[KEYCLOAK-7028] - Propagating AuthorizationContext when enforcement-mode is disable for a path
This commit is contained in:
parent
8fe10b3331
commit
5c52da80c6
7 changed files with 78 additions and 24 deletions
|
@ -95,7 +95,7 @@ public abstract class AbstractPolicyEnforcer {
|
|||
}
|
||||
|
||||
if (EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
|
||||
return createEmptyAuthorizationContext(true);
|
||||
return createAuthorizationContext(accessToken, pathConfig);
|
||||
}
|
||||
|
||||
MethodConfig methodConfig = getRequiredScopes(pathConfig, request);
|
||||
|
|
|
@ -137,7 +137,11 @@ public class PolicyEnforcer {
|
|||
|
||||
if (loadPathsFromServer) {
|
||||
LOGGER.info("No path provided in configuration.");
|
||||
return configureAllPathsForResourceServer(protectedResource);
|
||||
Map<String, PathConfig> paths = configureAllPathsForResourceServer(protectedResource);
|
||||
|
||||
paths.putAll(configureDefinedPaths(protectedResource, enforcerConfig));
|
||||
|
||||
return paths;
|
||||
} else {
|
||||
LOGGER.info("Paths provided in configuration.");
|
||||
return configureDefinedPaths(protectedResource, enforcerConfig);
|
||||
|
|
|
@ -10,6 +10,14 @@
|
|||
},
|
||||
"policy-enforcer": {
|
||||
"on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp",
|
||||
"lazy-load-paths": true
|
||||
"lazy-load-paths": true,
|
||||
"paths": [
|
||||
{
|
||||
"name": "Premium Resource",
|
||||
"path": "/protected/premium/pep-disabled.jsp",
|
||||
"enforcement-mode": "DISABLED"
|
||||
}
|
||||
]
|
||||
|
||||
}
|
||||
}
|
|
@ -14,6 +14,7 @@
|
|||
|
||||
<p><a href="protected/dynamicMenu.jsp">Dynamic Menu</a></p>
|
||||
<p><a href="protected/premium/onlyPremium.jsp">User Premium</a></p>
|
||||
<p><a href="protected/premium/pep-disabled.jsp">PEP Disabled</a></p>
|
||||
<p><a href="protected/admin/onlyAdmin.jsp">Administration</a></p>
|
||||
|
||||
<h3>Your permissions are:</h3>
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
<%@page import="org.keycloak.AuthorizationContext" %>
|
||||
<%@ page import="org.keycloak.KeycloakSecurityContext" %>
|
||||
|
||||
<%
|
||||
KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
|
||||
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
|
||||
%>
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<h2>Policy enforcement is disabled. Access granted: <%= authzContext.isGranted() %></h2>
|
||||
<%@include file="../../logout-include.jsp"%>
|
||||
|
||||
<p>Here is a dynamic menu built from the permissions returned by the server:</p>
|
||||
|
||||
<ul>
|
||||
<%
|
||||
if (authzContext.hasResourcePermission("Protected Resource")) {
|
||||
%>
|
||||
<li>
|
||||
Do user thing
|
||||
</li>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
|
||||
<%
|
||||
if (authzContext.hasResourcePermission("Premium Resource")) {
|
||||
%>
|
||||
<li>
|
||||
Do user premium thing
|
||||
</li>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
|
||||
<%
|
||||
if (authzContext.hasPermission("Admin Resource", "urn:servlet-authz:protected:admin:access")) {
|
||||
%>
|
||||
<li>
|
||||
Do administration thing
|
||||
</li>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
</ul>
|
||||
</body>
|
||||
</html>
|
|
@ -93,7 +93,7 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
|
|||
return this.driver.getPageSource().contains(text);
|
||||
}
|
||||
|
||||
private WebElement getLink(String text) {
|
||||
protected WebElement getLink(String text) {
|
||||
return this.driver.findElement(By.xpath("//a[text() = '" + text + "']"));
|
||||
}
|
||||
|
||||
|
@ -137,7 +137,7 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
|
|||
}
|
||||
}
|
||||
|
||||
private void navigateTo() {
|
||||
protected void navigateTo() {
|
||||
this.driver.navigate().to(getResourceServerUrl());
|
||||
WaitUtils.waitUntilElement(By.xpath("//a[text() = 'Dynamic Menu']"));
|
||||
}
|
||||
|
|
|
@ -17,32 +17,13 @@
|
|||
package org.keycloak.testsuite.adapter.example.authorization;
|
||||
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import javax.ws.rs.core.Response;
|
||||
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.resource.ClientPoliciesResource;
|
||||
import org.keycloak.admin.client.resource.RealmResource;
|
||||
import org.keycloak.admin.client.resource.ResourcesResource;
|
||||
import org.keycloak.admin.client.resource.RolePoliciesResource;
|
||||
import org.keycloak.admin.client.resource.RoleScopeResource;
|
||||
import org.keycloak.admin.client.resource.RolesResource;
|
||||
import org.keycloak.admin.client.resource.UserResource;
|
||||
import org.keycloak.admin.client.resource.UsersResource;
|
||||
import org.keycloak.representations.idm.RoleRepresentation;
|
||||
import org.keycloak.representations.idm.UserRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ClientPolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
|
||||
import org.keycloak.testsuite.util.WaitUtils;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
|
@ -55,4 +36,16 @@ public abstract class AbstractServletAuthzLazyLoadPathsAdapterTest extends Abstr
|
|||
.addAsWebInfResource(new File(TEST_APPS_HOME_DIR + "/servlet-authz-app/keycloak-lazy-load-authz-service.json"), "keycloak.json");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testPathPEPDisabled() {
|
||||
performTests(() -> {
|
||||
login("alice", "alice");
|
||||
assertFalse(wasDenied());
|
||||
|
||||
navigateTo();
|
||||
getLink("PEP Disabled").click();
|
||||
|
||||
hasText("Policy enforcement is disabled. Access granted: true");
|
||||
});
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue