KEYCLOAK-8583

DefaultPolicyEvaluator's decisionCache doesn't support the same policy matching on multiple resources in the request


    Details

    • Steps to Reproduce:
      1. Create two resources, Ra and Rb, with an attribute that has two different values: Ra with attribute "location" set to "here" and Rb with attribute "location" set to "there".
      2. Create a scope on the resources, "read"
      3. Create a JS Policy that only grants if the resource's "location" attribute is equal to "here"
      4. Create a Permission based on the JS Policy and the "read" scope
      5. Evaluate the permission by requesting Ra
        1. Results match expectation: Ra is granted
      6. Evaluate the permission by requesting Rb
        1. Results match expectation: Rb is denied
      7. Evaluate the permission by requesting Ra and Rb, in that order
        1. Results do not match expectation: Ra and Rb are both granted
      8. Evaluate the permission by requesting Rb and Ra, in that order
        1. Results do not match expectation: Ra and Rb are both denied
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      I discovered a flaw in the design of the newly introduced cache in the DefaultPolicyEvaluator. The map key in this cache is a Policy, which means that for a given request there will only be results for the unique set of Policies that were matched by the request.

      For example, if a request contains two resources, Ra and Rb, that match on the same Policy, then only one decision result will be retained in the cache for both requested resources; thus, if Ra is granted by the Policy while Rb is denied, only the grant or the deny will be retained in the cache, depending on the order in which the permissions were evaluated.

      This appears to have been introduced by the fix for KEYCLOAK-4902.
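The following is an added illustration of the caching flaw described above; it is constructed model code, not Keycloak's DefaultPolicyEvaluator. It simulates the reporter's steps with two resources (Ra, Rb), a "read" scope and a location policy, and lets the cache key be chosen: keyed by policy alone (the reported behaviour) or by policy plus resource (an assumed, per-resource keying used here only to show the contrast). Names such as `evaluate`, `keyByPolicy` and `keyByPolicyAndResource` are invented for this example.

```javascript
// Constructed model of a policy evaluator with a decision cache.
// Illustrative only; not Keycloak's DefaultPolicyEvaluator.

// Two constructed resources with different "location" attributes (as in the steps).
const resources = {
  Ra: { name: "Ra", attributes: { location: "here" }, scopes: ["read"] },
  Rb: { name: "Rb", attributes: { location: "there" }, scopes: ["read"] },
};

// A policy modelled after the report's JS policy: grant only when location == "here".
const locationPolicy = {
  id: "location-is-here",
  evaluate: (resource) =>
    resource.attributes.location === "here" ? "GRANT" : "DENY",
};

// The permission ties the policy to the "read" scope.
const readPermission = { scope: "read", policies: [locationPolicy] };

// Evaluate the requested resources in order. cacheKeyFn decides how the
// per-request decision cache is keyed, which is the whole point of the report.
function evaluate(requestedResources, permission, cacheKeyFn) {
  const decisionCache = new Map();
  const results = {};
  for (const name of requestedResources) {
    const resource = resources[name];
    if (!resource.scopes.includes(permission.scope)) continue;
    let decision = "GRANT";
    for (const policy of permission.policies) {
      const key = cacheKeyFn(policy, resource);
      // First evaluation for this key populates the cache; later hits reuse it.
      if (!decisionCache.has(key)) {
        decisionCache.set(key, policy.evaluate(resource));
      }
      if (decisionCache.get(key) === "DENY") decision = "DENY";
    }
    results[name] = decision;
  }
  return results;
}

// Keyed by policy only (the reported design): the first decision reached for
// the policy is reused for every other resource in the same request.
const keyByPolicy = (policy) => policy.id;

// Assumed alternative keying by policy and resource: each resource gets its
// own cached decision, so ordering no longer changes the outcome.
const keyByPolicyAndResource = (policy, resource) =>
  `${policy.id}:${resource.name}`;

// Stand-alone demo of the eight reproduction steps' outcomes.
if (typeof require !== "undefined" && require.main === module) {
  for (const req of [["Ra"], ["Rb"], ["Ra", "Rb"], ["Rb", "Ra"]]) {
    console.log(req.join(","), "keyed by policy:",
      JSON.stringify(evaluate(req, readPermission, keyByPolicy)),
      "keyed by policy+resource:",
      JSON.stringify(evaluate(req, readPermission, keyByPolicyAndResource)));
  }
}
```

Running it reproduces the report: with the policy-only key, requesting Ra then Rb grants both, and requesting Rb then Ra denies both, because the single cached decision for the policy is reused for the second resource. With the policy-plus-resource key the results are Ra granted and Rb denied regardless of order.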

People

• Assignee: pcraveiro Pedro Igor
• Reporter: daviderie David Erie