keycloak-aplcache

Merge pull request #3138 from pedroigor/KEYCLOAK-3428 [KEYCLOAK-3428]

8/11/2016 2:59:20 PM


diff --git a/server-spi/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java b/server-spi/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
index d5fa9cc..724b655 100644
--- a/server-spi/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
+++ b/server-spi/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
@@ -38,6 +38,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Consumer;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
 /**
@@ -132,12 +133,21 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
             return true;
         }
 
+        Resource resourcePermission = permission.getResource();
+        Set<Resource> policyResources = policy.getResources();
+
+        if (resourcePermission != null && !policyResources.isEmpty()) {
+            if (!policyResources.stream().filter(resource -> resource.getId().equals(resourcePermission.getId())).findFirst().isPresent()) {
+                return false;
+            }
+        }
+
         Set<Scope> scopes = new HashSet<>(policy.getScopes());
 
         if (scopes.isEmpty()) {
             Set<Resource> resources = new HashSet<>();
 
-            resources.addAll(policy.getResources());
+            resources.addAll(policyResources);
 
             for (Resource resource : resources) {
                 scopes.addAll(resource.getScopes());
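Review bot: The new resource filter at `if (resourcePermission != null && !policyResources.isEmpty())` returns false without stating what false means to the caller. The enclosing method starts and ends outside the hunk, so whether a skipped policy ends in a deny or simply drops out of the decision cannot be confirmed from here. A comment such as `// policy is bound to specific resources and the requested one is not among them, so it does not apply to this permission` would make the intended authorization outcome reviewable. The match itself reads more directly as `if (policyResources.stream().noneMatch(resource -> resource.getId().equals(resourcePermission.getId()))) {`, which gives the same result as the `filter(...).findFirst().isPresent()` chain. The `java.util.function.Predicate` import added in the first hunk is not used by any line visible in this diff and looks removable unless code outside the hunks needs it.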
diff --git a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java
index ee6661d..37d07e0 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java
@@ -163,7 +163,7 @@ public class PolicyEvaluationResponse {
 
                 if (policy.getStatus().equals(Effect.DENY)) {
                     Policy policyModel = authorization.getStoreFactory().getPolicyStore().findById(policy.getPolicy().getId());
-                    for (ScopeRepresentation scope : policyModel.getScopes().stream().map(scope -> Models.toRepresentation(scope, authorization)).collect(Collectors.toList())) {
+                    for (ScopeRepresentation scope : policyModel.getScopes().stream().map(scopeModel -> Models.toRepresentation(scopeModel, authorization)).collect(Collectors.toList())) {
                         if (!policy.getScopes().contains(scope)) {
                             policy.getScopes().add(scope);
                         }