Merge pull request #4203 from pedroigor/master
[KEYCLOAK-4932] - Improvements to policy enforcer and better spring boot support
1cddaeb707
4 changed files with 29 additions and 19 deletions
@ -78,13 +78,13 @@ public abstract class AbstractPolicyEnforcer {
|
|||
|
||||
if (pathConfig == null) {
|
||||
if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
|
||||
return createAuthorizationContext(accessToken);
|
||||
return createAuthorizationContext(accessToken, null);
|
||||
}
|
||||
|
||||
LOGGER.debugf("Could not find a configuration for path [%s]", path);
|
||||
|
||||
if (isDefaultAccessDeniedUri(request, enforcerConfig)) {
|
||||
return createAuthorizationContext(accessToken);
|
||||
return createAuthorizationContext(accessToken, null);
|
||||
}
|
||||
|
||||
handleAccessDenied(httpFacade);
|
||||
|
@ -100,7 +100,7 @@ public abstract class AbstractPolicyEnforcer {
|
|||
|
||||
if (isAuthorized(pathConfig, requiredScopes, accessToken, httpFacade)) {
|
||||
try {
|
||||
return createAuthorizationContext(accessToken);
|
||||
return createAuthorizationContext(accessToken, pathConfig);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e);
|
||||
}
|
||||
|
@ -252,8 +252,8 @@ public abstract class AbstractPolicyEnforcer {
|
|||
return requiredScopes;
|
||||
}
|
||||
|
||||
private AuthorizationContext createAuthorizationContext(AccessToken accessToken) {
|
||||
return new ClientAuthorizationContext(accessToken, this.paths, authzClient);
|
||||
private AuthorizationContext createAuthorizationContext(AccessToken accessToken, PathConfig pathConfig) {
|
||||
return new ClientAuthorizationContext(accessToken, pathConfig, this.paths, authzClient);
|
||||
}
|
||||
|
||||
private boolean isResourcePermission(PathConfig actualPathConfig, Permission permission) {
|
||||
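Review bot: The new createAuthorizationContext(AccessToken, PathConfig) overload in the third hunk has no Javadoc stating what a null pathConfig means, yet the first hunk passes null for two cases the enforcer did not actually authorize (PERMISSIVE mode with no matching path, and the default access-denied URI) while the second hunk passes the path that isAuthorized just accepted. Because the AuthorizationContext changed in this same commit short-circuits its permission checks on that `current` path, consumers need that distinction spelled out. Add `/** Builds the context for this request. pathConfig is the path config isAuthorized accepted for it, or null when no path config applied (PERMISSIVE mode, default access-denied URI) and no per-path grant should be assumed. */` above the overload.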
@ -30,8 +30,8 @@ public class ClientAuthorizationContext extends AuthorizationContext {
|
|||
|
||||
private final AuthzClient client;
|
||||
|
||||
public ClientAuthorizationContext(AccessToken authzToken, Map<String, PolicyEnforcerConfig.PathConfig> paths, AuthzClient client) {
|
||||
super(authzToken, paths);
|
||||
public ClientAuthorizationContext(AccessToken authzToken, PolicyEnforcerConfig.PathConfig current, Map<String, PolicyEnforcerConfig.PathConfig> paths, AuthzClient client) {
|
||||
super(authzToken, current, paths);
|
||||
this.client = client;
|
||||
}
|
||||
|
||||
@ -32,17 +32,19 @@ import java.util.Map;
|
|||
public class AuthorizationContext {
|
||||
|
||||
private final AccessToken authzToken;
|
||||
private final PathConfig current;
|
||||
private final Map<String, PathConfig> paths;
|
||||
private boolean granted;
|
||||
|
||||
public AuthorizationContext(AccessToken authzToken, Map<String, PathConfig> paths) {
|
||||
public AuthorizationContext(AccessToken authzToken, PathConfig current, Map<String, PathConfig> paths) {
|
||||
this.authzToken = authzToken;
|
||||
this.current = current;
|
||||
this.paths = paths;
|
||||
this.granted = true;
|
||||
}
|
||||
|
||||
public AuthorizationContext() {
|
||||
this(null, null);
|
||||
this(null, null, null);
|
||||
this.granted = false;
|
||||
}
|
||||
|
||||
|
@ -57,9 +59,15 @@ public class AuthorizationContext {
|
|||
return false;
|
||||
}
|
||||
|
||||
for (Permission permission : authorization.getPermissions()) {
|
||||
for (PathConfig pathHolder : this.paths.values()) {
|
||||
if (pathHolder.getName().equals(resourceName)) {
|
||||
if (current != null) {
|
||||
if (current.getName().equals(resourceName)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
if (hasResourcePermission(resourceName)) {
|
||||
for (Permission permission : authorization.getPermissions()) {
|
||||
for (PathConfig pathHolder : paths.values()) {
|
||||
if (pathHolder.getId().equals(permission.getResourceSetId())) {
|
||||
if (permission.getScopes().contains(scopeName)) {
|
||||
return true;
|
||||
|
@ -83,13 +91,15 @@ public class AuthorizationContext {
|
|||
return false;
|
||||
}
|
||||
|
||||
if (current != null) {
|
||||
if (current.getName().equals(resourceName)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
for (Permission permission : authorization.getPermissions()) {
|
||||
for (PathConfig pathHolder : this.paths.values()) {
|
||||
if (pathHolder.getName().equals(resourceName)) {
|
||||
if (pathHolder.getId().equals(permission.getResourceSetId())) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
if (permission.getResourceSetName().equals(resourceName) || permission.getResourceSetId().equals(resourceName)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
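Review bot: In the scope check in the second hunk, the new inner loop returns true as soon as any PathConfig whose id equals a permission's resource set id carries scopeName, without tying pathHolder to resourceName — the line that appears to be the removed side did test `pathHolder.getName().equals(resourceName)` inside that loop. The preceding hasResourcePermission(resourceName) guard only establishes that the resource is granted at all, so a scope granted on a different resource in the same RPT would satisfy a query for this one; restore the binding with `if (pathHolder.getName().equals(resourceName) && pathHolder.getId().equals(permission.getResourceSetId()))`. The early `current.getName().equals(resourceName)` return added to the same method also answers true for every scopeName, which is only safe if callers accept "the path the enforcer just checked" as implying all scopes — a comment stating that, or a comparison against the scopes actually required, would make the intent explicit. Both new `current.getName().equals(...)` checks throw NullPointerException if a PathConfig has no name; `resourceName.equals(current.getName())` avoids that. The enclosing methods start and end outside the hunks.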
@ -62,7 +62,7 @@ public class PolicyEnforcerConfig {
|
|||
}
|
||||
|
||||
public List<PathConfig> getPaths() {
|
||||
return Collections.unmodifiableList(this.paths);
|
||||
return this.paths;
|
||||
}
|
||||
|
||||
public EnforcementMode getEnforcementMode() {
|
||||
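Review bot: getPaths() now hands out the live internal list instead of the unmodifiable view it returned before, so any caller holding a PolicyEnforcerConfig can add, remove or reorder PathConfig entries and silently change what the enforcer protects. If the goal is to let the Spring Boot integration populate paths, express that explicitly — keep `return Collections.unmodifiableList(this.paths);` and add a dedicated mutator such as `public void setPaths(List<PathConfig> paths)` or `addPath(PathConfig)` — so read-only consumers cannot alter enforcement configuration by accident. Whether the list is also written directly by deserialization is not visible in this hunk.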