use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class UserManagedAccessTest method testOnlyOwnerCanAccessResourceWithType.
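/**
 * Makes sure a permission bound to a resource type is enforced per instance: what is granted
 * for one typed resource instance must not leak to other instances of the same type.
 *
 * <p>Setup: a client-owned resource of type {@code my:resource}, two user-owned ("marta")
 * instances of that same type, and a resource-type permission backed by "Only Owner Policy".
 * The flow then is: the owner obtains an RPT for Resource A; another user ("kolo") is denied;
 * once the owner grants kolo's permission tickets, kolo receives an RPT whose permissions are
 * checked from that newly issued token (not from the owner's); deleting the tickets revokes
 * access again.
 *
 * @throws Exception if the test setup fails
 */
@Test
public void testOnlyOwnerCanAccessResourceWithType() throws Exception {
    String[] scopes = new String[] { "ScopeA", "ScopeB" };
    String clientId = getClient(getRealm()).toRepresentation().getId();

    ResourceRepresentation typedResource = addResource("Typed Resource", clientId, false, "ScopeA", "ScopeB");
    typedResource.setType("my:resource");
    getClient(getRealm()).authorization().resources().resource(typedResource.getId()).update(typedResource);

    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    resource.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resource.getId()).update(resource);

    // A second instance of the same type; a grant on Resource A must not reach it.
    ResourceRepresentation resourceB = addResource("Resource B", "marta", true, "ScopeA", "ScopeB");
    resourceB.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resourceB.getId()).update(resourceB);

    // The permission is defined on the type, not on a single instance.
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getType() + " Permission");
    permission.setResourceType(resource.getType());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();

    // Owner: the RPT carries exactly the requested scopes for Resource A.
    AuthorizationResponse response = authorize("marta", "password", resource.getName(), scopes);
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    // assertPermissions is expected to drain the matched entries; nothing else may remain.
    assertTrue(permissions.isEmpty());

    // Not the owner and no ticket granted yet: must be denied.
    try {
        authorize("kolo", "password", resource.getId(), scopes);
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the expected outcome
    }

    // The denied request leaves permission tickets behind; the owner grants them.
    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    for (PermissionTicketRepresentation ticket : tickets) {
        ticket.setGranted(true);
        getAuthzClient().protection().permission().update(ticket);
    }

    // kolo must now get an RPT. The permissions are read from *that* token: checking the
    // owner's (already drained) authorization here would pass vacuously.
    AuthorizationResponse grantedResponse;
    try {
        grantedResponse = authorize("kolo", "password", resource.getId(), scopes);
    } catch (AuthorizationDeniedException ade) {
        throw new AssertionError("User should have access to resource from another user", ade);
    }
    String grantedRpt = grantedResponse.getToken();
    assertNotNull(grantedRpt);
    AccessToken.Authorization grantedAuthorization = toAccessToken(grantedRpt).getAuthorization();
    assertNotNull(grantedAuthorization);
    permissions = grantedAuthorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());

    // Revocation: deleting the tickets removes the grant, so access is denied again.
    for (PermissionTicketRepresentation ticket : tickets) {
        getAuthzClient().protection().permission().delete(ticket.getId());
    }
    tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    assertEquals(0, tickets.size());
    try {
        authorize("kolo", "password", resource.getId(), scopes);
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the expected outcome
    }
}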
use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class UserManagedAccessTest method testUserGrantsAccessToResourceWithoutScopes.
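/**
 * A resource without scopes: the owner ("marta") can obtain an RPT for it, while another
 * user ("kolo") is denied until the owner grants the permission ticket created by the denied
 * request. After the grant, kolo's RPT names the resource, repeated authorizations keep
 * working without creating additional tickets, and deleting the ticket leaves none behind.
 *
 * @throws Exception if the test setup fails
 */
@Test
public void testUserGrantsAccessToResourceWithoutScopes() throws Exception {
    String[] noScopes = new String[] {};

    resource = addResource("Resource A", "marta", true);
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();

    // Owner: RPT granted for the resource, with no scopes.
    AuthorizationResponse response = authorize("marta", "password", "Resource A", noScopes);
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A");
    // assertPermissions is expected to drain the matched entries; nothing else may remain.
    assertTrue(permissions.isEmpty());

    // Non-owner without a granted ticket: must be denied. The denied request is what
    // creates the pending ticket checked below.
    try {
        authorize("kolo", "password", resource.getId(), noScopes);
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the expected outcome
    }

    PermissionResource permissionResource = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    PermissionTicketRepresentation pending = permissionTickets.get(0);
    assertFalse(pending.isGranted());
    pending.setGranted(true);
    permissionResource.update(pending);

    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    assertTrue(permissionTickets.get(0).isGranted());

    // Two consecutive authorizations: the grant must be stable and must not create new tickets.
    for (int attempt = 0; attempt < 2; attempt++) {
        response = authorize("kolo", "password", resource.getId(), noScopes);
        rpt = response.getToken();
        assertNotNull(rpt);
        assertFalse(response.isUpgraded());
        authorization = toAccessToken(rpt).getAuthorization();
        assertNotNull(authorization);
        permissions = authorization.getPermissions();
        assertNotNull(permissions);
        assertPermissions(permissions, resource.getName());
        assertTrue(permissions.isEmpty());
    }

    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    assertTrue(permissionTickets.get(0).isGranted());

    // Removing the grant: no ticket may remain for the resource.
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        permissionResource.delete(ticket.getId());
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(0, permissionTickets.size());
}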
use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class GroupNamePolicyTest method testExactNameMatch.
/**
 * A group policy configured with an exact group name: only "marta" obtains an RPT for
 * "Resource A"; "kolo", "alice" and the client's own service account are denied.
 */
@Test
public void testExactNameMatch() {
    AuthzClient client = getAuthzClient();
    String ticket = client.protection().permission().create(new PermissionRequest("Resource A")).getTicket();

    // The user expected to match the configured group gets a token.
    AuthorizationResponse granted = client.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(granted.getToken());

    // Users outside that group are denied, whatever other groups they belong to.
    for (String user : new String[] { "kolo", "alice" }) {
        try {
            client.authorization(user, "password").authorize(new AuthorizationRequest(ticket));
            fail("Should fail because user is not granted with expected group");
        } catch (AuthorizationDeniedException ignore) {
            // denial is the expected outcome
        }
    }

    // The service account of the client is not a group member either.
    try {
        client.authorization(client.obtainAccessToken().getToken()).authorize(new AuthorizationRequest(ticket));
        fail("Should fail because service account is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
        // denial is the expected outcome
    }
}
use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class GroupNamePolicyTest method testOnlyChildrenPolicy.
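/**
 * Exercises the "only children" group policy (per the test name): for "Resource B" only
 * "alice" is authorized, "kolo" and "marta" are denied. "Resource C" is then checked to be
 * reachable by "kolo", showing the restriction is tied to the resource's policy and not to
 * the user as such.
 *
 * @throws Exception if the test setup fails
 */
@Test
public void testOnlyChildrenPolicy() throws Exception {
    AuthzClient authzClient = getAuthzClient();
    String ticket = authzClient.protection().permission().create(new PermissionRequest("Resource B")).getTicket();

    try {
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException expected) {
        // denial is the expected outcome
    }

    AuthorizationResponse response = authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());

    // This is a group policy, so the message names the group (was "expected role").
    try {
        authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException expected) {
        // denial is the expected outcome
    }

    // A different resource: kolo is expected to be authorized here.
    ticket = authzClient.protection().permission().create(new PermissionRequest("Resource C")).getTicket();
    response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}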
use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class KeycloakAdapterPolicyEnforcer method requestAuthorizationToken.
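/**
 * Requests an RPT for the authenticated user covering the permission the enforced path
 * requires, or returns {@code null} when no token can be obtained.
 *
 * <p>Returns {@code null} straight away when user-managed access is configured on the
 * enforcer; presumably that flow is handled elsewhere (confirm against the caller). Any
 * failure, including an explicit {@link AuthorizationDeniedException}, is logged at debug
 * level only and mapped to {@code null}, so callers must treat {@code null} as "not
 * authorized" and operators must enable debug logging to see why a request was refused.
 *
 * @param pathConfig   the protected path; its id is the requested resource
 * @param methodConfig the HTTP method configuration; supplies the requested scopes
 * @param httpFacade   the current request; source of the security context and of the
 *                     authorization scheme (bearer or not)
 * @param claims       additional claims pushed to the server; may be empty or {@code null}
 * @return the verified RPT, or {@code null} when authorization was skipped, denied or failed
 */
private AccessToken requestAuthorizationToken(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade, Map<String, List<String>> claims) {
    if (getEnforcerConfig().getUserManagedAccess() != null) {
        return null;
    }
    try {
        KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();
        String accessTokenString = securityContext.getTokenString();
        KeycloakDeployment deployment = getPolicyEnforcer().getDeployment();
        AccessToken accessToken = securityContext.getToken();
        // Both answers are fixed for the lifetime of this request; evaluate them once.
        boolean bearer = isBearerAuthorization(httpFacade);
        boolean hasRpt = accessToken.getAuthorization() != null;

        AuthorizationRequest authzRequest = new AuthorizationRequest();
        if (bearer || hasRpt) {
            authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
        }
        if (claims != null && !claims.isEmpty()) {
            // Claims travel as base64-encoded JSON under the "jwt" claim-token format.
            authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
            authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
        }
        if (hasRpt) {
            // The current token already carries permissions: ask the server to extend it.
            authzRequest.setRpt(accessTokenString);
        }

        LOGGER.debug("Obtaining authorization for authenticated user.");
        AuthorizationResponse authzResponse;
        if (bearer) {
            authzRequest.setSubjectToken(accessTokenString);
            authzResponse = getAuthzClient().authorization().authorize(authzRequest);
        } else {
            authzResponse = getAuthzClient().authorization(accessTokenString).authorize(authzRequest);
        }
        if (authzResponse != null) {
            // The returned RPT is verified against the deployment before anything trusts it.
            return AdapterTokenVerifier.verifyToken(authzResponse.getToken(), deployment);
        }
    } catch (AuthorizationDeniedException denied) {
        LOGGER.debug("Authorization denied", denied);
    } catch (Exception e) {
        LOGGER.debug("Authorization failed", e);
    }
    return null;
}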