use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.
the class PermissionManagementTest method removeUserWithPermissionTicketTest.
@Test
public void removeUserWithPermissionTicketTest() throws Exception {
String userToRemoveID = createUser(REALM_NAME, "user-to-remove", "password");
ResourceRepresentation resource = addResource("Resource A", "kolo", true);
AuthzClient authzClient = getAuthzClient();
PermissionResponse response = authzClient.protection("user-to-remove", "password").permission().create(new PermissionRequest(resource.getId()));
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("user-to-remove", "password").getToken());
try {
authzClient.authorization().authorize(request);
} catch (Exception e) {
}
assertPersistence(response, resource);
// Remove the user and expect the user and also hers permission tickets are successfully removed
adminClient.realm(REALM_NAME).users().delete(userToRemoveID);
assertThat(adminClient.realm(REALM_NAME).users().list().stream().map(UserRepresentation::getId).collect(Collectors.toList()), not(hasItem(userToRemoveID)));
assertThat(getAuthzClient().protection().permission().findByResource(resource.getId()), is(empty()));
}
use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.
the class RolePolicyTest method testUserWithoutExpectedRole.
@Test
public void testUserWithoutExpectedRole() {
AuthzClient authzClient = getAuthzClient();
PermissionRequest request = new PermissionRequest("Resource A");
String ticket = authzClient.protection().permission().create(request).getTicket();
try {
authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
fail("Should fail because user is not granted with expected role");
} catch (AuthorizationDeniedException ignore) {
}
request.setResourceId("Resource B");
ticket = authzClient.protection().permission().create(request).getTicket();
assertNotNull(authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket)));
UserRepresentation user = getRealm().users().search("kolo").get(0);
RoleRepresentation roleA = getRealm().roles().get("Role A").toRepresentation();
getRealm().users().get(user.getId()).roles().realmLevel().add(Arrays.asList(roleA));
request.setResourceId("Resource A");
ticket = authzClient.protection().permission().create(request).getTicket();
assertNotNull(authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket)));
}
use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.
the class ConflictingScopePermissionTest method createResourcesAndScopes.
private void createResourcesAndScopes() throws IOException {
AuthzClient authzClient = getAuthzClient();
Set<ScopeRepresentation> scopes = new HashSet<>();
scopes.add(new ScopeRepresentation("read"));
scopes.add(new ScopeRepresentation("write"));
scopes.add(new ScopeRepresentation("execute"));
List<ResourceRepresentation> resources = new ArrayList<>();
resources.add(new ResourceRepresentation("Resource A", scopes));
resources.add(new ResourceRepresentation("Resource B", scopes));
resources.add(new ResourceRepresentation("Resource C", scopes));
resources.forEach(resource -> authzClient.protection().resource().create(resource));
}
use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.
the class GroupNamePolicyTest method testExactNameMatch.
@Test
public void testExactNameMatch() {
AuthzClient authzClient = getAuthzClient();
PermissionRequest request = new PermissionRequest("Resource A");
String ticket = authzClient.protection().permission().create(request).getTicket();
AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
try {
authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
fail("Should fail because user is not granted with expected group");
} catch (AuthorizationDeniedException ignore) {
}
try {
authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
fail("Should fail because user is not granted with expected group");
} catch (AuthorizationDeniedException ignore) {
}
try {
authzClient.authorization(authzClient.obtainAccessToken().getToken()).authorize(new AuthorizationRequest(ticket));
fail("Should fail because service account is not granted with expected group");
} catch (AuthorizationDeniedException ignore) {
}
}
use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.
the class GroupNamePolicyTest method testOnlyChildrenPolicy.
@Test
public void testOnlyChildrenPolicy() throws Exception {
RealmResource realm = getRealm();
AuthzClient authzClient = getAuthzClient();
PermissionRequest request = new PermissionRequest("Resource B");
String ticket = authzClient.protection().permission().create(request).getTicket();
try {
authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
fail("Should fail because user is not granted with expected group");
} catch (AuthorizationDeniedException ignore) {
}
AuthorizationResponse response = authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
try {
authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
fail("Should fail because user is not granted with expected role");
} catch (AuthorizationDeniedException ignore) {
}
request = new PermissionRequest("Resource C");
ticket = authzClient.protection().permission().create(request).getTicket();
response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
}
Aggregations