Adding a test when custom policies are used

2021-03-22 08:34:53 -03:00 · 2021-03-22 08:34:53 -03:00 · fca65ac644
commit fca65ac644
parent ca81e6ae8c
1 changed files with 48 additions and 0 deletions
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
@ -814,6 +814,54 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
        assertTrue(permissions.isEmpty());
    }

+    @Test
+    public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
+        ResourceRepresentation resource = new ResourceRepresentation();
+
+        resource.setName("Resource A");
+        resource.setOwnerManagedAccess(true);
+        resource.setOwner("marta");
+        resource.addScope("Scope A", "Scope B", "Scope C");
+
+        resource = getAuthzClient().protection().resource().create(resource);
+
+        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
+
+        permission.setName("Custom User-Managed Permission");
+        permission.addScope("Scope A", "Scope B");
+        permission.addUser("kolo");
+
+        ProtectionResource protection = getAuthzClient().protection("marta", "password");
+
+        protection.policy(resource.getId()).create(permission);
+
+        AuthorizationResource authorization = getAuthzClient().authorization("kolo", "password");
+
+        AuthorizationRequest request = new AuthorizationRequest();
+
+        request.addPermission(resource.getId(), "Scope A", "Scope B");
+
+        AuthorizationResponse authzResponse = authorization.authorize(request);
+        assertNotNull(authzResponse);
+
+        AccessToken token = toAccessToken(authzResponse.getToken());
+        assertNotNull(token.getAuthorization());
+
+        Collection<Permission> permissions = token.getAuthorization().getPermissions();
+        assertEquals(1, permissions.size());
+
+        assertTrue(permissions
+                .iterator().next().getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));
+
+        try {
+            // policy engine does not evaluate custom policies when obtaining all entitlements
+            getAuthzClient().authorization("kolo", "password").authorize();
+            fail("User should not have permission");
+        } catch (Exception e) {
+            assertTrue(AuthorizationDeniedException.class.isInstance(e));
+        }
+    }
+
    private List<PolicyRepresentation> getAssociatedPolicies(UmaPermissionRepresentation permission) {
        return getClient(getRealm()).authorization().policies().policy(permission.getId()).associatedPolicies();
    }