Add validation for role and time policies
Closes #28978 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
parent
1d38fa88cd
commit
8581886944
5 changed files with 71 additions and 8 deletions
|
@ -51,6 +51,11 @@
|
|||
<artifactId>keycloak-server-spi-private</artifactId>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>io.quarkus.resteasy.reactive</groupId>
|
||||
<artifactId>resteasy-reactive-common</artifactId>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.jboss.logging</groupId>
|
||||
<artifactId>jboss-logging</artifactId>
|
||||
|
|
|
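Review bot: The new dependency on `io.quarkus.resteasy.reactive:resteasy-reactive-common` ties this module to a Quarkus-specific artifact, while the only new REST type the commit introduces is `jakarta.ws.rs.BadRequestException`, which lives in the Jakarta REST API. If that is the sole reason for the dependency, `jakarta.ws.rs:jakarta.ws.rs-api` with scope `provided` would be the narrower choice and would keep the policy provider module usable outside the Quarkus distribution; the file path of this hunk is not visible, so I can't confirm which module is affected. Either way a one-line comment on the dependency would help the next reader, e.g. `<!-- needed for jakarta.ws.rs.BadRequestException used by PolicyValidationException -->`.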
@ -22,6 +22,7 @@ import org.keycloak.authorization.AuthorizationProvider;
|
|||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProvider;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
|
||||
import org.keycloak.authorization.policy.provider.util.PolicyValidationException;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
|
@ -150,7 +151,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
|
|||
|
||||
private void updateRoles(Policy policy, AuthorizationProvider authorization, Set<RolePolicyRepresentation.RoleDefinition> roles) {
|
||||
Set<RolePolicyRepresentation.RoleDefinition> updatedRoles = new HashSet<>();
|
||||
|
||||
Set<String> processedRoles = new HashSet<>();
|
||||
if (roles != null) {
|
||||
RealmModel realm = authorization.getRealm();
|
||||
for (RolePolicyRepresentation.RoleDefinition definition : roles) {
|
||||
|
@ -159,8 +160,10 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
|
|||
continue;
|
||||
}
|
||||
|
||||
if (!processedRoles.add(role.getId())) {
|
||||
throw new PolicyValidationException("Role can't be specified multiple times - " + role.getName());
|
||||
}
|
||||
definition.setId(role.getId());
|
||||
|
||||
updatedRoles.add(definition);
|
||||
}
|
||||
}
|
||||
|
|
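Review bot: `updateRoles` has no documentation of its new contract: a role listed twice now aborts the update with a `PolicyValidationException` (an HTTP 400 via `BadRequestException`), whereas before — if `RoleDefinition` equality is id-based — duplicates were presumably collapsed silently by the `updatedRoles` set. A short Javadoc would make that explicit, e.g. `/** Resolves the given role definitions against the realm, stamps each with its role id, and rejects a role listed more than once with a PolicyValidationException (HTTP 400). */`. The lookup that produces `role` and the `continue` branch at the top of the second hunk are outside the visible lines, so I can't tell whether unresolved roles are still skipped silently rather than rejected; given the commit's stated goal of validating role policies, that branch deserves the same treatment. The method body continues beyond the hunk.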
|
@ -1,6 +1,23 @@
|
|||
/*
|
||||
* Copyright 2024 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.authorization.policy.provider.time;
|
||||
|
||||
import java.text.SimpleDateFormat;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
|
@ -9,6 +26,7 @@ import org.keycloak.authorization.AuthorizationProvider;
|
|||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProvider;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
|
||||
import org.keycloak.authorization.policy.provider.util.PolicyValidationException;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
|
@ -116,8 +134,7 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory<TimePoli
|
|||
String noa = representation.getNotOnOrAfter();
|
||||
|
||||
if (nbf != null && noa != null) {
|
||||
validateFormat(nbf);
|
||||
validateFormat(noa);
|
||||
validateFormat(nbf, noa);
|
||||
}
|
||||
|
||||
Map<String, String> config = new HashMap(policy.getConfig());
|
||||
|
@ -143,11 +160,20 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory<TimePoli
|
|||
policy.setConfig(config);
|
||||
}
|
||||
|
||||
private void validateFormat(String date) {
|
||||
private void validateFormat(String notBefore, String notOnOrAfter) {
|
||||
Date nbf, noa;
|
||||
try {
|
||||
new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
|
||||
nbf = new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(notBefore));
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Could not parse a date using format [" + date + "]");
|
||||
throw new PolicyValidationException("Unable not parse a date using format [" + notBefore + "]");
|
||||
}
|
||||
try {
|
||||
noa = new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(notOnOrAfter));
|
||||
} catch (Exception e) {
|
||||
throw new PolicyValidationException("Unable not parse a date using format [" + notOnOrAfter + "]");
|
||||
}
|
||||
if (noa.before(nbf)) {
|
||||
throw new PolicyValidationException("Expire time can't be set to a date before start time");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
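Review bot: Both new error messages in `validateFormat(String, String)` read `Unable not parse a date using format [...]`, a typo that presumably reaches the admin as the 400 response text; use `throw new PolicyValidationException("Unable to parse a date using format [" + notBefore + "]");` and the same wording for `notOnOrAfter`. The caller still gates validation on `nbf != null && noa != null`, so a policy with only one bound set skips format checking entirely — a gap this commit's validation leaves open; validating each non-null bound on its own and running the ordering check only when both are present would close it. `noa.before(nbf)` also accepts `noa` equal to `nbf`, which yields a window that can never match (`notBefore` X and `notOnOrAfter` X), so `!noa.after(nbf)` may be the intended test — worth confirming against the evaluator. The `catch (Exception e)` blocks drop the cause because `PolicyValidationException` only has a message constructor; `BadRequestException` offers `(String, Throwable)`, so adding that constructor and passing `e` would keep the parse error available for logs.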
|
@ -0,0 +1,29 @@
|
|||
/*
|
||||
* Copyright 2024 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.authorization.policy.provider.util;
|
||||
|
||||
import jakarta.ws.rs.BadRequestException;
|
||||
|
||||
/**
|
||||
* Exception that is thrown when validation errors are found when creating/updating policies.
|
||||
*/
|
||||
public class PolicyValidationException extends BadRequestException {
|
||||
|
||||
public PolicyValidationException(String message) {
|
||||
super(message);
|
||||
}
|
||||
}
|
|
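Review bot: `PolicyValidationException` only offers a `(String message)` constructor, so callers that catch a parse or lookup failure (as `TimePolicyProviderFactory.validateFormat` does in this commit) have to drop the original cause; `BadRequestException` already provides `(String message, Throwable cause)`, so add `public PolicyValidationException(String message, Throwable cause) { super(message, cause); }`. Extending `jakarta.ws.rs.BadRequestException` also means a provider-layer validation error is now a JAX-RS exception whose message presumably ends up in the 400 response, so the Javadoc should say the message is user-visible and must not carry internal details, e.g. `* The message is returned to the caller with HTTP 400, so it must be safe to show to the requesting admin.`. Whether the message is actually rendered into the response body depends on Keycloak's exception mapping, which is not visible here.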
@ -2085,7 +2085,7 @@ ldapGeneralOptionsSettingsDescription=This section contains a few basic options
|
|||
importSkipped_one=One record skipped.
|
||||
eventTypes.OAUTH2_DEVICE_AUTH.description=OAuth2 device authentication
|
||||
notBeforeClearedSuccess=Success\! "Not Before" cleared for realm.
|
||||
policySaveError=Could not update the policy due to {{error}}
|
||||
policySaveError=Could not update the policy: {{error}}
|
||||
experimental=Experimental
|
||||
idTokenSignatureAlgorithmHelp=JWA algorithm used for signing ID tokens.
|
||||
deleteResourceConfirm=If you delete this resource, some permissions will be affected.
|
||||
|
|