Example 6 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

From the class PolicyEnforcerTest, method testNotAuthenticatedDenyUnmapedPath. The deployment is bearer-only, so a request that carries no token and targets a path that no resource is mapped to must be denied: the enforcer reports the request as not granted and has already written a 403 to the facade's response, rather than letting the request fall through to the application.

@Test
public void testNotAuthenticatedDenyUnmapedPath() {
    // Bearer-only deployment: callers must present a token, there is no login redirect.
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    // Anonymous request (no token) to a path that is not mapped to any resource.
    OIDCHttpFacade httpFacade = createHttpFacade("/api/unmmaped");
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    // Fail closed: the decision is "not granted" ...
    assertFalse(context.isGranted());
    // ... and the enforcer has already set 403 on the response, so the caller never reaches the resource.
    TestResponse response = TestResponse.class.cast(httpFacade.getResponse());
    assertEquals(403, response.getStatus());
}
Also used : OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) AuthorizationContext(org.keycloak.AuthorizationContext) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 7 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

From the class PolicyEnforcerTest, method testDefaultWWWAuthenticateCorsHeader. With CORS enabled on the deployment, a preflight OPTIONS request that carries an Origin header gets WWW-Authenticate listed in Access-Control-Expose-Headers by default, so a browser client is allowed to read the challenge header when a later request is rejected.

@Test
public void testDefaultWWWAuthenticateCorsHeader() {
    // Enforcement is disabled for the public path in this configuration; the test is about CORS handling.
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json"));
    deployment.setCors(true);
    // A cross-origin preflight carries an Origin header (the test facade exposes response headers through the same map).
    Map<String, List<String>> headers = new HashMap<>();
    headers.put(CorsHeaders.ORIGIN, Arrays.asList("http://localhost:8180"));
    // Obtain a real access token for user "marta" through the authorization code flow.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String token = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE), null).getAccessToken();
    OIDCHttpFacade httpFacade = createHttpFacade("http://server/api/resource/public", HttpMethod.OPTIONS, token, headers, Collections.emptyMap(), null, deployment);
    new AuthenticatedActionsHandler(deployment, httpFacade).handledRequest();
    // WWW-Authenticate is exposed to the browser without any explicit cors-exposed-headers setting.
    assertEquals(HttpHeaders.WWW_AUTHENTICATE, headers.get(CorsHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).get(0));
}
Also used : AuthenticatedActionsHandler(org.keycloak.adapters.AuthenticatedActionsHandler) HashMap(java.util.HashMap) OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) List(java.util.List) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 8 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

From the class PolicyEnforcerTest, method testResolvingClaimsOnce. The claim resolver function handed to the facade is guarded by an AtomicBoolean, so the test fails if the enforcer calls it more than once while evaluating a single request: claims pushed through a claim information point are resolved once per request, not once per policy evaluation.

@Test
public void testResolvingClaimsOnce() {
    // Bearer-only deployment whose paths declare a claim information point (cip).
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    // Obtain a real access token for user "marta" through the authorization code flow.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    // The function is the claim source for the test facade; the assertion inside it trips on a second call.
    OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea", token, new Function<String, String>() {

        AtomicBoolean resolved = new AtomicBoolean();

        @Override
        public String apply(String s) {
            // compareAndSet succeeds only the first time: a repeated resolution fails the test.
            Assert.assertTrue(resolved.compareAndSet(false, true));
            return "value-" + s;
        }
    });
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    // The resolved claims travel with the granted permission.
    Permission permission = context.getPermissions().get(0);
    Map<String, Set<String>> claims = permission.getClaims();
    assertTrue(context.isGranted());
    // claim-a came through the resolver function, claim-b did not.
    assertEquals("value-claim-a", claims.get("claim-a").iterator().next());
    assertEquals("claim-b", claims.get("claim-b").iterator().next());
}
Also used : Set(java.util.Set) OAuthClient(org.keycloak.testsuite.util.OAuthClient) OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) AuthorizationContext(org.keycloak.AuthorizationContext) AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) Permission(org.keycloak.representations.idm.authorization.Permission) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 9 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

From the class KeycloakSecurityContextPlaceHolderResolver, method resolve. This resolver serves claim-information-point placeholders that read from the current security context: the whole access token or ID token as a string, or a JSON-pointer lookup into either token. It returns null when the request has no security context, so a placeholder that depends on the token yields no claim for anonymous requests, and it throws on any placeholder it does not recognise instead of silently returning an empty value.

@Override
public List<String> resolve(String placeHolder, HttpFacade httpFacade) {
    // Strip the source prefix (everything up to and including the first '.'), leaving e.g. "access_token['/sub']".
    String source = placeHolder.substring(placeHolder.indexOf('.') + 1);
    // Only an OIDC facade carries a security context; a different facade type fails here with a ClassCastException.
    OIDCHttpFacade oidcHttpFacade = OIDCHttpFacade.class.cast(httpFacade);
    KeycloakSecurityContext securityContext = oidcHttpFacade.getSecurityContext();
    if (securityContext == null) {
        // No authenticated identity on this request: no claim value.
        return null;
    }
    // Whole-token placeholders return the raw, still-signed token string.
    if (source.endsWith("access_token")) {
        return Arrays.asList(securityContext.getTokenString());
    }
    if (source.endsWith("id_token")) {
        return Arrays.asList(securityContext.getIdTokenString());
    }
    // Indexed placeholders select a field inside the parsed token via a JSON pointer.
    JsonNode jsonNode;
    if (source.startsWith("access_token[")) {
        jsonNode = JsonSerialization.mapper.valueToTree(securityContext.getToken());
    } else if (source.startsWith("id_token[")) {
        jsonNode = JsonSerialization.mapper.valueToTree(securityContext.getIdToken());
    } else {
        // Unknown placeholder: fail loudly rather than resolve to nothing.
        throw new RuntimeException("Invalid placeholder [" + placeHolder + "]");
    }
    return JsonUtils.getValues(jsonNode, getParameter(source, "Invalid placeholder [" + placeHolder + "]"));
}
Also used : KeycloakSecurityContext(org.keycloak.KeycloakSecurityContext) OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) JsonNode(com.fasterxml.jackson.databind.JsonNode)
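As an added example, not a file from the Keycloak project or from these tests, here is an adapter configuration in the keycloak.json format that ties the examples above together: the enforcer's default ENFORCING mode, under which an unmapped path is denied as in Example 6; a per-path enforcement-mode of DISABLED together with enable-cors, as used in Example 7; and a claim-information-point whose token placeholders are the ones the resolver in Example 9 handles. The realm, server URL, client name, secret, paths, scope and header names are placeholders to be replaced; JSON carries no comments, so those assumptions are stated here rather than in the block.

```json
{
  "realm": "example-realm",
  "auth-server-url": "https://sso.example.test/auth",
  "resource": "example-resource-server",
  "bearer-only": true,
  "credentials": {
    "secret": "replace-with-client-secret"
  },
  "enable-cors": true,
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "path": "/api/resource/public",
        "enforcement-mode": "DISABLED"
      },
      {
        "name": "Resource A",
        "path": "/api/resourcea",
        "methods": [
          {
            "method": "GET",
            "scopes": ["view"]
          }
        ],
        "claim-information-point": {
          "claims": {
            "claim-a": "{request.header['X-Claim-A']}",
            "claim-b": "claim-b",
            "username": "{keycloak.access_token['/preferred_username']}",
            "client-ip": "{request.remoteAddr}"
          }
        }
      }
    ]
  }
}
```

With this file, a request to /api/unmapped (or any other path without an entry) is rejected with 403 because the top-level enforcement-mode is ENFORCING, while /api/resource/public bypasses the enforcer entirely. The username placeholder is the access_token[ branch of Example 9: the resolver strips the keycloak. prefix, parses the access token into a JSON tree and applies the /preferred_username pointer. Static values such as claim-b are copied into the permission's claims as-is, which is why Example 8 sees "claim-b" unchanged while claim-a passes through the resolver.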

Example 10 with OIDCHttpFacade

Use of org.keycloak.adapters.OIDCHttpFacade in project keycloak by keycloak.

From the class SpringSecurityCookieTokenStore, method checkCurrentToken. When the principal is restored from the adapter's cookie rather than from a fresh bearer token, the AuthorizationContext that the policy enforcer attached to the current request's security context is copied onto the refreshable context before the Spring Security authentication is built. Without that copy, code reading permissions through the Spring principal would see none for cookie-based sessions even though the enforcer had granted them.

@Override
public void checkCurrentToken() {
    // Try to rebuild the principal from the adapter cookie first.
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = checkPrincipalFromCookie();
    if (principal != null) {
        final RefreshableKeycloakSecurityContext securityContext = principal.getKeycloakSecurityContext();
        // The enforcer stores its decision on the security context of the current OIDC facade ...
        KeycloakSecurityContext current = ((OIDCHttpFacade) facade).getSecurityContext();
        if (current != null) {
            // ... so carry it over to the context that Spring Security will expose.
            securityContext.setAuthorizationContext(current.getAuthorizationContext());
        }
        // Realm and client roles come from the token inside the restored context.
        final Set<String> roles = AdapterUtils.getRolesFromSecurityContext(securityContext);
        final OidcKeycloakAccount account = new SimpleKeycloakAccount(principal, roles, securityContext);
        // The boolean marks this as a non-interactive (cookie/token based) authentication.
        SecurityContextHolder.getContext().setAuthentication(new KeycloakAuthenticationToken(account, false));
    } else {
        // No cookie principal: fall back to the default (bearer/session) token check.
        super.checkCurrentToken();
    }
    cookieChecked = true;
}
Also used : OidcKeycloakAccount(org.keycloak.adapters.OidcKeycloakAccount) RefreshableKeycloakSecurityContext(org.keycloak.adapters.RefreshableKeycloakSecurityContext) KeycloakSecurityContext(org.keycloak.KeycloakSecurityContext) OIDCHttpFacade(org.keycloak.adapters.OIDCHttpFacade) SimpleKeycloakAccount(org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount)
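As an added example, not code from the Keycloak project, here is a servlet filter that runs after the adapter and the policy enforcer and makes a resource-level decision from the AuthorizationContext the enforcer leaves on the KeycloakSecurityContext (the same object Example 10 copies onto the refreshable context for Spring Security, and the one whose isGranted() and getPermissions() the tests above assert on). The adapter publishes the security context as a request attribute keyed by the class name of KeycloakSecurityContext. The filter class, the resource name "Resource A", the scope "view" and the request-attribute prefix are assumptions chosen for illustration; the javax.servlet API is assumed because that is the API the legacy adapters target.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.idm.authorization.Permission;

/**
 * Added example (not Keycloak project code). Runs behind a Keycloak adapter with the
 * policy enforcer enabled and re-checks, at the resource, the decision the enforcer
 * stored on the KeycloakSecurityContext of the current request.
 */
public class PermissionGateFilter implements Filter {

    // Hypothetical resource and scope names; they must match the resource server's configuration.
    private static final String RESOURCE_NAME = "Resource A";
    private static final String SCOPE_NAME = "view";
    // Hypothetical attribute prefix under which resolved claims are handed to downstream code.
    private static final String CLAIMS_ATTRIBUTE_PREFIX = "authz.claims.";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The adapter stores the security context as a request attribute keyed by the class name.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // No adapter-authenticated identity: fail closed, as the enforcer does for unmapped paths.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Present only when the policy enforcer evaluated this request (it is null when it did not run).
        AuthorizationContext authz = ctx.getAuthorizationContext();
        if (authz == null || !authz.isGranted()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // A granted request may still lack the specific resource/scope this endpoint needs.
        if (!authz.hasPermission(RESOURCE_NAME, SCOPE_NAME)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Hand the claims the enforcer already resolved (see Example 8) to downstream code
        // instead of resolving them a second time.
        for (Permission permission : authz.getPermissions()) {
            Map<String, Set<String>> claims = permission.getClaims();
            if (claims != null) {
                request.setAttribute(CLAIMS_ATTRIBUTE_PREFIX + permission.getResourceName(), claims);
            }
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The 401 for a missing security context and the 403 for a denied or insufficient permission mirror the split the enforcer itself makes in Example 6. In a Spring Security deployment the same AuthorizationContext is reached through the KeycloakAuthenticationToken's account, which is why Example 10 has to copy it onto the refreshable context before building that token.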

Aggregations

OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade) 17
Test (org.junit.Test) 13
KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment) 13
AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest) 13
PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer) 11
AuthorizationContext (org.keycloak.AuthorizationContext) 10
OAuthClient (org.keycloak.testsuite.util.OAuthClient) 8
KeycloakSecurityContext (org.keycloak.KeycloakSecurityContext) 3
ClientResource (org.keycloak.admin.client.resource.ClientResource) 3
PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource) 3
ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) 3
ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation) 3
Set (java.util.Set) 2
AuthenticatedActionsHandler (org.keycloak.adapters.AuthenticatedActionsHandler) 2
AuthzClient (org.keycloak.authorization.client.AuthzClient) 2
Permission (org.keycloak.representations.idm.authorization.Permission) 2
JsonNode (com.fasterxml.jackson.databind.JsonNode) 1
HashMap (java.util.HashMap) 1
List (java.util.List) 1
AtomicBoolean (java.util.concurrent.atomic.AtomicBoolean) 1