
Example 6 with AuthorizationDeniedException


the class UserManagedAccessTest method testOnlyOwnerCanAccessResourceWithType.

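/**
 * Makes sure permissions granted to a typed resource instance do not grant access to other resource
 * instances of the same type. "Resource A" and "Resource B" share the type of a client-owned resource;
 * a type-wide "Only Owner Policy" permission is created, and the test then checks that another user
 * is denied, gains access only after the owner grants the pending permission tickets, and is denied
 * again once those tickets are deleted.
 *
 * @throws Exception if the server-side setup or an authorization request fails unexpectedly
 */
@Test
public void testOnlyOwnerCanAccessResourceWithType() throws Exception {
    // Client-owned resource that defines the type; the user-owned resources below reuse it.
    ResourceRepresentation typedResource = addResource("Typed Resource", getClient(getRealm()).toRepresentation().getId(), false, "ScopeA", "ScopeB");
    typedResource.setType("my:resource");
    getClient(getRealm()).authorization().resources().resource(typedResource.getId()).update(typedResource);

    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    resource.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resource.getId()).update(resource);

    ResourceRepresentation resourceB = addResource("Resource B", "marta", true, "ScopeA", "ScopeB");
    resourceB.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resourceB.getId()).update(resourceB);

    // Type-wide permission: only the owner of an instance of this type may access it.
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getType() + " Permission");
    permission.setResourceType(resource.getType());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();

    // The owner obtains an RPT carrying both scopes of Resource A.
    AuthorizationResponse response = authorize("marta", "password", resource.getName(), new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());

    // A different user is denied; the denial leaves pending permission tickets for the owner.
    try {
        authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // expected: kolo does not own Resource A and nothing has been granted yet
    }

    // The owner grants every pending ticket for Resource A.
    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    assertFalse(tickets.isEmpty());
    for (PermissionTicketRepresentation ticket : tickets) {
        ticket.setGranted(true);
        getAuthzClient().protection().permission().update(ticket);
    }

    // kolo can now obtain an RPT. The permissions must be read from *this* token: the previous
    // version of the test re-read the owner's (already consumed) permissions, so it checked nothing.
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to resource from another user");
    }
    rpt = response.getToken();
    assertNotNull(rpt);
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());

    // Deleting the tickets revokes the grant and kolo is denied again.
    for (PermissionTicketRepresentation ticket : tickets) {
        getAuthzClient().protection().permission().delete(ticket.getId());
    }
    tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    assertEquals(0, tickets.size());
    try {
        authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // expected: the grant was revoked together with the tickets
    }
}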

Example 7 with AuthorizationDeniedException


the class UserManagedAccessTest method testUserGrantsAccessToResourceWithoutScopes.

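/**
 * Verifies the UMA sharing flow for a resource that defines no scopes: the owner can obtain an RPT, a
 * second user is denied until the owner grants the resulting permission ticket, the granted ticket keeps
 * working for further RPT requests, and deleting the ticket removes it from the ticket listing.
 *
 * @throws Exception if the server-side setup or an authorization request fails unexpectedly
 */
@Test
public void testUserGrantsAccessToResourceWithoutScopes() throws Exception {
    resource = addResource("Resource A", "marta", true);
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();

    // The owner is granted the resource itself; no scopes are involved.
    assertRptGrantsResource("marta", "Resource A", "Resource A");

    // Another user is denied; the denial registers a permission ticket for the owner to decide on.
    // (The failure message used to say "should have access", the opposite of what this block checks.)
    try {
        authorize("kolo", "password", resource.getId(), new String[] {});
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // expected: kolo has not been granted access yet
    }
    PermissionResource permissionResource = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertFalse(ticket.isGranted());
        ticket.setGranted(true);
        permissionResource.update(ticket);
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }

    // Once granted, kolo obtains an RPT; a second request reuses the same grant.
    assertRptGrantsResource("kolo", resource.getId(), resource.getName());
    assertRptGrantsResource("kolo", resource.getId(), resource.getName());

    // The ticket is still there and still granted, and deleting it empties the listing.
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        permissionResource.delete(ticket.getId());
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(0, permissionTickets.size());
}

/**
 * Requests an RPT for {@code resourceNameOrId} as {@code username} (password "password") and checks
 * that the token grants exactly {@code expectedResourceName} with no scopes.
 *
 * @param username             user requesting the RPT
 * @param resourceNameOrId     resource name or id passed to {@code authorize}
 * @param expectedResourceName resource name the RPT's permissions are matched against
 */
private void assertRptGrantsResource(String username, String resourceNameOrId, String expectedResourceName) {
    AuthorizationResponse response = authorize(username, "password", resourceNameOrId, new String[] {});
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, expectedResourceName);
    // assertPermissions strips the matched entry, so nothing else may remain in the token.
    assertTrue(permissions.isEmpty());
}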

Example 8 with AuthorizationDeniedException


the class GroupNamePolicyTest method testExactNameMatch.

/**
 * Group-name policy with an exact group match: marta obtains an RPT for "Resource A", while kolo,
 * alice and the client's own service account are denied with the same permission ticket (the failure
 * messages attribute the denials to missing group membership).
 */
@Test
public void testExactNameMatch() {
    AuthzClient client = getAuthzClient();
    String ticket = client.protection().permission().create(new PermissionRequest("Resource A")).getTicket();

    AuthorizationResponse granted = client.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(granted.getToken());

    // Regular users outside the expected group are rejected.
    for (String deniedUser : new String[] { "kolo", "alice" }) {
        try {
            client.authorization(deniedUser, "password").authorize(new AuthorizationRequest(ticket));
            fail("Should fail because user is not granted with expected group");
        } catch (AuthorizationDeniedException ignore) {
        }
    }

    // The service account (client credentials) is rejected as well.
    String serviceAccountToken = client.obtainAccessToken().getToken();
    try {
        client.authorization(serviceAccountToken).authorize(new AuthorizationRequest(ticket));
        fail("Should fail because service account is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
}

Example 9 with AuthorizationDeniedException


the class GroupNamePolicyTest method testOnlyChildrenPolicy.

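/**
 * Checks the "only children" group policy: for "Resource B" kolo and marta are denied while alice is
 * granted (the failure messages attribute the denials to group/role membership); kolo is still granted
 * for "Resource C", which is not covered by that policy.
 *
 * <p>The unused {@code RealmResource realm = getRealm()} local of the previous version was dropped.
 *
 * @throws Exception if an authorization request fails unexpectedly
 */
@Test
public void testOnlyChildrenPolicy() throws Exception {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource B");
    String ticket = authzClient.protection().permission().create(request).getTicket();

    try {
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
        // expected: kolo is not in a child of the expected group
    }

    AuthorizationResponse response = authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());

    try {
        authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException ignore) {
        // expected: marta is not granted either
    }

    // A different resource, not protected by the children-only policy: kolo is authorized here.
    request = new PermissionRequest("Resource C");
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}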

Example 10 with AuthorizationDeniedException


the class KeycloakAdapterPolicyEnforcer method requestAuthorizationToken.

/**
 * Asks the authorization server for an RPT covering {@code pathConfig} with the scopes of
 * {@code methodConfig} on behalf of the already-authenticated user, and returns the verified token.
 *
 * <p>Returns {@code null} when user-managed access is configured, when the server returns no
 * response, when authorization is denied, or when any other failure occurs. Every failure is only
 * logged at DEBUG level, so a deployment that wants to see denied or failed authorization attempts
 * (e.g. for alerting) must enable debug logging for this logger; nothing is surfaced to the caller.
 *
 * @param pathConfig   the protected path; its id is passed as the resource of the requested permission
 * @param methodConfig the HTTP method configuration supplying the requested scopes
 * @param httpFacade   the current request, used for the security context and the authorization scheme
 * @param claims       extra claims pushed to the server; only sent when non-empty (assumed non-null —
 *                     an empty map is the "no claims" case)
 * @return the verified RPT, or {@code null} if none could be obtained
 */
private AccessToken requestAuthorizationToken(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade, Map<String, List<String>> claims) {
    // Nothing is requested here when user-managed access is configured; presumably the UMA flow is
    // handled by the caller.
    if (getEnforcerConfig().getUserManagedAccess() != null) {
        return null;
    }
    try {
        KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();
        String accessTokenString = securityContext.getTokenString();
        KeycloakDeployment deployment = getPolicyEnforcer().getDeployment();
        AccessToken accessToken = securityContext.getToken();
        AuthorizationRequest authzRequest = new AuthorizationRequest();
        // Request the path's resource/scopes for bearer requests, or when the current token already
        // carries an authorization section (i.e. it is an RPT being extended).
        if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
            authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
        }
        // Claims are pushed as base64-encoded JSON, declared with the JWT token-type format.
        // NOTE(review): this payload is not a signed JWT; the server side must treat it as
        // client-asserted data, not as authenticated claims — confirm against the server's handling.
        if (!claims.isEmpty()) {
            authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
            authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
        }
        // A token that already has permissions is sent back as the current RPT.
        if (accessToken.getAuthorization() != null) {
            authzRequest.setRpt(accessTokenString);
        }
        LOGGER.debug("Obtaining authorization for authenticated user.");
        AuthorizationResponse authzResponse;
        // Bearer requests pass the user's token as subject token and use the client's own
        // authorization endpoint; otherwise the user's token authenticates the request directly.
        if (isBearerAuthorization(httpFacade)) {
            authzRequest.setSubjectToken(accessTokenString);
            authzResponse = getAuthzClient().authorization().authorize(authzRequest);
        } else {
            authzResponse = getAuthzClient().authorization(accessTokenString).authorize(authzRequest);
        }
        // The returned RPT is run through the deployment's token verifier before it is handed out.
        if (authzResponse != null) {
            return AdapterTokenVerifier.verifyToken(authzResponse.getToken(), deployment);
        }
    } catch (AuthorizationDeniedException ignore) {
        // Denial is an expected outcome: logged at DEBUG only, caller gets null.
        LOGGER.debug("Authorization denied", ignore);
    } catch (Exception e) {
        // Any other failure (transport, serialization, verification) is also folded into null.
        LOGGER.debug("Authorization failed", e);
    }
    return null;
}
