Example 1 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

The class KeycloakAdapterPolicyEnforcer, method challenge. This is the adapter-side challenge sent when a policy decision denies access: bearer-token requests get a UMA challenge carrying a permission ticket, anything else is routed to the configured access-denied handling.

@Override
protected boolean challenge(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade) {
    if (isBearerAuthorization(httpFacade)) {
        HttpFacade.Response response = httpFacade.getResponse();
        AuthzClient authzClient = getAuthzClient();
        // Ask the authorization server for a permission ticket covering the
        // resource and scopes this path/method requires.
        String ticket = getPermissionTicket(pathConfig, methodConfig, authzClient, httpFacade);
        if (ticket != null) {
            // UMA challenge: 401 plus a WWW-Authenticate header of the form
            //   UMA realm="<realm>",as_uri="<issuer>",ticket="<ticket>"
            // so the client can exchange the ticket for an RPT and retry.
            response.setStatus(401);
            response.setHeader("WWW-Authenticate", new StringBuilder("UMA realm=\"")
                    .append(authzClient.getConfiguration().getRealm()).append("\"")
                    .append(",as_uri=\"").append(authzClient.getServerConfiguration().getIssuer()).append("\"")
                    .append(",ticket=\"").append(ticket).append("\"")
                    .toString());
        } else {
            // No ticket could be obtained: deny outright.
            response.setStatus(403);
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Sending challenge");
        }
        return true;
    }
    // Not a bearer-token request: apply the configured access-denied handling
    // (for example a redirect to an access-denied page).
    handleAccessDenied(httpFacade);
    return true;
}
Also used: AuthzClient (org.keycloak.authorization.client.AuthzClient), OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade), HttpFacade (org.keycloak.adapters.spi.HttpFacade)

Example 2 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

The class PolicyEnforcerTest, method testOnDenyRedirectTo. Verifies that a denied request is answered with a redirect to the configured access-denied page rather than a bare 403.

@Test
public void testOnDenyRedirectTo() {
    // Adapter configuration with an on-deny-redirect-to path set.
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-on-deny-redirect.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    // Unauthenticated request to a protected resource.
    OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea");
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    // Denial is expressed as a 302 to the access-denied page.
    TestResponse response = TestResponse.class.cast(httpFacade.getResponse());
    assertEquals(302, response.getStatus());
    List<String> location = response.getHeaders().getOrDefault("Location", Collections.emptyList());
    assertFalse(location.isEmpty());
    assertEquals("/accessDenied", location.get(0));
}
Also used: OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade), KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment), PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer), AuthorizationContext (org.keycloak.AuthorizationContext), AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest), Test (org.junit.Test)

Example 3 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

The class PolicyEnforcerTest, method testEnforcementModeDisabled. Documents that disabling policy enforcement does not disable authentication: an unauthenticated request is still rejected with 401.

@Test
public void testEnforcementModeDisabled() {
    // Adapter configuration with the enforcer's enforcement-mode set to DISABLED.
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    // Request without any token.
    OIDCHttpFacade httpFacade = createHttpFacade("/api/resource/public");
    policyEnforcer.enforce(httpFacade);
    // No policy decision is made, but the missing credentials still yield 401.
    TestResponse response = TestResponse.class.cast(httpFacade.getResponse());
    assertEquals(401, response.getStatus());
}
Also used: OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade), KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment), PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer), AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest), Test (org.junit.Test)

Example 4 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

The class PolicyEnforcerTest, method testMappedPathEnforcementModeDisabled. Checks per-path enforcement mode: a path mapped as DISABLED is granted without a token, while other paths are still enforced both for anonymous and for authenticated requests.

@Test
public void testMappedPathEnforcementModeDisabled() {
    // Adapter configuration where only /api/resource/public has enforcement-mode DISABLED.
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    // The disabled path is granted even without a token.
    OIDCHttpFacade httpFacade = createHttpFacade("/api/resource/public");
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    // A normally enforced path is denied for the anonymous request.
    httpFacade = createHttpFacade("/api/resourceb");
    context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    TestResponse response = TestResponse.class.cast(httpFacade.getResponse());
    assertEquals(403, response.getStatus());
    // Log in as "marta" through the public client and obtain an access token.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String token = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE), null).getAccessToken();
    // With the token, resourcea is granted by policy...
    httpFacade = createHttpFacade("/api/resourcea", token);
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    // ...while resourceb remains denied for this user.
    httpFacade = createHttpFacade("/api/resourceb", token);
    context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    response = TestResponse.class.cast(httpFacade.getResponse());
    assertEquals(403, response.getStatus());
    // The disabled path is granted for the authenticated request as well.
    httpFacade = createHttpFacade("/api/resource/public", token);
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
}
Also used: OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade), KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment), PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer), AuthorizationContext (org.keycloak.AuthorizationContext), AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest), Test (org.junit.Test)

Example 5 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

The class PolicyEnforcerTest, method testUsingSubjectToken. Registers a resource and a resource-based permission on the resource server, then verifies that a bearer-only enforcer denies the anonymous request and grants the request carrying the user's access token as subject token.

@Test
public void testUsingSubjectToken() {
    // Create a protected resource on the resource-server client...
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation resource = createResource(clientResource, "Resource Subject Token", "/api/check-subject-token");
    // ...and a resource permission that applies the "Only User Policy" to it.
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getName());
    permission.addPolicy("Only User Policy");
    PermissionsResource permissions = clientResource.authorization().permissions();
    permissions.resource().create(permission).close();
    // Bearer-only adapter configuration: no redirect-based login is possible.
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    // Anonymous request: denied with 403.
    OIDCHttpFacade httpFacade = createHttpFacade("/api/check-subject-token");
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
    // Log in as "marta" and exchange the authorization code for an access token.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    // The same request with the user's token as subject token is granted.
    httpFacade = createHttpFacade("/api/check-subject-token", token);
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
}
Also used: PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource), OAuthClient (org.keycloak.testsuite.util.OAuthClient), OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade), KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment), ClientResource (org.keycloak.admin.client.resource.ClientResource), PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer), AuthorizationContext (org.keycloak.AuthorizationContext), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation), AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest), Test (org.junit.Test)

Aggregations (type, followed by the number of usages alongside OIDCHttpFacade)

OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade): 17
Test (org.junit.Test): 13
KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment): 13
AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest): 13
PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer): 11
AuthorizationContext (org.keycloak.AuthorizationContext): 10
OAuthClient (org.keycloak.testsuite.util.OAuthClient): 8
KeycloakSecurityContext (org.keycloak.KeycloakSecurityContext): 3
ClientResource (org.keycloak.admin.client.resource.ClientResource): 3
PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource): 3
ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation): 3
ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation): 3
Set (java.util.Set): 2
AuthenticatedActionsHandler (org.keycloak.adapters.AuthenticatedActionsHandler): 2
AuthzClient (org.keycloak.authorization.client.AuthzClient): 2
Permission (org.keycloak.representations.idm.authorization.Permission): 2
JsonNode (com.fasterxml.jackson.databind.JsonNode): 1
HashMap (java.util.HashMap): 1
List (java.util.List): 1
AtomicBoolean (java.util.concurrent.atomic.AtomicBoolean): 1