[KEYCLOAK-12312] - Partial import of realm breaking access to client's service account roles

2019-12-20 20:27:47 -03:00 · 2019-12-20 20:27:47 -03:00 · dae212c035
commit dae212c035
parent c596647241
2 changed files with 49 additions and 8 deletions
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheSession.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheSession.java
@ -566,6 +566,15 @@ public class RealmCacheSession implements CacheRealmProvider {
        for (RoleModel role : client.getRoles()) {
            roleRemovalInvalidations(role.getId(), role.getName(), client.getId());
        }
+        
+        if (client.isServiceAccountsEnabled()) {
+            UserModel serviceAccount = session.users().getServiceAccount(client);
+            
+            if (serviceAccount != null) {
+                session.users().removeUser(realm, serviceAccount);
+            }
+        }
+        
        return getRealmDelegate().removeClient(id, realm);
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/partialimport/PartialImportTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/partialimport/PartialImportTest.java
@ -81,6 +81,7 @@ public class PartialImportTest extends AbstractAuthTest {

    private static final int NUM_RESOURCE_TYPES = 6;
    private static final String CLIENT_ROLES_CLIENT = "clientRolesClient";
+    private static final String CLIENT_SERVICE_ACCOUNT = "clientServiceAccount";
    private static final String USER_PREFIX = "user";
    private static final String GROUP_PREFIX = "group";
    private static final String CLIENT_PREFIX = "client";
@ -126,11 +127,29 @@ public class PartialImportTest extends AbstractAuthTest {
        client.setName(CLIENT_ROLES_CLIENT);
        client.setRootUrl("foo");
        client.setProtocol("openid-connect");
-        Response resp = testRealmResource().clients().create(client);
+        try (Response resp = testRealmResource().clients().create(client)) {

-        // for some reason, findAll() will later fail unless readEntity is called here
-        resp.readEntity(String.class);
-        //testRealmResource().clients().findAll();
+            // for some reason, findAll() will later fail unless readEntity is called here
+            resp.readEntity(String.class);
+            //testRealmResource().clients().findAll();
+        }
+    }
+
+    @Before
+    public void createClientWithServiceAccount() {
+        ClientRepresentation client = new ClientRepresentation();
+        client.setClientId(CLIENT_SERVICE_ACCOUNT);
+        client.setName(CLIENT_SERVICE_ACCOUNT);
+        client.setRootUrl("foo");
+        client.setProtocol("openid-connect");
+        client.setPublicClient(false);
+        client.setSecret("secret");
+        client.setServiceAccountsEnabled(true);
+        try (Response resp = testRealmResource().clients().create(client)) {
+            String id = ApiUtil.getCreatedId(resp);
+            UserRepresentation serviceAccountUser = testRealmResource().clients().get(id).getServiceAccountUser();
+            assertNotNull(serviceAccountUser);
+        }
    }

    @Before
@ -204,8 +223,9 @@ public class PartialImportTest extends AbstractAuthTest {
    }

    private PartialImportResults doImport() {
-        Response response = testRealmResource().partialImport(piRep);
-        return response.readEntity(PartialImportResults.class);
+        try (Response response = testRealmResource().partialImport(piRep)) {
+            return response.readEntity(PartialImportResults.class);
+        }
    }

    private void addUsers() {
@ -373,8 +393,9 @@ public class PartialImportTest extends AbstractAuthTest {
        UserRepresentation user = createUserRepresentation(USER_PREFIX + 999, USER_PREFIX + 1 + "@foo.com", "foo", "bar", true);
        piRep.getUsers().add(user);

-        Response response = testRealmResource().partialImport(piRep);
-        assertEquals(409, response.getStatus());
+        try (Response response = testRealmResource().partialImport(piRep)) {
+            assertEquals(409, response.getStatus());
+        }
    }
    
    @Test
@ -798,4 +819,15 @@ public class PartialImportTest extends AbstractAuthTest {
        Assert.assertEquals(0, result.getOverwritten());
    }

+    @Test
+    public void testOverwriteExistingClientWithServiceAccount() {
+        setOverwrite();
+        piRep.setClients(Arrays.asList(testRealmResource().clients().findByClientId(CLIENT_SERVICE_ACCOUNT).get(0)));
+
+        Assert.assertEquals(1, doImport().getOverwritten());
+
+        ClientRepresentation client = testRealmResource().clients().findByClientId(CLIENT_SERVICE_ACCOUNT).get(0);
+        testRealmResource().clients().get(client.getId()).getServiceAccountUser();
+    }
+
 }