[KEYCLOAK-15406] - Grant access when evaluating user-managed permission for the owner

2020-09-21 15:15:27 -03:00 · 2020-09-21 15:15:27 -03:00 · 24f90ca6cb
commit 24f90ca6cb
parent ee3f9b71db
3 changed files with 54 additions and 1 deletions
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProvider.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProvider.java
@ -36,6 +36,7 @@ public class UMAPolicyProvider extends AbstractPermissionProvider {

            // no need to evaluate UMA permissions to resource owner resources
            if (resource.getOwner().equals(identity.getId())) {
+                evaluation.grant();
                return;
            }
        }
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/AbstractDecisionCollector.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/AbstractDecisionCollector.java
@ -63,7 +63,7 @@ public abstract class AbstractDecisionCollector implements Decision<DefaultEvalu
                        }
                    }

-                    return null;
+                    return new Result(permission1, evaluation);
                }).policy(parentPolicy);
            } else {
                results.computeIfAbsent(permission, p -> new Result(p, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
@ -659,6 +659,58 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
        }
    }

+    @Test
+    public void testOwnerAccess() {
+        ResourceRepresentation resource = new ResourceRepresentation();
+
+        resource.setName(UUID.randomUUID().toString());
+        resource.setOwner("marta");
+        resource.addScope("Scope A", "Scope B", "Scope C");
+        resource.setOwnerManagedAccess(true);
+
+        ProtectionResource protection = getAuthzClient().protection();
+
+        resource = protection.resource().create(resource);
+
+        UmaPermissionRepresentation rep = null;
+        
+        try {
+            rep = new UmaPermissionRepresentation();
+            
+            rep.setName("test");
+            rep.addRole("role_b");
+            
+            rep = getAuthzClient().protection("marta", "password").policy(resource.getId()).create(rep);
+        } catch (Exception e) {
+            assertTrue(HttpResponseException.class.cast(e.getCause()).toString().contains("Only resources with owner managed accessed can have policies"));
+        }
+
+        AuthorizationResource authorization = getAuthzClient().authorization("marta", "password");
+
+        AuthorizationRequest request = new AuthorizationRequest();
+        
+        request.addPermission(resource.getId(), "Scope A");
+
+        AuthorizationResponse authorize = authorization.authorize(request);
+        
+        assertNotNull(authorize);
+
+        try {
+            getAuthzClient().authorization("kolo", "password").authorize(request);
+            fail("User should not have permission");
+        } catch (Exception e) {
+            assertTrue(AuthorizationDeniedException.class.isInstance(e));
+        }
+
+        rep.addRole("role_a");
+        
+        getAuthzClient().protection("marta", "password").policy(resource.getId()).update(rep);
+
+        authorization = getAuthzClient().authorization("kolo", "password");
+
+        assertNotNull(authorization.authorize(request));
+    }
+
    @Test
    public void testFindPermission() {
        ResourceRepresentation resource = new ResourceRepresentation();