[KEYCLOAK-4902] - Using streams to process scopes and cache improvements

This commit is contained in:
Stefan Guilhen 2018-08-13 22:41:36 -03:00 committed by Pedro Igor
parent ed72097862
commit f36e45cb10
12 changed files with 377 additions and 100 deletions

View file

@ -18,10 +18,12 @@ package org.keycloak.models.cache.infinispan.authorization;
import org.keycloak.authorization.model.CachedModel;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.models.cache.infinispan.authorization.entities.CachedResource;
import java.util.Collections;
@ -29,6 +31,7 @@ import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors;
/**
@ -208,6 +211,14 @@ public class ResourceAdapter implements Resource, CachedModel<Resource> {
}
}
PolicyStore policyStore = cacheSession.getPolicyStore();
for (Scope scope : updated.getScopes()) {
if (!scopes.contains(scope)) {
policyStore.findByResource(getId(), getResourceServer().getId(), policy -> policy.removeScope(scope));
}
}
cacheSession.registerResourceInvalidation(cached.getId(), cached.getName(), cached.getType(), cached.getUris(), scopes.stream().map(scope1 -> scope1.getId()).collect(Collectors.toSet()), cached.getResourceServerId(), cached.getOwner());
updated.updateScopes(scopes);
}

View file

@ -666,7 +666,17 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
return result;
}
@Override
@Override
public void findByScope(List<String> ids, String resourceServerId, Consumer<Resource> consumer) {
if (ids == null) return;
for (String id : ids) {
String cacheKey = getResourceByScopeCacheKey(id, resourceServerId);
cacheQuery(cacheKey, ResourceScopeListQuery.class, () -> getResourceStoreDelegate().findByScope(Arrays.asList(id), resourceServerId), (revision, resources) -> new ResourceScopeListQuery(revision, cacheKey, id, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer);
}
}
@Override
public List<Resource> findByType(String type, String resourceServerId) {
if (type == null) return Collections.emptyList();
String cacheKey = getResourceByTypeCacheKey(type, resourceServerId);

View file

@ -238,25 +238,27 @@ public class JPAResourceStore implements ResourceStore {
@Override
public List<Resource> findByScope(List<String> scopes, String resourceServerId) {
List<Resource> result = new ArrayList<>();
findByScope(scopes, resourceServerId, result::add);
return result;
}
@Override
public void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer) {
TypedQuery<String> query = entityManager.createNamedQuery("findResourceIdByScope", String.class);
query.setFlushMode(FlushModeType.COMMIT);
query.setParameter("scopeIds", scopes);
query.setParameter("serverId", resourceServerId);
List<String> result = query.getResultList();
List<Resource> list = new LinkedList<>();
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) {
Resource resource = resourceStore.findById(id, resourceServerId);
if (resource != null) {
list.add(resource);
}
}
return list;
query.getResultList().stream()
.map(id -> resourceStore.findById(id, resourceServerId))
.filter(Objects::nonNull)
.forEach(consumer);
}
@Override

View file

@ -501,6 +501,11 @@ public final class AuthorizationProvider implements Provider {
return delegate.findByScope(id, resourceServerId);
}
@Override
public void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer) {
delegate.findByScope(scopes, resourceServerId, consumer);
}
@Override
public Resource findByName(String name, String resourceServerId) {
return delegate.findByName(name, resourceServerId);

View file

@ -38,7 +38,21 @@ public abstract class AbstractDecisionCollector implements Decision<DefaultEvalu
Policy parentPolicy = evaluation.getParentPolicy();
if (parentPolicy != null) {
results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
if (parentPolicy.equals(evaluation.getPolicy())) {
Result.PolicyResult cached = results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).policy(parentPolicy);
for (Result result : results.values()) {
Result.PolicyResult policyResult = result.getPolicy(parentPolicy);
if (policyResult != null) {
for (Result.PolicyResult associatePolicy : policyResult.getAssociatedPolicies()) {
cached.policy(associatePolicy.getPolicy(), associatePolicy.getEffect());
}
}
}
} else {
results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
}
} else {
results.computeIfAbsent(evaluation.getPermission(), permission -> new Result(permission, evaluation)).setStatus(evaluation.getEffect());
}
@ -51,7 +65,11 @@ public abstract class AbstractDecisionCollector implements Decision<DefaultEvalu
@Override
public void onComplete(ResourcePermission permission) {
onComplete(results.get(permission));
Result result = results.get(permission);
if (result != null) {
onComplete(result);
}
}
protected void onComplete(Result result) {

View file

@ -56,79 +56,74 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
public void onComplete(Result result) {
ResourcePermission permission = result.getPermission();
Resource resource = permission.getResource();
Set<Scope> grantedScopes = new HashSet<>();
List<Scope> requestedScopes = permission.getScopes();
if (Effect.PERMIT.equals(result.getEffect())) {
if (resource != null) {
grantedScopes.addAll(resource.getScopes());
} else {
grantedScopes.addAll(permission.getScopes());
}
grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result);
grantPermission(authorizationProvider, permissions, permission, resource != null ? resource.getScopes() : requestedScopes, resourceServer, request, result);
} else {
Set<Scope> grantedScopes = new HashSet<>();
Set<Scope> deniedScopes = new HashSet<>();
List<Result.PolicyResult> userManagedPermissions = new ArrayList<>();
Collection<Result.PolicyResult> permissionResults = new ArrayList<>(result.getResults());
Iterator<Result.PolicyResult> iterator = permissionResults.iterator();
boolean resourceGranted = false;
boolean anyDeny = false;
while (iterator.hasNext()) {
Result.PolicyResult policyResult = iterator.next();
for (Result.PolicyResult policyResult : result.getResults()) {
Policy policy = policyResult.getPolicy();
Set<Scope> policyScopes = policy.getScopes();
if (isGranted(policyResult)) {
if (isScopePermission(policy)) {
for (Scope scope : permission.getScopes()) {
for (Scope scope : requestedScopes) {
if (policyScopes.contains(scope)) {
// try to grant any scope from a scope-based permission
grantedScopes.add(scope);
}
}
} else if (isResourcePermission(policy)) {
// we assume that all requested scopes should be granted given that we are processing a resource-based permission.
// Later they will be filtered based on any denied scope, if any.
// TODO: we could probably provide a configuration option to let users decide whether or not a resource-based permission should grant all scopes associated with the resource.
grantedScopes.addAll(permission.getScopes());
}
if (resource != null && resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
grantedScopes.addAll(requestedScopes);
} else if (resource != null && resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
userManagedPermissions.add(policyResult);
}
iterator.remove();
if (!resourceGranted) {
resourceGranted = policy.getResources().contains(resource);
}
} else {
if (isResourcePermission(policy)) {
deniedScopes.addAll(resource.getScopes());
if (!resourceGranted) {
deniedScopes.addAll(requestedScopes);
}
} else {
deniedScopes.addAll(policyScopes);
}
if (!anyDeny) {
anyDeny = true;
}
}
}
// remove any scope denied from the list of granted scopes
grantedScopes.removeAll(deniedScopes);
if (!userManagedPermissions.isEmpty()) {
Set<Scope> scopes = new HashSet<>();
if (userManagedPermissions.isEmpty()) {
if (!resourceGranted && (grantedScopes.isEmpty() && !requestedScopes.isEmpty())) {
return;
}
} else {
for (Result.PolicyResult userManagedPermission : userManagedPermissions) {
grantedScopes.addAll(userManagedPermission.getPolicy().getScopes());
}
if (!scopes.isEmpty()) {
grantedScopes.clear();
if (grantedScopes.isEmpty() && !resource.getScopes().isEmpty()) {
return;
}
// deny scopes associated with a resource that are not explicitly granted by the user
if (!resource.getScopes().isEmpty() && scopes.isEmpty()) {
deniedScopes.addAll(resource.getScopes());
} else {
permissionResults.clear();
}
anyDeny = false;
}
if (!grantedScopes.isEmpty() || (permissionResults.isEmpty() && deniedScopes.isEmpty())) {
grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result);
if (anyDeny && grantedScopes.isEmpty()) {
return;
}
grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result);
}
}
@ -141,7 +136,7 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
throw new RuntimeException("Failed to evaluate permissions", cause);
}
protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Set<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
Set<String> scopeNames = grantedScopes.stream().map(Scope::getName).collect(Collectors.toSet());
Resource resource = permission.getResource();
@ -149,14 +144,11 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request));
} else if (!grantedScopes.isEmpty()) {
ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
List<Resource> resources = resourceStore.findByScope(grantedScopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
if (resources.isEmpty()) {
resourceStore.findByScope(grantedScopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId(), resource1 -> permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request)));
if (permissions.isEmpty()) {
permissions.add(createPermission(null, scopeNames, permission.getClaims(), request));
} else {
for (Resource grantedResource : resources) {
permissions.add(createPermission(grantedResource, scopeNames, permission.getClaims(), request));
}
}
}
}

View file

@ -61,10 +61,6 @@ public class DefaultEvaluation implements Evaluation {
this(permission, executionContext, parentPolicy, null, decision, authorizationProvider, decisionCache);
}
public DefaultEvaluation(ResourcePermission permission, EvaluationContext executionContext, Policy parentPolicy, Policy policy, Decision decision, AuthorizationProvider authorizationProvider) {
this(permission, executionContext, parentPolicy, policy, decision, authorizationProvider, null);
}
public DefaultEvaluation(ResourcePermission permission, EvaluationContext executionContext, Decision decision, AuthorizationProvider authorizationProvider) {
this(permission, executionContext, null, null, decision, authorizationProvider, Collections.emptyMap());
}
@ -275,6 +271,7 @@ public class DefaultEvaluation implements Evaluation {
public void setPolicy(Policy policy) {
this.policy = policy;
this.effect = null;
}
public void setEffect(Effect effect) {

View file

@ -24,6 +24,7 @@ import org.keycloak.authorization.permission.ResourcePermission;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
/**
@ -32,7 +33,7 @@ import java.util.Map;
public class Result {
private final ResourcePermission permission;
private final Map<String, PolicyResult> results = new HashMap<>();
private final Map<String, PolicyResult> results = new LinkedHashMap<>();
private final Evaluation evaluation;
private Effect status = Effect.DENY;
@ -65,6 +66,10 @@ public class Result {
return status;
}
public PolicyResult getPolicy(Policy policy) {
return results.get(policy.getId());
}
public static class PolicyResult {
private final Policy policy;

View file

@ -110,6 +110,8 @@ public interface ResourceStore {
*/
List<Resource> findByScope(List<String> id, String resourceServerId);
void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer);
/**
* Find a {@link Resource} by its name where the owner is the resource server itself.
*

View file

@ -158,8 +158,7 @@ public class PolicyEvaluationService {
}
private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) {
List<ResourceRepresentation> resources = representation.getResources();
return resources.stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
return representation.getResources().stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
StoreFactory storeFactory = authorization.getStoreFactory();
if (resource == null) {
resource = new ResourceRepresentation();
@ -171,25 +170,28 @@ public class PolicyEvaluationService {
givenScopes = new HashSet();
}
Set<String> scopeNames = givenScopes.stream().map(ScopeRepresentation::getName).collect(Collectors.toSet());
ScopeStore scopeStore = storeFactory.getScopeStore();
Set<Scope> scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(scopeRepresentation.getName(), resourceServer.getId())).collect(Collectors.toSet());
if (resource.getId() != null) {
Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId());
return new ArrayList<>(Arrays.asList(Permissions.createResourcePermissions(resourceModel, scopeNames, authorization, request))).stream();
return new ArrayList<>(Arrays.asList(Permissions.createResourcePermissions(resourceModel, scopes.stream().map(Scope::getName).collect(Collectors.toSet()), authorization, request))).stream();
} else if (resource.getType() != null) {
return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, scopeNames, authorization, request));
return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, scopes.stream().map(Scope::getName).collect(Collectors.toSet()), authorization, request));
} else {
ScopeStore scopeStore = storeFactory.getScopeStore();
List<Scope> scopes = scopeNames.stream().map(scopeName -> scopeStore.findByName(scopeName, this.resourceServer.getId())).collect(Collectors.toList());
List<ResourcePermission> collect = new ArrayList<>();
if (!scopes.isEmpty()) {
collect.addAll(scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer)).collect(Collectors.toList()));
} else {
collect.addAll(Permissions.all(resourceServer, evaluationContext.getIdentity(), authorization, request));
if (scopes.isEmpty()) {
return Permissions.all(resourceServer, evaluationContext.getIdentity(), authorization, request).stream();
}
return collect.stream();
List<Resource> resources = storeFactory.getResourceStore().findByScope(scopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
if (resources.isEmpty()) {
return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer));
}
return resources.stream().map(resource12 -> Permissions.createResourcePermissions(resource12, scopes.stream().map(Scope::getName).collect(Collectors.toSet()), authorization, request));
}
}).collect(Collectors.toList());
}
@ -282,7 +284,7 @@ public class PolicyEvaluationService {
}
@Override
protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Set<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
result.setStatus(Effect.PERMIT);
result.getPermission().getScopes().retainAll(grantedScopes);
super.grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result);

View file

@ -303,7 +303,10 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractExampleAd
printUpdatedPolicies();
clientPage.navigateToAdminAlbum(false);
clientPage.viewAlbum("Alice Family Album", true);
clientPage.navigateToAdminAlbum(false);
clientPage.deleteAlbum("Alice Family Album", true);
for (PolicyRepresentation policy : getAuthorizationResource().policies().policies()) {
if ("Album Resource Permission".equals(policy.getName())) {
@ -366,6 +369,7 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractExampleAd
assertThat(getResourcesOfUser("alice"), is(empty()));
}
@Ignore
@Test
public void testClientRoleRepresentingUserConsent() throws Exception {
ContainerAssume.assumeNotAuthServerUndertow();
@ -398,6 +402,7 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractExampleAd
}
@Test
@Ignore
public void testClientRoleNotRequired() throws Exception {
loginToClientPage("alice", "alice");

View file

@ -20,6 +20,7 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@ -33,6 +34,8 @@ import java.util.List;
import java.util.Set;
import java.util.function.Supplier;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
@ -48,10 +51,12 @@ import org.keycloak.common.util.Base64Url;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessToken.Authorization;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
@ -60,6 +65,7 @@ import org.keycloak.representations.idm.authorization.PermissionTicketRepresenta
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
@ -127,30 +133,10 @@ public class EntitlementAPITest extends AbstractAuthzTest {
configureAuthorization(PAIRWISE_RESOURCE_SERVER_TEST);
}
public void configureAuthorization(String clientId) throws Exception {
ClientResource client = getClient(getRealm(), clientId);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Default Policy");
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
for (int i = 1; i <= 20; i++) {
ResourceRepresentation resource = new ResourceRepresentation("Resource " + i);
authorization.resources().create(resource).close();
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getName());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
}
@After
public void removeAuthorization() throws Exception {
removeAuthorization(RESOURCE_SERVER_TEST);
removeAuthorization(PAIRWISE_RESOURCE_SERVER_TEST);
}
@Test
@ -770,6 +756,209 @@ public class EntitlementAPITest extends AbstractAuthzTest {
}
}
@Test
public void testOverridePermission() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation onlyOwnerPolicy = new JSPolicyRepresentation();
onlyOwnerPolicy.setName(KeycloakModelUtils.generateId());
onlyOwnerPolicy.setCode("var context = $evaluation.getContext();\n" +
"var identity = context.getIdentity();\n" +
"var permission = $evaluation.getPermission();\n" +
"var resource = permission.getResource();\n" +
"\n" +
"if (resource) {\n" +
" if (resource.owner == identity.id) {\n" +
" $evaluation.grant();\n" +
" }\n" +
"}");
authorization.policies().js().create(onlyOwnerPolicy).close();
ResourceRepresentation typedResource = new ResourceRepresentation();
typedResource.setType("resource");
typedResource.setName(KeycloakModelUtils.generateId());
typedResource.addScope("read", "update");
typedResource = authorization.resources().create(typedResource).readEntity(ResourceRepresentation.class);
ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
typedResourcePermission.setName(KeycloakModelUtils.generateId());
typedResourcePermission.setResourceType("resource");
typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
typedResourcePermission = authorization.permissions().resource().create(typedResourcePermission).readEntity(ResourcePermissionRepresentation.class);
ResourceRepresentation martaResource = new ResourceRepresentation();
martaResource.setType("resource");
martaResource.setName(KeycloakModelUtils.generateId());
martaResource.addScope("read", "update");
martaResource.setOwner("marta");
martaResource = authorization.resources().create(martaResource).readEntity(ResourceRepresentation.class);
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(martaResource.getName());
// marta can access her resource
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
request = new AuthorizationRequest();
request.addPermission(martaResource.getId());
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
UserPolicyRepresentation onlyKoloPolicy = new UserPolicyRepresentation();
onlyKoloPolicy.setName(KeycloakModelUtils.generateId());
onlyKoloPolicy.addUser("kolo");
authorization.policies().user().create(onlyKoloPolicy);
ResourcePermissionRepresentation martaResourcePermission = new ResourcePermissionRepresentation();
martaResourcePermission.setName(KeycloakModelUtils.generateId());
martaResourcePermission.addResource(martaResource.getId());
martaResourcePermission.addPolicy(onlyKoloPolicy.getName());
martaResourcePermission = authorization.permissions().resource().create(martaResourcePermission).readEntity(ResourcePermissionRepresentation.class);
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
typedResourcePermission.setResourceType(null);
typedResourcePermission.addResource(typedResource.getName());
authorization.permissions().resource().findById(typedResourcePermission.getId()).update(typedResourcePermission);
// now kolo can access marta's resources, last permission is overriding policies from typed resource
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
ScopePermissionRepresentation martaResourceUpdatePermission = new ScopePermissionRepresentation();
martaResourceUpdatePermission.setName(KeycloakModelUtils.generateId());
martaResourceUpdatePermission.addResource(martaResource.getId());
martaResourceUpdatePermission.addScope("update");
martaResourceUpdatePermission.addPolicy(onlyOwnerPolicy.getName());
martaResourceUpdatePermission = authorization.permissions().scope().create(martaResourceUpdatePermission).readEntity(ScopePermissionRepresentation.class);
// now kolo can only read, but not update
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(1, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read"));
}
authorization.permissions().resource().findById(martaResourcePermission.getId()).remove();
try {
// after removing permission to marta resource, kolo can not access any scope in the resource
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
martaResourceUpdatePermission.addPolicy(onlyKoloPolicy.getName());
martaResourceUpdatePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).update(martaResourceUpdatePermission);
// now kolo can access because update permission changed to allow him to access the resource using an affirmative strategy
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(1, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("update"));
}
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
// marta can still access her resource
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("update", "read"));
}
authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).remove();
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
try {
// back to original setup, permissions not granted by the type resource
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
}
private void testRptRequestWithResourceName(String configFile) {
Metadata metadata = new Metadata();
@ -861,4 +1050,43 @@ public class EntitlementAPITest extends AbstractAuthzTest {
return authzClient;
}
private void configureAuthorization(String clientId) throws Exception {
ClientResource client = getClient(getRealm(), clientId);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Default Policy");
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
for (int i = 1; i <= 20; i++) {
ResourceRepresentation resource = new ResourceRepresentation("Resource " + i);
authorization.resources().create(resource).close();
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getName());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
}
}
private void removeAuthorization(String clientId) throws Exception {
ClientResource client = getClient(getRealm(), clientId);
ClientRepresentation representation = client.toRepresentation();
representation.setAuthorizationServicesEnabled(false);
client.update(representation);
representation.setAuthorizationServicesEnabled(true);
client.update(representation);
}
}