Example 1 with PermissionsResource

Use of org.keycloak.admin.client.resource.PermissionsResource in project keycloak by keycloak.

The class PolicyEnforcerTest, method testUsingSubjectToken.

@Test
public void testUsingSubjectToken() {
    // Protect a new resource with a permission bound to a user-only policy
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation resource = createResource(clientResource, "Resource Subject Token", "/api/check-subject-token");
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getName());
    permission.addPolicy("Only User Policy");
    PermissionsResource permissions = clientResource.authorization().permissions();
    permissions.resource().create(permission).close();
    // Bearer-only enforcer: a request that carries no token must be denied with 403
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    OIDCHttpFacade httpFacade = createHttpFacade("/api/check-subject-token");
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
    // Obtain an access token for user "marta" via the authorization code flow
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    // The same request, now carrying the user's token as the subject, is granted
    httpFacade = createHttpFacade("/api/check-subject-token", token);
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
}
Also used: PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource), OAuthClient (org.keycloak.testsuite.util.OAuthClient), OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade), KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment), ClientResource (org.keycloak.admin.client.resource.ClientResource), PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer), AuthorizationContext (org.keycloak.AuthorizationContext), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation), AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest), Test (org.junit.Test)

Example 2 with PermissionsResource

Use of org.keycloak.admin.client.resource.PermissionsResource in project keycloak by keycloak.

The class DeployedScriptPolicyTest, method testCreatePermission.

@Test
public void testCreatePermission() {
    // Two deployed script policies: one that always grants, one that always denies
    AuthorizationResource authorization = getAuthorizationResource();
    PolicyRepresentation grantPolicy = new PolicyRepresentation();
    grantPolicy.setName("Grant Policy");
    grantPolicy.setType("script-policy-grant.js");
    authorization.policies().create(grantPolicy).close();
    PolicyRepresentation denyPolicy = new PolicyRepresentation();
    denyPolicy.setName("Deny Policy");
    denyPolicy.setType("script-policy-deny.js");
    authorization.policies().create(denyPolicy).close();
    // A resource permission backed only by the grant policy evaluates to PERMIT
    PermissionsResource permissions = authorization.permissions();
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("Test Deployed JS Permission");
    permission.addResource("Default Resource");
    permission.addPolicy(grantPolicy.getName());
    permissions.resource().create(permission).close();
    PolicyEvaluationRequest request = new PolicyEvaluationRequest();
    request.setUserId("marta");
    request.addResource("Default Resource");
    PolicyEvaluationResponse response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.PERMIT, response.getStatus());
    // Adding the deny policy flips the result: with the default (unanimous) strategy every policy must grant
    permission = permissions.resource().findByName(permission.getName());
    permission.addPolicy(denyPolicy.getName());
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.DENY, response.getStatus());
    // Re-adding the grant policy changes nothing; the deny policy still vetoes the decision
    permission.addPolicy(grantPolicy.getName());
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.DENY, response.getStatus());
    // With the AFFIRMATIVE strategy a single granting policy is enough
    permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.PERMIT, response.getStatus());
}
Also used: PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation), JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation), PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource), PolicyEvaluationResponse (org.keycloak.representations.idm.authorization.PolicyEvaluationResponse), PolicyEvaluationRequest (org.keycloak.representations.idm.authorization.PolicyEvaluationRequest), AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource), ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation), Test (org.junit.Test), AbstractAuthzTest (org.keycloak.testsuite.authz.AbstractAuthzTest)

Example 3 with PermissionsResource

Use of org.keycloak.admin.client.resource.PermissionsResource in project keycloak by keycloak.

The class PolicyEnforcerTest, method testLazyLoadPaths.

@Test
public void testLazyLoadPaths() {
    // Register 200 resources of type "test", each mapped to its own URI
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    for (int i = 0; i < 200; i++) {
        ResourceRepresentation representation = new ResourceRepresentation();
        representation.setType("test");
        representation.setName("Resource " + i);
        representation.setUri("/api/" + i);
        javax.ws.rs.core.Response response = clientResource.authorization().resources().create(representation);
        representation.setId(response.readEntity(ResourceRepresentation.class).getId());
        response.close();
    }
    // One type-based permission covers all of them
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("Test Permission");
    permission.setResourceType("test");
    permission.addPolicy("Only User Policy");
    PermissionsResource permissions = clientResource.authorization().permissions();
    permissions.resource().create(permission).close();
    // Without lazy loading the enforcer fetches every protected path up front
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    assertEquals(205, policyEnforcer.getPaths().size());
    // With lazy loading nothing is known until a request for a path arrives
    deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json"));
    policyEnforcer = deployment.getPolicyEnforcer();
    assertEquals(0, policyEnforcer.getPathMatcher().getPathCache().size());
    assertEquals(0, policyEnforcer.getPaths().size());
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    // The path cache grows exactly with the distinct paths that have been enforced
    for (int i = 0; i < 101; i++) {
        policyEnforcer.enforce(createHttpFacade("/api/" + i, token));
    }
    assertEquals(101, policyEnforcer.getPathMatcher().getPathCache().size());
    for (int i = 101; i < 200; i++) {
        policyEnforcer.enforce(createHttpFacade("/api/" + i, token));
    }
    assertEquals(200, policyEnforcer.getPathMatcher().getPathCache().size());
    assertEquals(0, policyEnforcer.getPaths().size());
    // Removing the "Root" resource and using a lazy-load configuration with explicit paths still grants /api/0
    ResourceRepresentation resource = clientResource.authorization().resources().findByName("Root").get(0);
    clientResource.authorization().resources().resource(resource.getId()).remove();
    deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload-with-paths.json"));
    policyEnforcer = deployment.getPolicyEnforcer();
    AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api/0", token));
    assertTrue(context.isGranted());
}
Also used: OAuthClient (org.keycloak.testsuite.util.OAuthClient), AuthorizationContext (org.keycloak.AuthorizationContext), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation), PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource), KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment), ClientResource (org.keycloak.admin.client.resource.ClientResource), PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer), AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest), Test (org.junit.Test)

Example 4 with PermissionsResource

Use of org.keycloak.admin.client.resource.PermissionsResource in project keycloak by keycloak.

The class PolicyEnforcerTest, method testUsingInvalidToken.

@Test
public void testUsingInvalidToken() {
    // Protect a resource with a permission bound to a user-only policy
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation resource = createResource(clientResource, "Resource Subject Invalid Token", "/api/check-subject-token");
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getName());
    permission.addPolicy("Only User Policy");
    PermissionsResource permissions = clientResource.authorization().permissions();
    permissions.resource().create(permission).close();
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    OIDCHttpFacade httpFacade = createHttpFacade("/api/check-subject-token");
    // Log "marta" in and obtain an access token
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    // While the session is alive the token is accepted
    httpFacade = createHttpFacade("/api/check-subject-token", token);
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    // After logout the same token is no longer valid and the request is denied
    oauth.doLogout(response.getRefreshToken(), null);
    context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
}
Also used: PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource), OAuthClient (org.keycloak.testsuite.util.OAuthClient), OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade), KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment), ClientResource (org.keycloak.admin.client.resource.ClientResource), PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer), AuthorizationContext (org.keycloak.AuthorizationContext), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation), AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest), Test (org.junit.Test)

Example 5 with PermissionsResource

Use of org.keycloak.admin.client.resource.PermissionsResource in project keycloak by keycloak.

The class PolicyEnforcerTest, method testMatchHttpVerbsToScopes.

@Test
public void testMatchHttpVerbsToScopes() {
    // Resource permission that always grants; the enforcer config maps HTTP verbs to scopes
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation resource = createResource(clientResource, "Resource With HTTP Scopes", "/api/resource-with-scope");
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getName());
    permission.addPolicy("Always Grant Policy");
    PermissionsResource permissions = clientResource.authorization().permissions();
    permissions.resource().create(permission).close();
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-match-http-verbs-scopes.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();
    // A GET is denied while the resource has no scope named GET
    OIDCHttpFacade httpFacade = createHttpFacade("/api/resource-with-scope", token);
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertFalse("Should fail because resource does not have any scope named GET", context.isGranted());
    assertEquals(403, TestResponse.class.cast(httpFacade.getResponse()).getStatus());
    // Once GET and POST scopes exist on the resource, both verbs are granted
    resource.addScope("GET", "POST");
    clientResource.authorization().resources().resource(resource.getId()).update(resource);
    deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-match-http-verbs-scopes.json"));
    policyEnforcer = deployment.getPolicyEnforcer();
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    httpFacade = createHttpFacade("/api/resource-with-scope", token, "POST");
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    // create a PATCH scope without associating it with the resource so that a PATCH request is denied accordingly even though
    // the scope exists on the server
    clientResource.authorization().scopes().create(new ScopeRepresentation("PATCH"));
    httpFacade = createHttpFacade("/api/resource-with-scope", token, "PATCH");
    context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    // A scope permission that always denies GET overrides the resource-level grant for that verb
    ScopePermissionRepresentation postPermission = new ScopePermissionRepresentation();
    postPermission.setName("GET permission");
    postPermission.addScope("GET");
    postPermission.addPolicy("Always Deny Policy");
    permissions.scope().create(postPermission).close();
    httpFacade = createHttpFacade("/api/resource-with-scope", token);
    context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    // Switch the GET scope permission to the grant policy and obtain an RPT from the authorization endpoint
    postPermission = permissions.scope().findByName(postPermission.getName());
    postPermission.addScope("GET");
    postPermission.addPolicy("Always Grant Policy");
    permissions.scope().findById(postPermission.getId()).update(postPermission);
    AuthzClient authzClient = getAuthzClient("default-keycloak.json");
    AuthorizationResponse authorize = authzClient.authorization(token).authorize();
    token = authorize.getToken();
    httpFacade = createHttpFacade("/api/resource-with-scope", token);
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    httpFacade = createHttpFacade("/api/resource-with-scope", token, "POST");
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    // Back to deny on GET: a fresh RPT no longer carries the GET scope, POST is unaffected
    postPermission = permissions.scope().findByName(postPermission.getName());
    postPermission.addScope("GET");
    postPermission.addPolicy("Always Deny Policy");
    permissions.scope().findById(postPermission.getId()).update(postPermission);
    authorize = authzClient.authorization(token).authorize();
    token = authorize.getToken();
    httpFacade = createHttpFacade("/api/resource-with-scope", token);
    context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
    httpFacade = createHttpFacade("/api/resource-with-scope", token, "POST");
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    // Grant GET again: both verbs are allowed with a new RPT
    postPermission = permissions.scope().findByName(postPermission.getName());
    postPermission.addScope("GET");
    postPermission.addPolicy("Always Grant Policy");
    permissions.scope().findById(postPermission.getId()).update(postPermission);
    authorize = authzClient.authorization(token).authorize();
    token = authorize.getToken();
    httpFacade = createHttpFacade("/api/resource-with-scope", token);
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    httpFacade = createHttpFacade("/api/resource-with-scope", token, "POST");
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    // Deny the POST scope and request an RPT limited to the GET scope: GET passes, POST is denied
    postPermission = permissions.scope().findByName(postPermission.getName());
    postPermission.addScope("POST");
    postPermission.addPolicy("Always Deny Policy");
    permissions.scope().findById(postPermission.getId()).update(postPermission);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "GET");
    authorize = authzClient.authorization(token).authorize(request);
    token = authorize.getToken();
    httpFacade = createHttpFacade("/api/resource-with-scope", token);
    context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());
    httpFacade = createHttpFacade("/api/resource-with-scope", token, "POST");
    context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
}
Also used: AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest), OAuthClient (org.keycloak.testsuite.util.OAuthClient), OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade), AuthorizationContext (org.keycloak.AuthorizationContext), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation), AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse), PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource), AuthzClient (org.keycloak.authorization.client.AuthzClient), KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment), ClientResource (org.keycloak.admin.client.resource.ClientResource), PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer), ScopeRepresentation (org.keycloak.representations.idm.authorization.ScopeRepresentation), ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation), AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest), Test (org.junit.Test)

Aggregations (type, number of examples above that use it)

Test (org.junit.Test): 5
PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource): 5
ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation): 5
AuthorizationContext (org.keycloak.AuthorizationContext): 4
KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment): 4
PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer): 4
ClientResource (org.keycloak.admin.client.resource.ClientResource): 4
ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation): 4
AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest): 4
OAuthClient (org.keycloak.testsuite.util.OAuthClient): 4
OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade): 3
AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource): 1
AuthzClient (org.keycloak.authorization.client.AuthzClient): 1
AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest): 1
AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse): 1
JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation): 1
PolicyEvaluationRequest (org.keycloak.representations.idm.authorization.PolicyEvaluationRequest): 1
PolicyEvaluationResponse (org.keycloak.representations.idm.authorization.PolicyEvaluationResponse): 1
PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation): 1
ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation): 1