keycloak-uncached


diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
index 2ce7a49..cf7e6d4 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@@ -70,7 +70,11 @@ public abstract class AbstractPolicyEnforcer {
         if (securityContext == null) {
             if (!isDefaultAccessDeniedUri(request)) {
                 if (pathConfig != null) {
-                    challenge(pathConfig, getRequiredScopes(pathConfig, request), httpFacade);
+                    if (EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
+                        return createEmptyAuthorizationContext(true);
+                    } else {
+                        challenge(pathConfig, getRequiredScopes(pathConfig, request), httpFacade);
+                    }
                 } else {
                     handleAccessDenied(httpFacade);
                 }
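Review bot: The new `return createEmptyAuthorizationContext(true);` grants a request that carries no security context, and nothing at the site says so or says what the decision rests on. The grant depends entirely on how `pathConfig` was resolved for this request, which happens above the hunk and is not visible here; it is worth confirming that the lookup works on a canonical request path, since otherwise a DISABLED entry could presumably match more URIs than the configuration author intended. I would add a comment above the check such as `// DISABLED path: enforcement is off, so anonymous requests are granted without a bearer challenge`. The `else` after the `return` is redundant, so `challenge(...)` can follow the `if` directly. The enclosing method starts and ends outside the hunk.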
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
index 2df71b6..e514348 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java
@@ -176,6 +176,41 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
         assertEquals(403, response.getStatus());
     }
 
+    @Test
+    public void testMappedPathEnforcementModeDisabled() {
+        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json"));
+        PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
+
+        OIDCHttpFacade httpFacade = createHttpFacade("/api/resource/public");
+        AuthorizationContext context = policyEnforcer.enforce(httpFacade);
+        assertTrue(context.isGranted());
+
+        httpFacade = createHttpFacade("/api/resourceb");
+        context = policyEnforcer.enforce(httpFacade);
+        assertFalse(context.isGranted());
+        TestResponse response = TestResponse.class.cast(httpFacade.getResponse());
+        assertEquals(403, response.getStatus());
+
+        oauth.realm(REALM_NAME);
+        oauth.clientId("public-client-test");
+        oauth.doLogin("marta", "password");
+        String token = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE), null).getAccessToken();
+
+        httpFacade = createHttpFacade("/api/resourcea", token);
+        context = policyEnforcer.enforce(httpFacade);
+        assertTrue(context.isGranted());
+
+        httpFacade = createHttpFacade("/api/resourceb", token);
+        context = policyEnforcer.enforce(httpFacade);
+        assertFalse(context.isGranted());
+        response = TestResponse.class.cast(httpFacade.getResponse());
+        assertEquals(403, response.getStatus());
+
+        httpFacade = createHttpFacade("/api/resource/public", token);
+        context = policyEnforcer.enforce(httpFacade);
+        assertTrue(context.isGranted());
+    }
+
     private void initAuthorizationSettings(ClientResource clientResource) {
         if (clientResource.authorization().resources().findByName("Resource A").isEmpty()) {
             JSPolicyRepresentation policy = new JSPolicyRepresentation();
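Review bot: `testMappedPathEnforcementModeDisabled` checks the disabled path only by exact match, so it would not catch the DISABLED mode applying more widely than the single configured path. An anonymous request to a neighbouring URI that is not configured as disabled, for example `createHttpFacade("/api/resource/public/other")` (a constructed path), followed by `assertFalse(context.isGranted());`, would pin that; the expected result assumes unmatched paths are enforced by default, which this hunk does not show. There is also no anonymous request to `/api/resourcea`, so the unauthenticated challenge branch is exercised only through `/api/resourceb`.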
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode-path.json b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode-path.json
new file mode 100644
index 0000000..878a9bc
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/enforcer-disabled-enforce-mode-path.json
@@ -0,0 +1,19 @@
+{
+  "realm": "authz-test",
+  "auth-server-url": "http://localhost:8180/auth",
+  "ssl-required": "external",
+  "resource": "resource-server-test",
+  "credentials": {
+    "secret": "secret"
+  },
+  "bearer-only": true,
+  "policy-enforcer": {
+    "paths": [
+      {
+        "name": "Resource B",
+        "path": "/api/resource/public",
+        "enforcement-mode": "DISABLED"
+      }
+    ]
+  }
+}
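Review bot: The only DISABLED entry is named `"Resource B"` but maps `/api/resource/public`, while the accompanying test expects `/api/resourceb` to stay denied with a 403. Whether `name` binds this entry to the server-side resource of the same name is not visible here, so the reuse reads as if enforcement were being switched off for Resource B itself. A distinct name, e.g. `"name": "Public Resource"` (constructed), would make the fixture's intent unambiguous, provided the enforcer does not require the name to match an existing resource.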