use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class GroupPathPolicyTest method testOnlyChildrenPolicy.
@Test
public void testOnlyChildrenPolicy() throws Exception {
RealmResource realm = getRealm();
AuthzClient authzClient = getAuthzClient();
PermissionRequest request = new PermissionRequest("Resource B");
String ticket = authzClient.protection().permission().create(request).getTicket();
try {
authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
fail("Should fail because user is not granted with expected role");
} catch (AuthorizationDeniedException ignore) {
}
GroupRepresentation group = getGroup("/Group A/Group B/Group C");
UserRepresentation user = realm.users().search("kolo").get(0);
realm.users().get(user.getId()).joinGroup(group.getId());
AuthorizationResponse response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
try {
authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
fail("Should fail because user is not granted with expected role");
} catch (AuthorizationDeniedException ignore) {
}
}
use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class ClientScopePolicyTest method testWithoutExpectedClientScope.
@Test
public void testWithoutExpectedClientScope() {
// Access Resource A with client scope baz.
AuthzClient authzClient = getAuthzClient();
PermissionRequest request = new PermissionRequest("Resource A");
String ticket = authzClient.protection().permission().create(request).getTicket();
try {
authzClient.authorization("marta", "password", "baz").authorize(new AuthorizationRequest(ticket));
fail("Should fail.");
} catch (AuthorizationDeniedException ignore) {
}
// Access Resource B with client scope foo.
request = new PermissionRequest("Resource B");
ticket = authzClient.protection().permission().create(request).getTicket();
try {
authzClient.authorization("marta", "password", "foo").authorize(new AuthorizationRequest(ticket));
fail("Should fail.");
} catch (AuthorizationDeniedException ignore) {
}
}
use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class UserManagedAccessTest method testScopePermissionsToScopeOnly.
@Test
public void testScopePermissionsToScopeOnly() throws Exception {
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getId());
permission.addPolicy("Only Owner Policy");
getClient(getRealm()).authorization().permissions().resource().create(permission).close();
AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] { "ScopeA", "ScopeB" });
String rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
try {
response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA" });
fail("User should not have access to resource from another user");
} catch (AuthorizationDeniedException ade) {
}
PermissionResource permissionResource = getAuthzClient().protection().permission();
List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(1, permissionTickets.size());
PermissionTicketRepresentation ticket = permissionTickets.get(0);
assertFalse(ticket.isGranted());
ticket.setGranted(true);
permissionResource.update(ticket);
response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
accessToken = toAccessToken(rpt);
authorization = accessToken.getAuthorization();
assertNotNull(authorization);
permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, resource.getName(), "ScopeA");
assertTrue(permissions.isEmpty());
permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
// must have two permission tickets, one persisted during the first authorize call for ScopeA and another for the second call to authorize for ScopeB
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation representation : new ArrayList<>(permissionTickets)) {
if (representation.isGranted()) {
permissionResource.delete(representation.getId());
}
}
permissionTickets = permissionResource.findByResource(resource.getId());
assertEquals(1, permissionTickets.size());
}
use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class UserManagedAccessTest method testUserGrantedAccessConsideredWhenRequestingAuthorizationByResourceName.
@Test
public void testUserGrantedAccessConsideredWhenRequestingAuthorizationByResourceName() throws Exception {
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getId());
permission.addPolicy("Only Owner Policy");
getClient(getRealm()).authorization().permissions().resource().create(permission).close();
try {
AuthorizationResponse response = authorize("kolo", "password", resource.getId(), new String[] {});
fail("User should not have access to resource from another user");
} catch (AuthorizationDeniedException ade) {
}
PermissionResource permissionResource = getAuthzClient().protection().permission();
List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertFalse(ticket.isGranted());
ticket.setGranted(true);
permissionResource.update(ticket);
}
permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertTrue(ticket.isGranted());
}
AuthorizationRequest request = new AuthorizationRequest();
// No resource id used in request, only name
request.addPermission("Resource A", "ScopeA", "ScopeB");
List<Permission> permissions = authorize("kolo", "password", request);
assertEquals(1, permissions.size());
Permission koloPermission = permissions.get(0);
assertEquals("Resource A", koloPermission.getResourceName());
assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("ScopeA", "ScopeB")));
ResourceRepresentation resourceRep = getAuthzClient().protection().resource().findById(resource.getId());
resourceRep.setName("Resource A Changed");
getAuthzClient().protection().resource().update(resourceRep);
request = new AuthorizationRequest();
// Try to use the old name
request.addPermission("Resource A", "ScopeA", "ScopeB");
try {
authorize("kolo", "password", request);
fail("User should not have access to resource from another user");
} catch (RuntimeException ade) {
assertTrue(ade.getCause().toString().contains("invalid_resource"));
}
request = new AuthorizationRequest();
request.addPermission(resourceRep.getName(), "ScopeA", "ScopeB");
permissions = authorize("kolo", "password", request);
assertEquals(1, permissions.size());
koloPermission = permissions.get(0);
assertEquals(resourceRep.getName(), koloPermission.getResourceName());
assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("ScopeA", "ScopeB")));
}
use of org.keycloak.authorization.client.AuthorizationDeniedException in project keycloak by keycloak.
the class UserManagedAccessTest method testUserGrantsAccessToResource.
@Test
public void testUserGrantsAccessToResource() throws Exception {
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getId());
permission.addPolicy("Only Owner Policy");
ClientResource client = getClient(getRealm());
client.authorization().permissions().resource().create(permission).close();
AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] { "ScopeA", "ScopeB" });
String rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
getTestContext().getTestingClient().testing().clearEventQueue();
try {
response = authorize("kolo", "password", resource.getId(), new String[] {});
fail("User should not have access to resource from another user");
} catch (AuthorizationDeniedException ade) {
}
String realmId = getRealm().toRepresentation().getId();
String clientId = client.toRepresentation().getClientId();
events.expectLogin().realm(realmId).client(clientId).user(isUUID()).clearDetails().assertEvent();
events.expectLogin().realm(realmId).client(clientId).user(isUUID()).clearDetails().assertEvent();
events.expect(EventType.PERMISSION_TOKEN_ERROR).realm(realmId).client(clientId).user(isUUID()).session((String) null).error("access_denied").detail("reason", "request_submitted").assertEvent();
PermissionResource permissionResource = getAuthzClient().protection().permission();
List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertFalse(ticket.isGranted());
ticket.setGranted(true);
permissionResource.update(ticket);
}
permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertTrue(ticket.isGranted());
}
getTestContext().getTestingClient().testing().clearEventQueue();
response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
accessToken = toAccessToken(rpt);
authorization = accessToken.getAuthorization();
assertNotNull(authorization);
permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
events.expectLogin().realm(realmId).client(clientId).user(isUUID()).clearDetails().assertEvent();
events.expectLogin().realm(realmId).client(clientId).user(isUUID()).clearDetails().assertEvent();
events.expect(EventType.PERMISSION_TOKEN).realm(realmId).client(clientId).user(isUUID()).session((String) null).clearDetails().assertEvent();
}
Aggregations