KEYCLOAK-7562 Fix ClientInitiatedAccountLinkTest#testErrorConditions

2018-08-01 11:17:36 +02:00 · 2018-08-01 11:17:36 +02:00 · 29da7d3d90
commit 29da7d3d90
parent f99299ee39
2 changed files with 6 additions and 2 deletions
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@ -45,6 +45,7 @@ import org.keycloak.models.AccountRoles;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.AuthenticationFlowModel;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientSessionContext;
 import org.keycloak.models.Constants;
 import org.keycloak.models.FederatedIdentityModel;
 import org.keycloak.models.IdentityProviderMapperModel;
@ -80,6 +81,7 @@ import org.keycloak.services.messages.Messages;
 import org.keycloak.services.resources.account.AccountFormService;
 import org.keycloak.services.util.BrowserHistoryHelper;
 import org.keycloak.services.util.CacheControlUtil;
+import org.keycloak.services.util.DefaultClientSessionContext;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.sessions.AuthenticationSessionModel;
 import org.keycloak.sessions.RootAuthenticationSessionModel;
@ -262,7 +264,10 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
        ClientModel accountService = this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        if (!accountService.getId().equals(client.getId())) {
            RoleModel manageAccountRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT);
-            Set<RoleModel> userAccountRoles = cookieResult.getUser().getClientRoleMappings(accountService);
+
+            // Ensure user has role and client has "role scope" for this role
+            ClientSessionContext ctx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession);
+            Set<RoleModel> userAccountRoles = ctx.getRoles();

            if (!userAccountRoles.contains(manageAccountRole)) {
                RoleModel linkRole = accountService.getRole(AccountRoles.MANAGE_ACCOUNT_LINKS);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.java
@ -205,7 +205,6 @@ public class ClientInitiatedAccountLinkTest extends AbstractServletsAdapterTest


    @Test
-    @Ignore("KEYCLOAK-7562")
    public void testErrorConditions() throws Exception {

        RealmResource realm = adminClient.realms().realm(CHILD_IDP);