[fixes #9057] - Scope permission checks may result in a false positive

Author: pedroigor

extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java

@@ -71,7 +71,7 @@ public Uni<Boolean> apply(Permission permission) {
                         if (context != null) {
                             String scopes = permission.getActions();
 
-                            if (scopes == null) {
+                            if (scopes == null || "".equals(scopes)) {
                                 return Uni.createFrom().item(context.hasResourcePermission(permission.getName()));
                             }
 

integration-tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java

@@ -1,5 +1,6 @@
 package io.quarkus.it.keycloak;
 
+import java.security.BasicPermission;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -13,6 +14,7 @@
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 
@@ -43,6 +45,27 @@ public List<Permission> apply(Boolean granted) {
                 });
     }
 
+    @GET
+    @Path("/scope")
+    @Produces(MediaType.APPLICATION_JSON)
+    public Uni<List<Permission>> hasScopePermission(@QueryParam("scope") String scope) {
+        return identity.checkPermission(new BasicPermission("Scope Permission Resource") {
+            @Override
+            public String getActions() {
+                return scope;
+            }
+        }).onItem()
+                .apply(new Function<Boolean, List<Permission>>() {
+                    @Override
+                    public List<Permission> apply(Boolean granted) {
+                        if (granted) {
+                            return identity.getAttribute("permissions");
+                        }
+                        throw new ForbiddenException();
+                    }
+                });
+    }
+
     @Path("/claim-protected")
     @GET
     @Produces(MediaType.APPLICATION_JSON)

integration-tests/keycloak-authorization/src/main/resources/application.properties

@@ -49,4 +49,7 @@ quarkus.keycloak.policy-enforcer.paths.8.name=Public
 quarkus.keycloak.policy-enforcer.paths.8.path=/hello
 quarkus.keycloak.policy-enforcer.paths.8.enforcement-mode=DISABLED
 
+quarkus.keycloak.policy-enforcer.paths.9.name=Scope Permission Resource
+quarkus.keycloak.policy-enforcer.paths.9.path=/api/permission/scope
+
 admin-url=${keycloak.url}

integration-tests/keycloak-authorization/src/test/java/io/quarkus/it/keycloak/KeycloakTestResource.java

@@ -93,6 +93,7 @@ private static ClientRepresentation createClient(String clientId) {
         configureHttpResponseClaimBasedPermission(authorizationSettings);
         configureBodyClaimBasedPermission(authorizationSettings);
         configurePaths(authorizationSettings);
+        configureScopePermission(authorizationSettings);
 
         client.setAuthorizationSettings(authorizationSettings);
 
@@ -108,6 +109,13 @@ private static void configurePermissionResourcePermission(ResourceServerRepresen
         createPermission(settings, createResource(settings, "Permission Resource", "/api/permission"), policy);
     }
 
+    private static void configureScopePermission(ResourceServerRepresentation settings) {
+        PolicyRepresentation policy = createJSPolicy("Grant Policy", "$evaluation.grant();", settings);
+        createScopePermission(settings,
+                createResource(settings, "Scope Permission Resource", "/api/permission/scope", "read", "write"), policy,
+                "read");
+    }
+
     private static void configureClaimBasedPermission(ResourceServerRepresentation settings) {
         PolicyRepresentation policy = createJSPolicy("Claim-Based Policy", "var context = $evaluation.getContext();\n"
                 + "var attributes = context.getAttributes();\n"
@@ -166,10 +174,30 @@ private static void createPermission(ResourceServerRepresentation settings, Reso
         settings.getPolicies().add(permission);
     }
 
+    private static void createScopePermission(ResourceServerRepresentation settings, ResourceRepresentation resource,
+            PolicyRepresentation policy, String scope) {
+        PolicyRepresentation permission = new PolicyRepresentation();
+
+        permission.setName(resource.getName() + " Permission");
+        permission.setType("scope");
+        permission.setResources(new HashSet<>());
+        permission.getResources().add(resource.getName());
+        permission.setScopes(new HashSet<>());
+        permission.getScopes().add(scope);
+        permission.setPolicies(new HashSet<>());
+        permission.getPolicies().add(policy.getName());
+
+        settings.getPolicies().add(permission);
+    }
+
     private static ResourceRepresentation createResource(ResourceServerRepresentation authorizationSettings, String name,
-            String uri) {
+            String uri, String... scopes) {
         ResourceRepresentation resource = new ResourceRepresentation(name);
 
+        for (String scope : scopes) {
+            resource.addScope(scope);
+        }
+
         if (uri != null) {
             resource.setUris(Collections.singleton(uri));
         }

integration-tests/keycloak-authorization/src/test/java/io/quarkus/it/keycloak/PolicyEnforcerTest.java

@@ -40,6 +40,15 @@ public void testUserHasRoleConfidential() {
                 .then()
                 .statusCode(200)
                 .and().body(Matchers.containsString("Permission Resource"));
+        RestAssured.given().auth().oauth2(getAccessToken("jdoe"))
+                .when().get("/api/permission/scope?scope=write")
+                .then()
+                .statusCode(403);
+        RestAssured.given().auth().oauth2(getAccessToken("jdoe"))
+                .when().get("/api/permission/scope?scope=read")
+                .then()
+                .statusCode(200)
+                .and().body(Matchers.containsString("read"));
         ;
         RestAssured.given().auth().oauth2(getAccessToken("admin"))
                 .when().get("/api/permission")