
Example 1 with AuthorizationResource

use of org.keycloak.authorization.client.resource.AuthorizationResource in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testDoNotGrantPermissionWhenObtainAllEntitlements.

@Test
public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
    // marta owns an owner-managed (UMA) resource exposing three scopes
    ResourceRepresentation ownedResource = new ResourceRepresentation();
    ownedResource.setName("Resource A");
    ownedResource.setOwner("marta");
    ownedResource.setOwnerManagedAccess(true);
    ownedResource.addScope("Scope A", "Scope B", "Scope C");
    ownedResource = getAuthzClient().protection().resource().create(ownedResource);
    String resourceId = ownedResource.getId();

    // marta shares only Scope A and Scope B with kolo through a user-managed permission
    ProtectionResource ownerProtection = getAuthzClient().protection("marta", "password");
    UmaPermissionRepresentation sharedPermission = new UmaPermissionRepresentation();
    sharedPermission.setName("Custom User-Managed Permission");
    sharedPermission.addUser("kolo");
    sharedPermission.addScope("Scope A", "Scope B");
    ownerProtection.policy(resourceId).create(sharedPermission);

    // an explicit request for exactly the shared scopes is granted and the RPT carries
    // a single permission covering those two scopes ...
    AuthorizationResource koloAuthorization = getAuthzClient().authorization("kolo", "password");
    AuthorizationRequest scopedRequest = new AuthorizationRequest();
    scopedRequest.addPermission(resourceId, "Scope A", "Scope B");
    AuthorizationResponse response = koloAuthorization.authorize(scopedRequest);
    assertNotNull(response);
    AccessToken rpt = toAccessToken(response.getToken());
    assertNotNull(rpt.getAuthorization());
    Collection<Permission> grantedPermissions = rpt.getAuthorization().getPermissions();
    assertEquals(1, grantedPermissions.size());
    Permission granted = grantedPermissions.iterator().next();
    assertTrue(granted.getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));

    // ... whereas asking for all entitlements must be denied: the policy engine does not
    // evaluate custom (user-managed) policies on that path, so no permission may leak through
    try {
        getAuthzClient().authorization("kolo", "password").authorize();
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(e instanceof AuthorizationDeniedException);
    }
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) AuthorizationResource(org.keycloak.authorization.client.resource.AuthorizationResource) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 2 with AuthorizationResource

use of org.keycloak.authorization.client.resource.AuthorizationResource in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testUserManagedPermission.

@Test
public void testUserManagedPermission() {
    // marta owns an owner-managed resource with three scopes
    ResourceRepresentation ownedResource = new ResourceRepresentation();
    ownedResource.setName("Resource A");
    ownedResource.setOwner("marta");
    ownedResource.setOwnerManagedAccess(true);
    ownedResource.addScope("Scope A", "Scope B", "Scope C");
    ownedResource = getAuthzClient().protection().resource().create(ownedResource);
    String resourceId = ownedResource.getId();

    // role-based user-managed permission: role_a holders may use Scope A
    UmaPermissionRepresentation roleBased = new UmaPermissionRepresentation();
    roleBased.setName("Custom User-Managed Permission");
    roleBased.setDescription("Users from specific roles are allowed to access");
    roleBased.addScope("Scope A");
    roleBased.addRole("role_a");
    ProtectionResource ownerProtection = getAuthzClient().protection("marta", "password");
    roleBased = ownerProtection.policy(resourceId).create(roleBased);

    AuthorizationResource koloAuthorization = getAuthzClient().authorization("kolo", "password");
    AuthorizationRequest scopeARequest = new AuthorizationRequest();
    scopeARequest.addPermission(resourceId, "Scope A");
    assertNotNull(koloAuthorization.authorize(scopeARequest));

    // switching the permission from role_a to role_b revokes kolo's access; alice is denied too
    roleBased.removeRole("role_a");
    roleBased.addRole("role_b");
    ownerProtection.policy(resourceId).update(roleBased);
    try {
        koloAuthorization.authorize(scopeARequest);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(e instanceof AuthorizationDeniedException);
    }
    try {
        getAuthzClient().authorization("alice", "password").authorize(scopeARequest);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(e instanceof AuthorizationDeniedException);
    }

    // adding role_a back restores kolo's access
    roleBased.addRole("role_a");
    ownerProtection.policy(resourceId).update(roleBased);
    assertNotNull(koloAuthorization.authorize(scopeARequest));

    // deleting the permission revokes access again, and the policy can no longer be looked up
    ownerProtection.policy(resourceId).delete(roleBased.getId());
    try {
        koloAuthorization.authorize(scopeARequest);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(e instanceof AuthorizationDeniedException);
    }
    try {
        getAuthzClient().protection("marta", "password").policy(resourceId).findById(roleBased.getId());
        fail("Permission must not exist");
    } catch (Exception e) {
        assertEquals(404, HttpResponseException.class.cast(e.getCause()).getStatusCode());
    }

    // user-based permission: only the named user (alice) gets access, kolo stays denied
    UmaPermissionRepresentation userBased = new UmaPermissionRepresentation();
    userBased.setName("Custom User-Managed Permission");
    userBased.setDescription("Specific users are allowed access to the resource");
    userBased.addScope("Scope A");
    userBased.addUser("alice");
    ownerProtection.policy(resourceId).create(userBased);
    assertNotNull(getAuthzClient().authorization("alice", "password").authorize(scopeARequest));
    try {
        koloAuthorization.authorize(scopeARequest);
        fail("User should not have permission to access the protected resource");
    } catch (Exception e) {
        assertTrue(e instanceof AuthorizationDeniedException);
    }
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) AuthorizationResource(org.keycloak.authorization.client.resource.AuthorizationResource) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 3 with AuthorizationResource

use of org.keycloak.authorization.client.resource.AuthorizationResource in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testOwnerAccess.

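@Test
public void testOwnerAccess() {
    // marta owns an owner-managed resource; the random name keeps runs independent
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(UUID.randomUUID().toString());
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource.setOwnerManagedAccess(true);
    ProtectionResource protection = getAuthzClient().protection();
    resource = protection.resource().create(resource);

    // a user-managed permission granting access to role_b holders only
    UmaPermissionRepresentation rep = null;
    try {
        rep = new UmaPermissionRepresentation();
        rep.setName("test");
        rep.addRole("role_b");
        rep = getAuthzClient().protection("marta", "password").policy(resource.getId()).create(rep);
    } catch (Exception e) {
        // Only a server-side rejection for non-owner-managed resources is tolerated here.
        // Check the cause type first so an unrelated failure is reported as an assertion
        // instead of a ClassCastException / NullPointerException on the cast below.
        Throwable cause = e.getCause();
        assertTrue("unexpected failure creating permission: " + e, cause instanceof HttpResponseException);
        assertTrue(cause.toString().contains("Only resources with owner managed accessed can have policies"));
    }
    // The resource above is owner-managed, so the create is expected to succeed. If it did
    // not, rep still holds the unsaved representation (no id) and the update further down
    // would fail for an unrelated reason; fail clearly here instead.
    assertNotNull("user-managed permission was not created", rep);
    assertNotNull("user-managed permission was not persisted (missing id)", rep.getId());

    // the owner is always authorized on their own resource, regardless of the permission's roles
    AuthorizationResource authorization = getAuthzClient().authorization("marta", "password");
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "Scope A");
    AuthorizationResponse authorize = authorization.authorize(request);
    assertNotNull(authorize);

    // kolo is denied while only role_b is granted
    try {
        getAuthzClient().authorization("kolo", "password").authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(e instanceof AuthorizationDeniedException);
    }

    // granting role_a as well opens the resource to kolo (presumably a role_a member — see the
    // test fixture for the role assignment)
    rep.addRole("role_a");
    getAuthzClient().protection("marta", "password").policy(resource.getId()).update(rep);
    authorization = getAuthzClient().authorization("kolo", "password");
    assertNotNull(authorization.authorize(request));
}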
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) AuthorizationResource(org.keycloak.authorization.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Aggregations

NotFoundException (javax.ws.rs.NotFoundException)3 Test (org.junit.Test)3 AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException)3 AuthorizationResource (org.keycloak.authorization.client.resource.AuthorizationResource)3 ProtectionResource (org.keycloak.authorization.client.resource.ProtectionResource)3 HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)3 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)3 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)3 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)3 UmaPermissionRepresentation (org.keycloak.representations.idm.authorization.UmaPermissionRepresentation)3 AccessToken (org.keycloak.representations.AccessToken)1 Permission (org.keycloak.representations.idm.authorization.Permission)1