[KEYCLOAK-15406] - Grant access when evaluating user-managed permission for the owner

This commit is contained in:
Pedro Igor 2020-09-21 15:15:27 -03:00
parent ee3f9b71db
commit 24f90ca6cb
3 changed files with 54 additions and 1 deletions


@ -36,6 +36,7 @@ public class UMAPolicyProvider extends AbstractPermissionProvider {
// no need to evaluate UMA permissions to resource owner resources
if (resource.getOwner().equals(identity.getId())) {
evaluation.grant();
return;
}
}
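Review bot: The comment above the owner check no longer describes the branch, which now grants the evaluation explicitly rather than just skipping the UMA policy evaluation; I would rewrite it as `// the resource owner is always granted: UMA policies are never evaluated against the owner's own resources`. The enclosing evaluate method starts outside the hunk, so I cannot see whether `resource.getOwner()` is guaranteed non-null here; if it is not, `identity.getId().equals(resource.getOwner())` would be the safer order of comparison, assuming identity ids are non-null.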


@ -63,7 +63,7 @@ public abstract class AbstractDecisionCollector implements Decision<DefaultEvalu
}
}
return null;
return new Result(permission1, evaluation);
}).policy(parentPolicy);
} else {
results.computeIfAbsent(permission, p -> new Result(p, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
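Review bot: The fallthrough `return new Result(permission1, evaluation);` now yields a fresh Result only chained with `.policy(parentPolicy)`, while the else branch below additionally records `evaluation.getPolicy()` and `evaluation.getEffect()` on its Result; if the loop above (which starts outside the hunk) is what records the evaluation's own effect on a matched Result, a freshly created one may end up without that effect. Since returning null from this mapping function would have made `.policy(parentPolicy)` dereference null, the reason for the new line deserves a comment such as `// no existing result matched the permission: start a new one so policy(parentPolicy) below never sees null`. The surrounding method continues before and after the hunk.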


@ -659,6 +659,58 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
}
}
@Test
public void testOwnerAccess() {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(UUID.randomUUID().toString());
resource.setOwner("marta");
resource.addScope("Scope A", "Scope B", "Scope C");
resource.setOwnerManagedAccess(true);
ProtectionResource protection = getAuthzClient().protection();
resource = protection.resource().create(resource);
UmaPermissionRepresentation rep = null;
try {
rep = new UmaPermissionRepresentation();
rep.setName("test");
rep.addRole("role_b");
rep = getAuthzClient().protection("marta", "password").policy(resource.getId()).create(rep);
} catch (Exception e) {
assertTrue(HttpResponseException.class.cast(e.getCause()).toString().contains("Only resources with owner managed accessed can have policies"));
}
AuthorizationResource authorization = getAuthzClient().authorization("marta", "password");
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resource.getId(), "Scope A");
AuthorizationResponse authorize = authorization.authorize(request);
assertNotNull(authorize);
try {
getAuthzClient().authorization("kolo", "password").authorize(request);
fail("User should not have permission");
} catch (Exception e) {
assertTrue(AuthorizationDeniedException.class.isInstance(e));
}
rep.addRole("role_a");
getAuthzClient().protection("marta", "password").policy(resource.getId()).update(rep);
authorization = getAuthzClient().authorization("kolo", "password");
assertNotNull(authorization.authorize(request));
}
@Test
public void testFindPermission() {
ResourceRepresentation resource = new ResourceRepresentation();
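Review bot: The try/catch around policy creation in testOwnerAccess masks a failure instead of reporting it: the resource is created with `setOwnerManagedAccess(true)`, so the "Only resources with owner managed accessed can have policies" error the catch accepts should not occur, and if creation did fail for any other reason `rep` stays null and the test dies later with a NullPointerException at `rep.addRole("role_a")` rather than a meaningful assertion. I would replace the catch body with `} catch (Exception e) {` / `fail("Policy creation should succeed for an owner-managed resource: " + e);` / `}`, or drop the try/catch entirely. The denial check for "kolo" would also read more directly as `assertTrue(e instanceof AuthorizationDeniedException);`.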