libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Merge pull request #4203 from pedroigor/master

Browse source 
[KEYCLOAK-4932] - Improvements to policy enforcer and better spring boot support
This commit is contained in:
Pedro Igor 2017-06-02 10:31:10 -03:00 committed by GitHub
commit 1cddaeb707
4 changed files with 29 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
View file

@ -78,13 +78,13 @@ public abstract class AbstractPolicyEnforcer {
if (pathConfig == null) { if (pathConfig == null) {
if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) { if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
return createAuthorizationContext(accessToken); return createAuthorizationContext(accessToken, null);
} }
LOGGER.debugf("Could not find a configuration for path [%s]", path); LOGGER.debugf("Could not find a configuration for path [%s]", path);
if (isDefaultAccessDeniedUri(request, enforcerConfig)) { if (isDefaultAccessDeniedUri(request, enforcerConfig)) {
return createAuthorizationContext(accessToken); return createAuthorizationContext(accessToken, null);
} }
handleAccessDenied(httpFacade); handleAccessDenied(httpFacade);
@ -100,7 +100,7 @@ public abstract class AbstractPolicyEnforcer {
if (isAuthorized(pathConfig, requiredScopes, accessToken, httpFacade)) { if (isAuthorized(pathConfig, requiredScopes, accessToken, httpFacade)) {
try { try {
return createAuthorizationContext(accessToken); return createAuthorizationContext(accessToken, pathConfig);
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e); throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e);
} }
@ -252,8 +252,8 @@ public abstract class AbstractPolicyEnforcer {
return requiredScopes; return requiredScopes;
} }
private AuthorizationContext createAuthorizationContext(AccessToken accessToken) { private AuthorizationContext createAuthorizationContext(AccessToken accessToken, PathConfig pathConfig) {
return new ClientAuthorizationContext(accessToken, this.paths, authzClient); return new ClientAuthorizationContext(accessToken, pathConfig, this.paths, authzClient);
} }
private boolean isResourcePermission(PathConfig actualPathConfig, Permission permission) { private boolean isResourcePermission(PathConfig actualPathConfig, Permission permission) {

4
authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java
View file

@ -30,8 +30,8 @@ public class ClientAuthorizationContext extends AuthorizationContext {
private final AuthzClient client; private final AuthzClient client;
public ClientAuthorizationContext(AccessToken authzToken, Map<String, PolicyEnforcerConfig.PathConfig> paths, AuthzClient client) { public ClientAuthorizationContext(AccessToken authzToken, PolicyEnforcerConfig.PathConfig current, Map<String, PolicyEnforcerConfig.PathConfig> paths, AuthzClient client) {
super(authzToken, paths); super(authzToken, current, paths);
this.client = client; this.client = client;
} }

32
core/src/main/java/org/keycloak/AuthorizationContext.java
View file

@ -32,17 +32,19 @@ import java.util.Map;
public class AuthorizationContext { public class AuthorizationContext {
private final AccessToken authzToken; private final AccessToken authzToken;
private final PathConfig current;
private final Map<String, PathConfig> paths; private final Map<String, PathConfig> paths;
private boolean granted; private boolean granted;
public AuthorizationContext(AccessToken authzToken, Map<String, PathConfig> paths) { public AuthorizationContext(AccessToken authzToken, PathConfig current, Map<String, PathConfig> paths) {
this.authzToken = authzToken; this.authzToken = authzToken;
this.current = current;
this.paths = paths; this.paths = paths;
this.granted = true; this.granted = true;
} }
public AuthorizationContext() { public AuthorizationContext() {
this(null, null); this(null, null, null);
this.granted = false; this.granted = false;
} }
@ -57,9 +59,15 @@ public class AuthorizationContext {
return false; return false;
} }
for (Permission permission : authorization.getPermissions()) { if (current != null) {
for (PathConfig pathHolder : this.paths.values()) { if (current.getName().equals(resourceName)) {
if (pathHolder.getName().equals(resourceName)) { return true;
}
}
if (hasResourcePermission(resourceName)) {
for (Permission permission : authorization.getPermissions()) {
for (PathConfig pathHolder : paths.values()) {
if (pathHolder.getId().equals(permission.getResourceSetId())) { if (pathHolder.getId().equals(permission.getResourceSetId())) {
if (permission.getScopes().contains(scopeName)) { if (permission.getScopes().contains(scopeName)) {
return true; return true;
@ -83,13 +91,15 @@ public class AuthorizationContext {
return false; return false;
} }
if (current != null) {
if (current.getName().equals(resourceName)) {
return true;
}
}
for (Permission permission : authorization.getPermissions()) { for (Permission permission : authorization.getPermissions()) {
for (PathConfig pathHolder : this.paths.values()) { if (permission.getResourceSetName().equals(resourceName) || permission.getResourceSetId().equals(resourceName)) {
if (pathHolder.getName().equals(resourceName)) { return true;
if (pathHolder.getId().equals(permission.getResourceSetId())) {
return true;
}
}
} }
} }

2
core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java
View file

@ -62,7 +62,7 @@ public class PolicyEnforcerConfig {
} }
public List<PathConfig> getPaths() { public List<PathConfig> getPaths() {
return Collections.unmodifiableList(this.paths); return this.paths;
} }
public EnforcementMode getEnforcementMode() { public EnforcementMode getEnforcementMode() {