[KEYCLOAK-10279] - Do not limit results when fetching resources

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PathCache.java

@@ -143,6 +143,10 @@ public class PathCache {
         return false;
     }
 
+    public int size() {
+        return cache.size();
+    }
+
     private static final class CacheEntry {
 
         final String key;

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java

@@ -143,7 +143,7 @@ public class PolicyEnforcer {
     }
 
     private Map<String, PathConfig> configurePaths(ProtectedResource protectedResource, PolicyEnforcerConfig enforcerConfig) {
-        boolean loadPathsFromServer = true;
+        boolean loadPathsFromServer = !enforcerConfig.getLazyLoadPaths();
 
         for (PathConfig pathConfig : enforcerConfig.getPaths()) {
             if (!PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
@@ -306,6 +306,10 @@ public class PolicyEnforcer {
             return paths.values();
         }
 
+        public PathCache getPathCache() {
+            return pathCache;
+        }
+
         @Override
         protected PathConfig resolvePathConfig(PathConfig originalConfig, String path) {
             if (originalConfig.hasPattern()) {

authz/client/src/main/java/org/keycloak/authorization/client/resource/ProtectedResource.java

@@ -283,6 +283,6 @@ public class ProtectedResource {
                 .param("matchingUri", Boolean.valueOf(matchingUri).toString())
                 .param("deep", Boolean.toString(deep))
                 .param("first", firstResult != null ? firstResult.toString() : null)
-                .param("max", maxResult != null ? maxResult.toString() : null);
+                .param("max", maxResult != null ? maxResult.toString() : Integer.toString(-1));
     }
-}
+}

services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java

@@ -419,7 +419,7 @@ public class ResourceSetService {
             attributes.put("uri_not_null", new String[] {"true"});
             attributes.put("owner", new String[] {resourceServer.getId()});
 
-            List<Resource> serverResources = storeFactory.getResourceStore().findByResourceServer(attributes, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS);
+            List<Resource> serverResources = storeFactory.getResourceStore().findByResourceServer(attributes, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : -1);
 
             PathMatcher<Map.Entry<String, Resource>> pathMatcher = new PathMatcher<Map.Entry<String, Resource>>() {
                 @Override
@@ -479,4 +479,4 @@ public class ResourceSetService {
             }
         }
     }
-}
+}

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java

@@ -39,6 +39,7 @@ import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
+import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ -478,6 +479,64 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
         assertTrue(context.isGranted());
     }
 
+    @Test
+    public void testLazyLoadPaths() {
+        ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
+
+        for (int i = 0; i < 200; i++) {
+            ResourceRepresentation representation = new ResourceRepresentation();
+
+            representation.setType("test");
+            representation.setName("Resource " + i);
+            representation.setUri("/api/" + i);
+
+            javax.ws.rs.core.Response response = clientResource.authorization().resources().create(representation);
+
+            representation.setId(response.readEntity(ResourceRepresentation.class).getId());
+
+            response.close();
+        }
+
+        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
+
+        permission.setName("Test Permission");
+        permission.setResourceType("test");
+        permission.addPolicy("Only User Policy");
+
+        PermissionsResource permissions = clientResource.authorization().permissions();
+        permissions.resource().create(permission).close();
+
+        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json"));
+        PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
+
+        assertEquals(203, policyEnforcer.getPaths().size());
+
+        deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json"));
+        policyEnforcer = deployment.getPolicyEnforcer();
+        assertEquals(0, policyEnforcer.getPathMatcher().getPathCache().size());
+        assertEquals(0, policyEnforcer.getPaths().size());
+
+        oauth.realm(REALM_NAME);
+        oauth.clientId("public-client-test");
+        oauth.doLogin("marta", "password");
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+        OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
+        String token = response.getAccessToken();
+
+        for (int i = 0; i < 101; i++) {
+            policyEnforcer.enforce(createHttpFacade("/api/" + i, token));
+        }
+
+        assertEquals(101, policyEnforcer.getPathMatcher().getPathCache().size());
+
+        for (int i = 101; i < 200; i++) {
+            policyEnforcer.enforce(createHttpFacade("/api/" + i, token));
+        }
+
+        assertEquals(200, policyEnforcer.getPathMatcher().getPathCache().size());
+        assertEquals(0, policyEnforcer.getPaths().size());
+    }
+
     private void initAuthorizationSettings(ClientResource clientResource) {
         if (clientResource.authorization().resources().findByName("Resource A").isEmpty()) {
             JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();

testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-lazyload.json

@@ -0,0 +1,13 @@
+{
+  "realm": "authz-test",
+  "auth-server-url": "http://localhost:8180/auth",
+  "ssl-required": "external",
+  "resource": "resource-server-test",
+  "credentials": {
+    "secret": "secret"
+  },
+  "bearer-only": true,
+  "policy-enforcer": {
+    "lazy-load-paths": true
+  }
+}

testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-no-lazyload.json

@@ -0,0 +1,11 @@
+{
+  "realm": "authz-test",
+  "auth-server-url": "http://localhost:8180/auth",
+  "ssl-required": "external",
+  "resource": "resource-server-test",
+  "credentials": {
+    "secret": "secret"
+  },
+  "bearer-only": true,
+  "policy-enforcer": {}
+}