Merge pull request #5114 from pedroigor/KEYCLOAK-7028

[KEYCLOAK-7028] - Propagating AuthorizationContext when enforcement-mode is disabled for a path
2018-04-03 10:01:57 -03:00 · 2018-04-03 10:01:57 -03:00 · 28d0ab9da8
commit 28d0ab9da8
parent 103a3c4ca7 5c52da80c6
7 changed files with 78 additions and 24 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@ -95,7 +95,7 @@ public abstract class AbstractPolicyEnforcer {
            }
            if (EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
-                return createEmptyAuthorizationContext(true);
+                return createAuthorizationContext(accessToken, pathConfig);
            }
            MethodConfig methodConfig = getRequiredScopes(pathConfig, request);
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
@ -137,7 +137,11 @@ public class PolicyEnforcer {
        if (loadPathsFromServer) {
            LOGGER.info("No path provided in configuration.");
-            return configureAllPathsForResourceServer(protectedResource);
+            Map<String, PathConfig> paths = configureAllPathsForResourceServer(protectedResource);
            paths.putAll(configureDefinedPaths(protectedResource, enforcerConfig));
            return paths;
        } else {
            LOGGER.info("Paths provided in configuration.");
            return configureDefinedPaths(protectedResource, enforcerConfig);
--- a/testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json
@ -10,6 +10,14 @@
  },
  "policy-enforcer": {
    "on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp",
-    "lazy-load-paths": true
+    "lazy-load-paths": true,
    "paths": [
      {
        "name": "Premium Resource",
        "path": "/protected/premium/pep-disabled.jsp",
        "enforcement-mode": "DISABLED"
      }
    ]
  }
 }
--- a/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/index.jsp
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/index.jsp
@ -14,6 +14,7 @@
    <p><a href="protected/dynamicMenu.jsp">Dynamic Menu</a></p>
    <p><a href="protected/premium/onlyPremium.jsp">User Premium</a></p>
    <p><a href="protected/premium/pep-disabled.jsp">PEP Disabled</a></p>
    <p><a href="protected/admin/onlyAdmin.jsp">Administration</a></p>
    <h3>Your permissions are:</h3>
--- a/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/protected/premium/pep-disabled.jsp
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/protected/premium/pep-disabled.jsp
@ -0,0 +1,48 @@
 <%@page import="org.keycloak.AuthorizationContext" %>
 <%@ page import="org.keycloak.KeycloakSecurityContext" %>
 <%
    KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
 %>
 <html>
 <body>
 <h2>Policy enforcement is disabled. Access granted: <%= authzContext.isGranted() %></h2>
 <%@include file="../../logout-include.jsp"%>
 <p>Here is a dynamic menu built from the permissions returned by the server:</p>
 <ul>
    <%
        if (authzContext.hasResourcePermission("Protected Resource")) {
    %>
    <li>
        Do user thing
    </li>
    <%
        }
    %>
    <%
        if (authzContext.hasResourcePermission("Premium Resource")) {
    %>
    <li>
        Do  user premium thing
    </li>
    <%
        }
    %>
    <%
        if (authzContext.hasPermission("Admin Resource", "urn:servlet-authz:protected:admin:access")) {
    %>
    <li>
        Do administration thing
    </li>
    <%
        }
    %>
 </ul>
 </body>
 </html>
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java
@ -93,7 +93,7 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
        return this.driver.getPageSource().contains(text);
    }
-    private WebElement getLink(String text) {
+    protected WebElement getLink(String text) {
        return this.driver.findElement(By.xpath("//a[text() = '" + text + "']"));
    }
@ -137,7 +137,7 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
        }
    }
-    private void navigateTo() {
+    protected void navigateTo() {
        this.driver.navigate().to(getResourceServerUrl());
        WaitUtils.waitUntilElement(By.xpath("//a[text() = 'Dynamic Menu']"));
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzLazyLoadPathsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzLazyLoadPathsAdapterTest.java
@ -17,32 +17,13 @@
 package org.keycloak.testsuite.adapter.example.authorization;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import java.io.File;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.List;
 import javax.ws.rs.core.Response;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.junit.Test;
 import org.keycloak.admin.client.resource.ClientPoliciesResource;
 import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.admin.client.resource.ResourcesResource;
 import org.keycloak.admin.client.resource.RolePoliciesResource;
 import org.keycloak.admin.client.resource.RoleScopeResource;
 import org.keycloak.admin.client.resource.RolesResource;
 import org.keycloak.admin.client.resource.UserResource;
 import org.keycloak.admin.client.resource.UsersResource;
 import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.representations.idm.authorization.ClientPolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
 import org.keycloak.testsuite.util.WaitUtils;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -55,4 +36,16 @@ public abstract class AbstractServletAuthzLazyLoadPathsAdapterTest extends Abstr
                .addAsWebInfResource(new File(TEST_APPS_HOME_DIR + "/servlet-authz-app/keycloak-lazy-load-authz-service.json"), "keycloak.json");
    }
    @Test
    public void testPathPEPDisabled() {
        performTests(() -> {
            login("alice", "alice");
            assertFalse(wasDenied());
            navigateTo();
            getLink("PEP Disabled").click();
            hasText("Policy enforcement is disabled. Access granted: true");
        });
    }
 }