From 5c71c3d97ff4dc94b64d53f6ee63b04c9cd919aa Mon Sep 17 00:00:00 2001 From: Michal Hajas Date: Wed, 26 May 2021 13:18:58 +0200 Subject: [PATCH] KEYCLOAK-17764 Remove all clients querying fallback (#8077) --- .../provider/role/RolePolicyProviderFactory.java | 7 ------- .../photoz/photoz-restful-api-authz-service.json | 4 ++-- .../AbstractServletAuthzAdapterTest.java | 6 +++--- .../keycloak/testsuite/admin/AuthzCleanupTest.java | 4 ++-- .../authorization/RolePolicyManagementTest.java | 2 +- .../acme-resource-server-cleanup-test.json | 12 ++++++------ .../import-authorization-unordered-settings.json | 6 +++--- 7 files changed, 17 insertions(+), 24 deletions(-) diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java index ff22c5a574..b7ad3158fe 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java @@ -173,13 +173,6 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null) - .findFirst().orElse(null); - } - if (role == null) { throw new RuntimeException("Error while updating policy [" + policy.getName() + "]. Role [" + roleName + "] could not be found."); } diff --git a/testsuite/integration-arquillian/test-apps/photoz/photoz-restful-api-authz-service.json b/testsuite/integration-arquillian/test-apps/photoz/photoz-restful-api-authz-service.json index 7453506ec1..da634bf87c 100644 --- a/testsuite/integration-arquillian/test-apps/photoz/photoz-restful-api-authz-service.json +++ b/testsuite/integration-arquillian/test-apps/photoz/photoz-restful-api-authz-service.json 
@@ -81,7 +81,7 @@
 "decisionStrategy": "UNANIMOUS",
 "config": {
 "applyPolicies": "[]",
- "roles": "[{\"id\":\"user\"},{\"id\":\"manage-albums\",\"required\":true}]"
+ "roles": "[{\"id\":\"user\"},{\"id\":\"photoz-restful-api/manage-albums\",\"required\":true}]"
 }
 },
 {
@@ -232,4 +232,4 @@
 "name": "admin:manage"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java
index 9953dce1d9..73e10e331e 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java
@@ -222,7 +222,7 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractBaseServle
 policy.setName("Required Role Policy");
 policy.addRole("user_premium", false);
- policy.addRole("required-role", false);
+ policy.addRole(RESOURCE_SERVER_ID + "/required-role", false);
 RolePoliciesResource rolePolicy = getAuthorizationResource().policies().role();
@@ -237,7 +237,7 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractBaseServle
 policy.getRoles().clear();
 policy.addRole("user_premium", false);
- policy.addRole("required-role", true);
+ policy.addRole(RESOURCE_SERVER_ID + "/required-role", true);
 rolePolicy.findById(policy.getId()).update(policy);
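Review bot: The qualified name is now assembled by hand at three call sites, here in `policy.addRole(RESOURCE_SERVER_ID + "/required-role", false);` and again in the hunks at lines 237 and 258, while the neighbouring `user_premium` entry stays unqualified with no explanation. A one-line comment such as `// client roles must be referenced as clientId/roleName; user_premium is a realm role` would make the difference readable, assuming user_premium is indeed a realm role. Hoisting the string into one constant, for example `private static final String REQUIRED_ROLE = RESOURCE_SERVER_ID + "/required-role";` (if RESOURCE_SERVER_ID is a static field), would keep the three sites from drifting apart. The enclosing test methods start and end outside these hunks.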
@@ -258,7 +258,7 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractBaseServle
 policy.getRoles().clear();
 policy.addRole("user_premium", false);
- policy.addRole("required-role", false);
+ policy.addRole(RESOURCE_SERVER_ID + "/required-role", false);
 rolePolicy.findById(policy.getId()).update(policy);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
index a09a0aa331..48889deb9b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
@@ -74,8 +74,8 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
 AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
 ClientModel myclient = realm.getClientByClientId("myclient");
 ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findById(myclient.getId());
- createRolePolicy(authz, resourceServer, "client-role-1");
- createRolePolicy(authz, resourceServer, "client-role-2");
+ createRolePolicy(authz, resourceServer, myclient.getClientId() + "/client-role-1");
+ createRolePolicy(authz, resourceServer, myclient.getClientId() + "/client-role-2");
 }
 private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, String roleName) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
index a5e03e4cb4..db9cd7ade3 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
@@ -92,7 +92,7 @@ public class RolePolicyManagementTest extends AbstractPolicyManagementTest {
 roles.create(new RoleRepresentation("Client Role B", "desc", false));
- representation.addRole("Client Role A");
+ representation.addRole("resource-server-test/Client Role A");
 representation.addClientRole(clientRep.getClientId(), "Client Role B", true);
 assertCreated(authorization, representation);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/acme-resource-server-cleanup-test.json b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/acme-resource-server-cleanup-test.json
index 902e861605..841dbcff44 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/acme-resource-server-cleanup-test.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/acme-resource-server-cleanup-test.json
@@ -56,7 +56,7 @@
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "roles": "[{\"id\":\"Acme administrator\",\"required\":true}]"
+ "roles": "[{\"id\":\"myclient/Acme administrator\",\"required\":true}]"
 }
 },
 {
@@ -65,7 +65,7 @@
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "roles": "[{\"id\":\"Acme viewer\",\"required\":true}]"
+ "roles": "[{\"id\":\"myclient/Acme viewer\",\"required\":true}]"
 }
 },
 {
@@ -74,7 +74,7 @@
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "roles": "[{\"id\":\"tenant user\",\"required\":true}]"
+ "roles": "[{\"id\":\"myclient/tenant user\",\"required\":true}]"
 }
 },
 {
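Review bot: Nothing in RolePolicyManagementTest pins the behaviour the production change introduces, because the updated line `representation.addRole("resource-server-test/Client Role A");` exercises only the qualified form, so a bare name resolving to a client role again would go unnoticed. Judging by the commit subject and the removed `.findFirst()` chain, the old fallback took the first client in the realm that had a role of that name, which means a regression could attach a policy to a same-named role of an unrelated client. A negative case next to this one, building a representation with `addRole("Client Role A")` and asserting that creation is refused, would guard against that. The literal prefix could also be written `clientRep.getClientId() + "/Client Role A"` to match the following line, if clientRep is the resource-server-test client. The test method starts and ends outside the hunk.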
@@ -83,7 +83,7 @@
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "roles": "[{\"id\":\"tenant administrator\",\"required\":true}]"
+ "roles": "[{\"id\":\"myclient/tenant administrator\",\"required\":true}]"
 }
 },
 {
@@ -92,7 +92,7 @@
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "roles": "[{\"id\":\"tenant viewer\",\"required\":true}]"
+ "roles": "[{\"id\":\"myclient/tenant viewer\",\"required\":true}]"
 }
 },
 {
@@ -188,4 +188,4 @@
 "name": "urn:acme.com:scopes:userprofile:manage"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/import-authorization-unordered-settings.json b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/import-authorization-unordered-settings.json
index 61dcbe2be7..004881c06a 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/import-authorization-unordered-settings.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/import-authorization-unordered-settings.json
@@ -68,7 +68,7 @@
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "roles": "[{\"id\":\"user\"},{\"id\":\"manage-albums\",\"required\":true}]"
+ "roles": "[{\"id\":\"user\"},{\"id\":\"resource-server-test/manage-albums\",\"required\":true}]"
 }
 },
 {
@@ -143,7 +143,7 @@
 "logic": "POSITIVE",
 "decisionStrategy": "UNANIMOUS",
 "config": {
- "roles": "[{\"id\":\"admin\",\"required\":true}]"
+ "roles": "[{\"id\":\"resource-server-test/admin\",\"required\":true}]"
 }
 },
 {
@@ -188,4 +188,4 @@
 "name": "urn:photoz.com:scopes:album:admin:manage"
 }
 ]
-}
\ No newline at end of file
+}