From c37ca235ab87616408e7724b9c54f2925b1e366d Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Thu, 12 Dec 2019 21:15:57 -0300
Subject: [PATCH] [KEYCLOAK-11352] - Can't request permissions by name by a non-owner resource service, although the audience is set
---
 .../AuthorizationTokenService.java | 2 +-
 .../testsuite/authz/EntitlementAPITest.java | 53 +++++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
index 865c13cf56..b0ad83e3ce 100644
--- a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
+++ b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
@@ -459,7 +459,7 @@ public class AuthorizationTokenService {
 requestedResources.add(ownerResource);
 }
 
- if (!identity.isResourceServer()) {
+ if (!identity.isResourceServer() || !identity.getId().equals(resourceServer.getId())) {
 List tickets = storeFactory.getPermissionTicketStore().findGranted(resourceName, identity.getId(), resourceServer.getId());
 for (PermissionTicket permissionTicket : tickets) {
 requestedResources.add(permissionTicket.getResource());
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
index ad0ba87cb7..a758bd8a67 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
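Review bot: The widened condition on the `+` line of the AuthorizationTokenService hunk is a double negation that hides its intent, which is that a requester that is not a resource server, or is a resource server other than the one owning the requested resource, falls back to the granted-ticket lookup; naming it reads better: `boolean requesterOwnsResourceServer = identity.isResourceServer() && identity.getId().equals(resourceServer.getId());` followed by `if (!requesterOwnsResourceServer) {`. The new check also dereferences `identity.getId()` before the lookup does; if an identity can carry a null id at this point (not visible in the hunk), `Objects.equals(identity.getId(), resourceServer.getId())` gives the same result without an NPE. The fallback still scopes the lookup by both `identity.getId()` and `resourceServer.getId()` in `findGranted`, so a foreign resource server only sees tickets granted to it for that server; a one-line comment stating that would keep the next reader from mistaking the new branch for a cross-server bypass. The enclosing method starts and ends outside the hunk.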
@@ -89,6 +89,7 @@ import org.keycloak.representations.idm.authorization.ScopeRepresentation;
 import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
+import org.keycloak.testsuite.admin.ApiUtil;
 import org.keycloak.testsuite.util.ClientBuilder;
 import org.keycloak.testsuite.util.OAuthClient;
 import org.keycloak.testsuite.util.RealmBuilder;
@@ -1985,6 +1986,58 @@ public class EntitlementAPITest extends AbstractAuthzTest { authzClient.authorization().authorize(request); } + @Test + public void testPermissionsAcrossResourceServers() throws Exception { + String rsAId; + try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-a").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) { + rsAId = ApiUtil.getCreatedId(response); + } + String rsBId; + try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-b").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) { + rsBId = ApiUtil.getCreatedId(response); + } + ClientResource rsB = getRealm().clients().get(rsBId); + + rsB.authorization().resources().create(new ResourceRepresentation("Resource A")); + + JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation(); + + grantPolicy.setName("Grant Policy"); + grantPolicy.setCode("$evaluation.grant();"); + + rsB.authorization().policies().js().create(grantPolicy); + + ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation(); + + permission.setName("Resource A Permission"); + permission.addResource("Resource A"); + permission.addPolicy(grantPolicy.getName()); + + rsB.authorization().permissions().resource().create(permission); + + AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG); + Configuration config = authzClient.getConfiguration(); + + config.setResource("rs-a"); + + authzClient = AuthzClient.create(config); + AccessTokenResponse accessTokenResponse = authzClient.obtainAccessToken(); + AccessToken accessToken = toAccessToken(accessTokenResponse.getToken()); + + config.setResource("rs-b"); + + AuthorizationRequest request = new AuthorizationRequest(); + + request.addPermission("Resource A"); + + AuthorizationResponse response = authzClient.authorization(accessTokenResponse.getToken()).authorize(request); + + assertNotNull(response.getToken()); + 
Collection permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions(); + assertEquals(1, permissions.size()); + assertEquals("Resource A", permissions.iterator().next().getResourceName()); + } + private void testRptRequestWithResourceName(String configFile) { Metadata metadata = new Metadata();