[KEYCLOAK-10279] - Do not limit results when fetching resources
parent
9a5b85910a
commit
e9ea1f0e36
7 changed files with 96 additions and 5 deletions
|
@ -143,6 +143,10 @@ public class PathCache {
|
|||
return false;
|
||||
}
|
||||
|
||||
public int size() {
|
||||
return cache.size();
|
||||
}
|
||||
|
||||
private static final class CacheEntry {
|
||||
|
||||
final String key;
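Review bot: The new public `size()` has no Javadoc and returns `cache.size()` unfiltered. If entries expire lazily, the count can include entries that a lookup would no longer treat as valid; the `CacheEntry` body and the lookup code are outside this hunk, so that is an assumption to confirm. The accessor appears to exist for the lazy-load test, so I would document it, e.g. `/** Number of entries currently stored; may include entries that have expired but were not yet evicted. */`.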
|
||||
|
|
|
@ -143,7 +143,7 @@ public class PolicyEnforcer {
|
|||
}
|
||||
|
||||
private Map<String, PathConfig> configurePaths(ProtectedResource protectedResource, PolicyEnforcerConfig enforcerConfig) {
|
||||
boolean loadPathsFromServer = true;
|
||||
boolean loadPathsFromServer = !enforcerConfig.getLazyLoadPaths();
|
||||
|
||||
for (PathConfig pathConfig : enforcerConfig.getPaths()) {
|
||||
if (!PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
|
||||
|
@ -306,6 +306,10 @@ public class PolicyEnforcer {
|
|||
return paths.values();
|
||||
}
|
||||
|
||||
public PathCache getPathCache() {
|
||||
return pathCache;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected PathConfig resolvePathConfig(PathConfig originalConfig, String path) {
|
||||
if (originalConfig.hasPattern()) {
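Review bot: In `configurePaths`, `!enforcerConfig.getLazyLoadPaths()` will throw a NullPointerException on unboxing if the getter returns a boxed `Boolean` and the adapter configuration carries an explicit `null` for `lazy-load-paths`. The getter's return type is not visible here, so please confirm. If it is boxed, `boolean loadPathsFromServer = !Boolean.TRUE.equals(enforcerConfig.getLazyLoadPaths());` keeps eager loading as the default without the unboxing risk. A one-line comment above the flag saying that lazy loading defers path resolution to request time would also help, because the loop that follows can still reset the flag and the rest of the method is outside the hunk.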
|
||||
|
|
|
@ -283,6 +283,6 @@ public class ProtectedResource {
|
|||
.param("matchingUri", Boolean.valueOf(matchingUri).toString())
|
||||
.param("deep", Boolean.toString(deep))
|
||||
.param("first", firstResult != null ? firstResult.toString() : null)
|
||||
.param("max", maxResult != null ? maxResult.toString() : null);
|
||||
.param("max", maxResult != null ? maxResult.toString() : Integer.toString(-1));
|
||||
}
|
||||
}
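Review bot: The literal `-1` on the `max` parameter is an unexplained sentinel, and it changes the default for every caller that passes a null `maxResult`, not only the policy enforcer's path loading. The method signature is outside the hunk, so the set of callers is not visible from here. `first` still sends nothing when null while `max` now always sends a value, which is asymmetric. A comment such as `// -1 asks the server for all matches; a null max used to fall back to the server default` would make the contract explicit, and a named constant would be better than the inline literal.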
|
|
@ -419,7 +419,7 @@ public class ResourceSetService {
|
|||
attributes.put("uri_not_null", new String[] {"true"});
|
||||
attributes.put("owner", new String[] {resourceServer.getId()});
|
||||
|
||||
List<Resource> serverResources = storeFactory.getResourceStore().findByResourceServer(attributes, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS);
|
||||
List<Resource> serverResources = storeFactory.getResourceStore().findByResourceServer(attributes, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : -1);
|
||||
|
||||
PathMatcher<Map.Entry<String, Resource>> pathMatcher = new PathMatcher<Map.Entry<String, Resource>>() {
|
||||
@Override
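Review bot: With the fallback changed from `Constants.DEFAULT_MAX_RESULTS` to `-1`, a request that omits `max` makes `findByResourceServer` return every matching resource, and that list is then walked by the `PathMatcher` built just below. The memory and time cost of one call therefore grows with the number of resources registered for the resource server, and a caller-supplied `maxResult` is passed through without an upper bound as well. I would keep a server-side ceiling for this branch, or at least put a comment on the line saying what `-1` means and why unbounded is acceptable here, e.g. `// -1 = no limit (KEYCLOAK-10279); bounded only by the resource server's resource count`. The enclosing method starts and ends outside the hunk.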
|
||||
|
|
|
@ -39,6 +39,7 @@ import java.util.concurrent.atomic.AtomicBoolean;
|
|||
import java.util.function.Function;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
@ -478,6 +479,64 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
|
|||
assertTrue(context.isGranted());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testLazyLoadPaths() {
|
||||
ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
|
||||
|
||||
for (int i = 0; i < 200; i++) {
|
||||
ResourceRepresentation representation = new ResourceRepresentation();
|
||||
|
||||
representation.setType("test");
|
||||
representation.setName("Resource " + i);
|
||||
representation.setUri("/api/" + i);
|
||||
|
||||
javax.ws.rs.core.Response response = clientResource.authorization().resources().create(representation);
|
||||
|
||||
representation.setId(response.readEntity(ResourceRepresentation.class).getId());
|
||||
|
||||
response.close();
|
||||
}
|
||||
|
||||
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
|
||||
|
||||
permission.setName("Test Permission");
|
||||
permission.setResourceType("test");
|
||||
permission.addPolicy("Only User Policy");
|
||||
|
||||
PermissionsResource permissions = clientResource.authorization().permissions();
|
||||
permissions.resource().create(permission).close();
|
||||
|
||||
KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json"));
|
||||
PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
|
||||
|
||||
assertEquals(203, policyEnforcer.getPaths().size());
|
||||
|
||||
deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json"));
|
||||
policyEnforcer = deployment.getPolicyEnforcer();
|
||||
assertEquals(0, policyEnforcer.getPathMatcher().getPathCache().size());
|
||||
assertEquals(0, policyEnforcer.getPaths().size());
|
||||
|
||||
oauth.realm(REALM_NAME);
|
||||
oauth.clientId("public-client-test");
|
||||
oauth.doLogin("marta", "password");
|
||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
|
||||
String token = response.getAccessToken();
|
||||
|
||||
for (int i = 0; i < 101; i++) {
|
||||
policyEnforcer.enforce(createHttpFacade("/api/" + i, token));
|
||||
}
|
||||
|
||||
assertEquals(101, policyEnforcer.getPathMatcher().getPathCache().size());
|
||||
|
||||
for (int i = 101; i < 200; i++) {
|
||||
policyEnforcer.enforce(createHttpFacade("/api/" + i, token));
|
||||
}
|
||||
|
||||
assertEquals(200, policyEnforcer.getPathMatcher().getPathCache().size());
|
||||
assertEquals(0, policyEnforcer.getPaths().size());
|
||||
}
|
||||
|
||||
private void initAuthorizationSettings(ClientResource clientResource) {
|
||||
if (clientResource.authorization().resources().findByName("Resource A").isEmpty()) {
|
||||
JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
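Review bot: Both loops in `testLazyLoadPaths` call `policyEnforcer.enforce(...)` and discard the result, so the test proves only that the path cache grows, not that a lazily resolved path is actually subject to a decision. A regression that caches the path but skips enforcement would still pass. The preceding test asserts on `context.isGranted()`; asserting the expected outcome for `marta` on the returned context inside the loops would close that gap. The expected `203` also depends on three resources created elsewhere in the fixture, so deriving it from a count taken before the creation loop would make it less brittle.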
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
{
|
||||
"realm": "authz-test",
|
||||
"auth-server-url": "http://localhost:8180/auth",
|
||||
"ssl-required": "external",
|
||||
"resource": "resource-server-test",
|
||||
"credentials": {
|
||||
"secret": "secret"
|
||||
},
|
||||
"bearer-only": true,
|
||||
"policy-enforcer": {
|
||||
"lazy-load-paths": true
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"realm": "authz-test",
|
||||
"auth-server-url": "http://localhost:8180/auth",
|
||||
"ssl-required": "external",
|
||||
"resource": "resource-server-test",
|
||||
"credentials": {
|
||||
"secret": "secret"
|
||||
},
|
||||
"bearer-only": true,
|
||||
"policy-enforcer": {}
|
||||
}
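Review bot: `"policy-enforcer": {}` relies on `lazy-load-paths` defaulting to off. This is presumably the fixture the test loads to get eager loading and the 203 preloaded paths, so it would silently change meaning if that default ever flipped. Writing `"lazy-load-paths": false` explicitly would pin the intent and mirror the other fixture.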
|