From d69d00082f3778f666307b7e104235c5880d0adc Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Thu, 1 Jun 2017 22:53:46 -0300
Subject: [PATCH] [KEYCLOAK-4932] - Improvements to policy enforcer and better spring boot support
---
 .../authorization/AbstractPolicyEnforcer.java | 10 +++---
 .../client/ClientAuthorizationContext.java | 4 +--
 .../org/keycloak/AuthorizationContext.java | 32 ++++++++++++-------
 .../adapters/config/PolicyEnforcerConfig.java | 2 +-
 4 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
index 61f46f15c8..f3127befa4 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@@ -78,13 +78,13 @@ public abstract class AbstractPolicyEnforcer {
         if (pathConfig == null) {
             if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
-                return createAuthorizationContext(accessToken);
+                return createAuthorizationContext(accessToken, null);
             }
             LOGGER.debugf("Could not find a configuration for path [%s]", path);
             if (isDefaultAccessDeniedUri(request, enforcerConfig)) {
-                return createAuthorizationContext(accessToken);
+                return createAuthorizationContext(accessToken, null);
             }
             handleAccessDenied(httpFacade);
@@ -100,7 +100,7 @@ public abstract class AbstractPolicyEnforcer {
         if (isAuthorized(pathConfig, requiredScopes, accessToken, httpFacade)) {
             try {
-                return createAuthorizationContext(accessToken);
+                return createAuthorizationContext(accessToken, pathConfig);
             } catch (Exception e) {
                 throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e);
             }
@@ -252,8 +252,8 @@ public abstract class AbstractPolicyEnforcer {
         return requiredScopes;
     }
-    private AuthorizationContext createAuthorizationContext(AccessToken accessToken) {
-        return new ClientAuthorizationContext(accessToken, this.paths, authzClient);
+    private AuthorizationContext createAuthorizationContext(AccessToken accessToken, PathConfig pathConfig) {
+        return new ClientAuthorizationContext(accessToken, pathConfig, this.paths, authzClient);
     }
     private boolean isResourcePermission(PathConfig actualPathConfig, Permission permission) {
diff --git a/authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java b/authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java
index 73bcd9f7b6..a46e5111f2 100644
--- a/authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java
+++ b/authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java
@@ -30,8 +30,8 @@ public class ClientAuthorizationContext extends AuthorizationContext {
     private final AuthzClient client;
-    public ClientAuthorizationContext(AccessToken authzToken, Map paths, AuthzClient client) {
-        super(authzToken, paths);
+    public ClientAuthorizationContext(AccessToken authzToken, PolicyEnforcerConfig.PathConfig current, Map paths, AuthzClient client) {
+        super(authzToken, current, paths);
         this.client = client;
     }
diff --git a/core/src/main/java/org/keycloak/AuthorizationContext.java b/core/src/main/java/org/keycloak/AuthorizationContext.java
index 93f3ff1f75..e096e7e2e0 100644
--- a/core/src/main/java/org/keycloak/AuthorizationContext.java
+++ b/core/src/main/java/org/keycloak/AuthorizationContext.java
@@ -32,17 +32,19 @@ import java.util.Map;
 public class AuthorizationContext {
     private final AccessToken authzToken;
+    private final PathConfig current;
     private final Map paths;
     private boolean granted;
-    public AuthorizationContext(AccessToken authzToken, Map paths) {
+    public AuthorizationContext(AccessToken authzToken, PathConfig current, Map paths) {
         this.authzToken = authzToken;
+        this.current = current;
         this.paths = paths;
         this.granted = true;
     }
     public AuthorizationContext() {
-        this(null, null);
+        this(null, null, null);
         this.granted = false;
     }
@@ -57,9 +59,15 @@ public class AuthorizationContext {
             return false;
         }
-        for (Permission permission : authorization.getPermissions()) {
-            for (PathConfig pathHolder : this.paths.values()) {
-                if (pathHolder.getName().equals(resourceName)) {
+        if (current != null) {
+            if (current.getName().equals(resourceName)) {
+                return true;
+            }
+        }
+
+        if (hasResourcePermission(resourceName)) {
+            for (Permission permission : authorization.getPermissions()) {
+                for (PathConfig pathHolder : paths.values()) {
                     if (pathHolder.getId().equals(permission.getResourceSetId())) {
                         if (permission.getScopes().contains(scopeName)) {
                             return true;
@@ -83,13 +91,15 @@ public class AuthorizationContext {
             return false;
         }
+        if (current != null) {
+            if (current.getName().equals(resourceName)) {
+                return true;
+            }
+        }
+
         for (Permission permission : authorization.getPermissions()) {
-            for (PathConfig pathHolder : this.paths.values()) {
-                if (pathHolder.getName().equals(resourceName)) {
-                    if (pathHolder.getId().equals(permission.getResourceSetId())) {
-                        return true;
-                    }
-                }
+            if (permission.getResourceSetName().equals(resourceName) || permission.getResourceSetId().equals(resourceName)) {
+                return true;
             }
         }
diff --git a/core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java b/core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java
index dd94537645..a495cadaa2 100644
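Review bot: The new `current` field and constructor parameter in the `@@ -32,17 +32,19 @@` hunk carry no documentation, yet the AbstractPolicyEnforcer call sites pass `null` for it on the permissive-mode and access-denied-URI paths, so a reader of the later null checks cannot tell whether null is an expected state or a bug. A field comment such as `// PathConfig the enforcer matched for the current request; null when access was granted without a matching path (permissive mode, access-denied URI)` would make the `current != null` branches in the other two hunks self-explanatory. The no-arg constructor's `this(null, null, null)` is the third such site and deserves the same mention.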
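Review bot: In the `@@ -57,9 +59,15 @@` hunk the new `current != null` branch returns true as soon as `current.getName()` equals `resourceName`, before `scopeName` is consulted, whereas the removed loop only returned true when `permission.getScopes().contains(scopeName)` held; for the path being enforced, a caller asking about a scope the token was never granted now gets a positive answer, which narrows the check in a way the commit does not discuss. Either drop the short-circuit here and let the permission loop decide, or limit it to scopes the current path actually requires, e.g. `if (current != null && resourceName.equals(current.getName()) && current.getScopes().contains(scopeName))` (assuming the PathConfig scope list is what the enforcer used for its own check; not visible here). Reversing the comparison to `resourceName.equals(current.getName())` also avoids a NullPointerException when a path is configured without a name, and the same pattern appears in the `@@ -83,13 +91,15 @@` hunk. The enclosing method's signature lies outside the hunk, so its documented contract for `scopeName` should be confirmed against this change.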
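Review bot: In the `@@ -83,13 +91,15 @@` hunk `permission.getResourceSetName().equals(resourceName)` dereferences a value the old code never relied on; if a permission in the server response carries no resource set name, the check throws NullPointerException from inside an authorization decision rather than returning false. `resourceName.equals(permission.getResourceSetName()) || resourceName.equals(permission.getResourceSetId())` is null-safe in both operands and reads the same. The new condition also accepts the argument as either a resource name or a resource id, which the removed path-table lookup did not; if that is intended, a one-line comment saying so would stop a later reader from "fixing" it back. The enclosing method starts before the hunk and its name is not visible here.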
--- a/core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java
+++ b/core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java
@@ -62,7 +62,7 @@ public class PolicyEnforcerConfig {
     }
     public List getPaths() {
-        return Collections.unmodifiableList(this.paths);
+        return this.paths;
     }
     public EnforcementMode getEnforcementMode() {
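Review bot: `getPaths()` now hands out the backing `this.paths` list itself, so any component holding a PolicyEnforcerConfig can add, remove or reorder PathConfig entries after the enforcer has built its path table, which the removed `Collections.unmodifiableList` wrapper prevented. If the motivation is to let a property binder populate the list (the subject line mentions spring boot support; inferred), a setter or a binder-side mutable copy keeps the getter read-only for adapter code. At minimum the getter should say what it now returns, e.g. `/** Returns the live, mutable path configuration list; changes are visible to the enforcer. */`. The `Collections` import may be left unused by this change, though the import block is outside the hunk.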