[keycloak-dev] Can't get results from IterablePermissionEvaluator

Perot Francis francis.perot at elca.ch
Wed Jul 17 02:41:39 EDT 2019


Hi,

While debugging my Keycloak SPI, I think I found a bug.
When calling IterablePermissionEvaluator.evaluate(...), I can see that permissions and policyEvaluator are used to update a decision with different results (field Map<ResourcePermission, Result> results in AbstractDecisionCollector) then a call to decision.onComplete() should validate found results.
In fact, decision.onComplete() is a method from AbstractDecisionCollector which calls onComplete(Collection<Result> permissions) but this one is empty in AbstractDecisionCollector and is not overridden in DecisionPermissionCollector which is the actual instanciated class in IterablePermissionEvaluator.
Finally, when calling decision.results() in IterablePermissionEvaluator.evaluate(...), the result will always be empty.

I think that AbstractDecisionCollector (or DecisionPermissionCollector) should be defined with :
    protected void onComplete(Collection<Result> permissions) {
        permissions.forEach(this::onComplete);
    }

Or maybe I missed something ?

Thanks,
Francis


More information about the keycloak-dev mailing list