Add validation for role and time policies

Closes #28978

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
This commit is contained in:
Stefan Guilhen 2024-10-18 12:49:10 -03:00 committed by Pedro Igor
parent 1d38fa88cd
commit 8581886944
5 changed files with 71 additions and 8 deletions

View file

@ -51,6 +51,11 @@
<artifactId>keycloak-server-spi-private</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>io.quarkus.resteasy.reactive</groupId>
<artifactId>resteasy-reactive-common</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.jboss.logging</groupId>
<artifactId>jboss-logging</artifactId>

View file

@ -22,6 +22,7 @@ import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.policy.provider.util.PolicyValidationException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
@ -150,7 +151,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
private void updateRoles(Policy policy, AuthorizationProvider authorization, Set<RolePolicyRepresentation.RoleDefinition> roles) {
Set<RolePolicyRepresentation.RoleDefinition> updatedRoles = new HashSet<>();
Set<String> processedRoles = new HashSet<>();
if (roles != null) {
RealmModel realm = authorization.getRealm();
for (RolePolicyRepresentation.RoleDefinition definition : roles) {
@ -159,8 +160,10 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
continue;
}
if (!processedRoles.add(role.getId())) {
throw new PolicyValidationException("Role can't be specified multiple times - " + role.getName());
}
definition.setId(role.getId());
updatedRoles.add(definition);
}
}

View file

@ -1,6 +1,23 @@
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.policy.provider.time;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
@ -9,6 +26,7 @@ import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.policy.provider.util.PolicyValidationException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
@ -116,8 +134,7 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory<TimePoli
String noa = representation.getNotOnOrAfter();
if (nbf != null && noa != null) {
validateFormat(nbf);
validateFormat(noa);
validateFormat(nbf, noa);
}
Map<String, String> config = new HashMap(policy.getConfig());
@ -143,11 +160,20 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory<TimePoli
policy.setConfig(config);
}
private void validateFormat(String date) {
private void validateFormat(String notBefore, String notOnOrAfter) {
Date nbf, noa;
try {
new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
nbf = new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(notBefore));
} catch (Exception e) {
throw new RuntimeException("Could not parse a date using format [" + date + "]");
throw new PolicyValidationException("Unable not parse a date using format [" + notBefore + "]");
}
try {
noa = new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(notOnOrAfter));
} catch (Exception e) {
throw new PolicyValidationException("Unable not parse a date using format [" + notOnOrAfter + "]");
}
if (noa.before(nbf)) {
throw new PolicyValidationException("Expire time can't be set to a date before start time");
}
}
}

View file

@ -0,0 +1,29 @@
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.policy.provider.util;
import jakarta.ws.rs.BadRequestException;
/**
* Exception that is thrown when validation errors are found when creating/updating policies.
*/
public class PolicyValidationException extends BadRequestException {
public PolicyValidationException(String message) {
super(message);
}
}

View file

@ -2085,7 +2085,7 @@ ldapGeneralOptionsSettingsDescription=This section contains a few basic options
importSkipped_one=One record skipped.
eventTypes.OAUTH2_DEVICE_AUTH.description=OAuth2 device authentication
notBeforeClearedSuccess=Success\! "Not Before" cleared for realm.
policySaveError=Could not update the policy due to {{error}}
policySaveError=Could not update the policy: {{error}}
experimental=Experimental
idTokenSignatureAlgorithmHelp=JWA algorithm used for signing ID tokens.
deleteResourceConfirm=If you delete this resource, some permissions will be affected.