Example 86 with AuthorizationResource
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method testProcessMappersForTargetAudience.
@Test
public void testProcessMappersForTargetAudience() throws Exception {
ClientResource publicClient = getClient(getRealm(), PUBLIC_TEST_CLIENT);
ProtocolMapperRepresentation customClaimMapper = new ProtocolMapperRepresentation();
customClaimMapper.setName("custom_claim");
customClaimMapper.setProtocolMapper(HardcodedClaim.PROVIDER_ID);
customClaimMapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
Map<String, String> config = new HashMap<>();
config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom_claim");
config.put(HardcodedClaim.CLAIM_VALUE, PUBLIC_TEST_CLIENT);
config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true");
customClaimMapper.setConfig(config);
publicClient.getProtocolMappers().createMapper(customClaimMapper);
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
config.put(HardcodedClaim.CLAIM_VALUE, RESOURCE_SERVER_TEST);
client.getProtocolMappers().createMapper(customClaimMapper);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Sensors");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName("View Sensor");
permission.addResource(resource.getName());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
oauth.realm("authz-test");
oauth.clientId(PUBLIC_TEST_CLIENT);
oauth.doLogin("marta", "password");
// Token request
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
AccessToken token = toAccessToken(response.getAccessToken());
assertEquals(PUBLIC_TEST_CLIENT, token.getOtherClaims().get("custom_claim"));
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission("Sensors");
AuthorizationResponse authorizationResponse = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(response.getAccessToken()).authorize(request);
token = toAccessToken(authorizationResponse.getToken());
assertEquals(RESOURCE_SERVER_TEST, token.getOtherClaims().get("custom_claim"));
assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
authorizationResponse = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(response.getAccessToken()).authorize(request);
token = toAccessToken(authorizationResponse.getToken());
assertEquals(RESOURCE_SERVER_TEST, token.getOtherClaims().get("custom_claim"));
assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
}
Also used :
AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest)
HashMap(java.util.HashMap)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource)
ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation)
ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)
AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)
AccessTokenResponse(org.keycloak.representations.AccessTokenResponse)
Response(javax.ws.rs.core.Response)
TokenIntrospectionResponse(org.keycloak.authorization.client.representation.TokenIntrospectionResponse)
AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)
PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse)
AccessToken(org.keycloak.representations.AccessToken)
ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
Test(org.junit.Test)
Example 87 with AuthorizationResource
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsForResourceType.
@Test
public void testObtainAllEntitlementsForResourceType() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
for (int i = 0; i < 10; i++) {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setType("type-one");
resource.setName(KeycloakModelUtils.generateId());
authorization.resources().create(resource).close();
}
for (int i = 0; i < 10; i++) {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setType("type-two");
resource.setName(KeycloakModelUtils.generateId());
authorization.resources().create(resource).close();
}
for (int i = 0; i < 10; i++) {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setType("type-three");
resource.setName(KeycloakModelUtils.generateId());
authorization.resources().create(resource).close();
}
for (int i = 0; i < 10; i++) {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setType("type-four");
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("scope:view", "scope:update");
authorization.resources().create(resource).close();
}
for (int i = 0; i < 10; i++) {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setType("type-five");
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("scope:view");
authorization.resources().create(resource).close();
}
ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
resourcePermission.setName(KeycloakModelUtils.generateId());
resourcePermission.setResourceType("type-one");
resourcePermission.addPolicy(policy.getName());
authorization.permissions().resource().create(resourcePermission).close();
resourcePermission = new ResourcePermissionRepresentation();
resourcePermission.setName(KeycloakModelUtils.generateId());
resourcePermission.setResourceType("type-two");
resourcePermission.addPolicy(policy.getName());
authorization.permissions().resource().create(resourcePermission).close();
resourcePermission = new ResourcePermissionRepresentation();
resourcePermission.setName(KeycloakModelUtils.generateId());
resourcePermission.setResourceType("type-three");
resourcePermission.addPolicy(policy.getName());
authorization.permissions().resource().create(resourcePermission).close();
ScopePermissionRepresentation scopePersmission = new ScopePermissionRepresentation();
scopePersmission.setName(KeycloakModelUtils.generateId());
scopePersmission.setResourceType("type-four");
scopePersmission.addScope("scope:view");
scopePersmission.addPolicy(policy.getName());
authorization.permissions().scope().create(scopePersmission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission("resource-type:type-one");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(10, permissions.size());
request = new AuthorizationRequest();
request.addPermission("resource-type:type-three");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(10, permissions.size());
request = new AuthorizationRequest();
request.addPermission("resource-type:type-four", "scope:view");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(10, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(1, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view")));
}
request = new AuthorizationRequest();
request.addPermission("resource-type:type-five", "scope:view");
try {
authzClient.authorization(accessToken).authorize(request);
fail("no type-five resources can be granted since scope permission for scope:view only applies to type-four");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
for (int i = 0; i < 5; i++) {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setOwner("kolo");
resource.setType("type-two");
resource.setName(KeycloakModelUtils.generateId());
authorization.resources().create(resource).close();
}
request = new AuthorizationRequest();
request.addPermission("resource-type-any:type-two");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(15, permissions.size());
request = new AuthorizationRequest();
request.addPermission("resource-type-owner:type-two");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(5, permissions.size());
request = new AuthorizationRequest();
request.addPermission("resource-type-instance:type-two");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(5, permissions.size());
Permission next = permissions.iterator().next();
ResourceResource resourceMgmt = client.authorization().resources().resource(next.getResourceId());
ResourceRepresentation representation = resourceMgmt.toRepresentation();
representation.setType("type-three");
resourceMgmt.update(representation);
request = new AuthorizationRequest();
request.addPermission("resource-type-instance:type-two");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(4, permissions.size());
request = new AuthorizationRequest();
request.addPermission("resource-type-instance:type-three");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
request = new AuthorizationRequest();
request.addPermission("resource-type-any:type-three");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(11, permissions.size());
for (int i = 0; i < 2; i++) {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setOwner("marta");
resource.setType("type-one");
resource.setName(KeycloakModelUtils.generateId());
authorization.resources().create(resource).close();
}
request = new AuthorizationRequest();
request.addPermission("resource-type:type-one");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(10, permissions.size());
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
request = new AuthorizationRequest();
request.addPermission("resource-type-owner:type-one");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(2, permissions.size());
request = new AuthorizationRequest();
request.addPermission("resource-type-instance:type-one");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(2, permissions.size());
request = new AuthorizationRequest();
request.addPermission("resource-type-any:type-one");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(12, permissions.size());
}
Also used :
AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException)
ResourceResource(org.keycloak.admin.client.resource.ResourceResource)
AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource)
ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation)
ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)
AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)
AuthzClient(org.keycloak.authorization.client.AuthzClient)
Permission(org.keycloak.representations.idm.authorization.Permission)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)
Test(org.junit.Test)
Example 88 with AuthorizationResource
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsForScopeWithDeny.
@Test
public void testObtainAllEntitlementsForScopeWithDeny() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
authorization.scopes().create(new ScopeRepresentation("sensors:view")).close();
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "sensors:view");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertNull(grantedPermission.getResourceId());
assertEquals(1, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("sensors:view")));
}
}
Also used :
AuthzClient(org.keycloak.authorization.client.AuthzClient)
AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
Permission(org.keycloak.representations.idm.authorization.Permission)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation)
AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource)
ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)
AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)
Test(org.junit.Test)
Example 89 with AuthorizationResource
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method testOverridePermission.
@Test
public void testOverridePermission() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation onlyOwnerPolicy = createOnlyOwnerPolicy();
authorization.policies().js().create(onlyOwnerPolicy).close();
ResourceRepresentation typedResource = new ResourceRepresentation();
typedResource.setType("resource");
typedResource.setName(KeycloakModelUtils.generateId());
typedResource.addScope("read", "update");
try (Response response = authorization.resources().create(typedResource)) {
typedResource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
typedResourcePermission.setName(KeycloakModelUtils.generateId());
typedResourcePermission.setResourceType("resource");
typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
try (Response response = authorization.permissions().resource().create(typedResourcePermission)) {
typedResourcePermission = response.readEntity(ResourcePermissionRepresentation.class);
}
ResourceRepresentation martaResource = new ResourceRepresentation();
martaResource.setType("resource");
martaResource.setName(KeycloakModelUtils.generateId());
martaResource.addScope("read", "update");
martaResource.setOwner("marta");
try (Response response = authorization.resources().create(martaResource)) {
martaResource = response.readEntity(ResourceRepresentation.class);
}
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(martaResource.getName());
// marta can access her resource
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
request = new AuthorizationRequest();
request.addPermission(martaResource.getId());
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
UserPolicyRepresentation onlyKoloPolicy = new UserPolicyRepresentation();
onlyKoloPolicy.setName(KeycloakModelUtils.generateId());
onlyKoloPolicy.addUser("kolo");
authorization.policies().user().create(onlyKoloPolicy).close();
ResourcePermissionRepresentation martaResourcePermission = new ResourcePermissionRepresentation();
martaResourcePermission.setName(KeycloakModelUtils.generateId());
martaResourcePermission.addResource(martaResource.getId());
martaResourcePermission.addPolicy(onlyKoloPolicy.getName());
try (Response response1 = authorization.permissions().resource().create(martaResourcePermission)) {
martaResourcePermission = response1.readEntity(ResourcePermissionRepresentation.class);
}
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
typedResourcePermission.setResourceType(null);
typedResourcePermission.addResource(typedResource.getName());
authorization.permissions().resource().findById(typedResourcePermission.getId()).update(typedResourcePermission);
// now kolo can access marta's resources, last permission is overriding policies from typed resource
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
ScopePermissionRepresentation martaResourceUpdatePermission = new ScopePermissionRepresentation();
martaResourceUpdatePermission.setName(KeycloakModelUtils.generateId());
martaResourceUpdatePermission.addResource(martaResource.getId());
martaResourceUpdatePermission.addScope("update");
martaResourceUpdatePermission.addPolicy(onlyOwnerPolicy.getName());
try (Response response1 = authorization.permissions().scope().create(martaResourceUpdatePermission)) {
martaResourceUpdatePermission = response1.readEntity(ScopePermissionRepresentation.class);
}
// now kolo can only read, but not update
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(1, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read"));
}
authorization.permissions().resource().findById(martaResourcePermission.getId()).remove();
try {
// after removing permission to marta resource, kolo can not access any scope in the resource
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
martaResourceUpdatePermission.addPolicy(onlyKoloPolicy.getName());
martaResourceUpdatePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).update(martaResourceUpdatePermission);
// now kolo can access because update permission changed to allow him to access the resource using an affirmative strategy
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(1, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("update"));
}
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
// marta can still access her resource
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("update", "read"));
}
authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).remove();
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
try {
// back to original setup, permissions not granted by the type resource
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
}
Also used :
AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException)
AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource)
ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation)
ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)
AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)
AccessTokenResponse(org.keycloak.representations.AccessTokenResponse)
Response(javax.ws.rs.core.Response)
TokenIntrospectionResponse(org.keycloak.authorization.client.representation.TokenIntrospectionResponse)
AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)
PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse)
AuthzClient(org.keycloak.authorization.client.AuthzClient)
UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation)
Permission(org.keycloak.representations.idm.authorization.Permission)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)
Test(org.junit.Test)
Example 90 with AuthorizationResource
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method configureAuthorization.
private void configureAuthorization(String clientId) throws Exception {
ClientResource client = getClient(getRealm(), clientId);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Default Policy");
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
for (int i = 1; i <= 20; i++) {
ResourceRepresentation resource = new ResourceRepresentation("Resource " + i);
authorization.resources().create(resource).close();
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getName());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
}
}
Also used :
JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource)
ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation)
ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)
Aggregations
AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)110
Test (org.junit.Test)87
ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)46
ClientResource (org.keycloak.admin.client.resource.ClientResource)43
Response (javax.ws.rs.core.Response)41
JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)30
AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)28
ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)28
AuthzClient (org.keycloak.authorization.client.AuthzClient)27
AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)25
ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)23
Permission (org.keycloak.representations.idm.authorization.Permission)22
PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)19
OAuthClient (org.keycloak.testsuite.util.OAuthClient)19
TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse)16
AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)16
PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation)16
ResourceServerRepresentation (org.keycloak.representations.idm.authorization.ResourceServerRepresentation)15
ArrayList (java.util.ArrayList)14
HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)13
