Merge pull request #5004 from pedroigor/KEYCLOAK-6623

[KEYCLOAK-6623] - Policy enforcer gets confused with similar paths ending with wildcards
Pedro Igor 2018-03-12 09:59:05 -03:00 committed by GitHub
commit b9b1102b74
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 65 additions and 1 deletions


@ -95,7 +95,9 @@ class PathMatcher {
}
if (WILDCARD == expectedUri.charAt(expectedUri.length() - 1)) {
matchingAnyPath = entry;
if (matchingAnyPath == null || matchingAnyPath.getPath().length() < matchingUri.length()) {
matchingAnyPath = entry;
}
} else {
int suffixIndex = expectedUri.indexOf(WILDCARD + ".");
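Review bot: The new longest-match check compares the stored entry's `getPath().length()` against `matchingUri.length()`, so the two sides may not be measuring the same thing. `matchingUri` is assigned outside this hunk; if it can differ from the candidate's own pattern (for example a resolved template rather than `expectedUri`), a less specific wildcard could still be selected, and its permission would then decide access to the more specific resource. Comparing like with like, `matchingAnyPath.getPath().length() < expectedUri.length()`, would make the rule explicit, and a comment such as `// prefer the most specific (longest) wildcard pattern` would record why. The strict `<` also means equal-length patterns are resolved by iteration order, which is worth stating or making deterministic. The enclosing method starts and ends outside the hunk.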


@ -107,6 +107,14 @@
{
"name": "Pattern 12",
"uri": "/realm_uri"
},
{
"name": "Pattern 13",
"uri": "/keycloak-6623/*"
},
{
"name": "Pattern 14",
"uri": "/keycloak-6623/sub-resource/*"
}
],
"policies": [
@ -258,6 +266,26 @@
"resources": "[\"Pattern 12\"]",
"applyPolicies": "[\"Default Policy\"]"
}
},
{
"name": "Pattern 13 Permission",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"Pattern 13\"]",
"applyPolicies": "[\"Default Policy\"]"
}
},
{
"name": "Pattern 14 Permission",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"Pattern 14\"]",
"applyPolicies": "[\"Default Policy\"]"
}
}
],
"scopes": []


@ -60,6 +60,14 @@
{
"name": "Pattern 12",
"path": "/keycloak_json_uri"
},
{
"name": "Pattern 14",
"path": "/keycloak-6623/sub-resource/*"
},
{
"name": "Pattern 13",
"path": "/keycloak-6623/*"
}
]
}


@ -379,6 +379,32 @@ public abstract class AbstractServletPolicyEnforcerTest extends AbstractExampleA
});
}
@Test
public void testPathOrderWithAllPaths() {
performTests(() -> {
login("alice", "alice");
navigateTo("/keycloak-6623");
assertFalse(wasDenied());
navigateTo("/keycloak-6623/sub-resource");
assertFalse(wasDenied());
updatePermissionPolicies("Pattern 13 Permission", "Deny Policy");
login("alice", "alice");
navigateTo("/keycloak-6623");
assertTrue(wasDenied());
navigateTo("/keycloak-6623/sub-resource");
assertFalse(wasDenied());
updatePermissionPolicies("Pattern 14 Permission", "Deny Policy");
login("alice", "alice");
navigateTo("/keycloak-6623");
assertTrue(wasDenied());
navigateTo("/keycloak-6623/sub-resource/resource");
assertTrue(wasDenied());
});
}
private void navigateTo(String path) {
this.driver.navigate().to(getResourceServerUrl() + path);
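Review bot: `/keycloak-6623/sub-resource/resource`, the only URL in `testPathOrderWithAllPaths` that lies strictly below both wildcard patterns, is requested only after both permissions have been switched to `Deny Policy`, so the final `assertTrue(wasDenied())` passes whichever pattern the enforcer selected. While Pattern 13 is denied and Pattern 14 still allows, add `navigateTo("/keycloak-6623/sub-resource/resource");` followed by `assertFalse(wasDenied());` so the test fails if the broader `/keycloak-6623/*` entry wins for a nested resource. A mirrored case with Pattern 14 denied and Pattern 13 allowed would cover the opposite direction. `navigateTo` continues past the end of the hunk.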