Search in sources :

Example 31 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class GroupPathPolicyTest method createResource.

private void createResource(String name) {
    AuthorizationResource authorization = getClient().authorization();
    ResourceRepresentation resource = new ResourceRepresentation(name);
    authorization.resources().create(resource).close();
}
Also used : AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation)

Example 32 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class PermissionClaimTest method testClaimsFromDifferentResourcePermissions.

@Test
public void testClaimsFromDifferentResourcePermissions() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceRepresentation resourceA = new ResourceRepresentation(KeycloakModelUtils.generateId());
    resourceA.setType("typed-resource");
    authorization.resources().create(resourceA).close();
    ResourcePermissionRepresentation allScopesPermission = new ResourcePermissionRepresentation();
    allScopesPermission.setName(KeycloakModelUtils.generateId());
    allScopesPermission.addResource(resourceA.getName());
    allScopesPermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
    authorization.permissions().resource().create(allScopesPermission).close();
    ResourcePermissionRepresentation updatePermission = new ResourcePermissionRepresentation();
    updatePermission.setName(KeycloakModelUtils.generateId());
    updatePermission.addResource(resourceA.getName());
    updatePermission.addPolicy(claimCPolicy.getName());
    try (Response response = authorization.permissions().resource().create(updatePermission)) {
        updatePermission = response.readEntity(ResourcePermissionRepresentation.class);
    }
    AuthzClient authzClient = getAuthzClient();
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize();
    assertNotNull(response.getToken());
    AccessToken rpt = toAccessToken(response.getToken());
    Authorization authorizationClaim = rpt.getAuthorization();
    List<Permission> permissions = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertNotNull(claims);
        assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
    }
    updatePermission.addPolicy(denyPolicy.getName());
    authorization.permissions().resource().findById(updatePermission.getId()).update(updatePermission);
    try {
        authzClient.authorization("marta", "password").authorize();
        fail("can not access resource");
    } catch (RuntimeException expected) {
        assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
        assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
    }
    ResourceRepresentation resourceInstance = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
    resourceInstance.setType(resourceA.getType());
    resourceInstance.setOwner("marta");
    try (Response response1 = authorization.resources().create(resourceInstance)) {
        resourceInstance = response1.readEntity(ResourceRepresentation.class);
    }
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "create", "update");
    try {
        authzClient.authorization("marta", "password").authorize(request);
        fail("can not access resource");
    } catch (RuntimeException expected) {
        assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
        assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
    }
    ResourcePermissionRepresentation resourceInstancePermission = new ResourcePermissionRepresentation();
    resourceInstancePermission.setName(KeycloakModelUtils.generateId());
    resourceInstancePermission.addResource(resourceInstance.getId());
    resourceInstancePermission.addPolicy(claimCPolicy.getName());
    try (Response response1 = authorization.permissions().resource().create(resourceInstancePermission)) {
        resourceInstancePermission = response1.readEntity(ResourcePermissionRepresentation.class);
    }
    response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    rpt = toAccessToken(response.getToken());
    authorizationClaim = rpt.getAuthorization();
    permissions = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertNotNull(claims);
        assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
        assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
    }
    response = authzClient.authorization("marta", "password").authorize();
    assertNotNull(response.getToken());
    rpt = toAccessToken(response.getToken());
    authorizationClaim = rpt.getAuthorization();
    permissions = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertNotNull(claims);
        assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
        assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
        assertThat(permission.getScopes(), Matchers.containsInAnyOrder("create", "update"));
    }
    updatePermission.setPolicies(new HashSet<>());
    updatePermission.addPolicy(claimCPolicy.getName());
    authorization.permissions().resource().findById(updatePermission.getId()).update(updatePermission);
    response = authzClient.authorization("marta", "password").authorize();
    assertNotNull(response.getToken());
    rpt = toAccessToken(response.getToken());
    authorizationClaim = rpt.getAuthorization();
    permissions = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(2, permissions.size());
    for (Permission permission : permissions) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertNotNull(claims);
        assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
    }
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) ArrayList(java.util.ArrayList) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Response(javax.ws.rs.core.Response) Authorization(org.keycloak.representations.AccessToken.Authorization) AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) ClientResource(org.keycloak.admin.client.resource.ClientResource) Test(org.junit.Test)

Example 33 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class PermissionClaimTest method configureAuthorization.

@Before
public void configureAuthorization() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    claimAPolicy = new JSPolicyRepresentation();
    claimAPolicy.setName("Claim A Policy");
    claimAPolicy.setCode("$evaluation.getPermission().addClaim('claim-a', 'claim-a');$evaluation.getPermission().addClaim('claim-a', 'claim-a1');$evaluation.grant();");
    authorization.policies().js().create(claimAPolicy).close();
    claimBPolicy = new JSPolicyRepresentation();
    claimBPolicy.setName("Policy Claim B");
    claimBPolicy.setCode("$evaluation.getPermission().addClaim('claim-b', 'claim-b');$evaluation.grant();");
    authorization.policies().js().create(claimBPolicy).close();
    claimCPolicy = new JSPolicyRepresentation();
    claimCPolicy.setName("Policy Claim C");
    claimCPolicy.setCode("$evaluation.getPermission().addClaim('claim-c', 'claim-c');$evaluation.grant();");
    authorization.policies().js().create(claimCPolicy).close();
    denyPolicy = new JSPolicyRepresentation();
    denyPolicy.setName("Deny Policy");
    denyPolicy.setCode("$evaluation.getPermission().addClaim('deny-policy', 'deny-policy');$evaluation.deny();");
    authorization.policies().js().create(denyPolicy).close();
}
Also used : JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Before(org.junit.Before)

Example 34 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class PermissionManagementTest method testRemoveScopeFromResource.

@Test
public void testRemoveScopeFromResource() throws Exception {
    ResourceRepresentation resource = addResource("Resource A", "kolo", true, "ScopeA", "ScopeB");
    PermissionRequest permissionRequest = new PermissionRequest(resource.getId(), "ScopeA", "ScopeB");
    AuthzClient authzClient = getAuthzClient();
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    assertNotNull(response.getTicket());
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception e) {
    }
    AuthorizationResource authorization = getClient(getRealm()).authorization();
    ResourceScopesResource scopes = authorization.scopes();
    ScopeRepresentation removedScope = scopes.findByName("ScopeA");
    List permissions = authzClient.protection().permission().findByScope(removedScope.getId());
    assertFalse(permissions.isEmpty());
    resource.setScopes(new HashSet<>());
    resource.addScope("ScopeB");
    authorization.resources().resource(resource.getId()).update(resource);
    permissions = authzClient.protection().permission().findByScope(removedScope.getId());
    assertTrue(permissions.isEmpty());
    ScopeRepresentation scopeB = scopes.findByName("ScopeB");
    permissions = authzClient.protection().permission().findByScope(scopeB.getId());
    assertFalse(permissions.isEmpty());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) ResourceScopesResource(org.keycloak.admin.client.resource.ResourceScopesResource) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) ArrayList(java.util.ArrayList) List(java.util.List) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Example 35 with AuthorizationResource

use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.

the class ConflictingScopePermissionTest method testMartaCanAccessResourceA.

/**
 * <p>Scope Read on Resource A has two conflicting permissions. One is granting access for Marta and the other for Kolo.
 *
 * <p>Scope Read should not be granted for Marta.
 */
@Test
public void testMartaCanAccessResourceA() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.ENFORCING);
    settings.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    authorization.update(settings);
    Collection<Permission> permissions = getEntitlements("marta", "password");
    assertEquals(1, permissions.size());
    for (Permission permission : new ArrayList<>(permissions)) {
        String resourceSetName = permission.getResourceName();
        switch(resourceSetName) {
            case "Resource A":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                permissions.remove(permission);
                break;
            case "Resource C":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                permissions.remove(permission);
                break;
            default:
                fail("Unexpected permission for resource [" + resourceSetName + "]");
        }
    }
    assertTrue(permissions.isEmpty());
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) Permission(org.keycloak.representations.idm.authorization.Permission) ArrayList(java.util.ArrayList) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test)

Aggregations

AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)110 Test (org.junit.Test)87 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)46 ClientResource (org.keycloak.admin.client.resource.ClientResource)43 Response (javax.ws.rs.core.Response)41 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)30 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)28 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)28 AuthzClient (org.keycloak.authorization.client.AuthzClient)27 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)25 ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)23 Permission (org.keycloak.representations.idm.authorization.Permission)22 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)19 OAuthClient (org.keycloak.testsuite.util.OAuthClient)19 TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse)16 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)16 PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation)16 ResourceServerRepresentation (org.keycloak.representations.idm.authorization.ResourceServerRepresentation)15 ArrayList (java.util.ArrayList)14 HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)13