From 30b07a1ff56a4f5e15d8dedc77eeaf08b46d6d21 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Tue, 3 Mar 2020 09:34:06 -0300
Subject: [PATCH] [KEYCLOAK-13175] - Setting the enforcement mode when fetching lazily fetching resources

---
 .../authorization/PolicyEnforcer.java | 4 +++
 .../tests/base/.attach_pid34555 | 0
 .../authorization/PolicyEnforcerTest.java | 35 ++++++++++++++++++-
 .../authorization-test/enforcer-paths.json | 24 +++++++++++++
 4 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 testsuite/integration-arquillian/tests/base/.attach_pid34555
 create mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-paths.json

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
index bcdcf0d976..63e380c1c9 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
@@ -269,9 +269,11 @@ public class PolicyEnforcer {
                     if (!matchingResources.isEmpty()) {
                         Map> cipConfig = null;
+                        PolicyEnforcerConfig.EnforcementMode enforcementMode = PolicyEnforcerConfig.EnforcementMode.ENFORCING;
                         if (pathConfig != null) {
                             cipConfig = pathConfig.getClaimInformationPointConfig();
+                            enforcementMode = pathConfig.getEnforcementMode();
                         }
                         pathConfig = PathConfig.createPathConfigs(matchingResources.get(0)).iterator().next();
@@ -279,6 +281,8 @@ public class PolicyEnforcer {
                         if (cipConfig != null) {
                             pathConfig.setClaimInformationPointConfig(cipConfig);
                         }
+
+                        pathConfig.setEnforcementMode(enforcementMode);
                     }
                 } catch (Exception cause) {
                     LOGGER.errorf(cause, "Could not lazy load resource with path [" + targetUri + "] from server");
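Review bot: The unconditional `pathConfig.setEnforcementMode(enforcementMode);` in the second hunk overwrites whatever mode `PathConfig.createPathConfigs(...)` produced for the freshly loaded resource, because `enforcementMode` is pre-seeded with `ENFORCING` even when no parent `pathConfig` matched; the same defaulting is introduced by the declaration in the first hunk. If the intent is only to inherit the matched parent's mode, initialise `PolicyEnforcerConfig.EnforcementMode enforcementMode = null;` and guard the setter with `if (enforcementMode != null) { pathConfig.setEnforcementMode(enforcementMode); }`, so a lazily created config keeps its own mode when nothing is inherited. Either way the inheritance rule deserves a comment at the setter, e.g. `// Lazily loaded resources inherit the enforcement mode of the most specific configured path that matched (a DISABLED wildcard such as /* therefore disables everything beneath it)`, since that is the precedence the test relies on and a permissive parent now silently widens to every resource discovered under it. The enclosing lazy-load method starts and ends outside both hunks, and the surrounding `catch (Exception cause)` that only logs is pre-existing.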
diff --git a/testsuite/integration-arquillian/tests/base/.attach_pid34555 b/testsuite/integration-arquillian/tests/base/.attach_pid34555
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
index 11476697e8..8d1ec42863 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
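Review bot: `testsuite/integration-arquillian/tests/base/.attach_pid34555` is an empty file (index `0000000000..e69de29bb2`) with the naming pattern of a JVM attach-API socket marker, so it looks like a local debugging artifact that was committed by accident rather than part of the KEYCLOAK-13175 change. It should be dropped from the patch and, to keep it from recurring, a `.attach_pid*` entry added to the repository's ignore rules; the diffstat line `.../tests/base/.attach_pid34555 | 0` would then disappear as well.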
@@ -163,6 +163,35 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
         assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
     }
 
+    @Test
+    public void testPathConfigurationPrecendenceWhenLazyLoadingPaths() {
+        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-paths.json"));
+        PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
+        OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea");
+        AuthorizationContext context = policyEnforcer.enforce(httpFacade);
+
+        assertFalse(context.isGranted());
+        assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
+
+        oauth.realm(REALM_NAME);
+        oauth.clientId("public-client-test");
+        oauth.doLogin("marta", "password");
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+        OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
+        String token = response.getAccessToken();
+
+        httpFacade = createHttpFacade("/api/resourcea", token);
+
+        context = policyEnforcer.enforce(httpFacade);
+        assertTrue(context.isGranted());
+
+        httpFacade = createHttpFacade("/");
+
+        context = policyEnforcer.enforce(httpFacade);
+        assertTrue(context.isGranted());
+    }
+
     @Test
     public void testResolvingClaimsOnce() {
         KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
@@ -559,7 +588,7 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
         KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json"));
         PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
 
-        assertEquals(204, policyEnforcer.getPaths().size());
+        assertEquals(205, policyEnforcer.getPaths().size());
 
         deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json"));
         policyEnforcer = deployment.getPolicyEnforcer();
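Review bot: The new test's name misspells "precedence" (`testPathConfigurationPrecendenceWhenLazyLoadingPaths`); rename it to `testPathConfigurationPrecedenceWhenLazyLoadingPaths` before it is referenced elsewhere. The three `enforce` calls also encode the precedence rule being tested without saying so, so a short comment above the first assertion would help the next reader, e.g. `// /api/resourcea matches the ENFORCING "/api/*" path, not the DISABLED "/*" root: anonymous is denied, a valid token is granted, and "/" itself is granted because its path is DISABLED`. The second hunk's bump from 204 to 205 appears to follow from the new "Root" resource created in the test setup; stating that in the assertion message, `assertEquals("Root resource added by setup", 205, ...)`, would stop the magic number from drifting silently.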
@@ -642,6 +671,10 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
                 clientResource.authorization().permissions().resource().create(permission).close();
             }
+
+            if (clientResource.authorization().resources().findByName("Root").isEmpty()) {
+                createResource(clientResource, "Root", "/*");
+            }
         }
 
     private InputStream getAdapterConfiguration(String fileName) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-paths.json b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-paths.json
new file mode 100644
index 0000000000..0221a18667
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-paths.json
@@ -0,0 +1,24 @@
+{
+  "realm": "authz-test",
+  "auth-server-url": "http://localhost:8180/auth",
+  "ssl-required": "external",
+  "resource": "resource-server-test",
+  "credentials": {
+    "secret": "secret"
+  },
+  "bearer-only": true,
+  "policy-enforcer": {
+    "lazy-load-paths": true,
+    "paths": [
+      {
+        "name": "Root",
+        "path": "/*",
+        "enforcement-mode": "DISABLED"
+      },
+      {
+        "name": "Resource A",
+        "path": "/api/*"
+      }
+    ]
+  }
+}
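Review bot: The new "Root" resource registered with URI `/*` is created for every test in this class, not only the one that needs it, and with lazy loading that wildcard will be the fallback match for any URI no other resource covers; a comment should say why it exists and what it changes, e.g. `// "Root" (/*) backs testPathConfigurationPrecendenceWhenLazyLoadingPaths; with lazy-load-paths it becomes the catch-all match for otherwise unconfigured URIs, which is presumably why the expected path count in the non-lazy test rose to 205`. The `findByName("Root").isEmpty()` guard makes the creation idempotent, which is consistent with the setup being re-run; the `.close()` on the permission creation is pre-existing. The enclosing setup method starts outside the hunk.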