fix(ResourcePermissionSetter): validate incoming scopes against known resource scopes

Neunerlei · Neunerlei · commit 26d489980455 · 2025-02-24T19:26:38.000+01:00
diff --git a/src/main/java/com/hawk/keycloak/resources/service/ResourcePermissionSetter.java b/src/main/java/com/hawk/keycloak/resources/service/ResourcePermissionSetter.java
@@ -9,7 +9,6 @@
 import org.keycloak.authorization.store.PermissionTicketStore;
 import org.keycloak.authorization.store.ScopeStore;
 import org.keycloak.events.admin.OperationType;
-import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakUriInfo;
 import org.keycloak.models.UserModel;
 import org.keycloak.services.resources.admin.AdminEventBuilder;
@@ -38,6 +37,13 @@ public void setPermissions(
         }
 
         List<String> knownScopesOfResource = resource.getScopes().stream().map(Scope::getName).toList();
+
+        for (String scope : scopes) {
+            if(!knownScopesOfResource.contains(scope)){
+                throw new BadRequestException("The scope \"" + scope + "\" is not allowed for the resource");
+            }
+        }
+
         List<PermissionTicket> tickets = findTickets(resource, user);
 
         boolean triggerEvent = false;
@@ -58,9 +64,6 @@ public void setPermissions(
                 if(scope == null){
                     throw new BadRequestException("The scope \"" + scopeName + "\" does not exist");
                 }
-                if(!knownScopesOfResource.contains(scope.getName())){
-                    throw new BadRequestException("The scope \"" + scopeName + "\" is not allowed for the resource");
-                }
 
                 Iterator<PermissionTicket> ticketIterator = tickets.iterator();
 
