
Example 76 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class AbstractPhotozExampleAdapterTest method testOverridePermissionFromResourceParent.

/**
 * Checks that a permission granted on one resource instance takes precedence over the
 * permission inherited from the parent resource type.
 *
 * <p>Alice and the admin can both work with Alice's album at first. After a resource
 * permission bound to the "Only Owner Policy" is created for that single album, the
 * admin is denied viewing and deleting it while Alice, the owner, is still allowed to
 * delete it.
 *
 * @throws Exception if the client page or the admin REST interaction fails
 */
@Test
public void testOverridePermissionFromResourceParent() throws Exception {
    final String resourceName = "My-Resource-Instance";

    // Owner creates, views and deletes her own album, then re-creates it.
    loginToClientPage(aliceUser);
    clientPage.createAlbum(resourceName);
    clientPage.viewAlbum(resourceName, this::assertWasNotDenied);
    clientPage.deleteAlbum(resourceName, this::assertWasNotDenied);
    clientPage.createAlbum(resourceName);

    // Without an instance-level permission the admin is allowed as well.
    loginToClientPage(adminUser);
    clientPage.navigateToAdminAlbum(this::assertWasNotDenied);
    clientPage.viewAlbum(resourceName, this::assertWasNotDenied);
    clientPage.deleteAlbum(resourceName, this::assertWasNotDenied);

    loginToClientPage(aliceUser);
    clientPage.createAlbum(resourceName);

    // Restrict every resource carrying this name (Alice's album) to its owner.
    final AuthorizationResource authorizationResource = getAuthorizationResource();
    authorizationResource.resources().resources().stream()
            .filter(resource -> resource.getName().equals(resourceName))
            .forEach(resource -> createOnlyOwnerPermission(authorizationResource, resourceName, resource.getId()));
    printUpdatedPolicies();

    // The admin is now denied on the album ...
    loginToClientPage(adminUser);
    clientPage.navigateToAdminAlbum(this::assertWasNotDenied);
    clientPage.viewAlbum(resourceName, this::assertWasDenied);
    clientPage.deleteAlbum(resourceName, this::assertWasDenied);

    // ... whereas the owner can still delete it.
    loginToClientPage(aliceUser);
    clientPage.deleteAlbum(resourceName, this::assertWasNotDenied);
    assertThat(getResourcesOfUser("alice"), is(empty()));
}

/**
 * Creates a resource-type permission named {@code <resourceName>Permission} that applies
 * the "Only Owner Policy" to the single resource {@code resourceId}.
 *
 * @param authorizationResource admin client handle of the resource server
 * @param resourceName name of the album, used to derive the permission name
 * @param resourceId id of the resource instance the permission is bound to
 * @throws RuntimeException wrapping the {@link IOException} raised while serializing the config
 */
private void createOnlyOwnerPermission(AuthorizationResource authorizationResource, String resourceName, String resourceId) {
    PolicyRepresentation permission = new PolicyRepresentation();
    permission.setName(resourceName + "Permission");
    permission.setType("resource");
    Map<String, String> config = new HashMap<>();
    try {
        config.put("resources", JsonSerialization.writeValueAsString(Arrays.asList(resourceId)));
        config.put("applyPolicies", JsonSerialization.writeValueAsString(Arrays.asList("Only Owner Policy")));
    } catch (IOException e) {
        throw new RuntimeException("Error creating policy.", e);
    }
    permission.setConfig(config);
    authorizationResource.policies().create(permission);
}
Also used : PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) HashMap(java.util.HashMap) Matchers.containsString(org.hamcrest.Matchers.containsString) IOException(java.io.IOException) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test)

Example 77 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class LifespanAdapterTest method testPathConfigInvalidation.

/**
 * Verifies that the adapter invalidates its cached path configuration.
 *
 * <p>Immediately after the "Profile Resource" is removed on the server the login fails,
 * because the adapter still works from the cached, now stale, path config. Once the
 * adapter clock is moved forward and the cache entry has expired, the login succeeds.
 * The resource is then re-created and a permission applying
 * "Only From @keycloak.org or Admin" is added, so alice's access must follow her e-mail
 * domain: denied with an "@anotherdomain.org" address, granted with "@keycloak.org".
 *
 * @throws Exception if the client page or the admin REST interaction fails
 */
@Test
public void testPathConfigInvalidation() throws Exception {
    loginToClientPage(aliceUser);
    assertSuccess();
    ResourceRepresentation resource = getAuthorizationResource().resources().findByName("Profile Resource").get(0);
    AuthorizationResource authorizationResource = getAuthorizationResource();
    authorizationResource.resources().resource(resource.getId()).remove();
    assertThat(getAuthorizationResource().resources().findByName("Profile Resource").isEmpty(), Matchers.is(true));
    loginToClientPage(aliceUser);
    // should fail: the resource was removed but the adapter's cache entry has not expired yet
    assertFailure();
    // move the adapter clock forward so that the cached path config expires
    setTimeOffsetOfAdapter(40);
    loginToClientPage(aliceUser);
    assertSuccess();
    setTimeOffsetOfAdapter(0);
    // re-create the resource; the representation returned by the server is used from here on
    try (Response response = authorizationResource.resources().create(resource)) {
        resource = response.readEntity(ResourceRepresentation.class);
    }
    loginToClientPage(aliceUser);
    assertSuccess();
    RealmResource realm = this.realmsResouce().realm(REALM_NAME);
    UserRepresentation userRepresentation = realm.users().search(aliceUser.getUsername()).get(0);
    UserResource userResource = realm.users().get(userRepresentation.getId());
    // move alice out of the @keycloak.org domain before the e-mail based permission exists
    userRepresentation.setEmail("alice@anotherdomain.org");
    userResource.update(userRepresentation);
    loginToClientPage(aliceUser);
    assertTicket();
    try {
        // permission on the re-created resource that only admits admins or @keycloak.org users
        PolicyRepresentation resourceInstancePermission = new PolicyRepresentation();
        resourceInstancePermission.setName("View User Permission");
        resourceInstancePermission.setType("resource");
        Map<String, String> config = new HashMap<>();
        config.put("resources", JsonSerialization.writeValueAsString(Collections.singletonList(resource.getId())));
        config.put("applyPolicies", JsonSerialization.writeValueAsString(Collections.singletonList("Only From @keycloak.org or Admin")));
        resourceInstancePermission.setConfig(config);
        authorizationResource.policies().create(resourceInstancePermission);
    } catch (IOException e) {
        throw new RuntimeException("Error creating policy.", e);
    }
    loginToClientPage(aliceUser);
    // should fail: alice's e-mail is outside @keycloak.org and the new permission only
    // admits "Only From @keycloak.org or Admin"
    assertFailure();
    // back in the allowed domain, access is granted again
    userRepresentation.setEmail("alice@keycloak.org");
    userResource.update(userRepresentation);
    loginToClientPage(aliceUser);
    assertSuccess();
}
Also used : Response(javax.ws.rs.core.Response) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) HashMap(java.util.HashMap) RealmResource(org.keycloak.admin.client.resource.RealmResource) UserResource(org.keycloak.admin.client.resource.UserResource) IOException(java.io.IOException) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 78 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class ConflictingScopePermissionTest method testWithDisabledMode.

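/**
 * Verifies that with enforcement mode {@code DISABLED} every permission is granted:
 * marta's entitlements cover "Resource A", "Resource B" and "Resource C", each with the
 * full scope set ("execute", "write", "read"), even though the {@code UNANIMOUS}
 * decision strategy is configured.
 *
 * @throws Exception if updating the settings or obtaining the entitlements fails
 */
@Test
public void testWithDisabledMode() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.DISABLED);
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);

    Collection<Permission> permissions = getEntitlements("marta", "password");
    assertEquals(3, permissions.size());

    // Iterate over a copy so that matched permissions can be removed from the original
    // collection; anything left over at the end was not accounted for.
    for (Permission permission : new ArrayList<>(permissions)) {
        String resourceSetName = permission.getResourceName();
        if (resourceSetName == null) {
            // a switch on null would raise an NPE instead of a readable assertion failure
            fail("Permission without a resource name");
        }
        switch (resourceSetName) {
            // With enforcement disabled all three resources are granted with every scope,
            // so one case covers them instead of three identical ones.
            case "Resource A":
            case "Resource B":
            case "Resource C":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                permissions.remove(permission);
                break;
            default:
                fail("Unexpected permission for resource [" + resourceSetName + "]");
        }
    }
    assertTrue(permissions.isEmpty());
}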
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) Permission(org.keycloak.representations.idm.authorization.Permission) ArrayList(java.util.ArrayList) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test)

Example 79 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class PermissionManagementTest method testDeleteScopeAndPermissionTicket.

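/**
 * Verifies that removing a scope also removes the permission tickets that referenced it.
 *
 * <p>"Resource A" is created for owner "kolo" with three scopes and marta requests a
 * ticket covering all of them; afterwards three tickets are found by resource and one
 * by "ScopeA" (presumably one ticket per requested scope). Detaching all scopes from the
 * resource and deleting "ScopeA" must leave no ticket findable by that scope nor by the
 * resource.
 *
 * @throws Exception if the protection or admin API interaction fails
 */
@Test
public void testDeleteScopeAndPermissionTicket() throws Exception {
    ResourceRepresentation resource = addResource("Resource A", "kolo", true, "ScopeA", "ScopeB", "ScopeC");
    PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
    permissionRequest.setScopes(new HashSet<>(Arrays.asList("ScopeA", "ScopeB", "ScopeC")));
    AuthzClient authzClient = getAuthzClient();
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    assertNotNull(response.getTicket());

    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
        // The result of this authorization attempt is deliberately not asserted; the test
        // only looks at the tickets the request leaves behind. NOTE(review): presumably the
        // request is refused because the resource needs the owner's approval — confirm the
        // exception type and narrow this catch so unrelated failures are not hidden.
    }
    assertEquals(3, authzClient.protection().permission().findByResource(resource.getId()).size());

    AuthorizationResource authorization = getClient(getRealm()).authorization();
    ResourceScopesResource scopes = authorization.scopes();
    ScopeRepresentation scope = scopes.findByName("ScopeA");
    // Wildcard instead of a raw List: only the size is needed, so the element type
    // does not have to be named here.
    List<?> permissions = authzClient.protection().permission().findByScope(scope.getId());
    assertEquals(1, permissions.size());

    // Detach every scope from the resource before deleting the scope itself.
    resource.setScopes(Collections.emptySet());
    authorization.resources().resource(resource.getId()).update(resource);
    scopes.scope(scope.getId()).remove();

    assertTrue(authzClient.protection().permission().findByScope(scope.getId()).isEmpty());
    assertEquals(0, authzClient.protection().permission().findByResource(resource.getId()).size());
}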
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) ResourceScopesResource(org.keycloak.admin.client.resource.ResourceScopesResource) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) ArrayList(java.util.ArrayList) List(java.util.List) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Example 80 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class ConflictingScopePermissionTest method testWithPermissiveMode.

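/**
 * Verifies marta's entitlements under enforcement mode {@code PERMISSIVE} with the
 * {@code UNANIMOUS} decision strategy: "Resource B" and "Resource C" are granted with
 * every scope, whereas "Resource A" is granted with "execute" and "write" only.
 *
 * @throws Exception if updating the settings or obtaining the entitlements fails
 */
@Test
public void testWithPermissiveMode() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.PERMISSIVE);
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);

    Collection<Permission> permissions = getEntitlements("marta", "password");
    assertEquals(3, permissions.size());

    // Iterate over a copy so that matched permissions can be removed from the original
    // collection; anything left over at the end was not accounted for.
    for (Permission permission : new ArrayList<>(permissions)) {
        String resourceSetName = permission.getResourceName();
        if (resourceSetName == null) {
            // a switch on null would raise an NPE instead of a readable assertion failure
            fail("Permission without a resource name");
        }
        switch (resourceSetName) {
            case "Resource A":
                // the conflicting scope permission on "read" is not granted in permissive mode
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write"));
                permissions.remove(permission);
                break;
            // B and C share the same expectation, so one case covers both.
            case "Resource B":
            case "Resource C":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                permissions.remove(permission);
                break;
            default:
                fail("Unexpected permission for resource [" + resourceSetName + "]");
        }
    }
    assertTrue(permissions.isEmpty());
}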
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) Permission(org.keycloak.representations.idm.authorization.Permission) ArrayList(java.util.ArrayList) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test)
