libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

[KEYCLOAK-18007] - Configure resolved paths with the method config from configuration

Browse source
This commit is contained in:
Pedro Igor 2021-05-05 10:23:47 -03:00
parent a3a88d7d3c
commit b7e5db6534
3 changed files with 85 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
View file

@ -281,10 +281,12 @@ public class PolicyEnforcer {
Map<String, Map<String, Object>> cipConfig = null; Map<String, Map<String, Object>> cipConfig = null;
PolicyEnforcerConfig.EnforcementMode enforcementMode = PolicyEnforcerConfig.EnforcementMode.ENFORCING; PolicyEnforcerConfig.EnforcementMode enforcementMode = PolicyEnforcerConfig.EnforcementMode.ENFORCING;
ResourceRepresentation targetResource = matchingResources.get(0); ResourceRepresentation targetResource = matchingResources.get(0);
List<PolicyEnforcerConfig.MethodConfig> methodConfig = null;
if (pathConfig != null) { if (pathConfig != null) {
cipConfig = pathConfig.getClaimInformationPointConfig(); cipConfig = pathConfig.getClaimInformationPointConfig();
enforcementMode = pathConfig.getEnforcementMode(); enforcementMode = pathConfig.getEnforcementMode();
methodConfig = pathConfig.getMethods();
} else { } else {
for (PathConfig existingPath : paths.values()) { for (PathConfig existingPath : paths.values()) {
if (targetResource.getId().equals(existingPath.getId()) if (targetResource.getId().equals(existingPath.getId())
@ -301,6 +303,10 @@ public class PolicyEnforcer {
pathConfig.setClaimInformationPointConfig(cipConfig); pathConfig.setClaimInformationPointConfig(cipConfig);
} }
if (methodConfig != null) {
pathConfig.setMethods(methodConfig);
}
pathConfig.setEnforcementMode(enforcementMode); pathConfig.setEnforcementMode(enforcementMode);
} }
} catch (Exception cause) { } catch (Exception cause) {

52
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
View file

@ -18,6 +18,7 @@ package org.keycloak.testsuite.admin.client.authorization;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
import static org.keycloak.common.Profile.Feature.UPLOAD_SCRIPTS; import static org.keycloak.common.Profile.Feature.UPLOAD_SCRIPTS;
@ -61,10 +62,13 @@ import org.keycloak.adapters.spi.LogoutError;
import org.keycloak.admin.client.resource.ClientResource; import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource; import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.PermissionsResource; import org.keycloak.admin.client.resource.PermissionsResource;
import org.keycloak.admin.client.resource.ResourcesResource;
import org.keycloak.authorization.client.AuthzClient; import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException; import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest; import org.keycloak.representations.idm.authorization.AuthorizationRequest;
@ -635,6 +639,54 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
assertTrue(context.isGranted()); assertTrue(context.isGranted());
} }
@Test
public void testSetMethodConfigs() {
ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
ResourceRepresentation representation = new ResourceRepresentation();
representation.setName(KeycloakModelUtils.generateId());
representation.setUris(Collections.singleton("/api-method/*"));
ResourcesResource resources = clientResource.authorization().resources();
javax.ws.rs.core.Response response = resources.create(representation);
representation.setId(response.readEntity(ResourceRepresentation.class).getId());
response.close();
try {
KeycloakDeployment deployment = KeycloakDeploymentBuilder
.build(getAdapterConfiguration("enforcer-paths-use-method-config.json"));
PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
oauth.realm(REALM_NAME);
oauth.clientId("public-client-test");
oauth.doLogin("marta", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse tokeResponse = oauth.doAccessTokenRequest(code, null);
String token = tokeResponse.getAccessToken();
AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api-method/foo", token));
// GET is disabled in the config
assertTrue(context.isGranted());
PolicyEnforcerConfig.PathConfig pathConfig = policyEnforcer.getPaths().get("/api-method/*");
assertNotNull(pathConfig);
List<PolicyEnforcerConfig.MethodConfig> methods = pathConfig.getMethods();
assertEquals(1, methods.size());
assertTrue(PolicyEnforcerConfig.ScopeEnforcementMode.DISABLED.equals(methods.get(0).getScopesEnforcementMode()));
// other verbs should be protected
context = policyEnforcer.enforce(createHttpFacade("/api-method/foo", token, "POST"));
assertFalse(context.isGranted());
} finally {
resources.resource(representation.getId()).remove();
}
}
private void initAuthorizationSettings(ClientResource clientResource) { private void initAuthorizationSettings(ClientResource clientResource) {
if (clientResource.authorization().resources().findByName("Resource A").isEmpty()) { if (clientResource.authorization().resources().findByName("Resource A").isEmpty()) {
JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation(); JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();

27
testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-paths-use-method-config.json Normal file
View file

@ -0,0 +1,27 @@
{
"realm": "authz-test",
"auth-server-url": "http://localhost:8180/auth",
"ssl-required": "external",
"resource": "resource-server-test",
"credentials": {
"secret": "secret"
},
"bearer-only": true,
"policy-enforcer": {
"lazy-load-paths": true,
"paths": [
{
"path": "/api-method/*",
"methods": [
{
"method": "GET",
"scopes": [
"withdrawal"
],
"scopes-enforcement-mode": "DISABLED"
}
]
}
]
}
}