Check if UMA is enabled on resource, if not reject the request.

Closes #24422

Signed-off-by: Felix Gustavsson <felix.gustavsson@topgolf.com>
Felix Gustavsson 2023-11-08 11:44:12 +01:00 committed by Pedro Igor
parent 768231d950
commit 0f47071a29
2 changed files with 29 additions and 0 deletions


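--- a/PATH_NOT_SHOWN/PermissionTicketService.java
+++ b/PATH_NOT_SHOWN/PermissionTicketService.java
@@ -87,6 +87,8 @@ public class PermissionTicketService {
 if (!resource.getOwner().equals(this.identity.getId()))
 throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be only created by the owner", Response.Status.FORBIDDEN);
+if (!resource.isOwnerManagedAccess())
+throw new ErrorResponseException("invalid_permission", "permission can only be created for resources with user-managed access enabled", Response.Status.BAD_REQUEST);
 UserModel user = null;
 if(representation.getRequester() != null)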
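Review bot: The new guard on `resource.isOwnerManagedAccess()` carries no comment saying why a resource without user-managed access is refused here, and that intent is not obvious from the two added lines alone; a one-line comment above the check, `// Permission tickets are a UMA concept: only resources with user-managed access enabled may have tickets created for them`, would make the rejection self-explaining. Placing it after the owner check looks right, since a non-owner is still refused with 403 before this 400 can be reached, so the response does not reveal the UMA flag of someone else's resource. If this class has a separate update path for tickets, it presumably needs the same guard, but that is outside this hunk. The enclosing method starts before and continues after the hunk.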


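--- a/PATH_NOT_SHOWN/UserManagedAccessTest.java
+++ b/PATH_NOT_SHOWN/UserManagedAccessTest.java
@@ -34,6 +34,8 @@ import org.keycloak.admin.client.resource.AuthorizationResource;
 import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.authorization.client.AuthorizationDeniedException;
 import org.keycloak.authorization.client.resource.PermissionResource;
+import org.keycloak.authorization.client.resource.ProtectionResource;
+import org.keycloak.authorization.client.util.HttpResponseException;
 import org.keycloak.events.EventType;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.idm.authorization.AuthorizationRequest;
@@ -695,6 +697,31 @@ public class UserManagedAccessTest extends AbstractResourceServerTest {
 assertTrue(permissions.isEmpty());
 }
+@Test
+public void testResourceIsUserManagedCheck() throws Exception {
+resource = addResource("Resource A", null, false, "ScopeA");
+PermissionTicketRepresentation ticket = new PermissionTicketRepresentation();
+ticket.setResource(resource.getId());
+ticket.setRequesterName("marta");
+ticket.setScopeName("ScopeA");
+ticket.setGranted(true);
+ProtectionResource protection = getAuthzClient().protection();
+try {
+protection.permission().create(ticket);
+fail("Ticket creation should be denied, resource is not owner managed");
+} catch (RuntimeException cause) {
+cause.printStackTrace();
+assertTrue(HttpResponseException.class.isInstance(cause.getCause()));
+assertEquals(400, HttpResponseException.class.cast(cause.getCause()).getStatusCode());
+String errorString = new String((HttpResponseException.class.cast(cause.getCause()).getBytes()));
+assertTrue(errorString.contains("invalid_permission"));
+assertTrue(errorString.contains("permission can only be created for resources with user-managed access enabled"));
+}
+}
 private List<Permission> authorize(String userName, String password, AuthorizationRequest request) {
 AuthorizationResponse response = getAuthzClient().authorization(userName, password).authorize(request);
 AccessToken token = toAccessToken(response.getToken());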
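Review bot: `new String(... .getBytes())` in the catch block of the new test decodes the error body with the platform default charset, so the two `contains` assertions depend on the environment the suite runs in; pass the charset explicitly, `String errorString = new String(HttpResponseException.class.cast(cause.getCause()).getBytes(), StandardCharsets.UTF_8);`, adding the `java.nio.charset.StandardCharsets` import if the file does not already have it. `cause.printStackTrace()` on the expected failure path only adds noise to the test output and can be dropped. The `isInstance`/`cast` pair would read more clearly as a pattern `instanceof` binding, if the test module's language level allows it. The test method is complete within the hunk; the `authorize` helper that follows continues outside it.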