KEYCLOAK-16811 Add executor for disable 'Full Scope Allowed' and add it to FAPI profiles

This commit is contained in:
mposolda 2021-06-03 20:46:02 +02:00 committed by Marek Posolda
parent 1033b272e8
commit 3d16a1e8d3
8 changed files with 274 additions and 4 deletions

View file

@ -0,0 +1,91 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.keycloak.services.clientpolicy.executor;
import com.fasterxml.jackson.annotation.JsonProperty;
import org.keycloak.events.Errors;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
/**
* Check that switch "fullScopeAllowed" is not enabled for the clients
*
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class FullScopeDisabledExecutor implements ClientPolicyExecutorProvider<FullScopeDisabledExecutor.Configuration> {
private FullScopeDisabledExecutor.Configuration configuration;
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
switch (context.getEvent()) {
case REGISTER:
case UPDATE:
ClientCRUDContext clientUpdateContext = (ClientCRUDContext)context;
autoConfigure(clientUpdateContext.getProposedClientRepresentation());
validate(clientUpdateContext.getProposedClientRepresentation());
break;
default:
return;
}
}
@Override
public void setupConfiguration(FullScopeDisabledExecutor.Configuration config) {
this.configuration = config;
}
@Override
public Class<FullScopeDisabledExecutor.Configuration> getExecutorConfigurationClass() {
return FullScopeDisabledExecutor.Configuration.class;
}
public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {
@JsonProperty("auto-configure")
protected Boolean autoConfigure;
public Boolean isAutoConfigure() {
return autoConfigure;
}
public void setAutoConfigure(Boolean autoConfigure) {
this.autoConfigure = autoConfigure;
}
}
@Override
public String getProviderId() {
return FullScopeDisabledExecutorFactory.PROVIDER_ID;
}
private void autoConfigure(ClientRepresentation rep) {
if (configuration.isAutoConfigure()) {
rep.setFullScopeAllowed(false);
}
}
private void validate(ClientRepresentation proposedClient) throws ClientPolicyException {
if (proposedClient.isFullScopeAllowed() != null && proposedClient.isFullScopeAllowed()) {
throw new ClientPolicyException(Errors.INVALID_REGISTRATION, "Not permitted to enable fullScopeAllowed");
}
}
}

View file

@ -0,0 +1,75 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.keycloak.services.clientpolicy.executor;
import java.util.Collections;
import java.util.List;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;
/**
* Check that switch "fullScopeAllowed" is not enabled for the clients
*
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class FullScopeDisabledExecutorFactory implements ClientPolicyExecutorProviderFactory {
public static final String PROVIDER_ID = "full-scope-disabled";
public static final String AUTO_CONFIGURE = "auto-configure";
private static final ProviderConfigProperty AUTO_CONFIGURE_PROPERTY = new ProviderConfigProperty(
AUTO_CONFIGURE, "Auto-configure", "If On, then the during client creation or update, the configuration of the client will be auto-configured to disable fullScopeAllowed. " +
"If off, the clients are validated to not have fullScopeAllowed enabled during create/update client", ProviderConfigProperty.BOOLEAN_TYPE, true);
@Override
public FullScopeDisabledExecutor create(KeycloakSession session) {
return new FullScopeDisabledExecutor();
}
@Override
public void init(Config.Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public void close() {
}
@Override
public String getId() {
return PROVIDER_ID;
}
@Override
public String getHelpText() {
return "When present, then registered/updated clients will be verified to have 'fullScopeAllowed' switch disabled and eventually will be auto-configured for 'fullScopeAllowed' switch to be disabled";
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return Collections.singletonList(AUTO_CONFIGURE_PROPERTY);
}
}

View file

@ -8,4 +8,5 @@ org.keycloak.services.clientpolicy.executor.SecureClientUrisExecutorFactory
org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtExecutorFactory
org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforcerExecutorFactory
org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory
org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory
org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory
org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutorFactory

View file

@ -32,6 +32,12 @@
{
"executor": "consent-required",
"configuration": {}
},
{
"executor": "full-scope-disabled",
"configuration": {
"auto-configure": true
}
}
]
},
@ -91,6 +97,12 @@
"executor": "consent-required",
"configuration": {}
},
{
"executor": "full-scope-disabled",
"configuration": {
"auto-configure": true
}
},
{
"executor": "holder-of-key-enforcer",
"configuration": {

View file

@ -124,6 +124,8 @@ import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceHostsCond
import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceRolesCondition;
import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceRolesConditionFactory;
import org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory;
import org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutor;
import org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutorFactory;
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforcerExecutor;
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforcerExecutorFactory;
import org.keycloak.services.clientpolicy.executor.PKCEEnforcerExecutor;
@ -297,7 +299,7 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
// each executor
assertExpectedExecutors(Arrays.asList(SecureSessionEnforceExecutorFactory.PROVIDER_ID, PKCEEnforcerExecutorFactory.PROVIDER_ID, SecureClientAuthenticatorExecutorFactory.PROVIDER_ID,
SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID), actualProfileRep);
SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID, FullScopeDisabledExecutorFactory.PROVIDER_ID), actualProfileRep);
assertExpectedSecureSessionEnforceExecutor(actualProfileRep);
// each profile - ordinal-test-profile - updated
@ -854,6 +856,12 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
return config;
}
protected FullScopeDisabledExecutor.Configuration createFullScopeDisabledExecutorConfig(Boolean autoConfigure) {
FullScopeDisabledExecutor.Configuration config = new FullScopeDisabledExecutor.Configuration();
config.setAutoConfigure(autoConfigure);
return config;
}
protected PKCEEnforcerExecutor.Configuration createPKCEEnforceExecutorConfig(Boolean autoConfigure) {
PKCEEnforcerExecutor.Configuration config = new PKCEEnforcerExecutor.Configuration();
config.setAutoConfigure(autoConfigure);

View file

@ -43,6 +43,7 @@ import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPoliciesUtil;
import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory;
import org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutorFactory;
import org.keycloak.services.clientpolicy.executor.PKCEEnforcerExecutorFactory;
import org.keycloak.services.clientpolicy.executor.SecureClientAuthenticatorExecutorFactory;
import org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory;
@ -84,7 +85,7 @@ public class ClientPoliciesLoadUpdateTest extends AbstractClientPoliciesTest {
// Test some executor
assertExpectedExecutors(Arrays.asList(SecureSessionEnforceExecutorFactory.PROVIDER_ID, PKCEEnforcerExecutorFactory.PROVIDER_ID, SecureClientAuthenticatorExecutorFactory.PROVIDER_ID,
SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID), actualProfileRep);
SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID, FullScopeDisabledExecutorFactory.PROVIDER_ID), actualProfileRep);
assertExpectedSecureSessionEnforceExecutor(actualProfileRep);
// Check the "get" request without globals. Assert nothing loaded

View file

@ -85,6 +85,7 @@ import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceHostsCond
import org.keycloak.services.clientpolicy.condition.ClientUpdaterSourceRolesConditionFactory;
import org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory;
import org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory;
import org.keycloak.services.clientpolicy.executor.FullScopeDisabledExecutorFactory;
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforcerExecutorFactory;
import org.keycloak.services.clientpolicy.executor.PKCEEnforcerExecutorFactory;
import org.keycloak.services.clientpolicy.executor.SecureClientAuthenticatorExecutorFactory;
@ -2133,6 +2134,84 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
}
}
@Test
public void testFullScopeDisabledExecutor() throws Exception {
// register profiles - client autoConfigured to disable fullScopeAllowed
String json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile")
.addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(true))
.toRepresentation()
).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy(
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE)
.addCondition(AnyClientConditionFactory.PROVIDER_ID,
createAnyClientConditionConfig())
.addProfile(PROFILE_NAME)
.toRepresentation()
).toString();
updatePolicies(json);
// Client will be auto-configured to disable fullScopeAllowed
String clientId = generateSuffixedName("aaa-app");
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setImplicitFlowEnabled(Boolean.FALSE);
clientRep.setFullScopeAllowed(Boolean.TRUE);
});
ClientRepresentation clientRep = getClientByAdmin(cid);
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
// Client cannot be updated to disable fullScopeAllowed
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
cRep.setFullScopeAllowed(Boolean.TRUE);
});
clientRep = getClientByAdmin(cid);
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
// Switch auto-configure to false. Auto-configuration won't happen, but validation will still be here, so should not be possible to enable fullScopeAllowed
json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile")
.addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(false))
.toRepresentation()
).toString();
updateProfiles(json);
// Not possible to register client with fullScopeAllowed due the validation
try {
createClientByAdmin(clientId, (ClientRepresentation clientRep2) -> {
clientRep2.setFullScopeAllowed(Boolean.TRUE);
});
fail();
} catch (ClientPolicyException cpe) {
assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
}
// Not possible to update existing client to fullScopeAllowed due the validation
try {
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
cRep.setFullScopeAllowed(Boolean.TRUE);
});
fail();
} catch (ClientPolicyException cpe) {
assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
}
clientRep = getClientByAdmin(cid);
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
try {
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
cRep.setImplicitFlowEnabled(Boolean.TRUE);
});
clientRep = getClientByAdmin(cid);
assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
} catch (ClientPolicyException cpe) {
fail();
}
}
private void checkMtlsFlow() throws IOException {
// Check login.
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);

View file

@ -216,6 +216,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
});
ClientRepresentation client = getClientByAdmin(clientUUID);
Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
Assert.assertFalse(client.isFullScopeAllowed());
// Set new initialToken for register new clients
setInitialAccessTokenForDynamicClientRegistration();
@ -289,6 +290,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
ClientRepresentation client = getClientByAdmin(clientUUID);
Assert.assertFalse(client.isPublicClient());
Assert.assertEquals(JWTClientSecretAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
Assert.assertFalse(client.isFullScopeAllowed());
checkPKCEWithS256RequiredDuringLogin("foo");
@ -395,12 +397,13 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
client = getClientByAdmin(clientUUID);
Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
// Check the Consent is enabled, Holder-of-key is enabled and default signature algorithm
// Check the Consent is enabled, Holder-of-key is enabled, fullScopeAllowed disabled and default signature algorithm.
Assert.assertTrue(client.isConsentRequired());
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
Assert.assertTrue(clientConfig.isUseMtlsHokToken());
Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
Assert.assertFalse(client.isFullScopeAllowed());
}