Return 404 when invoking authorization endpoints in case authz settings are disabled

Closes #10151
2022-08-11 17:52:33 -03:00 · 2022-08-11 17:52:33 -03:00 · 841c65d24f
commit 841c65d24f
parent 26de05fa44
3 changed files with 41 additions and 5 deletions
--- a/services/src/main/java/org/keycloak/authorization/admin/AuthorizationService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/AuthorizationService.java
@ -18,6 +18,7 @@

 package org.keycloak.authorization.admin;

+import javax.ws.rs.NotFoundException;
 import javax.ws.rs.Path;

 import org.jboss.resteasy.spi.ResteasyProviderFactory;
@ -48,7 +49,15 @@ public class AuthorizationService {
    }

    @Path("/resource-server")
-    public ResourceServerService resourceServer() {
+    public Object resourceServer() {
+        if (resourceServer == null) {
+            throw new NotFoundException();
+        }
+
+        return getResourceServerService();
+    }
+
+    public ResourceServerService getResourceServerService() {
        ResourceServerService resource = new ResourceServerService(this.authorization, this.resourceServer, this.client, this.auth, adminEvent);

        ResteasyProviderFactory.getInstance().injectProperties(resource);
@ -57,12 +66,12 @@ public class AuthorizationService {
    }

    public void enable(boolean newClient) {
-        this.resourceServer = resourceServer().create(newClient);
+        this.resourceServer = getResourceServerService().create(newClient);
    }

    public void disable() {
        if (isEnabled()) {
-            resourceServer().delete();
+            getResourceServerService().delete();
        }
    }

--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java
@ -195,7 +195,7 @@ public class ClientsResource {
                ResourceServerRepresentation authorizationSettings = rep.getAuthorizationSettings();

                if (authorizationSettings != null) {
-                    authorizationService.resourceServer().importSettings(authorizationSettings);
+                    authorizationService.getResourceServerService().importSettings(authorizationSettings);
                }
            }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ResourceServerManagementTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ResourceServerManagementTest.java
@ -31,8 +31,9 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;

-
+import javax.ws.rs.NotFoundException;

 /**
 *
@ -69,4 +70,30 @@ public class ResourceServerManagementTest extends AbstractAuthorizationTest {

        assertTrue(clients.isEmpty());
    }
+
+    @Test
+    public void testInvalidRequestWhenCallingAuthzEndpoints() throws Exception {
+        ClientsResource clientsResource = testRealmResource().clients();
+        ClientRepresentation clientRepresentation = JsonSerialization.readValue(
+                getClass().getResourceAsStream("/authorization-test/client-with-authz-settings.json"),
+                ClientRepresentation.class);
+
+        clientRepresentation.setAuthorizationServicesEnabled(false);
+        clientRepresentation.setAuthorizationSettings(null);
+
+        clientsResource.create(clientRepresentation).close();
+
+        List<ClientRepresentation> clients = clientsResource.findByClientId("authz-client");
+
+        assertFalse(clients.isEmpty());
+
+        String clientId = clients.get(0).getId();
+
+        try {
+            clientsResource.get(clientId).authorization().getSettings();
+            fail("Should fail, authorization not enabled");
+        } catch (NotFoundException nfe) {
+            // expected
+        }
+    }
 }