[KEYCLOAK-9402] - 401 response when enforcement mode is DISABLED

2020-01-27 17:55:06 -03:00 · 2020-01-27 17:55:06 -03:00 · 2a82ed6eea
commit 2a82ed6eea
parent 873c62bbef
3 changed files with 34 additions and 1 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@ -59,14 +59,17 @@ public abstract class AbstractPolicyEnforcer {

    public AuthorizationContext authorize(OIDCHttpFacade httpFacade) {
        EnforcementMode enforcementMode = getEnforcerConfig().getEnforcementMode();
+        KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();

        if (EnforcementMode.DISABLED.equals(enforcementMode)) {
+            if (securityContext == null) {
+                httpFacade.getResponse().sendError(401, "Invalid bearer");
+            }
            return createEmptyAuthorizationContext(true);
        }

        Request request = httpFacade.getRequest();
        PathConfig pathConfig = getPathConfig(request);
-        KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();

        if (securityContext == null) {
            if (!isDefaultAccessDeniedUri(request)) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
@ -301,6 +301,17 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
        assertTrue(context.isGranted());
    }

+    @Test
+    public void testEnforcementModeDisabled() {
+        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode.json"));
+        PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
+
+        OIDCHttpFacade httpFacade = createHttpFacade("/api/resource/public");
+        policyEnforcer.enforce(httpFacade);
+        TestResponse response = TestResponse.class.cast(httpFacade.getResponse());
+        assertEquals(401, response.getStatus());
+    }
+
    @Test
    public void testDefaultWWWAuthenticateCorsHeader() {
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json"));
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode.json
@ -0,0 +1,19 @@
+{
+  "realm": "authz-test",
+  "auth-server-url": "http://localhost:8180/auth",
+  "ssl-required": "external",
+  "resource": "resource-server-test",
+  "credentials": {
+    "secret": "secret"
+  },
+  "bearer-only": true,
+  "policy-enforcer": {
+    "enforcement-mode": "DISABLED",
+    "paths": [
+      {
+        "name": "Resource B",
+        "path": "/api/resource/public"
+      }
+    ]
+  }
+}