilder.create().name(roleName).build()); + AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(clientId, clientSecret, TEST_USER_NAME, "Pjb9eD8w", null, null); assertEquals(400, response.getStatusCode()); assertEquals(ClientPolicyEvent.BACKCHANNEL_AUTHENTICATION_REQUEST.toString(), response.getError()); @@ -1489,15 +1497,21 @@ public class CIBATest extends AbstractClientPoliciesTest { ).toString(); updateProfiles(json); - // register policies + // register role policy + String roleName = "sample-client-role-alpha"; json = (new ClientPoliciesBuilder()).addPolicy( - (new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE) - .addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()) - .addProfile(PROFILE_NAME) - .toRepresentation() - ).toString(); + (new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE) + .addCondition(ClientRolesConditionFactory.PROVIDER_ID, + createClientRolesConditionConfig(Arrays.asList(roleName))) + .addProfile(PROFILE_NAME) + .toRepresentation() + ).toString(); updatePolicies(json); + // Add role to the client + ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(REALM_NAME), clientId); + clientResource.roles().create(RoleBuilder.create().name(roleName).build()); + OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(clientId, clientSecret, response.getAuthReqId()); assertThat(tokenRes.getStatusCode(), is(equalTo(400))); assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));