KEYCLOAK-16808 Client Policy : Implement existing ConsentRequiredClientRegistrationPolicy as Client Policies' executor
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
This commit is contained in:
parent
b2ed99c70d
commit
b78d151a23
4 changed files with 194 additions and 1 deletions
|
@ -0,0 +1,74 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.services.clientpolicy.executor;
|
||||||
|
|
||||||
|
import org.keycloak.events.Errors;
|
||||||
|
import org.keycloak.models.ClientModel;
|
||||||
|
import org.keycloak.representations.idm.ClientRepresentation;
|
||||||
|
import org.keycloak.services.clientpolicy.ClientPolicyContext;
|
||||||
|
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
||||||
|
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||||
|
*/
|
||||||
|
public class ConsentRequiredExecutor implements ClientPolicyExecutorProvider<ClientPolicyExecutorConfiguration> {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
|
||||||
|
ClientCRUDContext clientUpdateContext = null;
|
||||||
|
switch (context.getEvent()) {
|
||||||
|
case REGISTERED:
|
||||||
|
clientUpdateContext = (ClientCRUDContext)context;
|
||||||
|
afterRegister(clientUpdateContext.getTargetClient());
|
||||||
|
break;
|
||||||
|
case UPDATE:
|
||||||
|
clientUpdateContext = (ClientCRUDContext)context;
|
||||||
|
beforeUpdate(clientUpdateContext.getTargetClient(), clientUpdateContext.getProposedClientRepresentation());
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getProviderId() {
|
||||||
|
return ConsentRequiredExecutorFactory.PROVIDER_ID;
|
||||||
|
}
|
||||||
|
|
||||||
|
private void afterRegister(ClientModel clientModel) {
|
||||||
|
clientModel.setConsentRequired(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void beforeUpdate(ClientModel clientToBeUpdated, ClientRepresentation proposedClient) throws ClientPolicyException {
|
||||||
|
if (proposedClient.isConsentRequired() == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (clientToBeUpdated == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
boolean isConsentRequired = clientToBeUpdated.isConsentRequired();
|
||||||
|
boolean newConsentRequired = proposedClient.isConsentRequired();
|
||||||
|
|
||||||
|
if (isConsentRequired && !newConsentRequired) {
|
||||||
|
throw new ClientPolicyException(Errors.INVALID_REGISTRATION, "Not permitted to update consentRequired to false");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,67 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.services.clientpolicy.executor;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.keycloak.Config.Scope;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.models.KeycloakSessionFactory;
|
||||||
|
import org.keycloak.provider.ProviderConfigProperty;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||||
|
*/
|
||||||
|
public class ConsentRequiredExecutorFactory implements ClientPolicyExecutorProviderFactory {
|
||||||
|
|
||||||
|
public static final String PROVIDER_ID = "consent-required-executor";
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ClientPolicyExecutorProvider create(KeycloakSession session) {
|
||||||
|
return new ConsentRequiredExecutor();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void init(Scope config) {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void postInit(KeycloakSessionFactory factory) {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getId() {
|
||||||
|
return PROVIDER_ID;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getHelpText() {
|
||||||
|
return "When present, then newly registered client will always have 'consentRequired' switch enabled";
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<ProviderConfigProperty> getConfigProperties() {
|
||||||
|
return Collections.emptyList();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -8,3 +8,4 @@ org.keycloak.services.clientpolicy.executor.SecureRedirectUriEnforceExecutorFact
|
||||||
org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtEnforceExecutorFactory
|
org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtEnforceExecutorFactory
|
||||||
org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory
|
org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory
|
||||||
org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory
|
org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory
|
||||||
|
org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory
|
|
@ -82,6 +82,7 @@ import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceGroupsCond
|
||||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
|
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
|
||||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesConditionFactory;
|
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesConditionFactory;
|
||||||
import org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory;
|
||||||
|
import org.keycloak.services.clientpolicy.executor.ConsentRequiredExecutorFactory;
|
||||||
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory;
|
||||||
import org.keycloak.services.clientpolicy.executor.PKCEEnforceExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.PKCEEnforceExecutorFactory;
|
||||||
import org.keycloak.services.clientpolicy.executor.SecureClientAuthEnforceExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.SecureClientAuthEnforceExecutorFactory;
|
||||||
|
@ -1554,6 +1555,56 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
|
||||||
assertEquals("invalid client access type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
|
assertEquals("invalid client access type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testConsentRequiredExecutorExecutor() throws Exception {
|
||||||
|
// register profiles
|
||||||
|
String json = (new ClientProfilesBuilder()).addProfile(
|
||||||
|
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile", Boolean.FALSE, null)
|
||||||
|
.addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, null)
|
||||||
|
.toRepresentation()
|
||||||
|
).toString();
|
||||||
|
updateProfiles(json);
|
||||||
|
|
||||||
|
// register policies
|
||||||
|
json = (new ClientPoliciesBuilder()).addPolicy(
|
||||||
|
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.FALSE, Boolean.TRUE, null, null)
|
||||||
|
.addCondition(AnyClientConditionFactory.PROVIDER_ID,
|
||||||
|
createAnyClientConditionConfig())
|
||||||
|
.addProfile(PROFILE_NAME)
|
||||||
|
.toRepresentation()
|
||||||
|
).toString();
|
||||||
|
updatePolicies(json);
|
||||||
|
|
||||||
|
String clientId = generateSuffixedName("aaa-app");
|
||||||
|
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
|
||||||
|
clientRep.setImplicitFlowEnabled(Boolean.FALSE);
|
||||||
|
clientRep.setConsentRequired(Boolean.FALSE);
|
||||||
|
});
|
||||||
|
ClientRepresentation clientRep = getClientByAdmin(cid);
|
||||||
|
assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
|
||||||
|
|
||||||
|
try {
|
||||||
|
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
|
||||||
|
cRep.setConsentRequired(Boolean.FALSE);
|
||||||
|
});
|
||||||
|
fail();
|
||||||
|
} catch (ClientPolicyException cpe) {
|
||||||
|
assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
|
||||||
|
}
|
||||||
|
clientRep = getClientByAdmin(cid);
|
||||||
|
assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
|
||||||
|
|
||||||
|
try {
|
||||||
|
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
|
||||||
|
cRep.setImplicitFlowEnabled(Boolean.TRUE);
|
||||||
|
});
|
||||||
|
clientRep = getClientByAdmin(cid);
|
||||||
|
assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
|
||||||
|
} catch (ClientPolicyException cpe) {
|
||||||
|
fail();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private void checkMtlsFlow() throws IOException {
|
private void checkMtlsFlow() throws IOException {
|
||||||
// Check login.
|
// Check login.
|
||||||
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
|
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
|
||||||
|
|
Loading…
Reference in a new issue