KEYCLOAK-16811 Add executor for disable 'Full Scope Allowed' and add it to FAPI profiles
This commit is contained in:
parent
1033b272e8
commit
3d16a1e8d3
8 changed files with 274 additions and 4 deletions
|
@ -0,0 +1,91 @@
|
|||
/*
|
||||
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
package org.keycloak.services.clientpolicy.executor;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonProperty;
|
||||
import org.keycloak.events.Errors;
|
||||
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyContext;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
||||
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
|
||||
|
||||
/**
|
||||
* Check that switch "fullScopeAllowed" is not enabled for the clients
|
||||
*
|
||||
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||
*/
|
||||
public class FullScopeDisabledExecutor implements ClientPolicyExecutorProvider<FullScopeDisabledExecutor.Configuration> {
|
||||
|
||||
private FullScopeDisabledExecutor.Configuration configuration;
|
||||
|
||||
@Override
|
||||
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
|
||||
switch (context.getEvent()) {
|
||||
case REGISTER:
|
||||
case UPDATE:
|
||||
ClientCRUDContext clientUpdateContext = (ClientCRUDContext)context;
|
||||
autoConfigure(clientUpdateContext.getProposedClientRepresentation());
|
||||
validate(clientUpdateContext.getProposedClientRepresentation());
|
||||
break;
|
||||
default:
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setupConfiguration(FullScopeDisabledExecutor.Configuration config) {
|
||||
this.configuration = config;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Class<FullScopeDisabledExecutor.Configuration> getExecutorConfigurationClass() {
|
||||
return FullScopeDisabledExecutor.Configuration.class;
|
||||
}
|
||||
|
||||
public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {
|
||||
@JsonProperty("auto-configure")
|
||||
protected Boolean autoConfigure;
|
||||
|
||||
public Boolean isAutoConfigure() {
|
||||
return autoConfigure;
|
||||
}
|
||||
|
||||
public void setAutoConfigure(Boolean autoConfigure) {
|
||||
this.autoConfigure = autoConfigure;
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getProviderId() {
|
||||
return FullScopeDisabledExecutorFactory.PROVIDER_ID;
|
||||
}
|
||||
|
||||
private void autoConfigure(ClientRepresentation rep) {
|
||||
if (configuration.isAutoConfigure()) {
|
||||
rep.setFullScopeAllowed(false);
|
||||
}
|
||||
}
|
||||
|
||||
private void validate(ClientRepresentation proposedClient) throws ClientPolicyException {
|
||||
if (proposedClient.isFullScopeAllowed() != null && proposedClient.isFullScopeAllowed()) {
|
||||
throw new ClientPolicyException(Errors.INVALID_REGISTRATION, "Not permitted to enable fullScopeAllowed");
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,75 @@
|
|||
/*
|
||||
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
package org.keycloak.services.clientpolicy.executor;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
||||
import org.keycloak.Config;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
|
||||
/**
|
||||
* Check that switch "fullScopeAllowed" is not enabled for the clients
|
||||
*
|
||||
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||
*/
|
||||
public class FullScopeDisabledExecutorFactory implements ClientPolicyExecutorProviderFactory {
|
||||
|
||||
public static final String PROVIDER_ID = "full-scope-disabled";
|
||||
|
||||
public static final String AUTO_CONFIGURE = "auto-configure";
|
||||
|
||||
private static final ProviderConfigProperty AUTO_CONFIGURE_PROPERTY = new ProviderConfigProperty(
|
||||
AUTO_CONFIGURE, "Auto-configure", "If On, then the during client creation or update, the configuration of the client will be auto-configured to disable fullScopeAllowed. " +
|
||||
"If off, the clients are validated to not have fullScopeAllowed enabled during create/update client", ProviderConfigProperty.BOOLEAN_TYPE, true);
|
||||
|
||||
@Override
|
||||
public FullScopeDisabledExecutor create(KeycloakSession session) {
|
||||
return new FullScopeDisabledExecutor();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(Config.Scope config) {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void postInit(KeycloakSessionFactory factory) {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void close() {
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return PROVIDER_ID;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getHelpText() {
|
||||
return "When present, then registered/updated clients will be verified to have 'fullScopeAllowed' switch disabled and eventually will be auto-configured for 'fullScopeAllowed' switch to be disabled";
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<ProviderConfigProperty> getConfigProperties() {
|
||||
return Collections.singletonList(AUTO_CONFIGURE_PROPERTY);
|
||||
}
|
||||
}
|
|
@ -8,4 +8,5 @@ org.keycloak.services.clientpolicy.executor.SecureClientUrisExecutorFactory
|
|||
org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtExecutorFactory
|
||||
org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforcerExecutorFactory
|
||||
org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory
|
||||
org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory
|
||||
org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory
|
||||
org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutorFactory
|
|
@ -32,6 +32,12 @@
|
|||
{
|
||||
"executor": "consent-required",
|
||||
"configuration": {}
|
||||
},
|
||||
{
|
||||
"executor": "full-scope-disabled",
|
||||
"configuration": {
|
||||
"auto-configure": true
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -91,6 +97,12 @@
|
|||
"executor": "consent-required",
|
||||
"configuration": {}
|
||||
},
|
||||
{
|
||||
"executor": "full-scope-disabled",
|
||||
"configuration": {
|
||||
"auto-configure": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"executor": "holder-of-key-enforcer",
|
||||
"configuration": {
|
||||
|
|
|
@ -124,6 +124,8 @@ import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceHostsCond
|
|||
import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceRolesCondition;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceRolesConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutor;
|
||||
import org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforcerExecutor;
|
||||
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforcerExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.PKCEEnforcerExecutor;
|
||||
|
@ -297,7 +299,7 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
|
|||
|
||||
// each executor
|
||||
assertExpectedExecutors(Arrays.asList(SecureSessionEnforceExecutorFactory.PROVIDER_ID, PKCEEnforcerExecutorFactory.PROVIDER_ID, SecureClientAuthenticatorExecutorFactory.PROVIDER_ID,
|
||||
SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID), actualProfileRep);
|
||||
SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID, FullScopeDisabledExecutorFactory.PROVIDER_ID), actualProfileRep);
|
||||
assertExpectedSecureSessionEnforceExecutor(actualProfileRep);
|
||||
|
||||
// each profile - ordinal-test-profile - updated
|
||||
|
@ -854,6 +856,12 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
|
|||
return config;
|
||||
}
|
||||
|
||||
protected FullScopeDisabledExecutor.Configuration createFullScopeDisabledExecutorConfig(Boolean autoConfigure) {
|
||||
FullScopeDisabledExecutor.Configuration config = new FullScopeDisabledExecutor.Configuration();
|
||||
config.setAutoConfigure(autoConfigure);
|
||||
return config;
|
||||
}
|
||||
|
||||
protected PKCEEnforcerExecutor.Configuration createPKCEEnforceExecutorConfig(Boolean autoConfigure) {
|
||||
PKCEEnforcerExecutor.Configuration config = new PKCEEnforcerExecutor.Configuration();
|
||||
config.setAutoConfigure(autoConfigure);
|
||||
|
|
|
@ -43,6 +43,7 @@ import org.keycloak.services.clientpolicy.ClientPolicyException;
|
|||
import org.keycloak.services.clientpolicy.ClientPoliciesUtil;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.PKCEEnforcerExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.SecureClientAuthenticatorExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory;
|
||||
|
@ -84,7 +85,7 @@ public class ClientPoliciesLoadUpdateTest extends AbstractClientPoliciesTest {
|
|||
|
||||
// Test some executor
|
||||
assertExpectedExecutors(Arrays.asList(SecureSessionEnforceExecutorFactory.PROVIDER_ID, PKCEEnforcerExecutorFactory.PROVIDER_ID, SecureClientAuthenticatorExecutorFactory.PROVIDER_ID,
|
||||
SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID), actualProfileRep);
|
||||
SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID, FullScopeDisabledExecutorFactory.PROVIDER_ID), actualProfileRep);
|
||||
assertExpectedSecureSessionEnforceExecutor(actualProfileRep);
|
||||
|
||||
// Check the "get" request without globals. Assert nothing loaded
|
||||
|
|
|
@ -85,6 +85,7 @@ import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceHostsCond
|
|||
import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceRolesConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforcerExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.PKCEEnforcerExecutorFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.SecureClientAuthenticatorExecutorFactory;
|
||||
|
@ -2133,6 +2134,84 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFullScopeDisabledExecutor() throws Exception {
|
||||
// register profiles - client autoConfigured to disable fullScopeAllowed
|
||||
String json = (new ClientProfilesBuilder()).addProfile(
|
||||
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile")
|
||||
.addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(true))
|
||||
.toRepresentation()
|
||||
).toString();
|
||||
updateProfiles(json);
|
||||
|
||||
// register policies
|
||||
json = (new ClientPoliciesBuilder()).addPolicy(
|
||||
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE)
|
||||
.addCondition(AnyClientConditionFactory.PROVIDER_ID,
|
||||
createAnyClientConditionConfig())
|
||||
.addProfile(PROFILE_NAME)
|
||||
.toRepresentation()
|
||||
).toString();
|
||||
updatePolicies(json);
|
||||
|
||||
// Client will be auto-configured to disable fullScopeAllowed
|
||||
String clientId = generateSuffixedName("aaa-app");
|
||||
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
|
||||
clientRep.setImplicitFlowEnabled(Boolean.FALSE);
|
||||
clientRep.setFullScopeAllowed(Boolean.TRUE);
|
||||
});
|
||||
ClientRepresentation clientRep = getClientByAdmin(cid);
|
||||
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
|
||||
|
||||
// Client cannot be updated to disable fullScopeAllowed
|
||||
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
|
||||
cRep.setFullScopeAllowed(Boolean.TRUE);
|
||||
});
|
||||
clientRep = getClientByAdmin(cid);
|
||||
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
|
||||
|
||||
// Switch auto-configure to false. Auto-configuration won't happen, but validation will still be here, so should not be possible to enable fullScopeAllowed
|
||||
json = (new ClientProfilesBuilder()).addProfile(
|
||||
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile")
|
||||
.addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(false))
|
||||
.toRepresentation()
|
||||
).toString();
|
||||
updateProfiles(json);
|
||||
|
||||
// Not possible to register client with fullScopeAllowed due the validation
|
||||
try {
|
||||
createClientByAdmin(clientId, (ClientRepresentation clientRep2) -> {
|
||||
clientRep2.setFullScopeAllowed(Boolean.TRUE);
|
||||
});
|
||||
fail();
|
||||
} catch (ClientPolicyException cpe) {
|
||||
assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
|
||||
}
|
||||
|
||||
// Not possible to update existing client to fullScopeAllowed due the validation
|
||||
try {
|
||||
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
|
||||
cRep.setFullScopeAllowed(Boolean.TRUE);
|
||||
});
|
||||
fail();
|
||||
} catch (ClientPolicyException cpe) {
|
||||
assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
|
||||
}
|
||||
clientRep = getClientByAdmin(cid);
|
||||
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
|
||||
|
||||
try {
|
||||
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
|
||||
cRep.setImplicitFlowEnabled(Boolean.TRUE);
|
||||
});
|
||||
clientRep = getClientByAdmin(cid);
|
||||
assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
|
||||
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
|
||||
} catch (ClientPolicyException cpe) {
|
||||
fail();
|
||||
}
|
||||
}
|
||||
|
||||
private void checkMtlsFlow() throws IOException {
|
||||
// Check login.
|
||||
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
|
||||
|
|
|
@ -216,6 +216,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
|
|||
});
|
||||
ClientRepresentation client = getClientByAdmin(clientUUID);
|
||||
Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
|
||||
Assert.assertFalse(client.isFullScopeAllowed());
|
||||
|
||||
// Set new initialToken for register new clients
|
||||
setInitialAccessTokenForDynamicClientRegistration();
|
||||
|
@ -289,6 +290,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
|
|||
ClientRepresentation client = getClientByAdmin(clientUUID);
|
||||
Assert.assertFalse(client.isPublicClient());
|
||||
Assert.assertEquals(JWTClientSecretAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
|
||||
Assert.assertFalse(client.isFullScopeAllowed());
|
||||
|
||||
checkPKCEWithS256RequiredDuringLogin("foo");
|
||||
|
||||
|
@ -395,12 +397,13 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
|
|||
client = getClientByAdmin(clientUUID);
|
||||
Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
|
||||
|
||||
// Check the Consent is enabled, Holder-of-key is enabled and default signature algorithm
|
||||
// Check the Consent is enabled, Holder-of-key is enabled, fullScopeAllowed disabled and default signature algorithm.
|
||||
Assert.assertTrue(client.isConsentRequired());
|
||||
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
|
||||
Assert.assertTrue(clientConfig.isUseMtlsHokToken());
|
||||
Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
|
||||
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
|
||||
Assert.assertFalse(client.isFullScopeAllowed());
|
||||
}
|
||||
|
||||
|
||||
|
|
Loading…
Reference in a new issue