[keycloak-user] Policy Enforcer: enforcement-mode=ENFORCING question

Alexey Titorenko titorenko at dtg.technology
Mon Feb 4 04:49:25 EST 2019 

Hello guys!

Could someone help me with this.

I’m playing with policy enforcers in test Spring Boot application trying to find how to apply it to our cases. I’m trying to investigate how 'ENFORCING’ mode is working with scope based permissions. 

My intuitive understanding of this:
if resource does not have any permissions defined on it, then access is denied for any scope requested.
if resource has some permissions, then access to scopes, not covered by any existing permissions is always denied.

What I see in reality:
first case works fine. Access to my service is denied If no permissions defined on it.
if the resource has a permission, controlling access to one scope, then access to the other scopes is always GRANTED.

In particular, I’ve created demo REST document storage service, which defines CRUD operations, plus one ‘list’ operation to get list of documents for an entity. All these operations are covered by a corresponding scope (create, view, update, delete, list). After that:
If I have no permissions defined for this service, then no access is granted whatever scope I request.
If I define scope-based permission, let’s say, controlling access to the ‘list’ scope on the resource, then access is automatically granted to requests for all CRUD operations, for example, for ‘create' operation.

Is it how this is intended to work or not? My expectation is that everything should be denied (every scope), until explicitly allowed by some permission.

Below are debug log messages that might be of some interest, my policy enforcer config, and some screenshots.

The first log entry corresponds to ‘create’ operation with ‘create’ scope and the other one — to ‘list’ operation. 

Thank you,
Alexey.

From Logs:
2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer           : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].

2019-02-04 12:29:11.846 DEBUG 5364 --- [nio-8085-exec-3] o.k.a.a.AbstractPolicyEnforcer           : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[list]}]].


Config
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true

keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/*

keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/

logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG

# policy enforcer
keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public

keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*

keycloak.policy-enforcer-config.paths[1].name=Admin Resources
keycloak.policy-enforcer-config.paths[1].path=/admin/*
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[claims-from-document]={request.uri}

keycloak.policy-enforcer-config.paths[2].name=Documents
keycloak.policy-enforcer-config.paths[2].path=/documents/
keycloak.policy-enforcer-config.paths[2].methods[0].method=POST
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=create
keycloak.policy-enforcer-config.paths[2].methods[1].method=GET
keycloak.policy-enforcer-config.paths[2].methods[1].scopes[0]=list
keycloak.policy-enforcer-config.paths[3].name=Documents
keycloak.policy-enforcer-config.paths[3].path=/documents/{id}
keycloak.policy-enforcer-config.paths[3].methods[0].method=GET
keycloak.policy-enforcer-config.paths[3].methods[0].scopes[0]=get
keycloak.policy-enforcer-config.paths[3].methods[1].method=POST
keycloak.policy-enforcer-config.paths[3].methods[1].scopes[0]=update
keycloak.policy-enforcer-config.paths[3].methods[2].method=DELETE
keycloak.policy-enforcer-config.paths[3].methods[2].scopes[0]=delete

Client authorisation config:
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Admin Resources",
      "type": "urn:docs-svc-uma:resources:admin",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "0ca1b086-c3d1-47eb-8fa6-3bb699af8791",
      "uris": [
        "/admin/*",
        "/admin"
      ],
      "icon_uri": ""
    },
    {
      "name": "Documents",
      "type": "urn:docs-svc-uma:resources:documents",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "b14999a7-0853-4063-8fe6-c0469a975846",
      "uris": [
        "/documents/{id}",
        "/documents/"
      ],
      "scopes": [
        {
          "name": "view"
        },
        {
          "name": "update"
        },
        {
          "name": "delete"
        },
        {
          "name": "create"
        },
        {
          "name": "list"
        }
      ]
    }
  ],
  "policies": [
    {
      "id": "72f8ced8-8b2f-41f3-be41-c371e5d66788",
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "id": "b786a8bb-3705-4df6-86cd-c041065d3703",
      "name": "Never",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "code": "$evaluation.deny();"
      }
    },
    {
      "id": "6ca70fa3-907b-4368-97cb-3aadc1b6d5db",
      "name": "List Documents",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Documents\"]",
        "scopes": "[\"list\"]",
        "applyPolicies": "[\"Default Policy\"]"
      }
    }
  ],
  "scopes": [
    {
      "id": "be6a7101-f5a3-4b9f-a6be-349e167e89ae",
      "name": "create"
    },
    {
      "id": "ba3a7575-db45-407b-b74a-4e8b1fc461c2",
      "name": "delete"
    },
    {
      "id": "e749c197-b70a-4ccd-a719-1c9ef40b6050",
      "name": "update"
    },
    {
      "id": "d72a9d39-3750-41c4-954f-0db7853cb964",
      "name": "list"
    },
    {
      "id": "6ee46777-a0ee-492a-bb4e-ef8aaeb8f402",
      "name": "view",
      "iconUri": ""
    }
  ]
}

More information about the keycloak-user mailing list