From c67fa1e417154ec7bdeb34a691239cd3a1a4fcad Mon Sep 17 00:00:00 2001
From: vzakharchenko
Date: Fri, 23 Jul 2021 15:27:38 +0300
Subject: [PATCH] fixed authorization based on realm and client roles

---
 package.json | 2 +-
 src/enforcer/ClientRoleEnforcer.test.ts | 24 ++++++++++++++++++++++++
 src/enforcer/ClientRoleEnforcer.ts | 3 ++-
 src/enforcer/RealmRoleEnforcer.test.ts | 23 +++++++++++++++++++++++
 src/enforcer/RealmRoleEnforcer.ts | 3 ++-
 5 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index 4d0d27e..ff1b7ec 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "keycloak-lambda-authorizer",
- "version": "1.0.1",
+ "version": "1.0.2",
 "description": "Keycloak Cloud Adapter",
 "main": "index.js",
 "homepage": "https://github.com/vzakharchenko/keycloak-lambda-authorizer",
diff --git a/src/enforcer/ClientRoleEnforcer.test.ts b/src/enforcer/ClientRoleEnforcer.test.ts
index 033dcb0..fdbb9a2 100644
--- a/src/enforcer/ClientRoleEnforcer.test.ts
+++ b/src/enforcer/ClientRoleEnforcer.test.ts
@@ -104,5 +104,29 @@ describe('ClientRoleEnforcer tests', () => {
 throw new Error('invalid test ');
 }
 });
+ test('ClientRoleEnforcer Error 5', async () => {
+ let error = false;
+ try {
+
+
+ // @ts-ignore
+ await new ClientRoleEnforcer({}).enforce({
+ // @ts-ignore
+ token: {
+ payload: {
+ },
+ },
+ }, () => {
+ return {
+ clientRole: {clientRole: 'clientRole', clientId: 'clientId'}};
+ });
+ } catch (e) {
+ error = true;
+ expect(e.message).toEqual('Access Denied');
+ }
+ if (!error) {
+ throw new Error('invalid test ');
+ }
+ });
 });
diff --git a/src/enforcer/ClientRoleEnforcer.ts b/src/enforcer/ClientRoleEnforcer.ts
index 64c6e14..72f7047 100644
--- a/src/enforcer/ClientRoleEnforcer.ts
+++ b/src/enforcer/ClientRoleEnforcer.ts
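Review bot: The new test 'ClientRoleEnforcer Error 5' relies on two `// @ts-ignore` lines to feed `{}` as the enforcer config and a payload with no claims; `// @ts-expect-error` would do the same but start failing the build once the types are corrected, which is the behaviour you want from a deliberately ill-typed fixture. The `error` flag plus trailing `throw new Error('invalid test ')` is the hand-rolled form of the runner's own rejection matcher; if this is Jest, `await expect(new ClientRoleEnforcer({}).enforce(…)).rejects.toThrow('Access Denied');` says the same in one line. The test pins only the missing-`resource_access` case fixed in this commit; a payload where `resource_access` has the client key but no `roles` is not exercised here, and whether that case is already covered by the earlier tests cannot be seen from this hunk. `catch (e)` followed by `e.message` will also need a narrowing step if the project later turns on `useUnknownInCatchVariables`.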
@@ -19,7 +19,8 @@ export class ClientRoleEnforcer implements EnforcerAction {
 if (!enforcer.clientRole) {
 throw new Error('Client Role is Empty');
 }
- const resourceAccess = requestContent.token.payload.resource_access[enforcer.clientRole.clientId];
+ const resourceAccess = requestContent.token.payload.resource_access &&
+ requestContent.token.payload.resource_access[enforcer.clientRole.clientId];
 if (!resourceAccess) {
 throw new Error('Access Denied');
 }
diff --git a/src/enforcer/RealmRoleEnforcer.test.ts b/src/enforcer/RealmRoleEnforcer.test.ts
index 6fee4a2..2a683e6 100644
--- a/src/enforcer/RealmRoleEnforcer.test.ts
+++ b/src/enforcer/RealmRoleEnforcer.test.ts
@@ -80,5 +80,28 @@ describe('RealmRoleEnforcer tests', () => {
 throw new Error('invalid test ');
 }
 });
+ test('RealmRoleEnforcer Error 4', async () => {
+ let error = false;
+ try {
+
+
+ // @ts-ignore
+ await new RealmRoleEnforcer({}).enforce({
+ // @ts-ignore
+ token: {
+ payload: {
+ },
+ },
+ }, () => {
+ return {realmRole: 'realmRole'};
+ });
+ } catch (e) {
+ error = true;
+ expect(e.message).toEqual('Access Denied');
+ }
+ if (!error) {
+ throw new Error('invalid test ');
+ }
+ });
 });
diff --git a/src/enforcer/RealmRoleEnforcer.ts b/src/enforcer/RealmRoleEnforcer.ts
index ef4b152..8be4549 100644
--- a/src/enforcer/RealmRoleEnforcer.ts
+++ b/src/enforcer/RealmRoleEnforcer.ts
@@ -19,7 +19,8 @@ export class RealmRoleEnforcer implements EnforcerAction {
 if (!enforcer.realmRole) {
 throw new Error('Realm Role is Empty');
 }
- const role = requestContent.token.payload.realm_access.roles.find(
+ const role = requestContent.token.payload.realm_access &&
+ requestContent.token.payload.realm_access.roles.find(
 (r:string) => r === enforcer.realmRole,
 );
 if (!role) {
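Review bot: The added `&&` guard only protects the `resource_access` claim itself; `resourceAccess` is then presumably dereferenced for its `roles` list further down (the method body continues past this hunk), so a token carrying `resource_access: { clientId: {} }` would still surface as a TypeError rather than the `'Access Denied'` error this check establishes, and the new test does not cover that shape. The lookup is also a plain property access keyed by the configured `clientId`; that value comes from the enforcer config rather than the token, so it is not attacker-controlled, but a key such as `constructor` would resolve to an inherited truthy value and slip past `if (!resourceAccess)`. If the project's TypeScript is 3.7 or newer, `const resourceAccess = requestContent.token.payload.resource_access?.[enforcer.clientRole.clientId];` expresses the guard more readably than the repeated `requestContent.token.payload.resource_access`, and an explicit `Object.prototype.hasOwnProperty.call(...)` check before the lookup closes the prototype case cheaply. Worth a one-line comment above the guard noting that the lambda must fail closed with `'Access Denied'` for any token that lacks a client-role claim, not with an uncaught exception.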
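Review bot: The guard on the new side stops at `realm_access`; `realm_access.roles.find(...)` is still called unconditionally, so a token with `realm_access: {}` (present but without a `roles` array) throws a TypeError instead of the `'Access Denied'` that a missing claim now produces, and the new 'RealmRoleEnforcer Error 4' test does not include that shape. A guard that covers both levels and rejects a non-array `roles` is two lines: `const roles = requestContent.token.payload.realm_access?.roles ?? [];` and `const role = Array.isArray(roles) ? roles.find((r: string) => r === enforcer.realmRole) : undefined;` (optional chaining needs TypeScript 3.7+; otherwise `(realmAccess && realmAccess.roles) || []` with `realmAccess` hoisted into a local). Note that `if (!role)` is the last line of the hunk and the method body continues beyond it, so the denial path itself is not visible here. A test case with `payload: { realm_access: {} }` would pin the corrected behaviour.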