Search in sources :

Example 21 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class PermissionManagementTest method removeUserWithPermissionTicketTest.

@Test
public void removeUserWithPermissionTicketTest() throws Exception {
    String userToRemoveID = createUser(REALM_NAME, "user-to-remove", "password");
    ResourceRepresentation resource = addResource("Resource A", "kolo", true);
    AuthzClient authzClient = getAuthzClient();
    PermissionResponse response = authzClient.protection("user-to-remove", "password").permission().create(new PermissionRequest(resource.getId()));
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("user-to-remove", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception e) {
    }
    assertPersistence(response, resource);
    // Remove the user and expect the user and also hers permission tickets are successfully removed
    adminClient.realm(REALM_NAME).users().delete(userToRemoveID);
    assertThat(adminClient.realm(REALM_NAME).users().list().stream().map(UserRepresentation::getId).collect(Collectors.toList()), not(hasItem(userToRemoveID)));
    assertThat(getAuthzClient().protection().permission().findByResource(resource.getId()), is(empty()));
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 22 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class RolePolicyTest method testUserWithoutExpectedRole.

@Test
public void testUserWithoutExpectedRole() {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    try {
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException ignore) {
    }
    request.setResourceId("Resource B");
    ticket = authzClient.protection().permission().create(request).getTicket();
    assertNotNull(authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket)));
    UserRepresentation user = getRealm().users().search("kolo").get(0);
    RoleRepresentation roleA = getRealm().roles().get("Role A").toRepresentation();
    getRealm().users().get(user.getId()).roles().realmLevel().add(Arrays.asList(roleA));
    request.setResourceId("Resource A");
    ticket = authzClient.protection().permission().create(request).getTicket();
    assertNotNull(authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket)));
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 23 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class ConflictingScopePermissionTest method createResourcesAndScopes.

private void createResourcesAndScopes() throws IOException {
    AuthzClient authzClient = getAuthzClient();
    Set<ScopeRepresentation> scopes = new HashSet<>();
    scopes.add(new ScopeRepresentation("read"));
    scopes.add(new ScopeRepresentation("write"));
    scopes.add(new ScopeRepresentation("execute"));
    List<ResourceRepresentation> resources = new ArrayList<>();
    resources.add(new ResourceRepresentation("Resource A", scopes));
    resources.add(new ResourceRepresentation("Resource B", scopes));
    resources.add(new ResourceRepresentation("Resource C", scopes));
    resources.forEach(resource -> authzClient.protection().resource().create(resource));
}
Also used : AuthzClient(org.keycloak.authorization.client.AuthzClient) ArrayList(java.util.ArrayList) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) HashSet(java.util.HashSet) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation)

Example 24 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class GroupNamePolicyTest method testExactNameMatch.

@Test
public void testExactNameMatch() {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    try {
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
    try {
        authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
    try {
        authzClient.authorization(authzClient.obtainAccessToken().getToken()).authorize(new AuthorizationRequest(ticket));
        fail("Should fail because service account is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 25 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class GroupNamePolicyTest method testOnlyChildrenPolicy.

@Test
public void testOnlyChildrenPolicy() throws Exception {
    RealmResource realm = getRealm();
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource B");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    try {
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
    AuthorizationResponse response = authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    try {
        authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException ignore) {
    }
    request = new PermissionRequest("Resource C");
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) RealmResource(org.keycloak.admin.client.resource.RealmResource) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Aggregations

AuthzClient (org.keycloak.authorization.client.AuthzClient)70 Test (org.junit.Test)60 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)50 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)43 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)40 PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest)31 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)29 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)27 ClientResource (org.keycloak.admin.client.resource.ClientResource)26 HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)22 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)20 Permission (org.keycloak.representations.idm.authorization.Permission)20 OAuthClient (org.keycloak.testsuite.util.OAuthClient)20 Response (javax.ws.rs.core.Response)18 TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse)17 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)17 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)16 ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)16 AccessToken (org.keycloak.representations.AccessToken)14 ArrayList (java.util.ArrayList)12