Disable Authz caching for new storage tests

Closes #10500
2022-03-01 09:33:04 +01:00 · 2022-03-01 09:33:04 +01:00 · f77ce315bb
commit f77ce315bb
parent f569db2e42
5 changed files with 40 additions and 6 deletions
--- a/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java
+++ b/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java
@ -19,6 +19,7 @@ package org.keycloak.models.map.authorization;

 import org.jboss.logging.Logger;
 import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.UserManagedPermissionUtil;
 import org.keycloak.authorization.model.PermissionTicket;
 import org.keycloak.authorization.model.PermissionTicket.SearchableFields;
 import org.keycloak.authorization.model.Resource;
@ -129,7 +130,12 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
    @Override
    public void delete(String id) {
        LOG.tracef("delete(%s)%s", id, getShortStackTrace());
+
+        PermissionTicket permissionTicket = findById(id, null);
+        if (permissionTicket == null) return;
+
        tx.delete(id);
+        UserManagedPermissionUtil.removePolicy(permissionTicket, authorizationProvider.getStoreFactory());
    }

    @Override
--- a/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java
+++ b/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java
@ -17,7 +17,10 @@

 package org.keycloak.models.map.authorization.adapter;

+import org.keycloak.authorization.model.PermissionTicket;
 import org.keycloak.authorization.model.Scope;
+import org.keycloak.authorization.store.PermissionTicketStore;
+import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.StoreFactory;

 import org.keycloak.models.map.authorization.entity.MapResourceEntity;
@ -129,6 +132,25 @@ public class MapResourceAdapter extends AbstractResourceModel<MapResourceEntity>
    @Override
    public void updateScopes(Set<Scope> scopes) {
        throwExceptionIfReadonly();
+
+        PermissionTicketStore permissionStore = storeFactory.getPermissionTicketStore();
+        PolicyStore policyStore = storeFactory.getPolicyStore();
+
+        for (Scope scope : getScopes()) {
+            if (!scopes.contains(scope)) {
+                // The scope^ was removed from the Resource
+
+                // Remove permission tickets based on the scope
+                List<PermissionTicket> permissions = permissionStore.findByScope(scope.getId(), getResourceServer());
+                for (PermissionTicket permission : permissions) {
+                    permissionStore.delete(permission.getId());
+                }
+
+                // Remove the scope from each Policy for this Resource
+                policyStore.findByResource(getId(), getResourceServer(), policy -> policy.removeScope(scope));
+            }
+        }
+
        entity.setScopeIds(scopes.stream().map(Scope::getId).collect(Collectors.toSet()));
    }

--- a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
+++ b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
@ -494,15 +494,14 @@ public class AuthorizationTokenService {
            }
        }

-        resolvePreviousGrantedPermissions(ticket, request, resourceServer, permissionsToEvaluate, resourceStore, scopeStore, limit);
+        resolvePreviousGrantedPermissions(request, resourceServer, permissionsToEvaluate, resourceStore, scopeStore, limit);

        return permissionsToEvaluate.values();
    }

-    private void resolvePreviousGrantedPermissions(PermissionTicketToken ticket,
-            KeycloakAuthorizationRequest request, ResourceServer resourceServer,
-            Map<String, ResourcePermission> permissionsToEvaluate, ResourceStore resourceStore, ScopeStore scopeStore,
-            AtomicInteger limit) {
+    private void resolvePreviousGrantedPermissions(KeycloakAuthorizationRequest request, ResourceServer resourceServer,
+                                                   Map<String, ResourcePermission> permissionsToEvaluate, ResourceStore resourceStore, ScopeStore scopeStore,
+                                                   AtomicInteger limit) {
        AccessToken rpt = request.getRpt();

        if (rpt != null && rpt.isActive()) {
@ -517,7 +516,7 @@ public class AuthorizationTokenService {
                            break;
                        }

-                        Resource resource = resourceStore.findById(grantedPermission.getResourceId(), ticket.getIssuedFor());
+                        Resource resource = resourceStore.findById(grantedPermission.getResourceId(), resourceServer.getId());

                        if (resource != null) {
                            ResourcePermission permission = permissionsToEvaluate.get(resource.getId());
--- a/testsuite/integration-arquillian/tests/base/pom.xml
+++ b/testsuite/integration-arquillian/tests/base/pom.xml
@ -1134,6 +1134,7 @@
                                <keycloak.userSession.provider>map</keycloak.userSession.provider>
                                <keycloak.loginFailure.provider>map</keycloak.loginFailure.provider>
                                <keycloak.authorization.provider>map</keycloak.authorization.provider>
+                                <keycloak.authorizationCache.enabled>false</keycloak.authorizationCache.enabled>
                          </systemPropertyVariables>
                      </configuration>
                    </plugin>
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json
@ -167,6 +167,12 @@
        }
    },

+    "authorizationCache": {
+        "default": {
+            "enabled": "${keycloak.authorizationCache.enabled:true}"
+        }
+    },
+
    "userCache": {
        "provider": "${keycloak.user.cache.provider:default}",
        "default" : {