libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-17764 Remove all clients querying fallback (#8077)

Browse source
This commit is contained in:
Michal Hajas 2021-05-26 13:18:58 +02:00 committed by GitHub
parent 1ab0d585a9
commit 5c71c3d97f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 17 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
View file

@ -173,13 +173,6 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
role = client.getRole(roleName); role = client.getRole(roleName);
} }
// fallback to find any client role with the given name
if (role == null) {
String finalRoleName = roleName;
role = realm.getClientsStream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
.findFirst().orElse(null);
}
if (role == null) { if (role == null) {
throw new RuntimeException("Error while updating policy [" + policy.getName() + "]. Role [" + roleName + "] could not be found."); throw new RuntimeException("Error while updating policy [" + policy.getName() + "]. Role [" + roleName + "] could not be found.");
} }

2
testsuite/integration-arquillian/test-apps/photoz/photoz-restful-api-authz-service.json
View file

@ -81,7 +81,7 @@
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"applyPolicies": "[]", "applyPolicies": "[]",
"roles": "[{\"id\":\"user\"},{\"id\":\"manage-albums\",\"required\":true}]" "roles": "[{\"id\":\"user\"},{\"id\":\"photoz-restful-api/manage-albums\",\"required\":true}]"
} }
}, },
{ {

6
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java
View file

@ -222,7 +222,7 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractBaseServle
policy.setName("Required Role Policy"); policy.setName("Required Role Policy");
policy.addRole("user_premium", false); policy.addRole("user_premium", false);
policy.addRole("required-role", false); policy.addRole(RESOURCE_SERVER_ID + "/required-role", false);
RolePoliciesResource rolePolicy = getAuthorizationResource().policies().role(); RolePoliciesResource rolePolicy = getAuthorizationResource().policies().role();
@ -237,7 +237,7 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractBaseServle
policy.getRoles().clear(); policy.getRoles().clear();
policy.addRole("user_premium", false); policy.addRole("user_premium", false);
policy.addRole("required-role", true); policy.addRole(RESOURCE_SERVER_ID + "/required-role", true);
rolePolicy.findById(policy.getId()).update(policy); rolePolicy.findById(policy.getId()).update(policy);
@ -258,7 +258,7 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractBaseServle
policy.getRoles().clear(); policy.getRoles().clear();
policy.addRole("user_premium", false); policy.addRole("user_premium", false);
policy.addRole("required-role", false); policy.addRole(RESOURCE_SERVER_ID + "/required-role", false);
rolePolicy.findById(policy.getId()).update(policy); rolePolicy.findById(policy.getId()).update(policy);

4
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
View file

@ -74,8 +74,8 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class); AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
ClientModel myclient = realm.getClientByClientId("myclient"); ClientModel myclient = realm.getClientByClientId("myclient");
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findById(myclient.getId()); ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findById(myclient.getId());
createRolePolicy(authz, resourceServer, "client-role-1"); createRolePolicy(authz, resourceServer, myclient.getClientId() + "/client-role-1");
createRolePolicy(authz, resourceServer, "client-role-2"); createRolePolicy(authz, resourceServer, myclient.getClientId() + "/client-role-2");
} }
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, String roleName) { private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, String roleName) {

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
View file

@ -92,7 +92,7 @@ public class RolePolicyManagementTest extends AbstractPolicyManagementTest {
roles.create(new RoleRepresentation("Client Role B", "desc", false)); roles.create(new RoleRepresentation("Client Role B", "desc", false));
representation.addRole("Client Role A"); representation.addRole("resource-server-test/Client Role A");
representation.addClientRole(clientRep.getClientId(), "Client Role B", true); representation.addClientRole(clientRep.getClientId(), "Client Role B", true);
assertCreated(authorization, representation); assertCreated(authorization, representation);

10
testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/acme-resource-server-cleanup-test.json
View file

@ -56,7 +56,7 @@
"logic": "POSITIVE", "logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"roles": "[{\"id\":\"Acme administrator\",\"required\":true}]" "roles": "[{\"id\":\"myclient/Acme administrator\",\"required\":true}]"
} }
}, },
{ {
@ -65,7 +65,7 @@
"logic": "POSITIVE", "logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"roles": "[{\"id\":\"Acme viewer\",\"required\":true}]" "roles": "[{\"id\":\"myclient/Acme viewer\",\"required\":true}]"
} }
}, },
{ {
@ -74,7 +74,7 @@
"logic": "POSITIVE", "logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"roles": "[{\"id\":\"tenant user\",\"required\":true}]" "roles": "[{\"id\":\"myclient/tenant user\",\"required\":true}]"
} }
}, },
{ {
@ -83,7 +83,7 @@
"logic": "POSITIVE", "logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"roles": "[{\"id\":\"tenant administrator\",\"required\":true}]" "roles": "[{\"id\":\"myclient/tenant administrator\",\"required\":true}]"
} }
}, },
{ {
@ -92,7 +92,7 @@
"logic": "POSITIVE", "logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"roles": "[{\"id\":\"tenant viewer\",\"required\":true}]" "roles": "[{\"id\":\"myclient/tenant viewer\",\"required\":true}]"
} }
}, },
{ {

4
testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/import-authorization-unordered-settings.json
View file

@ -68,7 +68,7 @@
"logic": "POSITIVE", "logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"roles": "[{\"id\":\"user\"},{\"id\":\"manage-albums\",\"required\":true}]" "roles": "[{\"id\":\"user\"},{\"id\":\"resource-server-test/manage-albums\",\"required\":true}]"
} }
}, },
{ {
@ -143,7 +143,7 @@
"logic": "POSITIVE", "logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS", "decisionStrategy": "UNANIMOUS",
"config": { "config": {
"roles": "[{\"id\":\"admin\",\"required\":true}]" "roles": "[{\"id\":\"resource-server-test/admin\",\"required\":true}]"
} }
}, },
{ {