use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method testDenyScopeNotManagedByScopePolicy.
@Test
public void testDenyScopeNotManagedByScopePolicy() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("sensors:view", "sensors:update", "sensors:delete");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addResource(resource.getId());
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resource.getId(), "sensors:view");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(1, grantedPermission.getScopes().size());
assertThat(grantedPermission.getScopes(), hasItem("sensors:view"));
}
request = new AuthorizationRequest();
request.addPermission(resource.getId(), "sensors:update");
this.expectedException.expect(AuthorizationDeniedException.class);
this.expectedException.expectCause(Matchers.allOf(Matchers.instanceOf(HttpResponseException.class), Matchers.hasProperty("statusCode", Matchers.is(403))));
this.expectedException.reportMissingExceptionWithMessage("should fail, session invalidated");
authzClient.authorization().authorize(request);
}
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsForScope.
@Test
public void testObtainAllEntitlementsForScope() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
Set<String> resourceIds = new HashSet<>();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("sensors:view", "sensors:update", "sensors:delete");
try (Response response = authorization.resources().create(resource)) {
resourceIds.add(response.readEntity(ResourceRepresentation.class).getId());
}
resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("sensors:view", "sensors:update");
try (Response response = authorization.resources().create(resource)) {
resourceIds.add(response.readEntity(ResourceRepresentation.class).getId());
}
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addScope("sensors:view", "sensors:update");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "sensors:view");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(2, permissions.size());
for (Permission grantedPermission : permissions) {
assertTrue(resourceIds.containsAll(Arrays.asList(grantedPermission.getResourceId())));
assertEquals(1, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("sensors:view")));
}
request.addPermission(null, "sensors:view", "sensors:update");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(2, permissions.size());
for (Permission grantedPermission : permissions) {
assertTrue(resourceIds.containsAll(Arrays.asList(grantedPermission.getResourceId())));
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("sensors:view", "sensors:update")));
}
request.addPermission(null, "sensors:view", "sensors:update", "sensors:delete");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(2, permissions.size());
for (Permission grantedPermission : permissions) {
assertTrue(resourceIds.containsAll(Arrays.asList(grantedPermission.getResourceId())));
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("sensors:view", "sensors:update")));
}
request = new AuthorizationRequest();
request.addPermission(null, "sensors:view");
request.addPermission(null, "sensors:update");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(2, permissions.size());
for (Permission grantedPermission : permissions) {
assertTrue(resourceIds.containsAll(Arrays.asList(grantedPermission.getResourceId())));
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("sensors:view", "sensors:update")));
}
}
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class ImportAuthorizationSettingsTest method testImportUnorderedSettings.
@Test
public void testImportUnorderedSettings() throws Exception {
ClientResource clientResource = getClientResource();
ResourceServerRepresentation toImport = JsonSerialization.readValue(getClass().getResourceAsStream("/authorization-test/import-authorization-unordered-settings.json"), ResourceServerRepresentation.class);
realmsResouce().realm(getRealmId()).roles().create(new RoleRepresentation("user", null, false));
clientResource.roles().create(new RoleRepresentation("manage-albums", null, false));
AuthorizationResource authorizationResource = clientResource.authorization();
authorizationResource.importSettings(toImport);
assertEquals(13, authorizationResource.policies().policies().size());
}
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method testPermissionsWithResourceAttributes.
@Test
public void testPermissionsWithResourceAttributes() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation onlyPublicResourcesPolicy = new JSPolicyRepresentation();
onlyPublicResourcesPolicy.setName(KeycloakModelUtils.generateId());
onlyPublicResourcesPolicy.setCode("var createPermission = $evaluation.getPermission();\n" + "var resource = createPermission.getResource();\n" + "\n" + "if (resource) {\n" + " var attributes = resource.getAttributes();\n" + " var visibility = attributes.get('visibility');\n" + " \n" + " if (visibility && \"private\".equals(visibility.get(0))) {\n" + " $evaluation.deny();\n" + " } else {\n" + " $evaluation.grant();\n" + " }\n" + "}");
authorization.policies().js().create(onlyPublicResourcesPolicy).close();
JSPolicyRepresentation onlyOwnerPolicy = createOnlyOwnerPolicy();
authorization.policies().js().create(onlyOwnerPolicy).close();
ResourceRepresentation typedResource = new ResourceRepresentation();
typedResource.setType("resource");
typedResource.setName(KeycloakModelUtils.generateId());
try (Response response = authorization.resources().create(typedResource)) {
typedResource = response.readEntity(ResourceRepresentation.class);
}
ResourceRepresentation userResource = new ResourceRepresentation();
userResource.setName(KeycloakModelUtils.generateId());
userResource.setType("resource");
userResource.setOwner("marta");
Map<String, List<String>> attributes = new HashMap<>();
attributes.put("visibility", Arrays.asList("private"));
userResource.setAttributes(attributes);
try (Response response = authorization.resources().create(userResource)) {
userResource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
typedResourcePermission.setName(KeycloakModelUtils.generateId());
typedResourcePermission.setResourceType("resource");
typedResourcePermission.addPolicy(onlyPublicResourcesPolicy.getName());
try (Response response = authorization.permissions().resource().create(typedResourcePermission)) {
typedResourcePermission = response.readEntity(ResourcePermissionRepresentation.class);
}
// marta can access any public resource
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(typedResource.getId());
request.addPermission(userResource.getId());
AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(typedResource.getName(), grantedPermission.getResourceName());
}
typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
typedResourcePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
authorization.permissions().resource().findById(typedResourcePermission.getId()).update(typedResourcePermission);
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(2, permissions.size());
for (Permission grantedPermission : permissions) {
assertThat(Arrays.asList(typedResource.getName(), userResource.getName()), Matchers.hasItem(grantedPermission.getResourceName()));
}
typedResource.setAttributes(attributes);
authorization.resources().resource(typedResource.getId()).update(typedResource);
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertThat(userResource.getName(), Matchers.equalTo(grantedPermission.getResourceName()));
}
userResource.addScope("create", "read");
authorization.resources().resource(userResource.getId()).update(userResource);
typedResource.addScope("create", "read");
authorization.resources().resource(typedResource.getId()).update(typedResource);
ScopePermissionRepresentation createPermission = new ScopePermissionRepresentation();
createPermission.setName(KeycloakModelUtils.generateId());
createPermission.addScope("create");
createPermission.addPolicy(onlyPublicResourcesPolicy.getName());
authorization.permissions().scope().create(createPermission).close();
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertThat(userResource.getName(), Matchers.equalTo(grantedPermission.getResourceName()));
assertThat(grantedPermission.getScopes(), Matchers.not(Matchers.hasItem("create")));
}
typedResource.setAttributes(new HashMap<>());
authorization.resources().resource(typedResource.getId()).update(typedResource);
response = authzClient.authorization("marta", "password").authorize();
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
for (Permission grantedPermission : permissions) {
if (grantedPermission.getResourceName().equals(userResource.getName())) {
assertThat(grantedPermission.getScopes(), Matchers.not(Matchers.hasItem("create")));
} else if (grantedPermission.getResourceName().equals(typedResource.getName())) {
assertThat(grantedPermission.getScopes(), Matchers.containsInAnyOrder("create", "read"));
}
}
request = new AuthorizationRequest();
request.addPermission(typedResource.getId());
request.addPermission(userResource.getId());
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
for (Permission grantedPermission : permissions) {
if (grantedPermission.getResourceName().equals(userResource.getName())) {
assertThat(grantedPermission.getScopes(), Matchers.not(Matchers.hasItem("create")));
} else if (grantedPermission.getResourceName().equals(typedResource.getName())) {
assertThat(grantedPermission.getScopes(), Matchers.containsInAnyOrder("create", "read"));
}
}
request = new AuthorizationRequest();
request.addPermission(userResource.getId());
request.addPermission(typedResource.getId());
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
for (Permission grantedPermission : permissions) {
if (grantedPermission.getResourceName().equals(userResource.getName())) {
assertThat(grantedPermission.getScopes(), Matchers.not(Matchers.hasItem("create")));
} else if (grantedPermission.getResourceName().equals(typedResource.getName())) {
assertThat(grantedPermission.getScopes(), Matchers.containsInAnyOrder("create", "read"));
}
}
}
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class EntitlementAPITest method testServerDecisionStrategy.
@Test
public void testServerDecisionStrategy() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("read", "write", "delete");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
grantPolicy.setName(KeycloakModelUtils.generateId());
grantPolicy.setCode("$evaluation.grant();");
authorization.policies().js().create(grantPolicy).close();
JSPolicyRepresentation denyPolicy = new JSPolicyRepresentation();
denyPolicy.setName(KeycloakModelUtils.generateId());
denyPolicy.setCode("$evaluation.deny();");
authorization.policies().js().create(denyPolicy).close();
ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
resourcePermission.setName(KeycloakModelUtils.generateId());
resourcePermission.addResource(resource.getId());
resourcePermission.addPolicy(denyPolicy.getName());
authorization.permissions().resource().create(resourcePermission).close();
ScopePermissionRepresentation scopePermission1 = new ScopePermissionRepresentation();
scopePermission1.setName(KeycloakModelUtils.generateId());
scopePermission1.addScope("read");
scopePermission1.addPolicy(grantPolicy.getName());
ScopePermissionsResource scopePermissions = authorization.permissions().scope();
scopePermissions.create(scopePermission1).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resource.getName());
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access the resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
ResourceServerRepresentation settings = authorization.getSettings();
settings.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
authorization.update(settings);
assertPermissions(authzClient, accessToken, request, resource, "read");
scopePermission1 = scopePermissions.findByName(scopePermission1.getName());
scopePermission1.addScope("read", "delete");
scopePermissions.findById(scopePermission1.getId()).update(scopePermission1);
assertPermissions(authzClient, accessToken, request, resource, "read", "delete");
ScopePermissionRepresentation scopePermission2 = new ScopePermissionRepresentation();
scopePermission2.setName(KeycloakModelUtils.generateId());
scopePermission2.addScope("write");
scopePermission2.addPolicy(grantPolicy.getName());
scopePermissions.create(scopePermission2).close();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
ScopePermissionRepresentation scopePermission3 = new ScopePermissionRepresentation();
scopePermission3.setName(KeycloakModelUtils.generateId());
scopePermission3.addResource(resource.getId());
scopePermission3.addScope("write", "read", "delete");
scopePermission3.addPolicy(grantPolicy.getName());
scopePermissions.create(scopePermission3).close();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
scopePermission2 = scopePermissions.findByName(scopePermission2.getName());
scopePermissions.findById(scopePermission2.getId()).remove();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
scopePermission1 = scopePermissions.findByName(scopePermission1.getName());
scopePermissions.findById(scopePermission1.getId()).remove();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
scopePermission3 = scopePermissions.findByName(scopePermission3.getName());
scopePermission3.addScope("write", "delete");
scopePermissions.findById(scopePermission3.getId()).update(scopePermission3);
assertPermissions(authzClient, accessToken, request, resource, "delete", "write");
scopePermissions.findById(scopePermission3.getId()).remove();
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access the resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
ResourcePermissionRepresentation grantResourcePermission = new ResourcePermissionRepresentation();
grantResourcePermission.setName(KeycloakModelUtils.generateId());
grantResourcePermission.addResource(resource.getId());
grantResourcePermission.addPolicy(grantPolicy.getName());
authorization.permissions().resource().create(grantResourcePermission).close();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
authorization.update(settings);
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access the resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
}
Aggregations