Use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak (by keycloak): class AbstractPhotozExampleAdapterTest, method testOverridePermissionFromResourceParent.
/**
 * Verifies that a permission attached directly to one resource instance takes precedence over the
 * access the admin user otherwise has on albums: once an "Only Owner Policy" permission is bound to
 * alice's album, the admin is denied view/delete on that album while alice keeps full control.
 */
@Test
public void testOverridePermissionFromResourceParent() throws Exception {
    final String albumName = "My-Resource-Instance";

    // Owner creates, views and deletes her own album without any restriction.
    loginToClientPage(aliceUser);
    clientPage.createAlbum(albumName);
    clientPage.viewAlbum(albumName, this::assertWasNotDenied);
    clientPage.deleteAlbum(albumName, this::assertWasNotDenied);
    clientPage.createAlbum(albumName);

    // Before the instance-level permission exists, the admin can view and delete the album.
    loginToClientPage(adminUser);
    clientPage.navigateToAdminAlbum(this::assertWasNotDenied);
    clientPage.viewAlbum(albumName, this::assertWasNotDenied);
    clientPage.deleteAlbum(albumName, this::assertWasNotDenied);

    loginToClientPage(aliceUser);
    clientPage.createAlbum(albumName);

    // Bind an owner-only permission to every registered resource carrying the album's name.
    final AuthorizationResource authorization = getAuthorizationResource();
    authorization.resources().resources().stream()
            .filter(resource -> resource.getName().equals(albumName))
            .forEach(resource -> createOwnerOnlyPermissionFor(authorization, albumName + "Permission", resource.getId()));
    printUpdatedPolicies();

    // The admin is now denied on this particular album, although the admin area itself is still reachable.
    loginToClientPage(adminUser);
    clientPage.navigateToAdminAlbum(this::assertWasNotDenied);
    clientPage.viewAlbum(albumName, this::assertWasDenied);
    clientPage.deleteAlbum(albumName, this::assertWasDenied);

    // The owner can still remove the album, leaving her with no resources at all.
    loginToClientPage(aliceUser);
    clientPage.deleteAlbum(albumName, this::assertWasNotDenied);
    assertThat(getResourcesOfUser("alice"), is(empty()));
}

/**
 * Creates a resource-based permission named {@code permissionName} that applies the
 * "Only Owner Policy" to the single resource identified by {@code resourceId}.
 *
 * @throws RuntimeException wrapping any {@link IOException} raised while serialising the policy config
 */
private void createOwnerOnlyPermissionFor(AuthorizationResource authorization, String permissionName, String resourceId) {
    try {
        PolicyRepresentation permission = new PolicyRepresentation();
        permission.setName(permissionName);
        permission.setType("resource");
        Map<String, String> config = new HashMap<>();
        // Both config values are JSON-encoded lists, as expected by the resource permission provider.
        config.put("resources", JsonSerialization.writeValueAsString(Arrays.asList(resourceId)));
        config.put("applyPolicies", JsonSerialization.writeValueAsString(Arrays.asList("Only Owner Policy")));
        permission.setConfig(config);
        authorization.policies().create(permission);
    } catch (IOException e) {
        throw new RuntimeException("Error creating policy.", e);
    }
}
Use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak (by keycloak): class LifespanAdapterTest, method testPathConfigInvalidation.
/**
 * Exercises the adapter's path-config cache. Removing a protected resource on the server is not
 * seen by the adapter until its cache entry expires; afterwards the resource is recreated and a
 * permission keyed on the user's e-mail domain is attached to it, which must be enforced on the
 * very next request.
 */
@Test
public void testPathConfigInvalidation() throws Exception {
    final String profileResourceName = "Profile Resource";

    loginToClientPage(aliceUser);
    assertSuccess();

    ResourceRepresentation profileResource =
            getAuthorizationResource().resources().findByName(profileResourceName).get(0);
    AuthorizationResource authorization = getAuthorizationResource();

    // Delete the resource server-side and confirm it is gone from the server's point of view.
    authorization.resources().resource(profileResource.getId()).remove();
    assertThat(getAuthorizationResource().resources().findByName(profileResourceName).isEmpty(), Matchers.is(true));

    // The adapter still holds the stale cache entry for the removed resource, so the request fails.
    loginToClientPage(aliceUser);
    assertFailure();

    // Shift the adapter clock forward (presumably past the path-config cache lifespan); the stale
    // entry is dropped and the request succeeds again. Reset the offset afterwards.
    setTimeOffsetOfAdapter(40);
    loginToClientPage(aliceUser);
    assertSuccess();
    setTimeOffsetOfAdapter(0);

    // Recreate the resource and keep the server-assigned representation (it carries the new id).
    try (Response created = authorization.resources().create(profileResource)) {
        profileResource = created.readEntity(ResourceRepresentation.class);
    }
    loginToClientPage(aliceUser);
    assertSuccess();

    // Move alice to an e-mail domain that the policy applied below does not accept.
    RealmResource realm = this.realmsResouce().realm(REALM_NAME);
    UserRepresentation alice = realm.users().search(aliceUser.getUsername()).get(0);
    UserResource aliceResource = realm.users().get(alice.getId());
    alice.setEmail("alice@anotherdomain.org");
    aliceResource.update(alice);
    loginToClientPage(aliceUser);
    assertTicket();

    // Attach the "Only From @keycloak.org or Admin" policy to the recreated resource.
    try {
        Map<String, String> config = new HashMap<>();
        config.put("resources", JsonSerialization.writeValueAsString(Collections.singletonList(profileResource.getId())));
        config.put("applyPolicies", JsonSerialization.writeValueAsString(Collections.singletonList("Only From @keycloak.org or Admin")));
        PolicyRepresentation viewUserPermission = new PolicyRepresentation();
        viewUserPermission.setName("View User Permission");
        viewUserPermission.setType("resource");
        viewUserPermission.setConfig(config);
        authorization.policies().create(viewUserPermission);
    } catch (IOException e) {
        throw new RuntimeException("Error creating policy.", e);
    }

    // Denied: alice's current e-mail domain does not satisfy the newly attached policy.
    loginToClientPage(aliceUser);
    assertFailure();

    // Restoring a @keycloak.org address makes the policy pass again.
    alice.setEmail("alice@keycloak.org");
    aliceResource.update(alice);
    loginToClientPage(aliceUser);
    assertSuccess();
}
Use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak (by keycloak): class ConflictingScopePermissionTest, method testWithDisabledMode.
/**
 * With policy enforcement set to DISABLED the conflicting scope permissions have no effect:
 * marta is entitled to "execute", "write" and "read" on all three resources.
 */
@Test
public void testWithDisabledMode() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.DISABLED);
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);

    Collection<Permission> granted = getEntitlements("marta", "password");
    assertEquals(3, granted.size());

    // Iterate over a snapshot so each matched entry can be removed from the live collection.
    for (Permission permission : new ArrayList<>(granted)) {
        String resourceName = permission.getResourceName();
        switch (resourceName) {
            case "Resource A":
            case "Resource C":
            case "Resource B":
                // Enforcement is off, so every scope is granted on every resource.
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                granted.remove(permission);
                break;
            default:
                fail("Unexpected permission for resource [" + resourceName + "]");
        }
    }
    // Each of the three entitlements was matched exactly once.
    assertTrue(granted.isEmpty());
}
Use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak (by keycloak): class PermissionManagementTest, method testDeleteScopeAndPermissionTicket.
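/**
 * Deleting a scope must cascade to the permission tickets that reference it: after the scopes are
 * detached from the resource and "ScopeA" is removed, no tickets remain for that scope and the
 * resource itself has no tickets left either.
 */
@Test
public void testDeleteScopeAndPermissionTicket() throws Exception {
    ResourceRepresentation resource = addResource("Resource A", "kolo", true, "ScopeA", "ScopeB", "ScopeC");

    // Marta requests a ticket for all three scopes on kolo's resource.
    PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
    permissionRequest.setScopes(new HashSet<>(Arrays.asList("ScopeA", "ScopeB", "ScopeC")));
    AuthzClient authzClient = getAuthzClient();
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    assertNotNull(response.getTicket());

    // Present the ticket. The outcome is deliberately ignored: this test is about the persisted
    // tickets, which are asserted directly below, not about whether marta is authorized.
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
        // Expected when the request is denied; the ticket state is verified by the assertions below.
    }
    assertEquals(3, authzClient.protection().permission().findByResource(resource.getId()).size());

    AuthorizationResource authorization = getClient(getRealm()).authorization();
    ResourceScopesResource scopes = authorization.scopes();
    ScopeRepresentation scopeA = scopes.findByName("ScopeA");
    // Wildcard rather than a raw type: only the size of the result is inspected here.
    List<?> ticketsForScopeA = authzClient.protection().permission().findByScope(scopeA.getId());
    assertEquals(1, ticketsForScopeA.size());

    // Detach every scope from the resource, then remove ScopeA itself.
    resource.setScopes(Collections.emptySet());
    authorization.resources().resource(resource.getId()).update(resource);
    scopes.scope(scopeA.getId()).remove();

    // Tickets referencing the deleted scope are gone, and the resource has no tickets left.
    assertTrue(authzClient.protection().permission().findByScope(scopeA.getId()).isEmpty());
    assertEquals(0, authzClient.protection().permission().findByResource(resource.getId()).size());
}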
Use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak (by keycloak): class ConflictingScopePermissionTest, method testWithPermissiveMode.
/**
 * With policy enforcement set to PERMISSIVE the conflicting scope permissions on "Resource A"
 * narrow marta's entitlement to "execute" and "write" there, while "Resource B" and "Resource C"
 * still grant all three scopes.
 */
@Test
public void testWithPermissiveMode() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.PERMISSIVE);
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);

    Collection<Permission> granted = getEntitlements("marta", "password");
    assertEquals(3, granted.size());

    // Iterate over a snapshot so each matched entry can be removed from the live collection.
    for (Permission permission : new ArrayList<>(granted)) {
        String resourceName = permission.getResourceName();
        switch (resourceName) {
            case "Resource A":
                // The conflicting permission on Resource A withholds "read" in permissive mode.
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write"));
                granted.remove(permission);
                break;
            case "Resource C":
            case "Resource B":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                granted.remove(permission);
                break;
            default:
                fail("Unexpected permission for resource [" + resourceName + "]");
        }
    }
    // Each of the three entitlements was matched exactly once.
    assertTrue(granted.isEmpty());
}