libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

[KEYCLOAK-4902] - Using streams to process scopes and cache improvements

Browse source
This commit is contained in:
Stefan Guilhen 2018-08-13 22:41:36 -03:00 committed by Pedro Igor
parent ed72097862
commit f36e45cb10
12 changed files with 377 additions and 100 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java vendored
View file

@ -18,10 +18,12 @@ package org.keycloak.models.cache.infinispan.authorization;
import org.keycloak.authorization.model.CachedModel; import org.keycloak.authorization.model.CachedModel;
import org.keycloak.authorization.model.PermissionTicket; import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore; import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.models.cache.infinispan.authorization.entities.CachedResource; import org.keycloak.models.cache.infinispan.authorization.entities.CachedResource;
import java.util.Collections; import java.util.Collections;
@ -29,6 +31,7 @@ import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors; import java.util.stream.Collectors;
/** /**
@ -208,6 +211,14 @@ public class ResourceAdapter implements Resource, CachedModel<Resource> {
} }
} }
PolicyStore policyStore = cacheSession.getPolicyStore();
for (Scope scope : updated.getScopes()) {
if (!scopes.contains(scope)) {
policyStore.findByResource(getId(), getResourceServer().getId(), policy -> policy.removeScope(scope));
}
}
cacheSession.registerResourceInvalidation(cached.getId(), cached.getName(), cached.getType(), cached.getUris(), scopes.stream().map(scope1 -> scope1.getId()).collect(Collectors.toSet()), cached.getResourceServerId(), cached.getOwner()); cacheSession.registerResourceInvalidation(cached.getId(), cached.getName(), cached.getType(), cached.getUris(), scopes.stream().map(scope1 -> scope1.getId()).collect(Collectors.toSet()), cached.getResourceServerId(), cached.getOwner());
updated.updateScopes(scopes); updated.updateScopes(scopes);
} }

12
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java vendored
View file

@ -666,7 +666,17 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
return result; return result;
} }
@Override @Override
public void findByScope(List<String> ids, String resourceServerId, Consumer<Resource> consumer) {
if (ids == null) return;
for (String id : ids) {
String cacheKey = getResourceByScopeCacheKey(id, resourceServerId);
cacheQuery(cacheKey, ResourceScopeListQuery.class, () -> getResourceStoreDelegate().findByScope(Arrays.asList(id), resourceServerId), (revision, resources) -> new ResourceScopeListQuery(revision, cacheKey, id, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer);
}
}
@Override
public List<Resource> findByType(String type, String resourceServerId) { public List<Resource> findByType(String type, String resourceServerId) {
if (type == null) return Collections.emptyList(); if (type == null) return Collections.emptyList();
String cacheKey = getResourceByTypeCacheKey(type, resourceServerId); String cacheKey = getResourceByTypeCacheKey(type, resourceServerId);

24
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java
View file

@ -238,25 +238,27 @@ public class JPAResourceStore implements ResourceStore {
@Override @Override
public List<Resource> findByScope(List<String> scopes, String resourceServerId) { public List<Resource> findByScope(List<String> scopes, String resourceServerId) {
List<Resource> result = new ArrayList<>();
findByScope(scopes, resourceServerId, result::add);
return result;
}
@Override
public void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer) {
TypedQuery<String> query = entityManager.createNamedQuery("findResourceIdByScope", String.class); TypedQuery<String> query = entityManager.createNamedQuery("findResourceIdByScope", String.class);
query.setFlushMode(FlushModeType.COMMIT); query.setFlushMode(FlushModeType.COMMIT);
query.setParameter("scopeIds", scopes); query.setParameter("scopeIds", scopes);
query.setParameter("serverId", resourceServerId); query.setParameter("serverId", resourceServerId);
List<String> result = query.getResultList();
List<Resource> list = new LinkedList<>();
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore(); ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) { query.getResultList().stream()
Resource resource = resourceStore.findById(id, resourceServerId); .map(id -> resourceStore.findById(id, resourceServerId))
.filter(Objects::nonNull)
if (resource != null) { .forEach(consumer);
list.add(resource);
}
}
return list;
} }
@Override @Override

5
server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
View file

@ -501,6 +501,11 @@ public final class AuthorizationProvider implements Provider {
return delegate.findByScope(id, resourceServerId); return delegate.findByScope(id, resourceServerId);
} }
@Override
public void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer) {
delegate.findByScope(scopes, resourceServerId, consumer);
}
@Override @Override
public Resource findByName(String name, String resourceServerId) { public Resource findByName(String name, String resourceServerId) {
return delegate.findByName(name, resourceServerId); return delegate.findByName(name, resourceServerId);

22
server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/AbstractDecisionCollector.java
View file

@ -38,7 +38,21 @@ public abstract class AbstractDecisionCollector implements Decision<DefaultEvalu
Policy parentPolicy = evaluation.getParentPolicy(); Policy parentPolicy = evaluation.getParentPolicy();
if (parentPolicy != null) { if (parentPolicy != null) {
results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect()); if (parentPolicy.equals(evaluation.getPolicy())) {
Result.PolicyResult cached = results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).policy(parentPolicy);
for (Result result : results.values()) {
Result.PolicyResult policyResult = result.getPolicy(parentPolicy);
if (policyResult != null) {
for (Result.PolicyResult associatePolicy : policyResult.getAssociatedPolicies()) {
cached.policy(associatePolicy.getPolicy(), associatePolicy.getEffect());
}
}
}
} else {
results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
}
} else { } else {
results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).setStatus(evaluation.getEffect()); results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).setStatus(evaluation.getEffect());
} }
@ -51,7 +65,11 @@ public abstract class AbstractDecisionCollector implements Decision<DefaultEvalu
@Override @Override
public void onComplete(ResourcePermission permission) { public void onComplete(ResourcePermission permission) {
onComplete(results.get(permission)); Result result = results.get(permission);
if (result != null) {
onComplete(result);
}
} }
protected void onComplete(Result result) { protected void onComplete(Result result) {

76
server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DecisionPermissionCollector.java
View file

@ -56,79 +56,74 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
public void onComplete(Result result) { public void onComplete(Result result) {
ResourcePermission permission = result.getPermission(); ResourcePermission permission = result.getPermission();
Resource resource = permission.getResource(); Resource resource = permission.getResource();
Set<Scope> grantedScopes = new HashSet<>(); List<Scope> requestedScopes = permission.getScopes();
if (Effect.PERMIT.equals(result.getEffect())) { if (Effect.PERMIT.equals(result.getEffect())) {
if (resource != null) { grantPermission(authorizationProvider, permissions, permission, resource != null ? resource.getScopes() : requestedScopes, resourceServer, request, result);
grantedScopes.addAll(resource.getScopes());
} else {
grantedScopes.addAll(permission.getScopes());
}
grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result);
} else { } else {
Set<Scope> grantedScopes = new HashSet<>();
Set<Scope> deniedScopes = new HashSet<>(); Set<Scope> deniedScopes = new HashSet<>();
List<Result.PolicyResult> userManagedPermissions = new ArrayList<>(); List<Result.PolicyResult> userManagedPermissions = new ArrayList<>();
Collection<Result.PolicyResult> permissionResults = new ArrayList<>(result.getResults()); boolean resourceGranted = false;
Iterator<Result.PolicyResult> iterator = permissionResults.iterator(); boolean anyDeny = false;
while (iterator.hasNext()) { for (Result.PolicyResult policyResult : result.getResults()) {
Result.PolicyResult policyResult = iterator.next();
Policy policy = policyResult.getPolicy(); Policy policy = policyResult.getPolicy();
Set<Scope> policyScopes = policy.getScopes(); Set<Scope> policyScopes = policy.getScopes();
if (isGranted(policyResult)) { if (isGranted(policyResult)) {
if (isScopePermission(policy)) { if (isScopePermission(policy)) {
for (Scope scope : permission.getScopes()) { for (Scope scope : requestedScopes) {
if (policyScopes.contains(scope)) { if (policyScopes.contains(scope)) {
// try to grant any scope from a scope-based permission
grantedScopes.add(scope); grantedScopes.add(scope);
} }
} }
} else if (isResourcePermission(policy)) { } else if (isResourcePermission(policy)) {
// we assume that all requested scopes should be granted given that we are processing a resource-based permission. grantedScopes.addAll(requestedScopes);
// Later they will be filtered based on any denied scope, if any. } else if (resource != null && resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
// TODO: we could probably provide a configuration option to let users decide whether or not a resource-based permission should grant all scopes associated with the resource.
grantedScopes.addAll(permission.getScopes());
}
if (resource != null && resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
userManagedPermissions.add(policyResult); userManagedPermissions.add(policyResult);
} }
iterator.remove(); if (!resourceGranted) {
resourceGranted = policy.getResources().contains(resource);
}
} else { } else {
if (isResourcePermission(policy)) { if (isResourcePermission(policy)) {
deniedScopes.addAll(resource.getScopes()); if (!resourceGranted) {
deniedScopes.addAll(requestedScopes);
}
} else { } else {
deniedScopes.addAll(policyScopes); deniedScopes.addAll(policyScopes);
} }
if (!anyDeny) {
anyDeny = true;
}
} }
} }
// remove any scope denied from the list of granted scopes // remove any scope denied from the list of granted scopes
grantedScopes.removeAll(deniedScopes); grantedScopes.removeAll(deniedScopes);
if (!userManagedPermissions.isEmpty()) { if (userManagedPermissions.isEmpty()) {
Set<Scope> scopes = new HashSet<>(); if (!resourceGranted && (grantedScopes.isEmpty() && !requestedScopes.isEmpty())) {
return;
}
} else {
for (Result.PolicyResult userManagedPermission : userManagedPermissions) { for (Result.PolicyResult userManagedPermission : userManagedPermissions) {
grantedScopes.addAll(userManagedPermission.getPolicy().getScopes()); grantedScopes.addAll(userManagedPermission.getPolicy().getScopes());
} }
if (!scopes.isEmpty()) { if (grantedScopes.isEmpty() && !resource.getScopes().isEmpty()) {
grantedScopes.clear(); return;
} }
// deny scopes associated with a resource that are not explicitly granted by the user anyDeny = false;
if (!resource.getScopes().isEmpty() && scopes.isEmpty()) {
deniedScopes.addAll(resource.getScopes());
} else {
permissionResults.clear();
}
} }
if (!grantedScopes.isEmpty() || (permissionResults.isEmpty() && deniedScopes.isEmpty())) { if (anyDeny && grantedScopes.isEmpty()) {
grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result); return;
} }
grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result);
} }
} }
@ -141,7 +136,7 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
throw new RuntimeException("Failed to evaluate permissions", cause); throw new RuntimeException("Failed to evaluate permissions", cause);
} }
protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Set<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) { protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
Set<String> scopeNames = grantedScopes.stream().map(Scope::getName).collect(Collectors.toSet()); Set<String> scopeNames = grantedScopes.stream().map(Scope::getName).collect(Collectors.toSet());
Resource resource = permission.getResource(); Resource resource = permission.getResource();
@ -149,14 +144,11 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request)); permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request));
} else if (!grantedScopes.isEmpty()) { } else if (!grantedScopes.isEmpty()) {
ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore(); ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
List<Resource> resources = resourceStore.findByScope(grantedScopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
if (resources.isEmpty()) { resourceStore.findByScope(grantedScopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId(), resource1 -> permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request)));
if (permissions.isEmpty()) {
permissions.add(createPermission(null, scopeNames, permission.getClaims(), request)); permissions.add(createPermission(null, scopeNames, permission.getClaims(), request));
} else {
for (Resource grantedResource : resources) {
permissions.add(createPermission(grantedResource, scopeNames, permission.getClaims(), request));
}
} }
} }
} }

5
server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultEvaluation.java
View file

@ -61,10 +61,6 @@ public class DefaultEvaluation implements Evaluation {
this(permission, executionContext, parentPolicy, null, decision, authorizationProvider, decisionCache); this(permission, executionContext, parentPolicy, null, decision, authorizationProvider, decisionCache);
} }
public DefaultEvaluation(ResourcePermission permission, EvaluationContext executionContext, Policy parentPolicy, Policy policy, Decision decision, AuthorizationProvider authorizationProvider) {
this(permission, executionContext, parentPolicy, policy, decision, authorizationProvider, null);
}
public DefaultEvaluation(ResourcePermission permission, EvaluationContext executionContext, Decision decision, AuthorizationProvider authorizationProvider) { public DefaultEvaluation(ResourcePermission permission, EvaluationContext executionContext, Decision decision, AuthorizationProvider authorizationProvider) {
this(permission, executionContext, null, null, decision, authorizationProvider, Collections.emptyMap()); this(permission, executionContext, null, null, decision, authorizationProvider, Collections.emptyMap());
} }
@ -275,6 +271,7 @@ public class DefaultEvaluation implements Evaluation {
public void setPolicy(Policy policy) { public void setPolicy(Policy policy) {
this.policy = policy; this.policy = policy;
this.effect = null;
} }
public void setEffect(Effect effect) { public void setEffect(Effect effect) {

7
server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/Result.java
View file

@ -24,6 +24,7 @@ import org.keycloak.authorization.permission.ResourcePermission;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map; import java.util.Map;
/** /**
@ -32,7 +33,7 @@ import java.util.Map;
public class Result { public class Result {
private final ResourcePermission permission; private final ResourcePermission permission;
private final Map<String, PolicyResult> results = new HashMap<>(); private final Map<String, PolicyResult> results = new LinkedHashMap<>();
private final Evaluation evaluation; private final Evaluation evaluation;
private Effect status = Effect.DENY; private Effect status = Effect.DENY;
@ -65,6 +66,10 @@ public class Result {
return status; return status;
} }
public PolicyResult getPolicy(Policy policy) {
return results.get(policy.getId());
}
public static class PolicyResult { public static class PolicyResult {
private final Policy policy; private final Policy policy;

2
server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java
View file

@ -110,6 +110,8 @@ public interface ResourceStore {
*/ */
List<Resource> findByScope(List<String> id, String resourceServerId); List<Resource> findByScope(List<String> id, String resourceServerId);
void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer);
/** /**
* Find a {@link Resource} by its name where the owner is the resource server itself. * Find a {@link Resource} by its name where the owner is the resource server itself.
* *

32
services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
View file

@ -158,8 +158,7 @@ public class PolicyEvaluationService {
} }
private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) { private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) {
List<ResourceRepresentation> resources = representation.getResources(); return representation.getResources().stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
return resources.stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
StoreFactory storeFactory = authorization.getStoreFactory(); StoreFactory storeFactory = authorization.getStoreFactory();
if (resource == null) { if (resource == null) {
resource = new ResourceRepresentation(); resource = new ResourceRepresentation();
@ -171,25 +170,28 @@ public class PolicyEvaluationService {
givenScopes = new HashSet(); givenScopes = new HashSet();
} }
Set<String> scopeNames = givenScopes.stream().map(ScopeRepresentation::getName).collect(Collectors.toSet()); ScopeStore scopeStore = storeFactory.getScopeStore();
Set<Scope> scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(scopeRepresentation.getName(), resourceServer.getId())).collect(Collectors.toSet());
if (resource.getId() != null) { if (resource.getId() != null) {
Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId()); Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId());
return new ArrayList<>(Arrays.asList(Permissions.createResourcePermissions(resourceModel, scopeNames, authorization, request))).stream(); return new ArrayList<>(Arrays.asList(Permissions.createResourcePermissions(resourceModel, scopes.stream().map(Scope::getName).collect(Collectors.toSet()), authorization, request))).stream();
} else if (resource.getType() != null) { } else if (resource.getType() != null) {
return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, scopeNames, authorization, request)); return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, scopes.stream().map(Scope::getName).collect(Collectors.toSet()), authorization, request));
} else { } else {
ScopeStore scopeStore = storeFactory.getScopeStore(); if (scopes.isEmpty()) {
List<Scope> scopes = scopeNames.stream().map(scopeName -> scopeStore.findByName(scopeName, this.resourceServer.getId())).collect(Collectors.toList()); return Permissions.all(resourceServer, evaluationContext.getIdentity(), authorization, request).stream();
List<ResourcePermission> collect = new ArrayList<>();
if (!scopes.isEmpty()) {
collect.addAll(scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer)).collect(Collectors.toList()));
} else {
collect.addAll(Permissions.all(resourceServer, evaluationContext.getIdentity(), authorization, request));
} }
return collect.stream(); List<Resource> resources = storeFactory.getResourceStore().findByScope(scopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
if (resources.isEmpty()) {
return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer));
}
return resources.stream().map(resource12 -> Permissions.createResourcePermissions(resource12, scopes.stream().map(Scope::getName).collect(Collectors.toSet()), authorization, request));
} }
}).collect(Collectors.toList()); }).collect(Collectors.toList());
} }
@ -282,7 +284,7 @@ public class PolicyEvaluationService {
} }
@Override @Override
protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Set<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) { protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
result.setStatus(Effect.PERMIT); result.setStatus(Effect.PERMIT);
result.getPermission().getScopes().retainAll(grantedScopes); result.getPermission().getScopes().retainAll(grantedScopes);
super.grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result); super.grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result);

5
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozExampleAdapterTest.java
View file

@ -303,7 +303,10 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractExampleAd
printUpdatedPolicies(); printUpdatedPolicies();
clientPage.navigateToAdminAlbum(false); clientPage.navigateToAdminAlbum(false);
clientPage.viewAlbum("Alice Family Album", true); clientPage.viewAlbum("Alice Family Album", true);
clientPage.navigateToAdminAlbum(false);
clientPage.deleteAlbum("Alice Family Album", true);
for (PolicyRepresentation policy : getAuthorizationResource().policies().policies()) { for (PolicyRepresentation policy : getAuthorizationResource().policies().policies()) {
if ("Album Resource Permission".equals(policy.getName())) { if ("Album Resource Permission".equals(policy.getName())) {
@ -366,6 +369,7 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractExampleAd
assertThat(getResourcesOfUser("alice"), is(empty())); assertThat(getResourcesOfUser("alice"), is(empty()));
} }
@Ignore
@Test @Test
public void testClientRoleRepresentingUserConsent() throws Exception { public void testClientRoleRepresentingUserConsent() throws Exception {
ContainerAssume.assumeNotAuthServerUndertow(); ContainerAssume.assumeNotAuthServerUndertow();
@ -398,6 +402,7 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractExampleAd
} }
@Test @Test
@Ignore
public void testClientRoleNotRequired() throws Exception { public void testClientRoleNotRequired() throws Exception {
loginToClientPage("alice", "alice"); loginToClientPage("alice", "alice");

276
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
View file

@ -20,6 +20,7 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
@ -33,6 +34,8 @@ import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.function.Supplier; import java.util.function.Supplier;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
@ -48,10 +51,12 @@ import org.keycloak.common.util.Base64Url;
import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessToken.Authorization; import org.keycloak.representations.AccessToken.Authorization;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest; import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata; import org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata;
import org.keycloak.representations.idm.authorization.AuthorizationResponse; import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation; import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Permission; import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest; import org.keycloak.representations.idm.authorization.PermissionRequest;
@ -60,6 +65,7 @@ import org.keycloak.representations.idm.authorization.PermissionTicketRepresenta
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation; import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation; import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation; import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.RealmBuilder;
@ -127,30 +133,10 @@ public class EntitlementAPITest extends AbstractAuthzTest {
configureAuthorization(PAIRWISE_RESOURCE_SERVER_TEST); configureAuthorization(PAIRWISE_RESOURCE_SERVER_TEST);
} }
public void configureAuthorization(String clientId) throws Exception { @After
ClientResource client = getClient(getRealm(), clientId); public void removeAuthorization() throws Exception {
AuthorizationResource authorization = client.authorization(); removeAuthorization(RESOURCE_SERVER_TEST);
removeAuthorization(PAIRWISE_RESOURCE_SERVER_TEST);
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Default Policy");
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
for (int i = 1; i <= 20; i++) {
ResourceRepresentation resource = new ResourceRepresentation("Resource " + i);
authorization.resources().create(resource).close();
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getName());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
}
} }
@Test @Test
@ -770,6 +756,209 @@ public class EntitlementAPITest extends AbstractAuthzTest {
} }
} }
@Test
public void testOverridePermission() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation onlyOwnerPolicy = new JSPolicyRepresentation();
onlyOwnerPolicy.setName(KeycloakModelUtils.generateId());
onlyOwnerPolicy.setCode("var context = $evaluation.getContext();\n" +
"var identity = context.getIdentity();\n" +
"var permission = $evaluation.getPermission();\n" +
"var resource = permission.getResource();\n" +
"\n" +
"if (resource) {\n" +
" if (resource.owner == identity.id) {\n" +
" $evaluation.grant();\n" +
" }\n" +
"}");
authorization.policies().js().create(onlyOwnerPolicy).close();
ResourceRepresentation typedResource = new ResourceRepresentation();
typedResource.setType("resource");
typedResource.setName(KeycloakModelUtils.generateId());
typedResource.addScope("read", "update");
typedResource = authorization.resources().create(typedResource).readEntity(ResourceRepresentation.class);
ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
typedResourcePermission.setName(KeycloakModelUtils.generateId());
typedResourcePermission.setResourceType("resource");
typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
typedResourcePermission = authorization.permissions().resource().create(typedResourcePermission).readEntity(ResourcePermissionRepresentation.class);
ResourceRepresentation martaResource = new ResourceRepresentation();
martaResource.setType("resource");
martaResource.setName(KeycloakModelUtils.generateId());
martaResource.addScope("read", "update");
martaResource.setOwner("marta");
martaResource = authorization.resources().create(martaResource).readEntity(ResourceRepresentation.class);
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(martaResource.getName());
// marta can access her resource
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
request = new AuthorizationRequest();
request.addPermission(martaResource.getId());
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
UserPolicyRepresentation onlyKoloPolicy = new UserPolicyRepresentation();
onlyKoloPolicy.setName(KeycloakModelUtils.generateId());
onlyKoloPolicy.addUser("kolo");
authorization.policies().user().create(onlyKoloPolicy);
ResourcePermissionRepresentation martaResourcePermission = new ResourcePermissionRepresentation();
martaResourcePermission.setName(KeycloakModelUtils.generateId());
martaResourcePermission.addResource(martaResource.getId());
martaResourcePermission.addPolicy(onlyKoloPolicy.getName());
martaResourcePermission = authorization.permissions().resource().create(martaResourcePermission).readEntity(ResourcePermissionRepresentation.class);
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
typedResourcePermission.setResourceType(null);
typedResourcePermission.addResource(typedResource.getName());
authorization.permissions().resource().findById(typedResourcePermission.getId()).update(typedResourcePermission);
// now kolo can access marta's resources, last permission is overriding policies from typed resource
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
ScopePermissionRepresentation martaResourceUpdatePermission = new ScopePermissionRepresentation();
martaResourceUpdatePermission.setName(KeycloakModelUtils.generateId());
martaResourceUpdatePermission.addResource(martaResource.getId());
martaResourceUpdatePermission.addScope("update");
martaResourceUpdatePermission.addPolicy(onlyOwnerPolicy.getName());
martaResourceUpdatePermission = authorization.permissions().scope().create(martaResourceUpdatePermission).readEntity(ScopePermissionRepresentation.class);
// now kolo can only read, but not update
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(1, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read"));
}
authorization.permissions().resource().findById(martaResourcePermission.getId()).remove();
try {
// after removing permission to marta resource, kolo can not access any scope in the resource
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
martaResourceUpdatePermission.addPolicy(onlyKoloPolicy.getName());
martaResourceUpdatePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).update(martaResourceUpdatePermission);
// now kolo can access because update permission changed to allow him to access the resource using an affirmative strategy
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(1, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("update"));
}
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
// marta can still access her resource
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("update", "read"));
}
authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).remove();
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
try {
// back to original setup, permissions not granted by the type resource
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
}
private void testRptRequestWithResourceName(String configFile) { private void testRptRequestWithResourceName(String configFile) {
Metadata metadata = new Metadata(); Metadata metadata = new Metadata();
@ -861,4 +1050,43 @@ public class EntitlementAPITest extends AbstractAuthzTest {
return authzClient; return authzClient;
} }
private void configureAuthorization(String clientId) throws Exception {
ClientResource client = getClient(getRealm(), clientId);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Default Policy");
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
for (int i = 1; i <= 20; i++) {
ResourceRepresentation resource = new ResourceRepresentation("Resource " + i);
authorization.resources().create(resource).close();
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getName());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
}
}
private void removeAuthorization(String clientId) throws Exception {
ClientResource client = getClient(getRealm(), clientId);
ClientRepresentation representation = client.toRepresentation();
representation.setAuthorizationServicesEnabled(false);
client.update(representation);
representation.setAuthorizationServicesEnabled(true);
client.update(representation);
}
} }