From 2df62369c3d9b2f6a7fc55b99c9412bff63c2632 Mon Sep 17 00:00:00 2001
From: vmuzikar
Date: Wed, 16 Sep 2020 12:20:29 +0200
Subject: [PATCH] KEYCLOAK-15295 User can manage resources with just "view-profile" role using new Account Console

(cherry picked from commit 1b063825755d9f5aa13e612757e8ef7299430761)
---
 .../account/resources/ResourceService.java | 3 +
 .../account/ResourcesRestServiceTest.java | 79 ++++++++++++++-----
 2 files changed, 64 insertions(+), 18 deletions(-)

diff --git a/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java b/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java
index 68ce9d6d49..451048458c 100644
--- a/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java
@@ -36,6 +36,7 @@ import java.util.Map;
 import org.jboss.resteasy.spi.HttpRequest;
 import org.keycloak.authorization.model.PermissionTicket;
 import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.models.AccountRoles;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserProvider;
@@ -118,6 +119,8 @@ public class ResourceService extends AbstractResourceService {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     public Response revoke(List permissions) {
+        auth.require(AccountRoles.MANAGE_ACCOUNT);
+
         if (permissions == null || permissions.isEmpty()) {
             throw new BadRequestException("invalid_permissions");
         }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/ResourcesRestServiceTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/ResourcesRestServiceTest.java
index a07f294b9a..60416d1d14 100755
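Review bot: The new `auth.require(AccountRoles.MANAGE_ACCOUNT)` in `revoke` carries no explanation of why this handler needs a stronger role than the rest of the class, which a reader of the method alone cannot see; add `// Revoking permissions mutates the owner's resources and needs manage-account, not only the read role the class-level check grants` above it, and confirm that wording against the class-level check, which is not in this hunk. Placing the guard before the `permissions` validation is the right order: an under-privileged caller gets 403 rather than 400 and learns nothing about the expected payload. If the class has other state-changing handlers outside this hunk they need the same guard, since the accompanying test only exercises PUT on the permissions path. `revoke` continues past the end of the hunk.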
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/ResourcesRestServiceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/ResourcesRestServiceTest.java
@@ -16,24 +16,6 @@
  */
 package org.keycloak.testsuite.account;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import javax.ws.rs.core.Response;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.function.Consumer;
-
 import com.fasterxml.jackson.core.type.TypeReference;
 import org.junit.Test;
 import org.keycloak.admin.client.resource.AuthorizationResource;
@@ -57,9 +39,29 @@ import org.keycloak.services.resources.account.resources.AbstractResourceService
 import org.keycloak.services.resources.account.resources.AbstractResourceService.Permission;
 import org.keycloak.services.resources.account.resources.AbstractResourceService.Resource;
 import org.keycloak.testsuite.util.ClientBuilder;
+import org.keycloak.testsuite.util.TokenUtil;
 import org.keycloak.testsuite.util.UserBuilder;
 import org.keycloak.util.JsonSerialization;
 
+import javax.ws.rs.core.Response;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.function.Consumer;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 /**
  * @author Pedro Igor
  */
@@ -403,6 +405,47 @@ public class ResourcesRestServiceTest extends AbstractRestServiceTest {
         assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
     }
 
+    @Test
+    public void testEndpointPermissions() throws Exception {
+        // resource for view-account-access
+        String resourceId;
+        ResourceRepresentation resource = new ResourceRepresentation();
+        resource.setOwnerManagedAccess(true);
+        resource.setOwner(findUser("view-account-access").getId());
+        resource.setName("Resource view-account-access");
+        resource.setDisplayName("Display Name view-account-access");
+        resource.setIconUri("Icon Uri view-account-access");
+        resource.addScope("Scope A", "Scope B", "Scope C", "Scope D");
+        resource.setUri("http://resourceServer.com/resources/view-account-access");
+        try (Response response1 = getResourceServer().authorization().resources().create(resource)) {
+            resourceId = response1.readEntity(ResourceRepresentation.class).getId();
+        }
+
+        final String resourcesUrl = getAccountUrl("resources");
+        final String sharedWithOthersUrl = resourcesUrl + "/shared-with-others";
+        final String sharedWithMeUrl = resourcesUrl + "/shared-with-me";
+        final String resourceUrl = resourcesUrl + "/" + resourceId;
+        final String permissionsUrl = resourceUrl + "/permissions";
+        final String requestsUrl = resourceUrl + "/permissions/requests";
+
+        TokenUtil viewProfileTokenUtil = new TokenUtil("view-account-access", "password");
+        TokenUtil noAccessTokenUtil = new TokenUtil("no-account-access", "password");
+
+        // test read access
+        for (String url : Arrays.asList(resourcesUrl, sharedWithOthersUrl, sharedWithMeUrl, resourceUrl, permissionsUrl, requestsUrl)) {
+            assertEquals( "no-account-access GET " + url, 403,
+                    SimpleHttp.doGet(url, httpClient).acceptJson().auth(noAccessTokenUtil.getToken()).asStatus());
+            assertEquals("view-account-access GET " + url,200,
+                    SimpleHttp.doGet(url, httpClient).acceptJson().auth(viewProfileTokenUtil.getToken()).asStatus());
+        }
+
+        // test write access
+        assertEquals( "no-account-access PUT " + permissionsUrl, 403,
+                SimpleHttp.doPut(permissionsUrl, httpClient).acceptJson().auth(noAccessTokenUtil.getToken()).json(Collections.emptyList()).asStatus());
+        assertEquals( "view-account-access PUT " + permissionsUrl, 403,
+                SimpleHttp.doPut(permissionsUrl, httpClient).acceptJson().auth(viewProfileTokenUtil.getToken()).json(Collections.emptyList()).asStatus());
+    }
+
     @Test
     public void testRevokePermission() throws Exception {
         List users = Arrays.asList("jdoe", "alice");
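Review bot: The resource created through the admin client at the start of `testEndpointPermissions` is never deleted, so it outlives the test and can show up in later tests' listings unless the class has a cleanup hook outside this hunk; wrap the assertions in try/finally and remove the resource by `resourceId` through the same `authorization().resources()` admin resource. The local `viewProfileTokenUtil` is named after a role while the user it logs in is `view-account-access`, the name the comment and assertion messages use; `TokenUtil viewAccessTokenUtil = new TokenUtil("view-account-access", "password");` keeps the three consistent. The write-access block checks only the two denied cases; the positive revoke by a manage-account user is presumably covered by `testRevokePermission` below, whose body is outside this hunk. The `assertEquals( "` and `,200,` spacing differs from the surrounding calls.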