
Example 66 with KeycloakDeployment

use of org.keycloak.adapters.KeycloakDeployment in project keycloak by keycloak.

the class PolicyEnforcerTest method testMatchHttpVerbsToScopes.

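/**
 * Verifies that, with HTTP-verb matching enabled in the enforcer configuration
 * ({@code enforcer-match-http-verbs-scopes.json}), a request is mapped to a scope named
 * after its HTTP method and is denied unless the resource carries that scope and the
 * permissions on it evaluate to grant. The assertions below also pin the fail-closed
 * behaviour: a missing scope, or a scope that exists on the server but is not attached
 * to the resource, results in a 403 rather than a grant.
 */
@Test
public void testMatchHttpVerbsToScopes() {
    // A resource whose only permission always grants, but which initially has no scopes at all.
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation resource = createResource(clientResource, "Resource With HTTP Scopes", "/api/resource-with-scope");
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getName());
    permission.addPolicy("Always Grant Policy");
    PermissionsResource permissions = clientResource.authorization().permissions();
    permissions.resource().create(permission).close();
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-match-http-verbs-scopes.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    // Obtain a plain access token for the test user through the public client.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    // A GET maps to a scope named "GET"; the resource has none, so the enforcer must deny with 403.
    OIDCHttpFacade httpFacade = createHttpFacade("/api/resource-with-scope", token);
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertFalse("Should fail because resource does not have any scope named GET", context.isGranted());
    assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
    // Attach GET and POST scopes and rebuild the deployment so the enforcer sees the new resource definition.
    resource.addScope("GET", "POST");
    clientResource.authorization().resources().resource(resource.getId()).update(resource);
    deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-match-http-verbs-scopes.json"));
    policyEnforcer = deployment.getPolicyEnforcer();
    // Deliberately reuse the same facade instance: only the enforcer has changed.
    context = policyEnforcer.enforce(httpFacade);
    assertTrue("GET should be granted once the resource has a GET scope", context.isGranted());
    assertTrue("POST should be granted once the resource has a POST scope", enforceRequest(policyEnforcer, token, "POST").isGranted());
    // Create a PATCH scope without associating it with the resource, so that a PATCH request is denied
    // even though the scope exists on the server.
    clientResource.authorization().scopes().create(new ScopeRepresentation("PATCH"));
    assertFalse("PATCH scope is not attached to the resource", enforceRequest(policyEnforcer, token, "PATCH").isGranted());
    // A scope-level permission that always denies GET must override the granting resource permission.
    ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
    scopePermission.setName("GET permission");
    scopePermission.addScope("GET");
    scopePermission.addPolicy("Always Deny Policy");
    permissions.scope().create(scopePermission).close();
    assertFalse("GET is denied by the scope permission", enforceRequest(policyEnforcer, token, null).isGranted());
    // Flip the GET permission to grant. Each change is followed by a fresh RPT because the
    // enforcer's decision is carried in the token the client presents.
    updateScopePermission(permissions, scopePermission.getName(), "GET", "Always Grant Policy");
    AuthzClient authzClient = getAuthzClient("default-keycloak.json");
    token = obtainRpt(authzClient, token);
    assertTrue(enforceRequest(policyEnforcer, token, null).isGranted());
    assertTrue(enforceRequest(policyEnforcer, token, "POST").isGranted());
    // Deny GET again: only GET is affected, POST stays granted.
    updateScopePermission(permissions, scopePermission.getName(), "GET", "Always Deny Policy");
    token = obtainRpt(authzClient, token);
    assertFalse(enforceRequest(policyEnforcer, token, null).isGranted());
    assertTrue(enforceRequest(policyEnforcer, token, "POST").isGranted());
    // Grant GET again.
    updateScopePermission(permissions, scopePermission.getName(), "GET", "Always Grant Policy");
    token = obtainRpt(authzClient, token);
    assertTrue(enforceRequest(policyEnforcer, token, null).isGranted());
    assertTrue(enforceRequest(policyEnforcer, token, "POST").isGranted());
    // Now deny POST through the same scope permission and request an RPT that asks only for GET:
    // GET is granted, POST is not.
    updateScopePermission(permissions, scopePermission.getName(), "POST", "Always Deny Policy");
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "GET");
    AuthorizationResponse authorize = authzClient.authorization(token).authorize(request);
    token = authorize.getToken();
    assertTrue(enforceRequest(policyEnforcer, token, null).isGranted());
    assertFalse(enforceRequest(policyEnforcer, token, "POST").isGranted());
}

/**
 * Runs the enforcer against {@code /api/resource-with-scope} with the given bearer token.
 *
 * @param policyEnforcer the enforcer under test
 * @param token          the access token or RPT to present
 * @param method         the HTTP method, or {@code null} to use the facade's default method
 * @return the resulting authorization context
 */
private AuthorizationContext enforceRequest(PolicyEnforcer policyEnforcer, String token, String method) {
    // Keep the two createHttpFacade overloads distinct so the default-method behaviour is unchanged.
    OIDCHttpFacade httpFacade = method == null
            ? createHttpFacade("/api/resource-with-scope", token)
            : createHttpFacade("/api/resource-with-scope", token, method);
    return policyEnforcer.enforce(httpFacade);
}

/**
 * Re-reads the named scope permission from the server, adds a scope and a policy to it and
 * pushes the result back.
 *
 * @param permissions the permissions endpoint of the resource server client
 * @param name        name of the scope permission to update
 * @param scope       scope to add to the permission
 * @param policy      policy to add to the permission
 */
private static void updateScopePermission(PermissionsResource permissions, String name, String scope, String policy) {
    ScopePermissionRepresentation current = permissions.scope().findByName(name);
    current.addScope(scope);
    current.addPolicy(policy);
    permissions.scope().findById(current.getId()).update(current);
}

/**
 * Exchanges an access token for a requesting-party token (RPT) carrying all permissions the
 * server currently grants.
 *
 * @param authzClient the authorization client configured for the resource server
 * @param token       the access token to exchange
 * @return the RPT returned by the server
 */
private static String obtainRpt(AuthzClient authzClient, String token) {
    AuthorizationResponse authorize = authzClient.authorization(token).authorize();
    return authorize.getToken();
}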

Example 67 with KeycloakDeployment

use of org.keycloak.adapters.KeycloakDeployment in project keycloak by keycloak.

the class PolicyEnforcerTest method testBearerOnlyClientResponse.

/**
 * Checks the responses of a bearer-only enforcer configuration
 * ({@code enforcer-bearer-only.json}): a request without a token is rejected with 403,
 * a request carrying a valid access token is granted for {@code /api/resourcea}, and a
 * tokenless request to {@code /api/resourceb} is again rejected with 403.
 */
@Test
public void testBearerOnlyClientResponse() {
    KeycloakDeployment bearerOnlyDeployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer enforcer = bearerOnlyDeployment.getPolicyEnforcer();

    // No token at all: the enforcer must deny and answer 403 rather than challenge for login.
    OIDCHttpFacade facade = createHttpFacade("/api/resourcea");
    AuthorizationContext authzContext = enforcer.enforce(facade);
    assertFalse(authzContext.isGranted());
    assertEquals(403, ((TestResponse) facade.getResponse()).getStatus());

    // Obtain an access token for the test user via the public client.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    // Same path with a bearer token is granted.
    facade = createHttpFacade("/api/resourcea", accessToken);
    authzContext = enforcer.enforce(facade);
    assertTrue(authzContext.isGranted());

    // A different path without a token is denied with 403 as well.
    facade = createHttpFacade("/api/resourceb");
    authzContext = enforcer.enforce(facade);
    assertFalse(authzContext.isGranted());
    assertEquals(403, ((TestResponse) facade.getResponse()).getStatus());
}

Example 68 with KeycloakDeployment

use of org.keycloak.adapters.KeycloakDeployment in project alfresco-repository by Alfresco.

the class IdentityServiceDeploymentFactoryBean method getObject.

/**
 * Builds the {@link KeycloakDeployment} for the identity service configuration and, when the
 * deployment carries an HTTP client, replaces it with one that applies the configured
 * connection and socket timeouts. Only the JWKS URL, realm and client id are logged; no
 * credentials from the configuration are written to the log.
 *
 * @return the configured deployment
 * @throws Exception if building the deployment fails
 */
@Override
public KeycloakDeployment getObject() throws Exception {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(this.identityServiceConfig);

    // This can be removed if future versions of Keycloak accept timeout values through the config.
    if (deployment.getClient() == null) {
        if (logger.isDebugEnabled()) {
            logger.debug("HttpClient for Keycloak deployment was not set.");
        }
    } else {
        applyClientTimeouts(deployment);
    }

    if (logger.isInfoEnabled()) {
        logger.info("Keycloak JWKS URL: " + deployment.getJwksUrl());
        logger.info("Keycloak Realm: " + deployment.getRealm());
        logger.info("Keycloak Client ID: " + deployment.getResourceName());
    }
    return deployment;
}

/**
 * Replaces the deployment's HTTP client with one built from the configured connection and
 * socket timeouts (milliseconds), so calls to the Keycloak server cannot hang indefinitely.
 *
 * @param deployment the deployment whose client is replaced
 */
private void applyClientTimeouts(KeycloakDeployment deployment) {
    int connectionTimeoutMs = this.identityServiceConfig.getClientConnectionTimeout();
    int socketTimeoutMs = this.identityServiceConfig.getClientSocketTimeout();
    HttpClient timedClient = new HttpClientBuilder()
            .establishConnectionTimeout(connectionTimeoutMs, TimeUnit.MILLISECONDS)
            .socketTimeout(socketTimeoutMs, TimeUnit.MILLISECONDS)
            .build(this.identityServiceConfig);
    deployment.setClient(timedClient);
    if (logger.isDebugEnabled()) {
        logger.debug("Created HttpClient for Keycloak deployment with connection timeout: " + connectionTimeoutMs + " ms, socket timeout: " + socketTimeoutMs + " ms.");
    }
}

Example 69 with KeycloakDeployment

use of org.keycloak.adapters.KeycloakDeployment in project alfresco-repository by Alfresco.

the class IdentityServiceRemoteUserMapperTest method applyHardcodedPublicKey.

/**
 * Looks up the Keycloak deployment bean in the child application context and installs a
 * {@link HardcodedPublicKeyLocator} built from the given key, so the deployment resolves
 * that key instead of whatever locator it was configured with.
 * NOTE(review): test-only helper; a fixed key presumably bypasses key lookup and rotation,
 * so this should not be mirrored in production wiring.
 *
 * @param publicKey the key the deployment should use
 */
private void applyHardcodedPublicKey(PublicKey publicKey) {
    Object bean = childApplicationContextFactory.getApplicationContext().getBean(DEPLOYMENT_BEAN_NAME);
    KeycloakDeployment keycloakDeployment = (KeycloakDeployment) bean;
    keycloakDeployment.setPublicKeyLocator(new HardcodedPublicKeyLocator(publicKey));
}
