use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class GroupPathPolicyTest method createResource.
private void createResource(String name) {
AuthorizationResource authorization = getClient().authorization();
ResourceRepresentation resource = new ResourceRepresentation(name);
authorization.resources().create(resource).close();
}
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class PermissionClaimTest method testClaimsFromDifferentResourcePermissions.
@Test
public void testClaimsFromDifferentResourcePermissions() throws Exception {
ClientResource client = getClient(getRealm());
AuthorizationResource authorization = client.authorization();
ResourceRepresentation resourceA = new ResourceRepresentation(KeycloakModelUtils.generateId());
resourceA.setType("typed-resource");
authorization.resources().create(resourceA).close();
ResourcePermissionRepresentation allScopesPermission = new ResourcePermissionRepresentation();
allScopesPermission.setName(KeycloakModelUtils.generateId());
allScopesPermission.addResource(resourceA.getName());
allScopesPermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
authorization.permissions().resource().create(allScopesPermission).close();
ResourcePermissionRepresentation updatePermission = new ResourcePermissionRepresentation();
updatePermission.setName(KeycloakModelUtils.generateId());
updatePermission.addResource(resourceA.getName());
updatePermission.addPolicy(claimCPolicy.getName());
try (Response response = authorization.permissions().resource().create(updatePermission)) {
updatePermission = response.readEntity(ResourcePermissionRepresentation.class);
}
AuthzClient authzClient = getAuthzClient();
AuthorizationResponse response = authzClient.authorization("marta", "password").authorize();
assertNotNull(response.getToken());
AccessToken rpt = toAccessToken(response.getToken());
Authorization authorizationClaim = rpt.getAuthorization();
List<Permission> permissions = new ArrayList<>(authorizationClaim.getPermissions());
assertEquals(1, permissions.size());
for (Permission permission : permissions) {
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
}
updatePermission.addPolicy(denyPolicy.getName());
authorization.permissions().resource().findById(updatePermission.getId()).update(updatePermission);
try {
authzClient.authorization("marta", "password").authorize();
fail("can not access resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
ResourceRepresentation resourceInstance = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
resourceInstance.setType(resourceA.getType());
resourceInstance.setOwner("marta");
try (Response response1 = authorization.resources().create(resourceInstance)) {
resourceInstance = response1.readEntity(ResourceRepresentation.class);
}
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "create", "update");
try {
authzClient.authorization("marta", "password").authorize(request);
fail("can not access resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
ResourcePermissionRepresentation resourceInstancePermission = new ResourcePermissionRepresentation();
resourceInstancePermission.setName(KeycloakModelUtils.generateId());
resourceInstancePermission.addResource(resourceInstance.getId());
resourceInstancePermission.addPolicy(claimCPolicy.getName());
try (Response response1 = authorization.permissions().resource().create(resourceInstancePermission)) {
resourceInstancePermission = response1.readEntity(ResourcePermissionRepresentation.class);
}
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
rpt = toAccessToken(response.getToken());
authorizationClaim = rpt.getAuthorization();
permissions = new ArrayList<>(authorizationClaim.getPermissions());
assertEquals(1, permissions.size());
for (Permission permission : permissions) {
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
}
response = authzClient.authorization("marta", "password").authorize();
assertNotNull(response.getToken());
rpt = toAccessToken(response.getToken());
authorizationClaim = rpt.getAuthorization();
permissions = new ArrayList<>(authorizationClaim.getPermissions());
assertEquals(1, permissions.size());
for (Permission permission : permissions) {
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
assertThat(permission.getScopes(), Matchers.containsInAnyOrder("create", "update"));
}
updatePermission.setPolicies(new HashSet<>());
updatePermission.addPolicy(claimCPolicy.getName());
authorization.permissions().resource().findById(updatePermission.getId()).update(updatePermission);
response = authzClient.authorization("marta", "password").authorize();
assertNotNull(response.getToken());
rpt = toAccessToken(response.getToken());
authorizationClaim = rpt.getAuthorization();
permissions = new ArrayList<>(authorizationClaim.getPermissions());
assertEquals(2, permissions.size());
for (Permission permission : permissions) {
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
}
}
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class PermissionClaimTest method configureAuthorization.
@Before
public void configureAuthorization() throws Exception {
ClientResource client = getClient(getRealm());
AuthorizationResource authorization = client.authorization();
claimAPolicy = new JSPolicyRepresentation();
claimAPolicy.setName("Claim A Policy");
claimAPolicy.setCode("$evaluation.getPermission().addClaim('claim-a', 'claim-a');$evaluation.getPermission().addClaim('claim-a', 'claim-a1');$evaluation.grant();");
authorization.policies().js().create(claimAPolicy).close();
claimBPolicy = new JSPolicyRepresentation();
claimBPolicy.setName("Policy Claim B");
claimBPolicy.setCode("$evaluation.getPermission().addClaim('claim-b', 'claim-b');$evaluation.grant();");
authorization.policies().js().create(claimBPolicy).close();
claimCPolicy = new JSPolicyRepresentation();
claimCPolicy.setName("Policy Claim C");
claimCPolicy.setCode("$evaluation.getPermission().addClaim('claim-c', 'claim-c');$evaluation.grant();");
authorization.policies().js().create(claimCPolicy).close();
denyPolicy = new JSPolicyRepresentation();
denyPolicy.setName("Deny Policy");
denyPolicy.setCode("$evaluation.getPermission().addClaim('deny-policy', 'deny-policy');$evaluation.deny();");
authorization.policies().js().create(denyPolicy).close();
}
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class PermissionManagementTest method testRemoveScopeFromResource.
@Test
public void testRemoveScopeFromResource() throws Exception {
ResourceRepresentation resource = addResource("Resource A", "kolo", true, "ScopeA", "ScopeB");
PermissionRequest permissionRequest = new PermissionRequest(resource.getId(), "ScopeA", "ScopeB");
AuthzClient authzClient = getAuthzClient();
PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
assertNotNull(response.getTicket());
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
try {
authzClient.authorization().authorize(request);
} catch (Exception e) {
}
AuthorizationResource authorization = getClient(getRealm()).authorization();
ResourceScopesResource scopes = authorization.scopes();
ScopeRepresentation removedScope = scopes.findByName("ScopeA");
List permissions = authzClient.protection().permission().findByScope(removedScope.getId());
assertFalse(permissions.isEmpty());
resource.setScopes(new HashSet<>());
resource.addScope("ScopeB");
authorization.resources().resource(resource.getId()).update(resource);
permissions = authzClient.protection().permission().findByScope(removedScope.getId());
assertTrue(permissions.isEmpty());
ScopeRepresentation scopeB = scopes.findByName("ScopeB");
permissions = authzClient.protection().permission().findByScope(scopeB.getId());
assertFalse(permissions.isEmpty());
}
use of org.keycloak.admin.client.resource.AuthorizationResource in project keycloak by keycloak.
the class ConflictingScopePermissionTest method testMartaCanAccessResourceA.
/**
* <p>Scope Read on Resource A has two conflicting permissions. One is granting access for Marta and the other for Kolo.
*
* <p>Scope Read should not be granted for Marta.
*/
@Test
public void testMartaCanAccessResourceA() throws Exception {
ClientResource client = getClient(getRealm());
AuthorizationResource authorization = client.authorization();
ResourceServerRepresentation settings = authorization.getSettings();
settings.setPolicyEnforcementMode(PolicyEnforcementMode.ENFORCING);
settings.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
authorization.update(settings);
Collection<Permission> permissions = getEntitlements("marta", "password");
assertEquals(1, permissions.size());
for (Permission permission : new ArrayList<>(permissions)) {
String resourceSetName = permission.getResourceName();
switch(resourceSetName) {
case "Resource A":
assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
permissions.remove(permission);
break;
case "Resource C":
assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
permissions.remove(permission);
break;
default:
fail("Unexpected permission for resource [" + resourceSetName + "]");
}
}
assertTrue(permissions.isEmpty());
}
Aggregations