From 9ebbc7673c0017e41f01f3c3a10a5fd61d6d7972 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Thu, 13 May 2021 18:34:26 -0300
Subject: [PATCH] [KEYCLOAK-18111] - Error when processing path without associated resource
---
 .../authorization/PolicyEnforcer.java | 2 +-
 .../authorization/PolicyEnforcerTest.java | 12 ++++++++++++
 .../enforcer-lazyload-with-paths.json | 19 +++++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-lazyload-with-paths.json
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
index 0e8f55af8c..b47247c5fa 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
@@ -287,7 +287,7 @@ public class PolicyEnforcer {
 enforcementMode = pathConfig.getEnforcementMode();
 } else {
 for (PathConfig existingPath : paths.values()) {
- if (existingPath.getId().equals(targetResource.getId())
+ if (targetResource.getId().equals(existingPath.getId())
 && existingPath.isStatic()
 && !PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(existingPath.getEnforcementMode())) {
 return null;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
index a25fa02c20..39e43331b5 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
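Review bot: The null-safety of the id comparison inside the `for (PathConfig existingPath : paths.values())` loop in PolicyEnforcer.java now rests only on operand order, and nothing in the code says why. A configured path with no associated resource apparently has a null id (the `/disabled` entry in the new test config looks like such a path), so a later tidy-up that swaps the operands back would reintroduce the failure inside the enforcement path. I would add a comment above the condition, e.g. `// existingPath.getId() is null for configured paths without a server-side resource; keep targetResource as the receiver`, or state the intent directly with `existingPath.getId() != null &&`. The new form also assumes `targetResource.getId()` is never null, which these lines do not show; the enclosing method starts and ends outside the hunk.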
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
@@ -621,6 +621,18 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
 assertEquals(200, policyEnforcer.getPathMatcher().getPathCache().size());
 assertEquals(0, policyEnforcer.getPaths().size());
+
+ ResourceRepresentation resource = clientResource.authorization().resources()
+ .findByName("Root").get(0);
+
+ clientResource.authorization().resources().resource(resource.getId()).remove();
+
+ deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload-with-paths.json"));
+ policyEnforcer = deployment.getPolicyEnforcer();
+
+ AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api/0", token));
+
+ assertTrue(context.isGranted());
 }
 private void initAuthorizationSettings(ClientResource clientResource) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-lazyload-with-paths.json b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-lazyload-with-paths.json
new file mode 100644
index 0000000000..0c213f6415
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-lazyload-with-paths.json
@@ -0,0 +1,19 @@
+{
+ "realm": "authz-test",
+ "auth-server-url": "http://localhost:8180/auth",
+ "ssl-required": "external",
+ "resource": "resource-server-test",
+ "credentials": {
+ "secret": "secret"
+ },
+ "bearer-only": true,
+ "policy-enforcer": {
+ "lazy-load-paths": true,
+ "paths": [
+ {
+ "path": "/disabled",
+ "enforcement-mode": "DISABLED"
+ }
+ ]
+ }
+}
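Review bot: The block added to PolicyEnforcerTest.java ends in a single positive check, `assertTrue(context.isGranted())` for `/api/0`, so it would still pass if the enforcer granted every request whenever a configured path has no resource id. For an authorization component I would pair it with a request that is expected to be refused under `enforcer-lazyload-with-paths.json` and assert `assertFalse(...)` on its `isGranted()`; which path that is depends on realm setup outside the hunk. `findByName("Root").get(0)` will also fail with a bare IndexOutOfBoundsException if the resource is absent, so an `assertFalse(...isEmpty())` on the lookup result before `get(0)` would make that failure readable. The "Root" resource is removed and not recreated in the visible lines, which may affect later tests sharing this realm; the test method starts outside the hunk.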