
Example 6 with RoleMappingResource

use of org.keycloak.admin.client.resource.RoleMappingResource in project keycloak by keycloak.

In class GroupTest, method adminEndpointAccessibleWhenAdminRoleAssignedToUser.

/**
 * Verifies that a user who is granted the master-realm admin role directly on the user
 * can reach the Keycloak Admin endpoint with that user's own credentials.
 * @link https://issues.jboss.org/browse/KEYCLOAK-2964
 */
@Test
public void adminEndpointAccessibleWhenAdminRoleAssignedToUser() {
    String realmName = AuthRealm.MASTER;
    String userName = "user-" + UUID.randomUUID();
    String password = "pwd";
    RealmResource masterRealm = adminClient.realms().realm(realmName);

    // The admin role must already exist in the master realm before it can be mapped.
    RoleRepresentation adminRole = masterRealm.roles().get(AdminRoles.ADMIN).toRepresentation();
    assertThat(adminRole, notNullValue());
    assertThat(adminRole.getId(), notNullValue());

    // NOTE(review): no cleanup of this master-realm admin user is visible in this method — confirm the class removes it.
    String userId = createUser(realmName, userName, password);
    assertThat(userId, notNullValue());

    // Grant the admin role directly on the user's realm-level role mappings.
    RoleMappingResource userRoleMappings = masterRealm.users().get(userId).roles();
    userRoleMappings.realmLevel().add(Collections.singletonList(adminRole));

    // Authenticate as the new user and perform an arbitrary admin operation; listing realms will do.
    String authServerUrl = getAuthServerContextRoot() + "/auth";
    try (Keycloak userClient = Keycloak.getInstance(authServerUrl, realmName, userName, password,
            Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {
        assertThat(userClient.realms().findAll(), not(empty()));
    }
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) Keycloak(org.keycloak.admin.client.Keycloak) RoleMappingResource(org.keycloak.admin.client.resource.RoleMappingResource) Test(org.junit.Test)

Example 7 with RoleMappingResource

use of org.keycloak.admin.client.resource.RoleMappingResource in project keycloak by keycloak.

In class GroupTest, method adminEndpointAccessibleWhenAdminRoleAssignedToGroupAfterUserJoinedIt.

/**
 * Verifies that the master-realm admin role mapped onto a group becomes effective for a user
 * who joined the group before the mapping was made, when that user calls the Keycloak Admin endpoint.
 * @link https://issues.jboss.org/browse/KEYCLOAK-2964
 */
@Test
public void adminEndpointAccessibleWhenAdminRoleAssignedToGroupAfterUserJoinedIt() {
    String realmName = AuthRealm.MASTER;
    String userName = "user-" + UUID.randomUUID();
    String groupName = "group-" + UUID.randomUUID();
    String password = "pwd";
    RealmResource masterRealm = adminClient.realms().realm(realmName);

    // The admin role must already exist in the master realm before it can be mapped.
    RoleRepresentation adminRole = masterRealm.roles().get(AdminRoles.ADMIN).toRepresentation();
    assertThat(adminRole, notNullValue());
    assertThat(adminRole.getId(), notNullValue());

    // NOTE(review): no cleanup of this user or group is visible in this method — confirm the class removes them.
    String userId = createUser(realmName, userName, password);

    // Order matters for the scenario: create the group, let the user join, and only then map the role.
    GroupRepresentation newGroup = GroupBuilder.create().name(groupName).build();
    try (Response createGroupResponse = masterRealm.groups().add(newGroup)) {
        String groupId = ApiUtil.getCreatedId(createGroupResponse);
        masterRealm.users().get(userId).joinGroup(groupId);
        RoleMappingResource groupRoleMappings = masterRealm.groups().group(groupId).roles();
        groupRoleMappings.realmLevel().add(Collections.singletonList(adminRole));
    }

    // Authenticate as the new user and perform an arbitrary admin operation; listing realms will do.
    String authServerUrl = getAuthServerContextRoot() + "/auth";
    try (Keycloak userClient = Keycloak.getInstance(authServerUrl, realmName, userName, password,
            Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {
        assertThat(userClient.realms().findAll(), not(empty()));
    }
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) Response(javax.ws.rs.core.Response) GroupRepresentation(org.keycloak.representations.idm.GroupRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) Keycloak(org.keycloak.admin.client.Keycloak) RoleMappingResource(org.keycloak.admin.client.resource.RoleMappingResource) Test(org.junit.Test)

Example 8 with RoleMappingResource

use of org.keycloak.admin.client.resource.RoleMappingResource in project openremote by openremote.

In class ManagerKeycloakIdentityProvider, method getRoles.

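/**
 * Lists every role defined on the {@code KEYCLOAK_CLIENT_ID} client in the given realm and
 * marks which of them are effectively assigned to the user (directly or through composites,
 * as reported by Keycloak's client-level effective role mappings).
 *
 * @param clientRequestInfo caller context handed to {@code getRealms} to obtain the admin resource
 * @param realm             name of the realm the user belongs to
 * @param userId            Keycloak id of the user whose assignments are checked
 * @return one {@code Role} per client role, in the order Keycloak lists them; never {@code null}
 * @throws IllegalStateException if no client with {@code KEYCLOAK_CLIENT_ID} exists in the realm
 */
@Override
public Role[] getRoles(ClientRequestInfo clientRequestInfo, String realm, String userId) {
    RoleMappingResource roleMappingResource = getRealms(clientRequestInfo).realm(realm).users().get(userId).roles();
    ClientsResource clientsResource = getRealms(clientRequestInfo).realm(realm).clients();

    // findByClientId returns a (possibly empty) list; report a missing client explicitly instead of
    // letting get(0) surface as an IndexOutOfBoundsException.
    String clientId = clientsResource.findByClientId(KEYCLOAK_CLIENT_ID).stream()
            .findFirst()
            .map(client -> client.getId())
            .orElseThrow(() -> new IllegalStateException(
                    "Keycloak client '" + KEYCLOAK_CLIENT_ID + "' not found in realm '" + realm + "'"));

    RolesResource rolesResource = clientsResource.get(clientId).roles();
    List<RoleRepresentation> allRoles = rolesResource.list();
    List<RoleRepresentation> effectiveRoles = roleMappingResource.clientLevel(clientId).listEffective();

    // Index the effective role ids once so each membership check below is a hash lookup rather
    // than a full scan (the original nested loop did not even break on the first match).
    java.util.Set<String> effectiveRoleIds = new java.util.HashSet<>();
    for (RoleRepresentation effectiveRole : effectiveRoles) {
        effectiveRoleIds.add(effectiveRole.getId());
    }

    List<Role> roles = new ArrayList<>(allRoles.size());
    for (RoleRepresentation roleRepresentation : allRoles) {
        boolean isAssigned = effectiveRoleIds.contains(roleRepresentation.getId());
        roles.add(new Role(roleRepresentation.getId(), roleRepresentation.getName(), roleRepresentation.isComposite(), isAssigned));
    }
    return roles.toArray(new Role[0]);
}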
Also used : ClientsResource(org.keycloak.admin.client.resource.ClientsResource) ArrayList(java.util.ArrayList) RolesResource(org.keycloak.admin.client.resource.RolesResource) RoleMappingResource(org.keycloak.admin.client.resource.RoleMappingResource)

Example 9 with RoleMappingResource

use of org.keycloak.admin.client.resource.RoleMappingResource in project keycloak by keycloak.

In class ClientScopeTest, method rolesCanBeAddedToScopeEvenWhenTheyAreAlreadyIndirectlyAssigned.

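/**
 * Test for KEYCLOAK-10603: a role that is already effective on a client scope through a
 * composite role can still be mapped onto the scope directly, and the all/available/effective
 * listings reflect the state before and after that direct mapping, at realm and client level.
 */
@Test
public void rolesCanBeAddedToScopeEvenWhenTheyAreAlreadyIndirectlyAssigned() {
    RealmResource realm = testRealmResource();

    ClientScopeRepresentation clientScopeRep = new ClientScopeRepresentation();
    clientScopeRep.setName("my-scope");
    String clientScopeId = createClientScope(clientScopeRep);

    // Realm roles: realm-composite contains realm-child.
    createRealmRole("realm-composite");
    createRealmRole("realm-child");
    RoleRepresentation realmChildRole = realm.roles().get("realm-child").toRepresentation();
    realm.roles().get("realm-composite").addComposites(Collections.singletonList(realmChildRole));

    // Client that hosts the client roles. try-with-resources releases the JAX-RS response even
    // when getCreatedId fails (the previous manual close() was skipped on that path).
    String roleContainerClientUuid;
    try (Response response = realm.clients().create(ClientBuilder.create().clientId("role-container-client").build())) {
        roleContainerClientUuid = ApiUtil.getCreatedId(response);
    }
    getCleanup().addClientUuid(roleContainerClientUuid);

    // Client roles: client-composite contains client-child.
    realm.clients().get(roleContainerClientUuid).roles().create(RoleBuilder.create().name("client-composite").build());
    realm.clients().get(roleContainerClientUuid).roles().create(RoleBuilder.create().name("client-child").build());
    RoleRepresentation clientChildRole = realm.clients().get(roleContainerClientUuid).roles().get("client-child").toRepresentation();
    realm.clients().get(roleContainerClientUuid).roles().get("client-composite").addComposites(Collections.singletonList(clientChildRole));

    // Make indirect assignments: map only the composite roles onto the scope.
    RoleMappingResource scopesResource = realm.clientScopes().get(clientScopeId).getScopeMappings();
    scopesResource.realmLevel().add(Collections.singletonList(realm.roles().get("realm-composite").toRepresentation()));
    scopesResource.clientLevel(roleContainerClientUuid).add(Collections.singletonList(realm.clients().get(roleContainerClientUuid).roles().get("client-composite").toRepresentation()));

    // State before the direct assignments: the children are effective but still listed as available.
    assertNames(scopesResource.realmLevel().listAll(), "realm-composite");
    assertNames(scopesResource.realmLevel().listAvailable(), "realm-child", "offline_access", Constants.AUTHZ_UMA_AUTHORIZATION, Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertNames(scopesResource.realmLevel().listEffective(), "realm-composite", "realm-child");
    assertNames(scopesResource.clientLevel(roleContainerClientUuid).listAll(), "client-composite");
    assertNames(scopesResource.clientLevel(roleContainerClientUuid).listAvailable(), "client-child");
    assertNames(scopesResource.clientLevel(roleContainerClientUuid).listEffective(), "client-composite", "client-child");

    // Direct assignments of roles that are already indirectly assigned must be accepted (KEYCLOAK-10603).
    scopesResource.realmLevel().add(Collections.singletonList(realmChildRole));
    scopesResource.clientLevel(roleContainerClientUuid).add(Collections.singletonList(clientChildRole));

    // Realm roles: the child now appears in "all" and is no longer available.
    assertNames(scopesResource.realmLevel().listAll(), "realm-composite", "realm-child");
    assertNames(scopesResource.realmLevel().listAvailable(), "offline_access", Constants.AUTHZ_UMA_AUTHORIZATION, Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertNames(scopesResource.realmLevel().listEffective(), "realm-composite", "realm-child");

    // Client roles: likewise, nothing is left available on the role container client.
    assertNames(scopesResource.clientLevel(roleContainerClientUuid).listAll(), "client-composite", "client-child");
    assertNames(scopesResource.clientLevel(roleContainerClientUuid).listAvailable());
    assertNames(scopesResource.clientLevel(roleContainerClientUuid).listEffective(), "client-composite", "client-child");
}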
Also used : Response(javax.ws.rs.core.Response) RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) ClientScopeRepresentation(org.keycloak.representations.idm.ClientScopeRepresentation) RoleMappingResource(org.keycloak.admin.client.resource.RoleMappingResource) Test(org.junit.Test)

Example 10 with RoleMappingResource

use of org.keycloak.admin.client.resource.RoleMappingResource in project keycloak by keycloak.

In class ClientScopeTest, method testScopes.

/**
 * Adds and then removes realm-level and client-level scope mappings on a client scope,
 * checking the admin event emitted by each mutation and the all/available/effective
 * listings after the additions and after the removals.
 */
@Test
public void testScopes() {
    // Realm roles: realm-composite contains realm-child.
    RoleRepresentation realmCompositeRole = createRealmRole("realm-composite");
    RoleRepresentation realmChildRole = createRealmRole("realm-child");
    List<RoleRepresentation> realmChildOnly = Collections.singletonList(realmChildRole);
    List<RoleRepresentation> realmCompositeOnly = Collections.singletonList(realmCompositeRole);
    testRealmResource().roles().get("realm-composite").addComposites(realmChildOnly);
    assertAdminEvents.assertEvent(getRealmId(), OperationType.CREATE, AdminEventPaths.roleResourceCompositesPath("realm-composite"), realmChildOnly, ResourceType.REALM_ROLE);

    // Client scope under test.
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("bar-scope");
    String clientScopeId = createClientScope(clientScope);

    // Client role of the account-management client, mapped at client level below.
    String accountClientUuid = testRealmResource().clients().findByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).get(0).getId();
    RoleRepresentation viewProfileRole = testRealmResource().clients().get(accountClientUuid).roles().get(AccountRoles.VIEW_PROFILE).toRepresentation();
    List<RoleRepresentation> viewProfileOnly = Collections.singletonList(viewProfileRole);

    // Add one realm-level and one client-level mapping; each must produce a CREATE admin event.
    RoleMappingResource scopeMappings = clientScopes().get(clientScopeId).getScopeMappings();
    scopeMappings.realmLevel().add(realmCompositeOnly);
    assertAdminEvents.assertEvent(getRealmId(), OperationType.CREATE, AdminEventPaths.clientScopeRoleMappingsRealmLevelPath(clientScopeId), realmCompositeOnly, ResourceType.REALM_SCOPE_MAPPING);
    scopeMappings.clientLevel(accountClientUuid).add(viewProfileOnly);
    assertAdminEvents.assertEvent(getRealmId(), OperationType.CREATE, AdminEventPaths.clientScopeRoleMappingsClientLevelPath(clientScopeId, accountClientUuid), viewProfileOnly, ResourceType.CLIENT_SCOPE_MAPPING);

    // Mappings are visible, and realm-child is effective through the composite.
    assertNames(scopeMappings.realmLevel().listAll(), "realm-composite");
    assertNames(scopeMappings.realmLevel().listAvailable(), "realm-child", Constants.OFFLINE_ACCESS_ROLE, Constants.AUTHZ_UMA_AUTHORIZATION, Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertNames(scopeMappings.realmLevel().listEffective(), "realm-composite", "realm-child");
    assertNames(scopeMappings.clientLevel(accountClientUuid).listAll(), AccountRoles.VIEW_PROFILE);

    // The aggregated view reports the same mappings.
    MappingsRepresentation mappingsRep = clientScopes().get(clientScopeId).getScopeMappings().getAll();
    assertNames(mappingsRep.getRealmMappings(), "realm-composite");
    assertNames(mappingsRep.getClientMappings().get(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getMappings(), AccountRoles.VIEW_PROFILE);

    // Remove both mappings; each must produce a DELETE admin event.
    scopeMappings.realmLevel().remove(realmCompositeOnly);
    assertAdminEvents.assertEvent(getRealmId(), OperationType.DELETE, AdminEventPaths.clientScopeRoleMappingsRealmLevelPath(clientScopeId), realmCompositeOnly, ResourceType.REALM_SCOPE_MAPPING);
    scopeMappings.clientLevel(accountClientUuid).remove(viewProfileOnly);
    assertAdminEvents.assertEvent(getRealmId(), OperationType.DELETE, AdminEventPaths.clientScopeRoleMappingsClientLevelPath(clientScopeId, accountClientUuid), viewProfileOnly, ResourceType.CLIENT_SCOPE_MAPPING);

    // Nothing is mapped or effective any more; every realm role is available again.
    assertNames(scopeMappings.realmLevel().listAll());
    assertNames(scopeMappings.realmLevel().listAvailable(), "realm-composite", "realm-child", Constants.OFFLINE_ACCESS_ROLE, Constants.AUTHZ_UMA_AUTHORIZATION, Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertNames(scopeMappings.realmLevel().listEffective());
    assertNames(scopeMappings.clientLevel(accountClientUuid).listAll());

    removeClientScope(clientScopeId);
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) MappingsRepresentation(org.keycloak.representations.idm.MappingsRepresentation) ClientScopeRepresentation(org.keycloak.representations.idm.ClientScopeRepresentation) RoleMappingResource(org.keycloak.admin.client.resource.RoleMappingResource) Test(org.junit.Test)
