Merge pull request #5114 from pedroigor/KEYCLOAK-7028

[KEYCLOAK-7028] - Propagating AuthorizationContext when enforcement-mode is disabled for a path
2018-04-03 10:01:57 -03:00 · 2018-04-03 10:01:57 -03:00 · 28d0ab9da8
commit 28d0ab9da8
parent 103a3c4ca7 5c52da80c6
7 changed files with 78 additions and 24 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@ -95,7 +95,7 @@ public abstract class AbstractPolicyEnforcer {
            }

            if (EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
-                return createEmptyAuthorizationContext(true);
+                return createAuthorizationContext(accessToken, pathConfig);
            }

            MethodConfig methodConfig = getRequiredScopes(pathConfig, request);
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
@ -137,7 +137,11 @@ public class PolicyEnforcer {

        if (loadPathsFromServer) {
            LOGGER.info("No path provided in configuration.");
-            return configureAllPathsForResourceServer(protectedResource);
+            Map<String, PathConfig> paths = configureAllPathsForResourceServer(protectedResource);
+
+            paths.putAll(configureDefinedPaths(protectedResource, enforcerConfig));
+
+            return paths;
        } else {
            LOGGER.info("Paths provided in configuration.");
            return configureDefinedPaths(protectedResource, enforcerConfig);
--- a/testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json
@ -10,6 +10,14 @@
  },
  "policy-enforcer": {
    "on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp",
-    "lazy-load-paths": true
+    "lazy-load-paths": true,
+    "paths": [
+      {
+        "name": "Premium Resource",
+        "path": "/protected/premium/pep-disabled.jsp",
+        "enforcement-mode": "DISABLED"
+      }
+    ]
+
  }
 }
--- a/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/index.jsp
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/index.jsp
@ -14,6 +14,7 @@

    <p><a href="protected/dynamicMenu.jsp">Dynamic Menu</a></p>
    <p><a href="protected/premium/onlyPremium.jsp">User Premium</a></p>
+    <p><a href="protected/premium/pep-disabled.jsp">PEP Disabled</a></p>
    <p><a href="protected/admin/onlyAdmin.jsp">Administration</a></p>

    <h3>Your permissions are:</h3>
--- a/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/protected/premium/pep-disabled.jsp
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/protected/premium/pep-disabled.jsp
@ -0,0 +1,48 @@
+<%@page import="org.keycloak.AuthorizationContext" %>
+<%@ page import="org.keycloak.KeycloakSecurityContext" %>
+
+<%
+    KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
+    AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
+%>
+
+<html>
+<body>
+<h2>Policy enforcement is disabled. Access granted: <%= authzContext.isGranted() %></h2>
+<%@include file="../../logout-include.jsp"%>
+
+<p>Here is a dynamic menu built from the permissions returned by the server:</p>
+
+<ul>
+    <%
+        if (authzContext.hasResourcePermission("Protected Resource")) {
+    %>
+    <li>
+        Do user thing
+    </li>
+    <%
+        }
+    %>
+
+    <%
+        if (authzContext.hasResourcePermission("Premium Resource")) {
+    %>
+    <li>
+        Do  user premium thing
+    </li>
+    <%
+        }
+    %>
+
+    <%
+        if (authzContext.hasPermission("Admin Resource", "urn:servlet-authz:protected:admin:access")) {
+    %>
+    <li>
+        Do administration thing
+    </li>
+    <%
+        }
+    %>
+</ul>
+</body>
+</html>
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java
@ -93,7 +93,7 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
        return this.driver.getPageSource().contains(text);
    }

-    private WebElement getLink(String text) {
+    protected WebElement getLink(String text) {
        return this.driver.findElement(By.xpath("//a[text() = '" + text + "']"));
    }

@ -137,7 +137,7 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
        }
    }

-    private void navigateTo() {
+    protected void navigateTo() {
        this.driver.navigate().to(getResourceServerUrl());
        WaitUtils.waitUntilElement(By.xpath("//a[text() = 'Dynamic Menu']"));
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzLazyLoadPathsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzLazyLoadPathsAdapterTest.java
@ -17,32 +17,13 @@
 package org.keycloak.testsuite.adapter.example.authorization;

 import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;

 import java.io.File;
 import java.io.IOException;
-import java.util.Arrays;
-import java.util.List;
-
-import javax.ws.rs.core.Response;

 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.junit.Test;
-import org.keycloak.admin.client.resource.ClientPoliciesResource;
-import org.keycloak.admin.client.resource.RealmResource;
-import org.keycloak.admin.client.resource.ResourcesResource;
-import org.keycloak.admin.client.resource.RolePoliciesResource;
-import org.keycloak.admin.client.resource.RoleScopeResource;
-import org.keycloak.admin.client.resource.RolesResource;
-import org.keycloak.admin.client.resource.UserResource;
-import org.keycloak.admin.client.resource.UsersResource;
-import org.keycloak.representations.idm.RoleRepresentation;
-import org.keycloak.representations.idm.UserRepresentation;
-import org.keycloak.representations.idm.authorization.ClientPolicyRepresentation;
-import org.keycloak.representations.idm.authorization.ResourceRepresentation;
-import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
-import org.keycloak.testsuite.util.WaitUtils;

 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -55,4 +36,16 @@ public abstract class AbstractServletAuthzLazyLoadPathsAdapterTest extends Abstr
                .addAsWebInfResource(new File(TEST_APPS_HOME_DIR + "/servlet-authz-app/keycloak-lazy-load-authz-service.json"), "keycloak.json");
    }

+    @Test
+    public void testPathPEPDisabled() {
+        performTests(() -> {
+            login("alice", "alice");
+            assertFalse(wasDenied());
+
+            navigateTo();
+            getLink("PEP Disabled").click();
+
+            hasText("Policy enforcement is disabled. Access granted: true");
+        });
+    }
 }