use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.
the class PermissionTicketServiceTest method create_errorMultipleResource_missingScope.
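@Test
public void create_errorMultipleResource_missingScope() {
    // Two permission requests; every requested scope must exist on the matching resource.
    List<PermissionRequest> request = Arrays.asList(
            new PermissionRequest().setResourceId("one").setResourceScopes(Arrays.asList("a", "b")),
            new PermissionRequest().setResourceId("two").setResourceScopes(Arrays.asList("c", "d")));
    // Resource "two" does not expose the requested scopes "c"/"d": the whole request must be rejected.
    Flowable<Resource> found = Flowable.just(
            new Resource().setId("one").setResourceScopes(Arrays.asList("a", "b")),
            new Resource().setId("two").setResourceScopes(Arrays.asList("not", "same")));
    when(resourceService.findByDomainAndClientAndResources(DOMAIN_ID, CLIENT_ID, Arrays.asList("one", "two"))).thenReturn(found);

    TestObserver<PermissionTicket> testObserver = service.create(request, DOMAIN_ID, CLIENT_ID).test();

    testObserver.assertNotComplete();
    // Guard the cast: an unexpected exception type must show up as an assertion failure,
    // not as a ClassCastException thrown from inside the predicate.
    testObserver.assertError(err -> err instanceof InvalidPermissionRequestException
            && "invalid_scope".equals(((InvalidPermissionRequestException) err).getOAuth2ErrorCode()));
    // A rejected request must never persist a ticket.
    verify(repository, times(0)).create(any());
}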
use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.
the class PermissionTicketServiceTest method create_errorMultipleResource_moreThanOneResourceOwner.
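@Test
public void create_errorMultipleResource_moreThanOneResourceOwner() {
    // Two permission requests whose scopes all exist on the matching resources...
    List<PermissionRequest> request = Arrays.asList(
            new PermissionRequest().setResourceId("one").setResourceScopes(Arrays.asList("a", "b")),
            new PermissionRequest().setResourceId("two").setResourceScopes(Arrays.asList("c", "d")));
    // ...but each resource is owned by a different user ("user_one", "user_two"),
    // which the service must reject with invalid_resource_id.
    Flowable<Resource> found = Flowable.fromIterable(request)
            .map(s -> new Resource()
                    .setId(s.getResourceId())
                    .setResourceScopes(s.getResourceScopes())
                    .setUserId("user_" + s.getResourceId()));
    when(resourceService.findByDomainAndClientAndResources(DOMAIN_ID, CLIENT_ID, Arrays.asList("one", "two"))).thenReturn(found);

    TestObserver<PermissionTicket> testObserver = service.create(request, DOMAIN_ID, CLIENT_ID).test();

    testObserver.assertNotComplete();
    // Guard the cast: an unexpected exception type must show up as an assertion failure,
    // not as a ClassCastException thrown from inside the predicate.
    testObserver.assertError(err -> err instanceof InvalidPermissionRequestException
            && "invalid_resource_id".equals(((InvalidPermissionRequestException) err).getOAuth2ErrorCode()));
    // A rejected request must never persist a ticket.
    verify(repository, times(0)).create(any());
}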
use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.
the class UMATokenGranter method executePolicies.
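/**
 * Executes the access policies attached to the resources named in the token request.
 * <p>
 * The resource owner works with the authorization server to configure policy conditions
 * (authorization grant rules), which the authorization server executes in the process of
 * issuing access tokens. The authorization process makes use of claims gathered from the
 * requesting party and client in order to satisfy all operative policy conditions.
 *
 * @param oAuth2Request OAuth 2.0 Token Request carrying the UMA permission requests
 * @param client client
 * @param endUser requesting party, may be {@code null}
 * @return the unchanged request when it carries no permission, when no policy is registered for
 *         the requested resources, or when every policy passed; otherwise an error carrying an
 *         {@link InvalidGrantException}
 */
private Single<OAuth2Request> executePolicies(OAuth2Request oAuth2Request, Client client, User endUser) {
    List<PermissionRequest> permissionRequests = oAuth2Request.getPermissions();
    // Nothing requested: no policy can apply.
    if (permissionRequests == null || permissionRequests.isEmpty()) {
        return Single.just(oAuth2Request);
    }
    List<String> resourceIds = permissionRequests.stream()
            .map(PermissionRequest::getResourceId)
            .collect(Collectors.toList());
    // find access policies for the given resources
    return resourceService.findAccessPoliciesByResources(resourceIds)
            .map(accessPolicy -> {
                DefaultRule defaultRule = new DefaultRule(accessPolicy);
                // Attach the permission request targeting this policy's resource so the rule can evaluate it.
                permissionRequests.stream()
                        .filter(permissionRequest -> permissionRequest.getResourceId().equals(accessPolicy.getResource()))
                        .findFirst()
                        .ifPresent(permission -> defaultRule.setMetadata(Collections.singletonMap("permissionRequest", permission)));
                // Widen here so the collected list keeps the Rule element type the original code produced.
                Rule rule = defaultRule;
                return rule;
            })
            .toList()
            .flatMap(rules -> {
                // No policy registered for any requested resource: the request goes through unchanged.
                if (rules.isEmpty()) {
                    return Single.just(oAuth2Request);
                }
                // prepare the execution context
                ExecutionContext simpleExecutionContext = new SimpleExecutionContext(oAuth2Request, oAuth2Request.getHttpResponse());
                ExecutionContext executionContext = executionContextFactory.create(simpleExecutionContext);
                executionContext.setAttribute("client", new ClientProperties(client));
                if (endUser != null) {
                    executionContext.setAttribute("user", new UserProperties(endUser));
                }
                // Execute the policies. Any failure (a rule not satisfied or an engine error) is reported
                // with one generic invalid_grant message, so policy internals are not echoed to the client.
                // NOTE(review): the underlying exception is not chained as cause — confirm it is logged elsewhere.
                return rulesEngine.fire(rules, executionContext)
                        .toSingleDefault(oAuth2Request)
                        .onErrorResumeNext(ex -> Single.error(new InvalidGrantException("Policy conditions are not met for actual request parameters")));
            });
}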
use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.
the class UMATokenGranter method convert.
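/**
 * Converts raw permission entries (as carried in the token request) into {@link PermissionRequest}s
 * keyed by resource id.
 *
 * @param permissions raw permission entries; each one is bound to the model via {@link JsonObject#mapTo}
 * @return permission requests keyed by {@code resourceId}, in input order; a later entry with the same
 *         resource id replaces the earlier one; an empty map when {@code permissions} is null or empty
 */
private Map<String, PermissionRequest> convert(List<HashMap> permissions) {
    if (permissions == null || permissions.isEmpty()) {
        return new LinkedHashMap<>();
    }
    Map<String, PermissionRequest> result = new LinkedHashMap<>(permissions.size());
    for (HashMap permission : permissions) {
        PermissionRequest permissionRequest = new JsonObject(permission).mapTo(PermissionRequest.class);
        // Keyed by resource id: duplicate ids collapse, the last entry wins.
        result.put(permissionRequest.getResourceId(), permissionRequest);
    }
    return result;
}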
use of io.gravitee.am.model.uma.PermissionRequest in project gravitee-access-management by gravitee-io.
the class TokenServiceTest method shouldCreateWithPermissions.
@Test
public void shouldCreateWithPermissions() {
    // A request carrying one UMA permission must yield a JWT that contains a "permissions" claim.
    Client client = new Client();
    client.setClientId("my-client-id");
    OAuth2Request oAuth2Request = new OAuth2Request();
    oAuth2Request.setPermissions(Arrays.asList(new PermissionRequest().setResourceId("rs_one")));

    ExecutionContext executionContext = mock(ExecutionContext.class);
    ArgumentCaptor<JWT> jwtCaptor = ArgumentCaptor.forClass(JWT.class);
    when(executionContextFactory.create(any())).thenReturn(executionContext);
    when(jwtService.encode(jwtCaptor.capture(), any(Client.class))).thenReturn(Single.just(""));
    when(tokenEnhancer.enhance(any(), any(), any(), any(), any())).thenReturn(Single.just(new AccessToken("token-id")));
    doNothing().when(tokenManager).storeAccessToken(any());

    TestObserver<Token> testObserver = tokenService.create(oAuth2Request, client, null).test();
    testObserver.assertComplete();
    testObserver.assertNoErrors();

    JWT encodedJwt = jwtCaptor.getValue();
    assertTrue(encodedJwt != null);
    assertTrue(encodedJwt.get("permissions") != null);
    verify(tokenManager, times(1)).storeAccessToken(any());
    verify(accessTokenRepository, never()).delete(anyString());
    verify(refreshTokenRepository, never()).delete(anyString());
}