keycloak-aplcache
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java 10(+5 -5)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
index 61f46f1..f3127be 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@@ -78,13 +78,13 @@ public abstract class AbstractPolicyEnforcer {
if (pathConfig == null) {
if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
- return createAuthorizationContext(accessToken);
+ return createAuthorizationContext(accessToken, null);
}
LOGGER.debugf("Could not find a configuration for path [%s]", path);
if (isDefaultAccessDeniedUri(request, enforcerConfig)) {
- return createAuthorizationContext(accessToken);
+ return createAuthorizationContext(accessToken, null);
}
handleAccessDenied(httpFacade);
@@ -100,7 +100,7 @@ public abstract class AbstractPolicyEnforcer {
if (isAuthorized(pathConfig, requiredScopes, accessToken, httpFacade)) {
try {
- return createAuthorizationContext(accessToken);
+ return createAuthorizationContext(accessToken, pathConfig);
} catch (Exception e) {
throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e);
}
@@ -252,8 +252,8 @@ public abstract class AbstractPolicyEnforcer {
return requiredScopes;
}
- private AuthorizationContext createAuthorizationContext(AccessToken accessToken) {
- return new ClientAuthorizationContext(accessToken, this.paths, authzClient);
+ private AuthorizationContext createAuthorizationContext(AccessToken accessToken, PathConfig pathConfig) {
+ return new ClientAuthorizationContext(accessToken, pathConfig, this.paths, authzClient);
}
private boolean isResourcePermission(PathConfig actualPathConfig, Permission permission) {
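Review bot: `createAuthorizationContext` now takes a `pathConfig` that two of its three callers in this change pass as null (the permissive branch and the access-denied URI branch), but nothing at the declaration says null is a legitimate value. Suggest a Javadoc on the method with `@param pathConfig the path configuration matched for this request, or null when none matched (permissive mode or the default access-denied URI)` so the next caller does not assume it is always set.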
diff --git a/authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java b/authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java
index 73bcd9f..a46e511 100644
--- a/authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java
+++ b/authz/client/src/main/java/org/keycloak/authorization/client/ClientAuthorizationContext.java
@@ -30,8 +30,8 @@ public class ClientAuthorizationContext extends AuthorizationContext {
private final AuthzClient client;
- public ClientAuthorizationContext(AccessToken authzToken, Map<String, PolicyEnforcerConfig.PathConfig> paths, AuthzClient client) {
- super(authzToken, paths);
+ public ClientAuthorizationContext(AccessToken authzToken, PolicyEnforcerConfig.PathConfig current, Map<String, PolicyEnforcerConfig.PathConfig> paths, AuthzClient client) {
+ super(authzToken, current, paths);
this.client = client;
}
diff --git a/core/src/main/java/org/keycloak/AuthorizationContext.java b/core/src/main/java/org/keycloak/AuthorizationContext.java
index 93f3ff1..e096e7e 100644
--- a/core/src/main/java/org/keycloak/AuthorizationContext.java
+++ b/core/src/main/java/org/keycloak/AuthorizationContext.java
@@ -32,17 +32,19 @@ import java.util.Map;
public class AuthorizationContext {
private final AccessToken authzToken;
+ private final PathConfig current;
private final Map<String, PathConfig> paths;
private boolean granted;
- public AuthorizationContext(AccessToken authzToken, Map<String, PathConfig> paths) {
+ public AuthorizationContext(AccessToken authzToken, PathConfig current, Map<String, PathConfig> paths) {
this.authzToken = authzToken;
+ this.current = current;
this.paths = paths;
this.granted = true;
}
public AuthorizationContext() {
- this(null, null);
+ this(null, null, null);
this.granted = false;
}
@@ -57,9 +59,15 @@ public class AuthorizationContext {
return false;
}
- for (Permission permission : authorization.getPermissions()) {
- for (PathConfig pathHolder : this.paths.values()) {
- if (pathHolder.getName().equals(resourceName)) {
+ if (current != null) {
+ if (current.getName().equals(resourceName)) {
+ return true;
+ }
+ }
+
+ if (hasResourcePermission(resourceName)) {
+ for (Permission permission : authorization.getPermissions()) {
+ for (PathConfig pathHolder : paths.values()) {
if (pathHolder.getId().equals(permission.getResourceSetId())) {
if (permission.getScopes().contains(scopeName)) {
return true;
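Review bot: The `scopeName` argument is effectively ignored by the new code in two places. The `current != null` short-circuit at the top returns true for any scope as soon as the current path's name matches `resourceName`, even though the enforcer only verified the scopes required for the current request (see `isAuthorized(pathConfig, requiredScopes, ...)` in the adapter hunk), so an application asking `hasPermission("Resource", "delete")` during a request that needed only "view" is told yes. Below it, the loop guarded by `hasResourcePermission(resourceName)` dropped the original `pathHolder.getName().equals(resourceName)` condition, so a scope granted on some other resource whose path id matches one of the token's permissions now satisfies the query for this resource. Restoring the resource match inside the loop, `if (pathHolder.getName().equals(resourceName) && pathHolder.getId().equals(permission.getResourceSetId()))`, and limiting the short-circuit to scopes the current path actually required would close both gaps; `current.getName()` should also be null-guarded if a PathConfig can be declared without a name. The method signature and the preceding `return false` guard are outside the hunk.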
@@ -83,13 +91,15 @@ public class AuthorizationContext {
return false;
}
+ if (current != null) {
+ if (current.getName().equals(resourceName)) {
+ return true;
+ }
+ }
+
for (Permission permission : authorization.getPermissions()) {
- for (PathConfig pathHolder : this.paths.values()) {
- if (pathHolder.getName().equals(resourceName)) {
- if (pathHolder.getId().equals(permission.getResourceSetId())) {
- return true;
- }
- }
+ if (permission.getResourceSetName().equals(resourceName) || permission.getResourceSetId().equals(resourceName)) {
+ return true;
}
}
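Review bot: `permission.getResourceSetName().equals(resourceName)` dereferences the name before comparing, so a permission whose resource set name is absent from the token throws a NullPointerException instead of being skipped; inverting the comparisons, `if (resourceName.equals(permission.getResourceSetName()) || resourceName.equals(permission.getResourceSetId()))`, is null-safe. The new condition also accepts the raw resource set id as `resourceName`, which widens the API beyond the name-based matching the removed loop performed; if that is intended the method Javadoc should say so. The `current != null` short-circuit presumably relies on the enforcer having already authorized the current path before constructing this context — a one-line comment stating that assumption would help, since the short-circuit answers true without consulting the token's permissions at all. The method signature is outside the hunk.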
diff --git a/core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java b/core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java
index dd94537..a495cad 100644
--- a/core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java
+++ b/core/src/main/java/org/keycloak/representations/adapters/config/PolicyEnforcerConfig.java
@@ -62,7 +62,7 @@ public class PolicyEnforcerConfig {
}
public List<PathConfig> getPaths() {
- return Collections.unmodifiableList(this.paths);
+ return this.paths;
}
public EnforcementMode getEnforcementMode() {
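Review bot: Returning the backing list directly lets any holder of the PolicyEnforcerConfig add, remove or reorder PathConfig entries at runtime, so the enforcement rules are no longer immutable once loaded; the removed `Collections.unmodifiableList(this.paths)` was what prevented that. If a caller genuinely needs to mutate the paths, expose an explicit mutator or populate the list before the config is published rather than handing out the internal reference. At minimum, document the new contract with `/** Returns the live, mutable path list; changes take effect in enforcement immediately. */`, and check whether the `Collections` import is now unused.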