Protocol now is mandatory during client scope creation. (#29544)

closes #29027 Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>
2024-05-22 09:10:46 +02:00 · 2024-05-22 09:10:46 +02:00 · a5a55dc66e
commit a5a55dc66e
parent 84acc953dd
3 changed files with 22 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientScopeResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientScopeResource.java
@ -213,6 +213,9 @@ public class ClientScopeResource {
        }
    }

+    public static void validateClientScopeProtocol(String protocol)throws ErrorResponseException{
+        if(protocol==null || (!protocol.equals("openid-connect") && !protocol.equals("saml"))) throw ErrorResponse.error("Unexpected protocol",Response.Status.BAD_REQUEST);
+    }
    /**
     * Makes sure that an update that makes a Client Scope Dynamic is rejected if the Client Scope is assigned to a client
     * as a default scope.
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientScopesResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientScopesResource.java
@ -102,6 +102,7 @@ public class ClientScopesResource {
    public Response createClientScope(ClientScopeRepresentation rep) {
        auth.clients().requireManageClientScopes();
        ClientScopeResource.validateClientScopeName(rep.getName());
+        ClientScopeResource.validateClientScopeProtocol(rep.getProtocol());
        ClientScopeResource.validateDynamicClientScope(rep);
        try {
            ClientScopeModel clientModel = RepresentationToModel.createClientScope(session, realm, rep);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/ClientScopeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/ClientScopeTest.java
@ -89,6 +89,7 @@ public class ClientScopeTest extends AbstractClientTest {
        // Creating first
        ClientScopeRepresentation scopeRep = new ClientScopeRepresentation();
        scopeRep.setName("scope1");
+        scopeRep.setProtocol("openid-connect");
        String scope1Id = createClientScope(scopeRep);
        // Assert created
        scopeRep = clientScopes().get(scope1Id).toRepresentation();
@ -114,10 +115,12 @@ public class ClientScopeTest extends AbstractClientTest {
    public void testAddDuplicatedClientScope() {
        ClientScopeRepresentation scopeRep = new ClientScopeRepresentation();
        scopeRep.setName("scope1");
+        scopeRep.setProtocol("openid-connect");
        String scopeId = createClientScope(scopeRep);

        scopeRep = new ClientScopeRepresentation();
        scopeRep.setName("scope1");
+        scopeRep.setProtocol("openid-connect");
        Response response = clientScopes().create(scopeRep);
        assertEquals(409, response.getStatus());

@ -149,6 +152,8 @@ public class ClientScopeTest extends AbstractClientTest {
        // Create scope1
        ClientScopeRepresentation scopeRep = new ClientScopeRepresentation();
        scopeRep.setName("scope1");
+        scopeRep.setProtocol("openid-connect");
+
        String scope1Id = createClientScope(scopeRep);

        List<ClientScopeRepresentation> clientScopes = clientScopes().findAll();
@ -157,6 +162,8 @@ public class ClientScopeTest extends AbstractClientTest {
        // Create scope2
        scopeRep = new ClientScopeRepresentation();
        scopeRep.setName("scope2");
+        scopeRep.setProtocol("openid-connect");
+
        String scope2Id = createClientScope(scopeRep);

        clientScopes = clientScopes().findAll();
@ -226,7 +233,12 @@ public class ClientScopeTest extends AbstractClientTest {
        clientScopes().get(scope1Id).remove();
    }

-
+    @Test
+    public void testValidateClientScopeProtocol(){
+        org.keycloak.services.resources.admin.ClientScopeResource.validateClientScopeProtocol("saml");
+        org.keycloak.services.resources.admin.ClientScopeResource.validateClientScopeProtocol("openid-connect");
+        Assert.assertThrows(RuntimeException.class,()->org.keycloak.services.resources.admin.ClientScopeResource.validateClientScopeProtocol("other"));
+    }
    @Test
    public void testRenameScope() {
        // Create two scopes
@ -265,6 +277,7 @@ public class ClientScopeTest extends AbstractClientTest {
        // create client scope
        ClientScopeRepresentation scopeRep = new ClientScopeRepresentation();
        scopeRep.setName("bar-scope");
+        scopeRep.setProtocol("openid-connect");
        String scopeId = createClientScope(scopeRep);

        // update with some scopes
@ -336,6 +349,8 @@ public class ClientScopeTest extends AbstractClientTest {
        RealmResource realm = testRealmResource();
        ClientScopeRepresentation clientScopeRep = new ClientScopeRepresentation();
        clientScopeRep.setName("my-scope");
+        clientScopeRep.setProtocol("openid-connect");
+
        String clientScopeId = createClientScope(clientScopeRep);

        createRealmRole("realm-composite");
@ -403,6 +418,8 @@ public class ClientScopeTest extends AbstractClientTest {
        // Add client scope
        ClientScopeRepresentation scopeRep = new ClientScopeRepresentation();
        scopeRep.setName("bar-scope");
+        scopeRep.setProtocol("openid-connect");
+
        String scopeId = createClientScope(scopeRep);

        // Add realm role to scopes of clientScope