keycloak-memoizeit
Changes
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java 2(+1 -1)
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java 6(+5 -1)
testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json 10(+9 -1)
testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/protected/premium/pep-disabled.jsp 48(+48 -0)
Details
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
index 452583b..c600e1a 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@@ -95,7 +95,7 @@ public abstract class AbstractPolicyEnforcer {
}
if (EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
- return createEmptyAuthorizationContext(true);
+ return createAuthorizationContext(accessToken, pathConfig);
}
MethodConfig methodConfig = getRequiredScopes(pathConfig, request);
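Review bot: The DISABLED branch now returns a context built from `accessToken` and `pathConfig` instead of the unconditionally granted empty one, so whether a disabled path can still end up denied, or fail on a request that carries no token, now depends on createAuthorizationContext, which is outside this hunk; confirm it never evaluates or denies and tolerates a missing token, since DISABLED is expected to be a pure pass-through that merely exposes the token's permissions. A one-line comment would make that intent explicit: `// DISABLED: no enforcement here, only expose the token's permissions to the application`. The enclosing method starts and ends outside the hunk.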
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
index 2d5f0cc..275315e 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
@@ -137,7 +137,11 @@ public class PolicyEnforcer {
if (loadPathsFromServer) {
LOGGER.info("No path provided in configuration.");
- return configureAllPathsForResourceServer(protectedResource);
+ Map<String, PathConfig> paths = configureAllPathsForResourceServer(protectedResource);
+
+ paths.putAll(configureDefinedPaths(protectedResource, enforcerConfig));
+
+ return paths;
} else {
LOGGER.info("Paths provided in configuration.");
return configureDefinedPaths(protectedResource, enforcerConfig);
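Review bot: The added `paths.putAll(...)` makes a path defined in the adapter configuration silently replace the server-provided configuration for the same key, including its enforcement mode; the new DISABLED test path relies on exactly that, but the precedence is stated nowhere. Suggest a comment above the merge: `// Locally defined paths take precedence over those loaded from the server`. It is also worth confirming that both configure methods key the map the same way (presumably by path), otherwise the override does not apply and two entries for one path coexist. The enclosing method starts and ends outside the hunk.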
diff --git a/testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json b/testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json
index 35f76d2..df115c3 100644
--- a/testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/keycloak-lazy-load-authz-service.json
@@ -10,6 +10,14 @@
},
"policy-enforcer": {
"on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp",
- "lazy-load-paths": true
+ "lazy-load-paths": true,
+ "paths": [
+ {
+ "name": "Premium Resource",
+ "path": "/protected/premium/pep-disabled.jsp",
+ "enforcement-mode": "DISABLED"
+ }
+ ]
+
}
}
\ No newline at end of file
diff --git a/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/index.jsp b/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/index.jsp
index 345a69d..5117470 100755
--- a/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/index.jsp
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/index.jsp
@@ -14,6 +14,7 @@
<p><a href="protected/dynamicMenu.jsp">Dynamic Menu</a></p>
<p><a href="protected/premium/onlyPremium.jsp">User Premium</a></p>
+ <p><a href="protected/premium/pep-disabled.jsp">PEP Disabled</a></p>
<p><a href="protected/admin/onlyAdmin.jsp">Administration</a></p>
<h3>Your permissions are:</h3>
diff --git a/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/protected/premium/pep-disabled.jsp b/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/protected/premium/pep-disabled.jsp
new file mode 100644
index 0000000..8ef0ed8
--- /dev/null
+++ b/testsuite/integration-arquillian/test-apps/servlet-authz/src/main/webapp/protected/premium/pep-disabled.jsp
@@ -0,0 +1,48 @@
+<%@page import="org.keycloak.AuthorizationContext" %>
+<%@ page import="org.keycloak.KeycloakSecurityContext" %>
+
+<%
+ KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
+ AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
+%>
+
+<html>
+<body>
+<h2>Policy enforcement is disabled. Access granted: <%= authzContext.isGranted() %></h2>
+<%@include file="../../logout-include.jsp"%>
+
+<p>Here is a dynamic menu built from the permissions returned by the server:</p>
+
+<ul>
+ <%
+ if (authzContext.hasResourcePermission("Protected Resource")) {
+ %>
+ <li>
+ Do user thing
+ </li>
+ <%
+ }
+ %>
+
+ <%
+ if (authzContext.hasResourcePermission("Premium Resource")) {
+ %>
+ <li>
+ Do user premium thing
+ </li>
+ <%
+ }
+ %>
+
+ <%
+ if (authzContext.hasPermission("Admin Resource", "urn:servlet-authz:protected:admin:access")) {
+ %>
+ <li>
+ Do administration thing
+ </li>
+ <%
+ }
+ %>
+</ul>
+</body>
+</html>
\ No newline at end of file
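Review bot: `keycloakSecurityContext` is dereferenced on the second scriptlet line without a null check, so a request that reaches this page without an authenticated session produces a NullPointerException and a 500 rather than a clear response. The page lives under /protected and is presumably covered by a security constraint, but the guard is one line: `if (keycloakSecurityContext == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; }`. The two page directives also differ in spacing (`<%@page` vs `<%@ page`).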
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java
index 7f47bb9..03abbb2 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java
@@ -93,7 +93,7 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
return this.driver.getPageSource().contains(text);
}
- private WebElement getLink(String text) {
+ protected WebElement getLink(String text) {
return this.driver.findElement(By.xpath("//a[text() = '" + text + "']"));
}
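Review bot: `getLink` is now part of the API subclasses call, and it interpolates `text` into an XPath string literal, so a link text containing a single quote yields an invalid XPath at runtime. Since callers pass the visible link text anyway, `By.linkText(text)` expresses the same lookup without assembling a query string: `return this.driver.findElement(By.linkText(text));`. If the XPath is kept, a short Javadoc noting that the text must not contain `'` would document the widened contract.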
@@ -137,7 +137,7 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
}
}
- private void navigateTo() {
+ protected void navigateTo() {
this.driver.navigate().to(getResourceServerUrl());
WaitUtils.waitUntilElement(By.xpath("//a[text() = 'Dynamic Menu']"));
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzLazyLoadPathsAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzLazyLoadPathsAdapterTest.java
index 0989aa5..fb68580 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzLazyLoadPathsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzLazyLoadPathsAdapterTest.java
@@ -17,32 +17,13 @@
package org.keycloak.testsuite.adapter.example.authorization;
import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
import java.io.File;
import java.io.IOException;
-import java.util.Arrays;
-import java.util.List;
-
-import javax.ws.rs.core.Response;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Test;
-import org.keycloak.admin.client.resource.ClientPoliciesResource;
-import org.keycloak.admin.client.resource.RealmResource;
-import org.keycloak.admin.client.resource.ResourcesResource;
-import org.keycloak.admin.client.resource.RolePoliciesResource;
-import org.keycloak.admin.client.resource.RoleScopeResource;
-import org.keycloak.admin.client.resource.RolesResource;
-import org.keycloak.admin.client.resource.UserResource;
-import org.keycloak.admin.client.resource.UsersResource;
-import org.keycloak.representations.idm.RoleRepresentation;
-import org.keycloak.representations.idm.UserRepresentation;
-import org.keycloak.representations.idm.authorization.ClientPolicyRepresentation;
-import org.keycloak.representations.idm.authorization.ResourceRepresentation;
-import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
-import org.keycloak.testsuite.util.WaitUtils;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@@ -55,4 +36,16 @@ public abstract class AbstractServletAuthzLazyLoadPathsAdapterTest extends Abstr
.addAsWebInfResource(new File(TEST_APPS_HOME_DIR + "/servlet-authz-app/keycloak-lazy-load-authz-service.json"), "keycloak.json");
}
+ @Test
+ public void testPathPEPDisabled() {
+ performTests(() -> {
+ login("alice", "alice");
+ assertFalse(wasDenied());
+
+ navigateTo();
+ getLink("PEP Disabled").click();
+
+ hasText("Policy enforcement is disabled. Access granted: true");
+ });
+ }
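Review bot: The result of `hasText(...)` on the last line of the lambda is discarded, so the test passes even if the page reports `Access granted: false` or never renders; it should read `assertTrue(hasText("Policy enforcement is disabled. Access granted: true"));`. The hunk at the top of this file removes `import static org.junit.Assert.assertTrue;`, which would need to stay for that assertion. The method body shown at the start of the AbstractBaseServletAuthzAdapterTest hunk (presumably hasText) just returns `getPageSource().contains(text)`, so nothing else fails on a mismatch.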
}