[KEYCLOAK-15406] - Grant access when evaluating user-managed permission for the owner
parent
ee3f9b71db
commit
24f90ca6cb
3 changed files with 54 additions and 1 deletions
|
@ -36,6 +36,7 @@ public class UMAPolicyProvider extends AbstractPermissionProvider {
|
|||
|
||||
// no need to evaluate UMA permissions to resource owner resources
|
||||
if (resource.getOwner().equals(identity.getId())) {
|
||||
evaluation.grant();
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
|
|
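Review bot: The owner short-circuit at `if (resource.getOwner().equals(identity.getId()))` grants every scope in the permission without consulting the user-managed policies the rest of this provider evaluates, and the comment above it only says evaluation is unnecessary rather than stating that intent. Replace it with `// The resource owner always gets full access: grant every requested scope and skip the UMA policy evaluation below, which applies only to third-party requesters.` It would also help to state what `identity.getId()` is expected to hold relative to `resource.getOwner()` (presumably the same user id kind — confirm), because a mismatch in id kinds would silently route the owner through policy evaluation instead of the grant. The enclosing method starts before the hunk, so the scopes being granted are not visible here.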
@ -63,7 +63,7 @@ public abstract class AbstractDecisionCollector implements Decision<DefaultEvalu
|
|||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
return new Result(permission1, evaluation);
|
||||
}).policy(parentPolicy);
|
||||
} else {
|
||||
results.computeIfAbsent(permission, p -> new Result(p, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
|
||||
|
|
|
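Review bot: The lambda parameter that reaches `return new Result(permission1, evaluation);` is named `permission1`, while the parallel `else` branch below names the same thing `p` in `new Result(p, evaluation)`; using `p` in both keeps the two branches reading as the same construction. Returning a Result here instead of `null` also changes what `computeIfAbsent` hands to the chained `.policy(parentPolicy)` — a null mapping result meant no entry and a null receiver — so a one-line comment such as `// Always materialize a Result so the chained .policy(parentPolicy) has a receiver` would record why null is no longer acceptable. The lambda's opening and the conditions preceding this return are outside the hunk, so I cannot tell whether the earlier branches also need `policy(evaluation.getPolicy(), evaluation.getEffect())` attached the way the else branch does.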
@ -659,6 +659,58 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testOwnerAccess() {
|
||||
ResourceRepresentation resource = new ResourceRepresentation();
|
||||
|
||||
resource.setName(UUID.randomUUID().toString());
|
||||
resource.setOwner("marta");
|
||||
resource.addScope("Scope A", "Scope B", "Scope C");
|
||||
resource.setOwnerManagedAccess(true);
|
||||
|
||||
ProtectionResource protection = getAuthzClient().protection();
|
||||
|
||||
resource = protection.resource().create(resource);
|
||||
|
||||
UmaPermissionRepresentation rep = null;
|
||||
|
||||
try {
|
||||
rep = new UmaPermissionRepresentation();
|
||||
|
||||
rep.setName("test");
|
||||
rep.addRole("role_b");
|
||||
|
||||
rep = getAuthzClient().protection("marta", "password").policy(resource.getId()).create(rep);
|
||||
} catch (Exception e) {
|
||||
assertTrue(HttpResponseException.class.cast(e.getCause()).toString().contains("Only resources with owner managed accessed can have policies"));
|
||||
}
|
||||
|
||||
AuthorizationResource authorization = getAuthzClient().authorization("marta", "password");
|
||||
|
||||
AuthorizationRequest request = new AuthorizationRequest();
|
||||
|
||||
request.addPermission(resource.getId(), "Scope A");
|
||||
|
||||
AuthorizationResponse authorize = authorization.authorize(request);
|
||||
|
||||
assertNotNull(authorize);
|
||||
|
||||
try {
|
||||
getAuthzClient().authorization("kolo", "password").authorize(request);
|
||||
fail("User should not have permission");
|
||||
} catch (Exception e) {
|
||||
assertTrue(AuthorizationDeniedException.class.isInstance(e));
|
||||
}
|
||||
|
||||
rep.addRole("role_a");
|
||||
|
||||
getAuthzClient().protection("marta", "password").policy(resource.getId()).update(rep);
|
||||
|
||||
authorization = getAuthzClient().authorization("kolo", "password");
|
||||
|
||||
assertNotNull(authorization.authorize(request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFindPermission() {
|
||||
ResourceRepresentation resource = new ResourceRepresentation();
|
||||
|
|
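Review bot: The `catch (Exception e)` around the policy creation in testOwnerAccess masks unexpected failures: the resource is created with `setOwnerManagedAccess(true)`, so the "Only resources with owner managed accessed can have policies" error is not an expected path here, and if anything else goes wrong `e.getCause()` may be null, turning the failure into a NullPointerException inside the assertion instead of a clear message. Replace the catch body with `fail("Policy creation should not fail: " + e);`, or drop the try/catch and let the exception propagate. The owner check at `assertNotNull(authorize)` only proves a response came back; asserting that the returned token actually carries "Scope A" for `resource.getId()` would pin the behaviour this commit introduces. The method ends at its closing brace before the `testFindPermission` context lines.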