Search in sources :

Example 11 with AuthorizationContext

use of org.keycloak.AuthorizationContext in project keycloak by keycloak.

the class PolicyEnforcerClaimsTest method testEnforceEntitlementAccessWithClaimsWithBearerToken.

@Test
public void testEnforceEntitlementAccessWithClaimsWithBearerToken() {
    initAuthorizationSettings(getClientResource("resource-server-test"));
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-entitlement-claims-test.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    HashMap<String, List<String>> headers = new HashMap<>();
    HashMap<String, List<String>> parameters = new HashMap<>();
    AuthzClient authzClient = getAuthzClient("enforcer-entitlement-claims-test.json");
    String token = authzClient.obtainAccessToken("marta", "password").getToken();
    headers.put("Authorization", Arrays.asList("Bearer " + token));
    AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertFalse(context.isGranted());
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(context.isGranted());
    parameters.put("withdrawal.amount", Arrays.asList("200"));
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertFalse(context.isGranted());
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(context.isGranted());
    parameters.put("withdrawal.amount", Arrays.asList("10"));
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(context.isGranted());
}
Also used : AuthzClient(org.keycloak.authorization.client.AuthzClient) HashMap(java.util.HashMap) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) List(java.util.List) AuthorizationContext(org.keycloak.AuthorizationContext) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 12 with AuthorizationContext

use of org.keycloak.AuthorizationContext in project keycloak by keycloak.

the class PolicyEnforcerTest method testSetMethodConfigs.

@Test
public void testSetMethodConfigs() {
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation representation = new ResourceRepresentation();
    representation.setName(KeycloakModelUtils.generateId());
    representation.setUris(Collections.singleton("/api-method/*"));
    ResourcesResource resources = clientResource.authorization().resources();
    javax.ws.rs.core.Response response = resources.create(representation);
    representation.setId(response.readEntity(ResourceRepresentation.class).getId());
    response.close();
    try {
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-paths-use-method-config.json"));
        PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
        oauth.realm(REALM_NAME);
        oauth.clientId("public-client-test");
        oauth.doLogin("marta", "password");
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        OAuthClient.AccessTokenResponse tokeResponse = oauth.doAccessTokenRequest(code, null);
        String token = tokeResponse.getAccessToken();
        AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api-method/foo", token));
        // GET is disabled in the config
        assertTrue(context.isGranted());
        PolicyEnforcerConfig.PathConfig pathConfig = policyEnforcer.getPaths().get("/api-method/*");
        assertNotNull(pathConfig);
        List<PolicyEnforcerConfig.MethodConfig> methods = pathConfig.getMethods();
        assertEquals(1, methods.size());
        assertTrue(PolicyEnforcerConfig.ScopeEnforcementMode.DISABLED.equals(methods.get(0).getScopesEnforcementMode()));
        // other verbs should be protected
        context = policyEnforcer.enforce(createHttpFacade("/api-method/foo", token, "POST"));
        assertFalse(context.isGranted());
    } finally {
        resources.resource(representation.getId()).remove();
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) AuthorizationContext(org.keycloak.AuthorizationContext) ResourcesResource(org.keycloak.admin.client.resource.ResourcesResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) ClientResource(org.keycloak.admin.client.resource.ClientResource) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) PolicyEnforcerConfig(org.keycloak.representations.adapters.config.PolicyEnforcerConfig) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 13 with AuthorizationContext

use of org.keycloak.AuthorizationContext in project keycloak by keycloak.

the class PolicyEnforcerTest method testLazyLoadPaths.

@Test
public void testLazyLoadPaths() {
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    for (int i = 0; i < 200; i++) {
        ResourceRepresentation representation = new ResourceRepresentation();
        representation.setType("test");
        representation.setName("Resource " + i);
        representation.setUri("/api/" + i);
        javax.ws.rs.core.Response response = clientResource.authorization().resources().create(representation);
        representation.setId(response.readEntity(ResourceRepresentation.class).getId());
        response.close();
    }
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("Test Permission");
    permission.setResourceType("test");
    permission.addPolicy("Only User Policy");
    PermissionsResource permissions = clientResource.authorization().permissions();
    permissions.resource().create(permission).close();
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    assertEquals(205, policyEnforcer.getPaths().size());
    deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json"));
    policyEnforcer = deployment.getPolicyEnforcer();
    assertEquals(0, policyEnforcer.getPathMatcher().getPathCache().size());
    assertEquals(0, policyEnforcer.getPaths().size());
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    for (int i = 0; i < 101; i++) {
        policyEnforcer.enforce(createHttpFacade("/api/" + i, token));
    }
    assertEquals(101, policyEnforcer.getPathMatcher().getPathCache().size());
    for (int i = 101; i < 200; i++) {
        policyEnforcer.enforce(createHttpFacade("/api/" + i, token));
    }
    assertEquals(200, policyEnforcer.getPathMatcher().getPathCache().size());
    assertEquals(0, policyEnforcer.getPaths().size());
    ResourceRepresentation resource = clientResource.authorization().resources().findByName("Root").get(0);
    clientResource.authorization().resources().resource(resource.getId()).remove();
    deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload-with-paths.json"));
    policyEnforcer = deployment.getPolicyEnforcer();
    AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api/0", token));
    assertTrue(context.isGranted());
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) AuthorizationContext(org.keycloak.AuthorizationContext) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) PermissionsResource(org.keycloak.admin.client.resource.PermissionsResource) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) ClientResource(org.keycloak.admin.client.resource.ClientResource) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 14 with AuthorizationContext

use of org.keycloak.AuthorizationContext in project keycloak by keycloak.

the class PolicyEnforcerTest method testCustomClaimProvider.

@Test
public void testCustomClaimProvider() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea", token);
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    Permission permission = context.getPermissions().get(0);
    Map<String, Set<String>> claims = permission.getClaims();
    assertTrue(context.isGranted());
    assertEquals("test", claims.get("resolved-claim").iterator().next());
}
Also used : Set(java.util.Set) OAuthClient(org.keycloak.testsuite.util.OAuthClient) OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) Permission(org.keycloak.representations.idm.authorization.Permission) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) AuthorizationContext(org.keycloak.AuthorizationContext) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 15 with AuthorizationContext

use of org.keycloak.AuthorizationContext in project keycloak by keycloak.

the class PolicyEnforcerTest method testPathConfigurationPrecendenceWhenLazyLoadingPaths.

@Test
public void testPathConfigurationPrecendenceWhenLazyLoadingPaths() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-paths.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea");
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    httpFacade = createHttpFacade("/api/resourcea", token);
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    httpFacade = createHttpFacade("/");
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) AuthorizationContext(org.keycloak.AuthorizationContext) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Aggregations

AuthorizationContext (org.keycloak.AuthorizationContext)18 PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer)17 Test (org.junit.Test)16 KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment)16 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)16 OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade)10 OAuthClient (org.keycloak.testsuite.util.OAuthClient)10 ClientResource (org.keycloak.admin.client.resource.ClientResource)5 Permission (org.keycloak.representations.idm.authorization.Permission)5 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)5 HashMap (java.util.HashMap)4 List (java.util.List)4 PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource)4 AuthzClient (org.keycloak.authorization.client.AuthzClient)4 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)4 Set (java.util.Set)2 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)2 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)2 IOException (java.io.IOException)1 AtomicBoolean (java.util.concurrent.atomic.AtomicBoolean)1