[KEYCLOAK-13175] - Setting the enforcement mode when fetching lazily fetching resources

2020-03-03 09:34:06 -03:00 · 2020-03-03 09:34:06 -03:00 · 30b07a1ff5
commit 30b07a1ff5
parent 75a772f52b
4 changed files with 62 additions and 1 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
@ -269,9 +269,11 @@ public class PolicyEnforcer {

                        if (!matchingResources.isEmpty()) {
                            Map<String, Map<String, Object>> cipConfig = null;
+                            PolicyEnforcerConfig.EnforcementMode enforcementMode = PolicyEnforcerConfig.EnforcementMode.ENFORCING;

                            if (pathConfig != null) {
                                cipConfig = pathConfig.getClaimInformationPointConfig();
+                                enforcementMode = pathConfig.getEnforcementMode();
                            }

                            pathConfig = PathConfig.createPathConfigs(matchingResources.get(0)).iterator().next();
@ -279,6 +281,8 @@ public class PolicyEnforcer {
                            if (cipConfig != null) {
                                pathConfig.setClaimInformationPointConfig(cipConfig);
                            }
+                            
+                            pathConfig.setEnforcementMode(enforcementMode);
                        }
                    } catch (Exception cause) {
                        LOGGER.errorf(cause, "Could not lazy load resource with path [" + targetUri + "] from server");
--- a/testsuite/integration-arquillian/tests/base/.attach_pid34555
+++ b/testsuite/integration-arquillian/tests/base/.attach_pid34555
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
@ -163,6 +163,35 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
        assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
    }

+    @Test
+    public void testPathConfigurationPrecendenceWhenLazyLoadingPaths() {
+        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-paths.json"));
+        PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
+        OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea");
+        AuthorizationContext context = policyEnforcer.enforce(httpFacade);
+
+        assertFalse(context.isGranted());
+        assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
+
+        oauth.realm(REALM_NAME);
+        oauth.clientId("public-client-test");
+        oauth.doLogin("marta", "password");
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+        OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
+        String token = response.getAccessToken();
+
+        httpFacade = createHttpFacade("/api/resourcea", token);
+
+        context = policyEnforcer.enforce(httpFacade);
+        assertTrue(context.isGranted());
+
+        httpFacade = createHttpFacade("/");
+
+        context = policyEnforcer.enforce(httpFacade);
+        assertTrue(context.isGranted());
+    }
+
    @Test
    public void testResolvingClaimsOnce() {
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
@ -559,7 +588,7 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json"));
        PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();

-        assertEquals(204, policyEnforcer.getPaths().size());
+        assertEquals(205, policyEnforcer.getPaths().size());

        deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json"));
        policyEnforcer = deployment.getPolicyEnforcer();
@ -642,6 +671,10 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {

            clientResource.authorization().permissions().resource().create(permission).close();
        }
+
+        if (clientResource.authorization().resources().findByName("Root").isEmpty()) {
+            createResource(clientResource, "Root", "/*");
+        }
    }

    private InputStream getAdapterConfiguration(String fileName) {
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-paths.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-paths.json
@ -0,0 +1,24 @@
+{
+  "realm": "authz-test",
+  "auth-server-url": "http://localhost:8180/auth",
+  "ssl-required": "external",
+  "resource": "resource-server-test",
+  "credentials": {
+    "secret": "secret"
+  },
+  "bearer-only": true,
+  "policy-enforcer": {
+    "lazy-load-paths": true,
+    "paths": [
+      {
+        "name": "Root",
+        "path": "/*",
+        "enforcement-mode": "DISABLED"
+      },
+      {
+        "name": "Resource A",
+        "path": "/api/*"
+      }
+    ]
+  }
+}