[KEYCLOAK-13175] - Setting the enforcement mode when fetching lazily fetching resources

This commit is contained in:
Pedro Igor 2020-03-03 09:34:06 -03:00 committed by Stian Thorgersen
parent 75a772f52b
commit 30b07a1ff5
4 changed files with 62 additions and 1 deletions


@ -269,9 +269,11 @@ public class PolicyEnforcer {
if (!matchingResources.isEmpty()) { if (!matchingResources.isEmpty()) {
Map<String, Map<String, Object>> cipConfig = null; Map<String, Map<String, Object>> cipConfig = null;
PolicyEnforcerConfig.EnforcementMode enforcementMode = PolicyEnforcerConfig.EnforcementMode.ENFORCING;
if (pathConfig != null) { if (pathConfig != null) {
cipConfig = pathConfig.getClaimInformationPointConfig(); cipConfig = pathConfig.getClaimInformationPointConfig();
enforcementMode = pathConfig.getEnforcementMode();
} }
pathConfig = PathConfig.createPathConfigs(matchingResources.get(0)).iterator().next(); pathConfig = PathConfig.createPathConfigs(matchingResources.get(0)).iterator().next();
@ -279,6 +281,8 @@ public class PolicyEnforcer {
if (cipConfig != null) { if (cipConfig != null) {
pathConfig.setClaimInformationPointConfig(cipConfig); pathConfig.setClaimInformationPointConfig(cipConfig);
} }
pathConfig.setEnforcementMode(enforcementMode);
} }
} catch (Exception cause) { } catch (Exception cause) {
LOGGER.errorf(cause, "Could not lazy load resource with path [" + targetUri + "] from server"); LOGGER.errorf(cause, "Could not lazy load resource with path [" + targetUri + "] from server");
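Review bot: The enforcement-mode inheritance added at the line `pathConfig.setEnforcementMode(enforcementMode);` has no comment explaining its effect: the freshly created config for the lazily loaded resource takes the mode of the statically matched path (falling back to ENFORCING only when no static path matched), so a broad local path such as `/*` marked DISABLED also switches off enforcement for server-side resources beneath it, which is a deliberate but easy-to-miss precedence rule. I would add above that line `// Inherit the enforcement mode of the matching static path (ENFORCING when none matched); a DISABLED wildcard path therefore also disables enforcement for lazily loaded resources under it.` If `pathConfig.getEnforcementMode()` can ever return null for a statically configured path, the assignment copied at `enforcementMode = pathConfig.getEnforcementMode();` would propagate that null into the new config; the hunk does not show the getter's default, so that is worth confirming. The enclosing method starts and ends outside these hunks.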


@ -163,6 +163,35 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus()); assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
} }
@Test
public void testPathConfigurationPrecendenceWhenLazyLoadingPaths() {
KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-paths.json"));
PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea");
AuthorizationContext context = policyEnforcer.enforce(httpFacade);
assertFalse(context.isGranted());
assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
oauth.realm(REALM_NAME);
oauth.clientId("public-client-test");
oauth.doLogin("marta", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
String token = response.getAccessToken();
httpFacade = createHttpFacade("/api/resourcea", token);
context = policyEnforcer.enforce(httpFacade);
assertTrue(context.isGranted());
httpFacade = createHttpFacade("/");
context = policyEnforcer.enforce(httpFacade);
assertTrue(context.isGranted());
}
@Test @Test
public void testResolvingClaimsOnce() { public void testResolvingClaimsOnce() {
KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json")); KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
@ -559,7 +588,7 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json")); KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json"));
PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer(); PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
assertEquals(204, policyEnforcer.getPaths().size()); assertEquals(205, policyEnforcer.getPaths().size());
deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json")); deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json"));
policyEnforcer = deployment.getPolicyEnforcer(); policyEnforcer = deployment.getPolicyEnforcer();
@ -642,6 +671,10 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
clientResource.authorization().permissions().resource().create(permission).close(); clientResource.authorization().permissions().resource().create(permission).close();
} }
if (clientResource.authorization().resources().findByName("Root").isEmpty()) {
createResource(clientResource, "Root", "/*");
}
} }
private InputStream getAdapterConfiguration(String fileName) { private InputStream getAdapterConfiguration(String fileName) {
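Review bot: The expected path count changed from 204 to 205 in `assertEquals(205, policyEnforcer.getPaths().size());` without anything tying it to the new `Root` resource created in the setup hunk below (`createResource(clientResource, "Root", "/*");`), so the next person who adds a fixture resource has to rediscover why the number moved; a short comment such as `// one extra path: the "Root" (/*) resource created in setup` at the assertion would make the coupling explicit. The new test method name misspells its subject; `testPathConfigurationPrecedenceWhenLazyLoadingPaths` is the intended spelling. In that test, the final enforce of `/` without a token is asserted granted, which presumably exercises the DISABLED root path from the fixture; a one-line comment stating that intent would make the assertion self-explanatory.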


@ -0,0 +1,24 @@
{
"realm": "authz-test",
"auth-server-url": "http://localhost:8180/auth",
"ssl-required": "external",
"resource": "resource-server-test",
"credentials": {
"secret": "secret"
},
"bearer-only": true,
"policy-enforcer": {
"lazy-load-paths": true,
"paths": [
{
"name": "Root",
"path": "/*",
"enforcement-mode": "DISABLED"
},
{
"name": "Resource A",
"path": "/api/*"
}
]
}
}