13647 fixed wrong feature flag for checking admin fine-grained authz

Sebastian Schuster
2022-08-08 18:45:07 +02:00
committed by Pedro Igor
parent 5775e7c4ba
commit 53472e097c
9 changed files with 17 additions and 53 deletions


@@ -61,7 +61,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
GroupPermissions(AuthorizationProvider authz, MgmtPermissions root) {
this.authz = authz;
this.root = root;
if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
resourceStore = authz.getStoreFactory().getResourceStore();
policyStore = authz.getStoreFactory().getPolicyStore();
} else {
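Review bot: The guard in this constructor is now one of several copies of the same feature test, and their agreement is what keeps `authz` usable here: `authz.getStoreFactory()` is dereferenced under `ADMIN_FINE_GRAINED_AUTHZ`, while the MgmtPermissions constructor only assigns `this.authz` under that flag. Whether the `authz` passed in is that same field is not visible in the hunk, but if it is, a later edit to any one check reintroduces the mismatch this commit fixes. Consider one package-private helper on MgmtPermissions, for example `boolean isFineGrainedAuthzEnabled() { return Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ); }`, called here, in the UserPermissions constructor and in `realmResourceServer()` / `initializeRealmResourceServer()`. The constructor body continues past the `else` outside the hunk.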


@@ -73,7 +73,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
this.session = session;
this.realm = realm;
KeycloakSessionFactory keycloakSessionFactory = session.getKeycloakSessionFactory();
if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
AuthorizationProviderFactory factory = (AuthorizationProviderFactory) keycloakSessionFactory.getProviderFactory(AuthorizationProvider.class);
this.authz = factory.create(session, realm);
}
@@ -251,7 +251,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
@Override
public ResourceServer realmResourceServer() {
if (!Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) return null;
if (!Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) return null;
if (realmResourceServer != null) return realmResourceServer;
ClientModel client = getRealmManagementClient();
if (client == null) return null;
@@ -262,7 +262,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
}
public ResourceServer initializeRealmResourceServer() {
if (!Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) return null;
if (!Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) return null;
if (realmResourceServer != null) return realmResourceServer;
ClientModel client = getRealmManagementClient();
realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client);
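Review bot: The constructor now calls `factory.create(session, realm)` whenever `ADMIN_FINE_GRAINED_AUTHZ` is on, regardless of `AUTHORIZATION`, and the result of `getProviderFactory(AuthorizationProvider.class)` is cast but never null-checked. If the two flags can be set independently and the authorization provider is only registered when `AUTHORIZATION` is enabled (not visible here), that combination would fail with a NullPointerException while admin permissions are being built. Either document that the fine-grained flag implies the authorization one, or fail with a clear message: `if (factory == null) throw new IllegalStateException("ADMIN_FINE_GRAINED_AUTHZ requires the authorization provider");`. In `initializeRealmResourceServer()` the same `authz` is dereferenced and `client` is passed to `findByClient` without the null check that `realmResourceServer()` has; both method bodies continue outside their hunks.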


@@ -83,7 +83,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
this.session = session;
this.authz = authz;
this.root = root;
if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
policyStore = authz.getStoreFactory().getPolicyStore();
resourceStore = authz.getStoreFactory().getResourceStore();
} else {


@@ -97,6 +97,7 @@ import static org.keycloak.testsuite.admin.ApiUtil.createUserAndResetPasswordWit
@AppServerContainer(ContainerConstants.APP_SERVER_EAP6)
@AppServerContainer(ContainerConstants.APP_SERVER_EAP71)
@EnableFeature(value = Profile.Feature.TOKEN_EXCHANGE, skipRestart = true)
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public class BrokerLinkAndTokenExchangeTest extends AbstractServletsAdapterTest {
public static final String CHILD_IDP = "child";
public static final String PARENT_IDP = "parent-idp";
@@ -106,11 +107,6 @@ public class BrokerLinkAndTokenExchangeTest extends AbstractServletsAdapterTest
public static final String UNAUTHORIZED_CHILD_CLIENT = "unauthorized-child-client";
public static final String PARENT_CLIENT = "parent-client";
@BeforeClass
public static void enabled() {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
}
@Deployment(name = ClientApp.DEPLOYMENT_NAME)
protected static WebArchive accountLink() {
return servletDeployment(ClientApp.DEPLOYMENT_NAME, LinkAndExchangeServlet.class, ServletTestUtils.class);


@@ -18,7 +18,6 @@ package org.keycloak.testsuite.admin;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.authorization.AuthorizationProvider;
@@ -53,7 +52,6 @@ import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.services.resources.admin.permissions.ClientPermissionManagement;
import org.keycloak.services.resources.admin.permissions.GroupPermissionManagement;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
import org.keycloak.testsuite.auth.page.AuthRealm;
@@ -88,11 +86,6 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
public static final String CLIENT_NAME = "application";
@BeforeClass
public static void enabled() {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
}
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
RealmRepresentation testRealmRep = new RealmRepresentation();


@@ -16,7 +16,6 @@
*/
package org.keycloak.testsuite.admin;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.GroupResource;
@@ -25,7 +24,7 @@ import org.keycloak.admin.client.resource.RoleResource;
import org.keycloak.common.Profile;
import org.keycloak.representations.idm.*;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import javax.ws.rs.core.Response;
@@ -36,13 +35,9 @@ import static org.junit.Assert.assertTrue;
/**
* @author <a href="mailto:leon.graser@bosch-si.com">Leon Graser</a>
*/
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public class ManagementPermissionsTest extends AbstractTestRealmKeycloakTest {
@BeforeClass
public static void enabled() {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
}
@Override
public void configureTestRealm(RealmRepresentation testRealm) {


@@ -32,7 +32,7 @@ import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.util.AdminClientUtil;
import java.io.IOException;
@@ -224,17 +224,15 @@ public class UsersTest extends AbstractAdminTest {
}
@Test
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public void countUsersWithGroupViewPermission() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
RealmResource testRealmResource = setupTestEnvironmentWithPermissions(true);
assertThat(testRealmResource.users().count(), is(3));
}
@Test
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public void countUsersBySearchWithGroupViewPermission() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
RealmResource testRealmResource = setupTestEnvironmentWithPermissions(true);
//search all
assertThat(testRealmResource.users().count("user"), is(3));
@@ -256,9 +254,8 @@ public class UsersTest extends AbstractAdminTest {
}
@Test
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public void countUsersByFiltersWithGroupViewPermission() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
RealmResource testRealmResource = setupTestEnvironmentWithPermissions(true);
//search username
assertThat(testRealmResource.users().count(null, null, null, "user"), is(3));
@@ -293,17 +290,15 @@ public class UsersTest extends AbstractAdminTest {
}
@Test
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public void countUsersWithNoViewPermission() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
RealmResource testRealmResource = setupTestEnvironmentWithPermissions(false);
assertThat(testRealmResource.users().count(), is(0));
}
@Test
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public void countUsersBySearchWithNoViewPermission() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
RealmResource testRealmResource = setupTestEnvironmentWithPermissions(false);
//search all
assertThat(testRealmResource.users().count("user"), is(0));
@@ -325,9 +320,8 @@ public class UsersTest extends AbstractAdminTest {
}
@Test
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public void countUsersByFiltersWithNoViewPermission() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException {
ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
RealmResource testRealmResource = setupTestEnvironmentWithPermissions(false);
//search username
assertThat(testRealmResource.users().count(null, null, null, "user"), is(0));
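Review bot: Every count test touched here now runs with `ADMIN_FINE_GRAINED_AUTHZ` enabled, so nothing in these hunks exercises the state the commit is about: `AUTHORIZATION` on and fine-grained admin permissions off. A regression that still evaluates fine-grained policies while the flag is off would change which users a restricted admin can count, and these tests would not notice it. Consider adding one test annotated `@DisableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)` that asserts the count a restricted admin gets when only role-based checks apply. Whether `setupTestEnvironmentWithPermissions` can run with the feature disabled is not visible here, so it may need a separate setup path.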


@@ -17,7 +17,6 @@
package org.keycloak.testsuite.oauth;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
@@ -54,7 +53,6 @@ import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
@@ -78,7 +76,6 @@ import java.util.List;
import java.util.Map;
import static org.junit.Assert.assertNotNull;
import static org.keycloak.common.Profile.Feature.AUTHORIZATION;
import static org.keycloak.models.ImpersonationSessionNote.IMPERSONATOR_ID;
import static org.keycloak.models.ImpersonationSessionNote.IMPERSONATOR_USERNAME;
import static org.keycloak.protocol.saml.SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE;
@@ -89,6 +86,7 @@ import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
*/
@AuthServerContainerExclude(AuthServer.REMOTE)
@EnableFeature(value = Profile.Feature.TOKEN_EXCHANGE, skipRestart = true)
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public class ClientTokenExchangeSAML2Test extends AbstractKeycloakTest {
private static final String SAML_SIGNED_TARGET = "http://localhost:8080/saml-signed-assertion/";
@@ -104,11 +102,6 @@ public class ClientTokenExchangeSAML2Test extends AbstractKeycloakTest {
@Rule
public AssertEvents events = new AssertEvents(this);
@BeforeClass
public static void enabled() {
ProfileAssume.assumeFeatureEnabled(AUTHORIZATION);
}
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
RealmRepresentation testRealmRep = new RealmRepresentation();


@@ -17,7 +17,6 @@
package org.keycloak.testsuite.oauth;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
@@ -49,7 +48,6 @@ import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
@@ -71,7 +69,6 @@ import static org.hamcrest.Matchers.instanceOf;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.keycloak.common.Profile.Feature.AUTHORIZATION;
import static org.keycloak.models.ImpersonationSessionNote.IMPERSONATOR_ID;
import static org.keycloak.models.ImpersonationSessionNote.IMPERSONATOR_USERNAME;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
@@ -83,16 +80,12 @@ import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
*/
@AuthServerContainerExclude(AuthServer.REMOTE)
@EnableFeature(value = Profile.Feature.TOKEN_EXCHANGE, skipRestart = true)
@EnableFeature(value = Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, skipRestart = true)
public class ClientTokenExchangeTest extends AbstractKeycloakTest {
@Rule
public AssertEvents events = new AssertEvents(this);
@BeforeClass
public static void enabled() {
ProfileAssume.assumeFeatureEnabled(AUTHORIZATION);
}
@Test
@UncaughtServerErrorExpected
@DisableFeature(value = Profile.Feature.TOKEN_EXCHANGE, skipRestart = true)