Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KeycloakRole equals only with itself #6113

Merged
merged 1 commit into from Jul 8, 2019
Merged

KeycloakRole equals only with itself #6113

merged 1 commit into from Jul 8, 2019

Conversation

Valeran86
Copy link
Contributor

I use Keycloak Spring Adapter (KSA) to secure existing application. Today I realized that some functions didn't work anymore because of security checking like this:

GrantedAuthority adminRole = new MySpecialGrantedAuthority( "superadmin" );
for ( GrantedAuthority role : userRoles ) {
        if ( role.equals( adminRole ) ) {
          return true;
        }
      }

In this example, when I use KSA authorization fails.
I believe, that more preferable in KeycloakRole use this implementation of equals method.

@Valeran86
KeycloakRole equals only with itself
281fdd2 
I use Keycloak Spring Adapter (KSA) to secure existing application. Today I realized that some functions didn't work anymore because of security checking like this:
```
GrantedAuthority adminRole = new MySpecialGrantedAuthority( "superadmin" );
for ( GrantedAuthority role : userRoles ) {
        if ( role.equals( adminRole ) ) {
          return true;
        }
      }
```
In this example, when I use KSA authorization fails.
I believe, that more preferable in `KeycloakRole` use this implementation of `equals` method.
@pedroigor pedroigor added the missing/issue GitHub issue is missing label Jun 24, 2019
pedroigor
pedroigor reviewed Jun 24, 2019
View reviewed changes
Copy link
Contributor

@pedroigor pedroigor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Valeran86, could you elaborate more on why it stop working ? Is it caused by upgrading to a specific spring version?

Or are you just trying to compare KeycloakRole instances with any GrantedAuthority instance?

I'm afraid that by changing that logic you may break existing use cases. Can't you just inherit your custom MySpecialGrantedAuthority from KeycloakRole ?

@Valeran86
Copy link
Contributor Author

@pedroigor, thanks for you reply. Yes, I'm trying to compare KeycloakRole instance with MySpecialGrantedAuthority.

Can't you just inherit your custom MySpecialGrantedAuthority from KeycloakRole?
No, I'm afraid not, because in that case I need to change many parts of code in tests and production.

I'm afraid that by changing that logic you may break existing use cases.
Why do you think so? All tests in CI passed.

@pedroigor
Copy link
Contributor

Thanks, @Valeran86.

Although all tests are passing, our tests coverage for spring adapter is not the ideal. We really lack integration tests and we always have to think twice when doing some specific changes.

Your changes look good for me but I'm not sure if people is relying on the current implementation of equals. I'll send an e-mail to both keycloak-user and keycloak-dev mailing lists about this. Depending on the feedback we have we are good to go.

@pedroigor
Copy link
Contributor

@Valeran86, just sent an e-mail to both user and dev mailing lists. If nobody complains I think we are good to go.

The reason that makes me comfortable about this change is that the granted authority is really about a string representing some grant. In this case a role. So it should be fine to rely on both the supertype and getAuthority checks.

@pedroigor pedroigor merged commit 2899375 into keycloak:master Jul 8, 2019
@pedroigor pedroigor removed Discuss missing/issue GitHub issue is missing labels Jul 8, 2019
@pedroigor pedroigor mentioned this pull request Jul 8, 2019
Merged
@pedroigor
Copy link
Contributor

@Valeran86, could you please open a new PR referencing a JIRA in both title and commit message ?

@Valeran86
Copy link
Contributor Author

@pedroigor, sorry for late answer. Am I still need open new PR?

@pedroigor
Copy link
Contributor

@Valeran86, we did not get any objection for this change and I think it makes sense. If you still want this change, please open a new PR. But this time, please create a JIRA and reference it in both commit message and PR title.

@Valeran86 Valeran86 mentioned this pull request Jul 15, 2019
Merged
@Valeran86
Copy link
Contributor Author

@pedroigor, hello. I added JIRA task and opened new PR - #6173.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pedroigor pedroigor pedroigor approved these changes

@sebastienblanc sebastienblanc Awaiting requested review from sebastienblanc

Assignees

@abstractj abstractj

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Valeran86 @pedroigor @abstractj