From 38d8cf2cb327df3cd4d308476523ddf6adbbd809 Mon Sep 17 00:00:00 2001
From: rmartinc
Date: Mon, 17 Jun 2024 11:53:01 +0200
Subject: [PATCH] Add UPDATE event to the client-roles condition

Closes #30284
Signed-off-by: rmartinc
---
 .../condition/ClientRolesCondition.java | 1 +
 .../client/policies/ClientPoliciesTest.java | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientRolesCondition.java b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientRolesCondition.java
index 8dccc27fe6..c7fc19962f 100644
--- a/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientRolesCondition.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/condition/ClientRolesCondition.java
@@ -90,6 +90,7 @@ public class ClientRolesCondition extends AbstractClientPolicyConditionProvider<
 case BACKCHANNEL_TOKEN_RESPONSE:
 case PUSHED_AUTHORIZATION_REQUEST:
 case REGISTERED:
+ case UPDATE:
 case UPDATED:
 case SAML_AUTHN_REQUEST:
 case SAML_LOGOUT_REQUEST:
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java
index 1ce8da09e5..94bead432b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java
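Review bot: The added `case UPDATE:` label in ClientRolesCondition.java has no comment saying why the pre-persist event is listed next to `UPDATED`, and the shared branch body it falls through to lies outside this hunk. A short comment such as `// UPDATE: evaluated before the change is stored, so executors can still auto-configure or reject the request` would record the intent, assuming that is the reason. It is also worth confirming that during `UPDATE` the branch inspects the roles of the client being updated rather than the client that authenticated the admin or registration call; the lookup is not visible here, and if it resolved to the caller the condition would match on the wrong client's roles. `REGISTER` stays unlisted, which looks deliberate given the test's remark that a client has no roles at creation time; saying so in the same comment would help.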
@@ -826,6 +826,40 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
 }
 }
 
+ @Test
+ public void testConsentRequiredExecutorWithClientRolesCondition() throws Exception {
+ // register profiles with consent-required executor
+ updateProfiles(new ClientProfilesBuilder().addProfile(
+ new ClientProfileBuilder().createProfile(PROFILE_NAME, "Test Profile")
+ .addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, createConsentRequiredExecutorConfig(true))
+ .toRepresentation()).toString());
+
+ // register policies with the client-roles condition to sample-client-role
+ updatePolicies(new ClientPoliciesBuilder().addPolicy(
+ new ClientPolicyBuilder().createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE)
+ .addCondition(ClientRolesConditionFactory.PROVIDER_ID,
+ createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE)))
+ .addProfile(PROFILE_NAME)
+ .toRepresentation()).toString());
+
+ // Client is allowed to be created without consent because no roles at creation time
+ String clientId = generateSuffixedName("consent-app");
+ String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
+ clientRep.setImplicitFlowEnabled(Boolean.FALSE);
+ clientRep.setConsentRequired(Boolean.FALSE);
+ });
+ Assert.assertFalse(getClientByAdmin(cid).isConsentRequired());
+
+ // add the role to the client to execute condition
+ adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
+
+ // update with consent to false should be updated to true by autoconfigure
+ updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
+ cRep.setConsentRequired(Boolean.FALSE);
+ });
+ Assert.assertTrue(getClientByAdmin(cid).isConsentRequired());
+ }
+
 @Test
 public void testFullScopeDisabledExecutor() throws Exception {
 // register profiles - client autoConfigured to disable fullScopeAllowed
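Review bot: The new test never updates the client before `SAMPLE_CLIENT_ROLE` exists, so it would also pass if the condition voted yes on every `UPDATE` regardless of roles. Adding, before the `roles().create(...)` call, `updateClientByAdmin(cid, (ClientRepresentation cRep) -> cRep.setConsentRequired(Boolean.FALSE));` followed by `Assert.assertFalse(getClientByAdmin(cid).isConsentRequired());` would pin the negative case. The test flow also suggests that creating the role does not by itself re-evaluate the policy: nothing is asserted between the role creation and the following update, so the client presumably keeps `consentRequired=false` in that window, which is worth stating in the test comment so operators do not assume role changes are enforced immediately. Only the admin path is exercised; whether the dynamic-registration update path is covered elsewhere is not visible in this hunk.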