KEYCLOAK-16808 Client Policy : Implement existing ConsentRequiredClientRegistrationPolicy as Client Policies' executor

Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
This commit is contained in:
Takashi Norimatsu 2021-05-02 09:58:38 +09:00 committed by Marek Posolda
parent b2ed99c70d
commit b78d151a23
4 changed files with 194 additions and 1 deletions

View file

@ -0,0 +1,74 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.clientpolicy.executor;
import org.keycloak.events.Errors;
import org.keycloak.models.ClientModel;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
/**
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
*/
public class ConsentRequiredExecutor implements ClientPolicyExecutorProvider<ClientPolicyExecutorConfiguration> {
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
ClientCRUDContext clientUpdateContext = null;
switch (context.getEvent()) {
case REGISTERED:
clientUpdateContext = (ClientCRUDContext)context;
afterRegister(clientUpdateContext.getTargetClient());
break;
case UPDATE:
clientUpdateContext = (ClientCRUDContext)context;
beforeUpdate(clientUpdateContext.getTargetClient(), clientUpdateContext.getProposedClientRepresentation());
break;
default:
return;
}
}
@Override
public String getProviderId() {
return ConsentRequiredExecutorFactory.PROVIDER_ID;
}
private void afterRegister(ClientModel clientModel) {
clientModel.setConsentRequired(true);
}
public void beforeUpdate(ClientModel clientToBeUpdated, ClientRepresentation proposedClient) throws ClientPolicyException {
if (proposedClient.isConsentRequired() == null) {
return;
}
if (clientToBeUpdated == null) {
return;
}
boolean isConsentRequired = clientToBeUpdated.isConsentRequired();
boolean newConsentRequired = proposedClient.isConsentRequired();
if (isConsentRequired && !newConsentRequired) {
throw new ClientPolicyException(Errors.INVALID_REGISTRATION, "Not permitted to update consentRequired to false");
}
}
}

View file

@ -0,0 +1,67 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.clientpolicy.executor;
import java.util.Collections;
import java.util.List;
import org.keycloak.Config.Scope;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;
/**
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
*/
public class ConsentRequiredExecutorFactory implements ClientPolicyExecutorProviderFactory {
public static final String PROVIDER_ID = "consent-required-executor";
@Override
public ClientPolicyExecutorProvider create(KeycloakSession session) {
return new ConsentRequiredExecutor();
}
@Override
public void init(Scope config) {
}
@Override
public void postInit(KeycloakSessionFactory factory) {
}
@Override
public void close() {
}
@Override
public String getId() {
return PROVIDER_ID;
}
@Override
public String getHelpText() {
return "When present, then newly registered client will always have 'consentRequired' switch enabled";
}
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return Collections.emptyList();
}
}

View file

@ -8,3 +8,4 @@ org.keycloak.services.clientpolicy.executor.SecureRedirectUriEnforceExecutorFact
org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtEnforceExecutorFactory org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtEnforceExecutorFactory
org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory
org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory
org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory

View file

@ -82,6 +82,7 @@ import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceGroupsCond
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory; import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesConditionFactory; import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesConditionFactory;
import org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory; import org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory;
import org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory;
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory; import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory;
import org.keycloak.services.clientpolicy.executor.PKCEEnforceExecutorFactory; import org.keycloak.services.clientpolicy.executor.PKCEEnforceExecutorFactory;
import org.keycloak.services.clientpolicy.executor.SecureClientAuthEnforceExecutorFactory; import org.keycloak.services.clientpolicy.executor.SecureClientAuthEnforceExecutorFactory;
@ -1554,6 +1555,56 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
assertEquals("invalid client access type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION)); assertEquals("invalid client access type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
} }
@Test
public void testConsentRequiredExecutorExecutor() throws Exception {
// register profiles
String json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile", Boolean.FALSE, null)
.addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, null)
.toRepresentation()
).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy(
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.FALSE, Boolean.TRUE, null, null)
.addCondition(AnyClientConditionFactory.PROVIDER_ID,
createAnyClientConditionConfig())
.addProfile(PROFILE_NAME)
.toRepresentation()
).toString();
updatePolicies(json);
String clientId = generateSuffixedName("aaa-app");
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setImplicitFlowEnabled(Boolean.FALSE);
clientRep.setConsentRequired(Boolean.FALSE);
});
ClientRepresentation clientRep = getClientByAdmin(cid);
assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
try {
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
cRep.setConsentRequired(Boolean.FALSE);
});
fail();
} catch (ClientPolicyException cpe) {
assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
}
clientRep = getClientByAdmin(cid);
assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
try {
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
cRep.setImplicitFlowEnabled(Boolean.TRUE);
});
clientRep = getClientByAdmin(cid);
assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
} catch (ClientPolicyException cpe) {
fail();
}
}
private void checkMtlsFlow() throws IOException { private void checkMtlsFlow() throws IOException {
// Check login. // Check login.
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);