From 213b685b43203a718448e86639234ee0fd41d18e Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Mon, 21 Jul 2014 13:50:27 +0100 Subject: [PATCH] KEYCLOAK-569 Check application roles for scope --- .../models/cache/ApplicationAdapter.java | 14 ++++++++++++++ .../keycloak/models/jpa/ApplicationAdapter.java | 14 ++++++++++++++ .../keycloak/adapters/ApplicationAdapter.java | 15 +++++++++++++++ .../testsuite/composites/CompositeRoleTest.java | 17 +++++++++++++++-- 4 files changed, 58 insertions(+), 2 deletions(-) diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ApplicationAdapter.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ApplicationAdapter.java index 65480b5007..58fecaf633 100755 --- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ApplicationAdapter.java +++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ApplicationAdapter.java @@ -184,6 +184,20 @@ public class ApplicationAdapter extends ClientAdapter implements ApplicationMode return roles; } + @Override + public boolean hasScope(RoleModel role) { + if (super.hasScope(role)) { + return true; + } + Set roles = getRoles(); + if (roles.contains(role)) return true; + + for (RoleModel mapping : roles) { + if (mapping.hasRole(role)) return true; + } + return false; + } + @Override public boolean equals(Object o) { if (this == o) return true; diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java index 966e6c9bea..1874912d77 100755 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java 
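Review bot: The new `hasScope` override widens an authorization decision without any comment saying so. On top of whatever `super.hasScope(role)` accepts (presumably the explicit scope mappings), the application now has scope on every role returned by `getRoles()` and on any role those contain through `mapping.hasRole(role)`. Add a Javadoc that states the rule, e.g. `/** An application always has scope on its own roles and on roles reachable through their composites, in addition to what ClientAdapter.hasScope grants. */`. The identical body is added to the jpa and mongo adapters, so the same comment applies there; three hand-maintained copies of an access-control rule can drift apart, and a single shared helper would be safer. The class body starts and ends outside the hunk.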
@@ -166,6 +166,20 @@ public class ApplicationAdapter extends ClientAdapter implements ApplicationMode return list; } + @Override + public boolean hasScope(RoleModel role) { + if (super.hasScope(role)) { + return true; + } + Set roles = getRoles(); + if (roles.contains(role)) return true; + + for (RoleModel mapping : roles) { + if (mapping.hasRole(role)) return true; + } + return false; + } + @Override public Set getApplicationScopeMappings(ClientModel client) { Set roleMappings = client.getScopeMappings(); diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java index 606ebd3a75..3171e0aca9 100755 --- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java +++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java @@ -160,6 +160,20 @@ public class ApplicationAdapter extends ClientAdapter im return result; } + @Override + public boolean hasScope(RoleModel role) { + if (super.hasScope(role)) { + return true; + } + Set roles = getRoles(); + if (roles.contains(role)) return true; + + for (RoleModel mapping : roles) { + if (mapping.hasRole(role)) return true; + } + return false; + } + @Override public Set getApplicationScopeMappings(ClientModel client) { Set result = new HashSet(); @@ -204,6 +218,7 @@ public class ApplicationAdapter extends ClientAdapter im updateMongoEntity(); } + @Override public boolean equals(Object o) { if (this == o) return true; diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java index af4967d7d8..a255f46ce7 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java 
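Review bot: The direct-membership test `roles.contains(role)` in the added `hasScope` only works if the `RoleModel` implementations define `equals`/`hashCode` by role identity, which this hunk does not show. If a caller passes a role object from another layer (for example a cache wrapper around the same role), the lookup could miss and the decision would fall to the `hasRole` loop alone. That fails closed, but it makes the outcome of a scope check depend on which adapter type the caller happens to hold. Confirm the contract, or compare ids explicitly inside the loop, e.g. `if (mapping.getId().equals(role.getId())) return true;`. The same applies to the cache and mongo copies of the method.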
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java @@ -184,6 +184,9 @@ public class CompositeRoleTest { Assert.assertEquals(1, token.getRealmAccess().getRoles().size()); Assert.assertTrue(token.getResourceAccess("APP_ROLE_APPLICATION").isUserInRole("APP_ROLE_1")); Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1")); + + AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password"); + Assert.assertEquals(200, refreshResponse.getStatusCode()); } @@ -207,10 +210,11 @@ public class CompositeRoleTest { Assert.assertEquals(1, token.getResourceAccess("APP_ROLE_APPLICATION").getRoles().size()); Assert.assertTrue(token.getResourceAccess("APP_ROLE_APPLICATION").isUserInRole("APP_ROLE_1")); + + AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password"); + Assert.assertEquals(200, refreshResponse.getStatusCode()); } - - @Test public void testRealmOnlyWithUserCompositeAppComposite() throws Exception { oauth.realm("Test"); @@ -232,6 +236,9 @@ public class CompositeRoleTest { Assert.assertEquals(2, token.getRealmAccess().getRoles().size()); Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_COMPOSITE_1")); Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1")); + + AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password"); + Assert.assertEquals(200, refreshResponse.getStatusCode()); } @Test @@ -254,6 +261,9 @@ public class CompositeRoleTest { Assert.assertEquals(1, token.getRealmAccess().getRoles().size()); Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1")); + + AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password"); + Assert.assertEquals(200, refreshResponse.getStatusCode()); } @Test 
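Review bot: The added refresh check asserts only that `refreshResponse.getStatusCode()` is 200, here and in the four other test methods that receive the same two lines. It never inspects the refreshed access token, so a refresh that succeeds but returns a different role set would still pass. After the status assertion, verify the refreshed token and repeat the role-count and `isUserInRole` assertions already made on the original token. Because the commit widens `hasScope`, a negative case is also worth adding: a role that is neither one of the application's own roles nor in its scope mappings should still be rejected or dropped on refresh. The test methods start outside these hunks.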
@@ -276,6 +286,9 @@ public class CompositeRoleTest { Assert.assertEquals(1, token.getRealmAccess().getRoles().size()); Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1")); + + AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password"); + Assert.assertEquals(200, refreshResponse.getStatusCode()); } }