Merge pull request #4203 from pedroigor/master

[KEYCLOAK-4932] - Improvements to policy enforcer and better spring boot support

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java

@@ -78,13 +78,13 @@ public abstract class AbstractPolicyEnforcer {
 
                 if (pathConfig == null) {
                     if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
-                        return createAuthorizationContext(accessToken);
+                        return createAuthorizationContext(accessToken, null);
                     }
 
                     LOGGER.debugf("Could not find a configuration for path [%s]", path);
 
                     if (isDefaultAccessDeniedUri(request, enforcerConfig)) {
-                        return createAuthorizationContext(accessToken);
+                        return createAuthorizationContext(accessToken, null);
                     }
 
                     handleAccessDenied(httpFacade);
@@ -100,7 +100,7 @@ public abstract class AbstractPolicyEnforcer {
 
                 if (isAuthorized(pathConfig, requiredScopes, accessToken, httpFacade)) {
                     try {
-                        return createAuthorizationContext(accessToken);
+                        return createAuthorizationContext(accessToken, pathConfig);
                     } catch (Exception e) {
                         throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e);
                     }
@@ -252,8 +252,8 @@ public abstract class AbstractPolicyEnforcer {
         return requiredScopes;
     }
 
-    private AuthorizationContext createAuthorizationContext(AccessToken accessToken) {
-        return new ClientAuthorizationContext(accessToken, this.paths, authzClient);
+    private AuthorizationContext createAuthorizationContext(AccessToken accessToken, PathConfig pathConfig) {
+        return new ClientAuthorizationContext(accessToken, pathConfig, this.paths, authzClient);
     }
 
     private boolean isResourcePermission(PathConfig actualPathConfig, Permission permission) {

authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java

@@ -30,8 +30,8 @@ public class ClientAuthorizationContext extends AuthorizationContext {
 
     private final AuthzClient client;
 
-    public ClientAuthorizationContext(AccessToken authzToken, Map<String, PolicyEnforcerConfig.PathConfig> paths, AuthzClient client) {
-        super(authzToken, paths);
+    public ClientAuthorizationContext(AccessToken authzToken, PolicyEnforcerConfig.PathConfig current, Map<String, PolicyEnforcerConfig.PathConfig> paths, AuthzClient client) {
+        super(authzToken, current, paths);
         this.client = client;
     }
 

core/src/main/java/org/keycloak/AuthorizationContext.java

@@ -32,17 +32,19 @@ import java.util.Map;
 public class AuthorizationContext {
 
     private final AccessToken authzToken;
+    private final PathConfig current;
     private final Map<String, PathConfig> paths;
     private boolean granted;
 
-    public AuthorizationContext(AccessToken authzToken, Map<String, PathConfig> paths) {
+    public AuthorizationContext(AccessToken authzToken, PathConfig current, Map<String, PathConfig> paths) {
         this.authzToken = authzToken;
+        this.current = current;
         this.paths = paths;
         this.granted = true;
     }
 
     public AuthorizationContext() {
-        this(null, null);
+        this(null, null, null);
         this.granted = false;
     }
 
@@ -57,9 +59,15 @@ public class AuthorizationContext {
             return false;
         }
 
+        if (current != null) {
+            if (current.getName().equals(resourceName)) {
+                return true;
+            }
+        }
+
+        if (hasResourcePermission(resourceName)) {
             for (Permission permission : authorization.getPermissions()) {
-            for (PathConfig pathHolder : this.paths.values()) {
-                if (pathHolder.getName().equals(resourceName)) {
+                for (PathConfig pathHolder : paths.values()) {
                     if (pathHolder.getId().equals(permission.getResourceSetId())) {
                         if (permission.getScopes().contains(scopeName)) {
                             return true;
@@ -83,13 +91,15 @@ public class AuthorizationContext {
             return false;
         }
 
-        for (Permission permission : authorization.getPermissions()) {
-            for (PathConfig pathHolder : this.paths.values()) {
-                if (pathHolder.getName().equals(resourceName)) {
-                    if (pathHolder.getId().equals(permission.getResourceSetId())) {
+        if (current != null) {
+            if (current.getName().equals(resourceName)) {
                 return true;
             }
         }
+
+        for (Permission permission : authorization.getPermissions()) {
+            if (permission.getResourceSetName().equals(resourceName) || permission.getResourceSetId().equals(resourceName)) {
+                return true;
             }
         }
 

core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java

@@ -62,7 +62,7 @@ public class PolicyEnforcerConfig {
     }
 
     public List<PathConfig> getPaths() {
-        return Collections.unmodifiableList(this.paths);
+        return this.paths;
     }
 
     public EnforcementMode getEnforcementMode() {