Search in sources :

Example 21 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setupUsers.

public static void setupUsers(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    ClientModel client = realm.getClientByClientId(CLIENT_NAME);
    RoleModel realmRole = realm.getRole("realm-role");
    RoleModel realmRole2 = realm.getRole("realm-role2");
    RoleModel clientRole = client.getRole("client-role");
    RoleModel mapperRole = realm.getRole("mapper");
    RoleModel managerRole = realm.getRole("manager");
    RoleModel compositeRole = realm.getRole("composite-role");
    ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
    RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
    RoleModel queryGroupsRole = realmManagementClient.getRole(AdminRoles.QUERY_GROUPS);
    RoleModel queryUsersRole = realmManagementClient.getRole(AdminRoles.QUERY_USERS);
    RoleModel queryClientsRole = realmManagementClient.getRole(AdminRoles.QUERY_CLIENTS);
    UserModel nomapAdmin = session.users().addUser(realm, "nomap-admin");
    nomapAdmin.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, nomapAdmin, UserCredentialModel.password("password"));
    nomapAdmin.grantRole(adminRole);
    UserModel anotherAdmin = session.users().addUser(realm, "anotherAdmin");
    anotherAdmin.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, anotherAdmin, UserCredentialModel.password("password"));
    anotherAdmin.grantRole(adminRole);
    UserModel authorizedUser = session.users().addUser(realm, "authorized");
    authorizedUser.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, authorizedUser, UserCredentialModel.password("password"));
    authorizedUser.grantRole(mapperRole);
    authorizedUser.grantRole(managerRole);
    UserModel authorizedComposite = session.users().addUser(realm, "authorizedComposite");
    authorizedComposite.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, authorizedComposite, UserCredentialModel.password("password"));
    authorizedComposite.grantRole(compositeRole);
    UserModel unauthorizedUser = session.users().addUser(realm, "unauthorized");
    unauthorizedUser.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, unauthorizedUser, UserCredentialModel.password("password"));
    UserModel unauthorizedMapper = session.users().addUser(realm, "unauthorizedMapper");
    unauthorizedMapper.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, unauthorizedMapper, UserCredentialModel.password("password"));
    unauthorizedMapper.grantRole(managerRole);
    UserModel user1 = session.users().addUser(realm, "user1");
    user1.setEnabled(true);
    // group management
    AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
    GroupModel group = KeycloakModelUtils.findGroupByPath(realm, "top");
    UserModel groupMember = session.users().addUser(realm, "groupMember");
    groupMember.joinGroup(group);
    groupMember.setEnabled(true);
    UserModel groupManager = session.users().addUser(realm, "groupManager");
    groupManager.grantRole(queryGroupsRole);
    groupManager.grantRole(queryUsersRole);
    groupManager.setEnabled(true);
    groupManager.grantRole(mapperRole);
    session.userCredentialManager().updateCredential(realm, groupManager, UserCredentialModel.password("password"));
    UserModel groupManagerNoMapper = session.users().addUser(realm, "noMapperGroupManager");
    groupManagerNoMapper.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, groupManagerNoMapper, UserCredentialModel.password("password"));
    groupManagerNoMapper.grantRole(queryGroupsRole);
    groupManagerNoMapper.grantRole(queryUsersRole);
    UserPolicyRepresentation groupManagerRep = new UserPolicyRepresentation();
    groupManagerRep.setName("groupManagers");
    groupManagerRep.addUser("groupManager");
    groupManagerRep.addUser("noMapperGroupManager");
    ResourceServer server = permissions.realmResourceServer();
    Policy groupManagerPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupManagerRep, server);
    permissions.groups().manageMembersPermission(group).addAssociatedPolicy(groupManagerPolicy);
    permissions.groups().manageMembershipPermission(group).addAssociatedPolicy(groupManagerPolicy);
    permissions.groups().viewPermission(group).addAssociatedPolicy(groupManagerPolicy);
    UserModel clientMapper = session.users().addUser(realm, "clientMapper");
    clientMapper.setEnabled(true);
    clientMapper.grantRole(managerRole);
    clientMapper.grantRole(queryUsersRole);
    session.userCredentialManager().updateCredential(realm, clientMapper, UserCredentialModel.password("password"));
    Policy clientMapperPolicy = permissions.clients().mapRolesPermission(client);
    UserPolicyRepresentation userRep = new UserPolicyRepresentation();
    userRep.setName("userClientMapper");
    userRep.addUser("clientMapper");
    Policy userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
    clientMapperPolicy.addAssociatedPolicy(userPolicy);
    UserModel clientManager = session.users().addUser(realm, "clientManager");
    clientManager.setEnabled(true);
    clientManager.grantRole(queryClientsRole);
    session.userCredentialManager().updateCredential(realm, clientManager, UserCredentialModel.password("password"));
    Policy clientManagerPolicy = permissions.clients().managePermission(client);
    userRep = new UserPolicyRepresentation();
    userRep.setName("clientManager");
    userRep.addUser("clientManager");
    userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
    clientManagerPolicy.addAssociatedPolicy(userPolicy);
    UserModel clientConfigurer = session.users().addUser(realm, "clientConfigurer");
    clientConfigurer.setEnabled(true);
    clientConfigurer.grantRole(queryClientsRole);
    session.userCredentialManager().updateCredential(realm, clientConfigurer, UserCredentialModel.password("password"));
    Policy clientConfigurePolicy = permissions.clients().configurePermission(client);
    userRep = new UserPolicyRepresentation();
    userRep.setName("clientConfigure");
    userRep.addUser("clientConfigurer");
    userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
    clientConfigurePolicy.addAssociatedPolicy(userPolicy);
    UserModel groupViewer = session.users().addUser(realm, "groupViewer");
    groupViewer.grantRole(queryGroupsRole);
    groupViewer.grantRole(queryUsersRole);
    groupViewer.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, groupViewer, UserCredentialModel.password("password"));
    UserPolicyRepresentation groupViewMembersRep = new UserPolicyRepresentation();
    groupViewMembersRep.setName("groupMemberViewers");
    groupViewMembersRep.addUser("groupViewer");
    Policy groupViewMembersPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupViewMembersRep, server);
    Policy groupViewMembersPermission = permissions.groups().viewMembersPermission(group);
    groupViewMembersPermission.addAssociatedPolicy(groupViewMembersPolicy);
}
Also used : RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) Policy(org.keycloak.authorization.model.Policy) ClientModel(org.keycloak.models.ClientModel) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) GroupModel(org.keycloak.models.GroupModel) RoleModel(org.keycloak.models.RoleModel) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Example 22 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setupPolices.

public static void setupPolices(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
    RoleModel realmRole = realm.addRole("realm-role");
    RoleModel realmRole2 = realm.addRole("realm-role2");
    ClientModel client1 = realm.addClient(CLIENT_NAME);
    realm.addClientScope("scope");
    client1.setFullScopeAllowed(false);
    RoleModel client1Role = client1.addRole("client-role");
    GroupModel group = realm.createGroup("top");
    RoleModel mapperRole = realm.addRole("mapper");
    RoleModel managerRole = realm.addRole("manager");
    RoleModel compositeRole = realm.addRole("composite-role");
    compositeRole.addCompositeRole(mapperRole);
    compositeRole.addCompositeRole(managerRole);
    // realm-role and application.client-role will have a role policy associated with their map-role permission
    {
        permissions.roles().setPermissionsEnabled(client1Role, true);
        Policy mapRolePermission = permissions.roles().mapRolePermission(client1Role);
        ResourceServer server = permissions.roles().resourceServer(client1Role);
        Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
        mapRolePermission.addAssociatedPolicy(mapperPolicy);
    }
    {
        permissions.roles().setPermissionsEnabled(realmRole, true);
        Policy mapRolePermission = permissions.roles().mapRolePermission(realmRole);
        ResourceServer server = permissions.roles().resourceServer(realmRole);
        Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
        mapRolePermission.addAssociatedPolicy(mapperPolicy);
    }
    // realmRole2 will have an empty map-role policy
    {
        permissions.roles().setPermissionsEnabled(realmRole2, true);
    }
    // setup Users manage policies
    {
        permissions.users().setPermissionsEnabled(true);
        ResourceServer server = permissions.realmResourceServer();
        Policy managerPolicy = permissions.roles().rolePolicy(server, managerRole);
        Policy permission = permissions.users().managePermission();
        permission.addAssociatedPolicy(managerPolicy);
        permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    }
    {
        permissions.groups().setPermissionsEnabled(group, true);
    }
    {
        permissions.clients().setPermissionsEnabled(client1, true);
    }
    // setup Users impersonate policy
    {
        ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
        RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
        permissions.users().setPermissionsEnabled(true);
        ResourceServer server = permissions.realmResourceServer();
        Policy adminPolicy = permissions.roles().rolePolicy(server, adminRole);
        adminPolicy.setLogic(Logic.NEGATIVE);
        Policy permission = permissions.users().userImpersonatedPermission();
        permission.addAssociatedPolicy(adminPolicy);
        permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    }
}
Also used : RealmModel(org.keycloak.models.RealmModel) Policy(org.keycloak.authorization.model.Policy) ClientModel(org.keycloak.models.ClientModel) GroupModel(org.keycloak.models.GroupModel) RoleModel(org.keycloak.models.RoleModel) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Example 23 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setupTokenExchange.

private static void setupTokenExchange(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName("master");
    ClientModel client = session.clients().getClientByClientId(realm, "tokenexclient");
    if (client != null) {
        return;
    }
    ClientModel tokenexclient = realm.addClient("tokenexclient");
    tokenexclient.setEnabled(true);
    tokenexclient.addRedirectUri("http://localhost:*");
    tokenexclient.setPublicClient(false);
    tokenexclient.setSecret("password");
    tokenexclient.setDirectAccessGrantsEnabled(true);
    // permission for client to client exchange to "target" client
    ClientModel adminCli = realm.getClientByClientId(ConfigUtil.DEFAULT_CLIENT);
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    management.clients().setPermissionsEnabled(adminCli, true);
    ClientPolicyRepresentation clientRep = new ClientPolicyRepresentation();
    clientRep.setName("to");
    clientRep.addClient(tokenexclient.getId());
    ResourceServer server = management.realmResourceServer();
    Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server);
    management.clients().exchangeToPermission(adminCli).addAssociatedPolicy(clientPolicy);
}
Also used : RealmModel(org.keycloak.models.RealmModel) Policy(org.keycloak.authorization.model.Policy) ClientModel(org.keycloak.models.ClientModel) ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Example 24 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class AuthzCleanupTest method setup.

public static void setup(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    session.getContext().setRealm(realm);
    AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
    ClientModel myclient = realm.getClientByClientId("myclient");
    ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(myclient);
    createRolePolicy(authz, resourceServer, myclient.getClientId() + "/client-role-1");
    createRolePolicy(authz, resourceServer, myclient.getClientId() + "/client-role-2");
}
Also used : RealmModel(org.keycloak.models.RealmModel) ClientModel(org.keycloak.models.ClientModel) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 25 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientTokenExchangeTest method setupRealm.

public static void setupRealm(KeycloakSession session) {
    addDirectExchanger(session);
    RealmModel realm = session.realms().getRealmByName(TEST);
    RoleModel exampleRole = realm.getRole("example");
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    ClientModel target = realm.getClientByClientId("target");
    assertNotNull(target);
    RoleModel impersonateRole = management.getRealmManagementClient().getRole(ImpersonationConstants.IMPERSONATION_ROLE);
    ClientModel clientExchanger = realm.addClient("client-exchanger");
    clientExchanger.setClientId("client-exchanger");
    clientExchanger.setPublicClient(false);
    clientExchanger.setDirectAccessGrantsEnabled(true);
    clientExchanger.setEnabled(true);
    clientExchanger.setSecret("secret");
    clientExchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    clientExchanger.setFullScopeAllowed(false);
    clientExchanger.addScopeMapping(impersonateRole);
    clientExchanger.addProtocolMapper(UserSessionNoteMapper.createUserSessionNoteMapper(IMPERSONATOR_ID));
    clientExchanger.addProtocolMapper(UserSessionNoteMapper.createUserSessionNoteMapper(IMPERSONATOR_USERNAME));
    ClientModel illegal = realm.addClient("illegal");
    illegal.setClientId("illegal");
    illegal.setPublicClient(false);
    illegal.setDirectAccessGrantsEnabled(true);
    illegal.setEnabled(true);
    illegal.setSecret("secret");
    illegal.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    illegal.setFullScopeAllowed(false);
    ClientModel legal = realm.addClient("legal");
    legal.setClientId("legal");
    legal.setPublicClient(false);
    legal.setDirectAccessGrantsEnabled(true);
    legal.setEnabled(true);
    legal.setSecret("secret");
    legal.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    legal.setFullScopeAllowed(false);
    ClientModel directLegal = realm.addClient("direct-legal");
    directLegal.setClientId("direct-legal");
    directLegal.setPublicClient(false);
    directLegal.setDirectAccessGrantsEnabled(true);
    directLegal.setEnabled(true);
    directLegal.setSecret("secret");
    directLegal.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    directLegal.setFullScopeAllowed(false);
    ClientModel directPublic = realm.addClient("direct-public");
    directPublic.setClientId("direct-public");
    directPublic.setPublicClient(true);
    directPublic.setDirectAccessGrantsEnabled(true);
    directPublic.setEnabled(true);
    directPublic.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    directPublic.setFullScopeAllowed(false);
    ClientModel directNoSecret = realm.addClient("direct-no-secret");
    directNoSecret.setClientId("direct-no-secret");
    directNoSecret.setPublicClient(false);
    directNoSecret.setDirectAccessGrantsEnabled(true);
    directNoSecret.setEnabled(true);
    directNoSecret.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    directNoSecret.setFullScopeAllowed(false);
    ClientModel noRefreshToken = realm.addClient("no-refresh-token");
    noRefreshToken.setClientId("no-refresh-token");
    noRefreshToken.setPublicClient(false);
    noRefreshToken.setDirectAccessGrantsEnabled(true);
    noRefreshToken.setEnabled(true);
    noRefreshToken.setSecret("secret");
    noRefreshToken.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    noRefreshToken.setFullScopeAllowed(false);
    noRefreshToken.getAttributes().put(OIDCConfigAttributes.USE_REFRESH_TOKEN, "false");
    // permission for client to client exchange to "target" client
    ClientPolicyRepresentation clientRep = new ClientPolicyRepresentation();
    clientRep.setName("to");
    clientRep.addClient(clientExchanger.getId());
    clientRep.addClient(legal.getId());
    clientRep.addClient(directLegal.getId());
    clientRep.addClient(noRefreshToken.getId());
    ResourceServer server = management.realmResourceServer();
    Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server);
    management.clients().exchangeToPermission(target).addAssociatedPolicy(clientPolicy);
    // permission for user impersonation for a client
    ClientPolicyRepresentation clientImpersonateRep = new ClientPolicyRepresentation();
    clientImpersonateRep.setName("clientImpersonators");
    clientImpersonateRep.addClient(directLegal.getId());
    clientImpersonateRep.addClient(directPublic.getId());
    clientImpersonateRep.addClient(directNoSecret.getId());
    server = management.realmResourceServer();
    Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server);
    management.users().setPermissionsEnabled(true);
    management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy);
    management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    UserModel user = session.users().addUser(realm, "user");
    user.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password("password"));
    user.grantRole(exampleRole);
    user.grantRole(impersonateRole);
    UserModel bad = session.users().addUser(realm, "bad-impersonator");
    bad.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, bad, UserCredentialModel.password("password"));
}
Also used : RealmModel(org.keycloak.models.RealmModel) Policy(org.keycloak.authorization.model.Policy) UserModel(org.keycloak.models.UserModel) ClientModel(org.keycloak.models.ClientModel) ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation) RoleModel(org.keycloak.models.RoleModel) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Aggregations

ResourceServer (org.keycloak.authorization.model.ResourceServer)81 Policy (org.keycloak.authorization.model.Policy)50 Resource (org.keycloak.authorization.model.Resource)40 ClientModel (org.keycloak.models.ClientModel)37 Scope (org.keycloak.authorization.model.Scope)30 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)26 StoreFactory (org.keycloak.authorization.store.StoreFactory)21 RealmModel (org.keycloak.models.RealmModel)20 UserModel (org.keycloak.models.UserModel)13 HashSet (java.util.HashSet)12 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)11 Map (java.util.Map)10 DefaultEvaluation (org.keycloak.authorization.policy.evaluation.DefaultEvaluation)10 PolicyProvider (org.keycloak.authorization.policy.provider.PolicyProvider)10 List (java.util.List)9 AdminPermissionManagement (org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)9 ArrayList (java.util.ArrayList)8 Collection (java.util.Collection)8 HashMap (java.util.HashMap)8 ResourcePermission (org.keycloak.authorization.permission.ResourcePermission)8