[KEYCLOAK-9769] service account can't authorize when group policy exists in resource server

2019-03-07 20:54:45 +09:00 · 2019-03-07 20:54:45 +09:00 · b4973ad7b5
commit b4973ad7b5
parent 1bf19ada7e
2 changed files with 15 additions and 6 deletions
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultEvaluation.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultEvaluation.java
@ -46,7 +46,6 @@ import org.keycloak.representations.idm.authorization.Logic;
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public class DefaultEvaluation implements Evaluation {
-
    private final ResourcePermission permission;
    private final EvaluationContext executionContext;
    private final Decision decision;
@ -173,10 +172,12 @@ public class DefaultEvaluation implements Evaluation {

                if (Objects.isNull(user)) {
                    user = session.users().getUserByUsername(id, realm);
-
-                    if (Objects.isNull(user)) {
-                        user = session.users().getUserByEmail(id, realm);
-                    }
+                }
+                if (Objects.isNull(user)) {
+                    user = session.users().getUserByEmail(id, realm);
+                }
+                if (Objects.isNull(user)) {
+                    user = session.users().getServiceAccount(realm.getClientById(id));
                }

                return user;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/GroupNamePolicyTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/GroupNamePolicyTest.java
@ -100,7 +100,8 @@ public class GroupNamePolicyTest extends AbstractAuthzTest {
                    .redirectUris("http://localhost/resource-server-test")
                    .defaultRoles("uma_protection")
                    .directAccessGrants()
-                    .protocolMapper(groupProtocolMapper))
+                    .protocolMapper(groupProtocolMapper)
+                    .serviceAccountsEnabled(true))
                .build());
    }

@ -152,6 +153,13 @@ public class GroupNamePolicyTest extends AbstractAuthzTest {
        } catch (AuthorizationDeniedException ignore) {

        }
+
+        try {
+            authzClient.authorization(authzClient.obtainAccessToken().getToken()).authorize(new AuthorizationRequest(ticket));
+            fail("Should fail because service account is not granted with expected group");
+        } catch (AuthorizationDeniedException ignore) {
+
+        }
    }

    @Test