From 2a82ed6eea1c5cc6e98912dce01148b0e54d1d04 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Mon, 27 Jan 2020 17:55:06 -0300
Subject: [PATCH] [KEYCLOAK-9402] - 401 response when enforcement mode is DISABLED

---
 .../authorization/AbstractPolicyEnforcer.java | 5 ++++-
 .../authorization/PolicyEnforcerTest.java | 11 +++++++++++
 .../enforcer-disabled-enforce-mode.json | 19 +++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode.json

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
index 138e143359..1f4438f0d0 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@@ -59,14 +59,17 @@ public abstract class AbstractPolicyEnforcer {
 public AuthorizationContext authorize(OIDCHttpFacade httpFacade) {
 EnforcementMode enforcementMode = getEnforcerConfig().getEnforcementMode();
+ KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();
 if (EnforcementMode.DISABLED.equals(enforcementMode)) {
+ if (securityContext == null) {
+ httpFacade.getResponse().sendError(401, "Invalid bearer");
+ }
 return createEmptyAuthorizationContext(true);
 }
 Request request = httpFacade.getRequest();
 PathConfig pathConfig = getPathConfig(request);
- KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();
 if (securityContext == null) {
 if (!isDefaultAccessDeniedUri(request)) {
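Review bot: In the DISABLED branch the new `sendError(401, "Invalid bearer")` is still followed by `return createEmptyAuthorizationContext(true);`, so a request with no security context is rejected on the wire yet reported to the caller as granted; assuming the boolean is the granted flag (only the `true` call is visible here), the null case should return its own denied context, e.g. `return createEmptyAuthorizationContext(false);` inside the new `if`. The early return also bypasses the pre-existing `securityContext == null` handling further down, whose body lies outside the hunk — worth confirming whether that branch sets anything for unauthenticated requests (the neighbouring `testDefaultWWWAuthenticateCorsHeader` suggests a `WWW-Authenticate` header) that a bare `sendError` now omits. The `authorize` method continues past the end of the hunk.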
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
index 2fcc0b0ea5..97787d45e1 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
@@ -301,6 +301,17 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest { assertTrue(context.isGranted()); } + @Test + public void testEnforcementModeDisabled() { + KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode.json")); + PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer(); + + OIDCHttpFacade httpFacade = createHttpFacade("/api/resource/public"); + policyEnforcer.enforce(httpFacade); + TestResponse response = TestResponse.class.cast(httpFacade.getResponse()); + assertEquals(401, response.getStatus()); + } + + @Test + public void testDefaultWWWAuthenticateCorsHeader() { + KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json"));
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode.json b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode.json
new file mode 100644
index 0000000000..dbf85cb50c
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode.json
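Review bot: `testEnforcementModeDisabled` discards the `AuthorizationContext` returned by `policyEnforcer.enforce(httpFacade)` and checks only the response status, so the question the production change leaves open — whether a request answered with 401 is still reported as granted — goes untested; capture it as `AuthorizationContext context = policyEnforcer.enforce(httpFacade);` and assert on `context.isGranted()`, as the preceding test in this hunk does. There is also no companion case for DISABLED mode with an authenticated facade, which would pin down that the 401 fires only when the security context is absent (I am assuming `createHttpFacade(path)` builds a facade without one, since no token is passed). As a point of style, `TestResponse.class.cast(...)` reads more naturally as a plain `(TestResponse)` cast.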
@@ -0,0 +1,19 @@
+{
+ "realm": "authz-test",
+ "auth-server-url": "http://localhost:8180/auth",
+ "ssl-required": "external",
+ "resource": "resource-server-test",
+ "credentials": {
+ "secret": "secret"
+ },
+ "bearer-only": true,
+ "policy-enforcer": {
+ "enforcement-mode": "DISABLED",
+ "paths": [
+ {
+ "name": "Resource B",
+ "path": "/api/resource/public"
+ }
+ ]
+ }
+}