libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-15295 User can manage resources with just "view-profile" role using new Account Console

Browse source 
(cherry picked from commit 1b063825755d9f5aa13e612757e8ef7299430761)
This commit is contained in:
vmuzikar 2020-09-16 12:20:29 +02:00 committed by Stian Thorgersen
parent 6b2e1cbc5f
commit 2df62369c3
2 changed files with 64 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java
View file

@ -36,6 +36,7 @@ import java.util.Map;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
@ -118,6 +119,8 @@ public class ResourceService extends AbstractResourceService {
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response revoke(List<Permission> permissions) {
auth.require(AccountRoles.MANAGE_ACCOUNT);
if (permissions == null || permissions.isEmpty()) {
throw new BadRequestException("invalid_permissions");
}

79
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/ResourcesRestServiceTest.java
View file

@ -16,24 +16,6 @@
*/
package org.keycloak.testsuite.account;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import com.fasterxml.jackson.core.type.TypeReference;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
@ -57,9 +39,29 @@ import org.keycloak.services.resources.account.resources.AbstractResourceService
import org.keycloak.services.resources.account.resources.AbstractResourceService.Permission;
import org.keycloak.services.resources.account.resources.AbstractResourceService.Resource;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.TokenUtil;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
@ -403,6 +405,47 @@ public class ResourcesRestServiceTest extends AbstractRestServiceTest {
assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
}
@Test
public void testEndpointPermissions() throws Exception {
// resource for view-account-access
String resourceId;
ResourceRepresentation resource = new ResourceRepresentation();
resource.setOwnerManagedAccess(true);
resource.setOwner(findUser("view-account-access").getId());
resource.setName("Resource view-account-access");
resource.setDisplayName("Display Name view-account-access");
resource.setIconUri("Icon Uri view-account-access");
resource.addScope("Scope A", "Scope B", "Scope C", "Scope D");
resource.setUri("http://resourceServer.com/resources/view-account-access");
try (Response response1 = getResourceServer().authorization().resources().create(resource)) {
resourceId = response1.readEntity(ResourceRepresentation.class).getId();
}
final String resourcesUrl = getAccountUrl("resources");
final String sharedWithOthersUrl = resourcesUrl + "/shared-with-others";
final String sharedWithMeUrl = resourcesUrl + "/shared-with-me";
final String resourceUrl = resourcesUrl + "/" + resourceId;
final String permissionsUrl = resourceUrl + "/permissions";
final String requestsUrl = resourceUrl + "/permissions/requests";
TokenUtil viewProfileTokenUtil = new TokenUtil("view-account-access", "password");
TokenUtil noAccessTokenUtil = new TokenUtil("no-account-access", "password");
// test read access
for (String url : Arrays.asList(resourcesUrl, sharedWithOthersUrl, sharedWithMeUrl, resourceUrl, permissionsUrl, requestsUrl)) {
assertEquals( "no-account-access GET " + url, 403,
SimpleHttp.doGet(url, httpClient).acceptJson().auth(noAccessTokenUtil.getToken()).asStatus());
assertEquals("view-account-access GET " + url,200,
SimpleHttp.doGet(url, httpClient).acceptJson().auth(viewProfileTokenUtil.getToken()).asStatus());
}
// test write access
assertEquals( "no-account-access PUT " + permissionsUrl, 403,
SimpleHttp.doPut(permissionsUrl, httpClient).acceptJson().auth(noAccessTokenUtil.getToken()).json(Collections.emptyList()).asStatus());
assertEquals( "view-account-access PUT " + permissionsUrl, 403,
SimpleHttp.doPut(permissionsUrl, httpClient).acceptJson().auth(viewProfileTokenUtil.getToken()).json(Collections.emptyList()).asStatus());
}
@Test
public void testRevokePermission() throws Exception {
List<String> users = Arrays.asList("jdoe", "alice");