use of org.keycloak.models.RealmModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method testClientsSearchAfterFirstPage.
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientsSearchAfterFirstPage() {
testingClient.server().run(session -> {
RealmModel realm = session.realms().getRealmByName("test");
session.getContext().setRealm(realm);
ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
UserModel regularAdminUser = session.users().addUser(realm, "regular-admin-user");
session.userCredentialManager().updateCredential(realm, regularAdminUser, UserCredentialModel.password("password"));
regularAdminUser.grantRole(realmAdminClient.getRole(AdminRoles.QUERY_CLIENTS));
regularAdminUser.setEnabled(true);
UserPolicyRepresentation userPolicyRepresentation = new UserPolicyRepresentation();
userPolicyRepresentation.setName("Only " + regularAdminUser.getUsername());
userPolicyRepresentation.addUser(regularAdminUser.getId());
AdminPermissionManagement management = AdminPermissions.management(session, realm);
ClientPermissionManagement clientPermission = management.clients();
for (int i = 15; i < 30; i++) {
ClientModel clientModel = realm.addClient("client-search-" + (i < 10 ? "0" + i : i));
clientPermission.setPermissionsEnabled(clientModel, true);
Policy policy = clientPermission.viewPermission(clientModel);
AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class);
if (i == 15) {
provider.getStoreFactory().getPolicyStore().create(userPolicyRepresentation, management.realmResourceServer());
}
policy.addAssociatedPolicy(provider.getStoreFactory().getPolicyStore().findByName("Only regular-admin-user", realmAdminClient.getId()));
}
});
try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth", "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {
List<ClientRepresentation> clients = new ArrayList<>();
List<ClientRepresentation> result = client.realm("test").clients().findAll("client-search-", true, true, 0, 10);
clients.addAll(result);
Assert.assertEquals(10, result.size());
Assert.assertThat(result.stream().map(rep -> rep.getClientId()).collect(Collectors.toList()), Matchers.is(Arrays.asList("client-search-15", "client-search-16", "client-search-17", "client-search-18", "client-search-19", "client-search-20", "client-search-21", "client-search-22", "client-search-23", "client-search-24")));
result = client.realm("test").clients().findAll("client-search-", true, true, 10, 10);
clients.addAll(result);
Assert.assertEquals(5, result.size());
Assert.assertThat(result.stream().map(rep -> rep.getClientId()).collect(Collectors.toList()), Matchers.is(Arrays.asList("client-search-25", "client-search-26", "client-search-27", "client-search-28", "client-search-29")));
result = client.realm("test").clients().findAll("client-search-", true, true, 20, 10);
clients.addAll(result);
Assert.assertTrue(result.isEmpty());
}
}
use of org.keycloak.models.RealmModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method setupPolices.
public static void setupPolices(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
RoleModel realmRole = realm.addRole("realm-role");
RoleModel realmRole2 = realm.addRole("realm-role2");
ClientModel client1 = realm.addClient(CLIENT_NAME);
realm.addClientScope("scope");
client1.setFullScopeAllowed(false);
RoleModel client1Role = client1.addRole("client-role");
GroupModel group = realm.createGroup("top");
RoleModel mapperRole = realm.addRole("mapper");
RoleModel managerRole = realm.addRole("manager");
RoleModel compositeRole = realm.addRole("composite-role");
compositeRole.addCompositeRole(mapperRole);
compositeRole.addCompositeRole(managerRole);
// realm-role and application.client-role will have a role policy associated with their map-role permission
{
permissions.roles().setPermissionsEnabled(client1Role, true);
Policy mapRolePermission = permissions.roles().mapRolePermission(client1Role);
ResourceServer server = permissions.roles().resourceServer(client1Role);
Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
mapRolePermission.addAssociatedPolicy(mapperPolicy);
}
{
permissions.roles().setPermissionsEnabled(realmRole, true);
Policy mapRolePermission = permissions.roles().mapRolePermission(realmRole);
ResourceServer server = permissions.roles().resourceServer(realmRole);
Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
mapRolePermission.addAssociatedPolicy(mapperPolicy);
}
// realmRole2 will have an empty map-role policy
{
permissions.roles().setPermissionsEnabled(realmRole2, true);
}
// setup Users manage policies
{
permissions.users().setPermissionsEnabled(true);
ResourceServer server = permissions.realmResourceServer();
Policy managerPolicy = permissions.roles().rolePolicy(server, managerRole);
Policy permission = permissions.users().managePermission();
permission.addAssociatedPolicy(managerPolicy);
permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
}
{
permissions.groups().setPermissionsEnabled(group, true);
}
{
permissions.clients().setPermissionsEnabled(client1, true);
}
// setup Users impersonate policy
{
ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
permissions.users().setPermissionsEnabled(true);
ResourceServer server = permissions.realmResourceServer();
Policy adminPolicy = permissions.roles().rolePolicy(server, adminRole);
adminPolicy.setLogic(Logic.NEGATIVE);
Policy permission = permissions.users().userImpersonatedPermission();
permission.addAssociatedPolicy(adminPolicy);
permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
}
}
use of org.keycloak.models.RealmModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method setupDeleteTest.
// testRestEvaluationMasterRealm
// testRestEvaluationMasterAdminTestRealm
// test role deletion that it cleans up authz objects
public static void setupDeleteTest(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
RoleModel removedRole = realm.addRole("removedRole");
ClientModel client = realm.addClient("removedClient");
RoleModel removedClientRole = client.addRole("removedClientRole");
GroupModel removedGroup = realm.createGroup("removedGroup");
AdminPermissionManagement management = AdminPermissions.management(session, realm);
management.roles().setPermissionsEnabled(removedRole, true);
management.roles().setPermissionsEnabled(removedClientRole, true);
management.groups().setPermissionsEnabled(removedGroup, true);
management.clients().setPermissionsEnabled(client, true);
management.users().setPermissionsEnabled(true);
}
use of org.keycloak.models.RealmModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method setupTokenExchange.
private static void setupTokenExchange(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName("master");
ClientModel client = session.clients().getClientByClientId(realm, "tokenexclient");
if (client != null) {
return;
}
ClientModel tokenexclient = realm.addClient("tokenexclient");
tokenexclient.setEnabled(true);
tokenexclient.addRedirectUri("http://localhost:*");
tokenexclient.setPublicClient(false);
tokenexclient.setSecret("password");
tokenexclient.setDirectAccessGrantsEnabled(true);
// permission for client to client exchange to "target" client
ClientModel adminCli = realm.getClientByClientId(ConfigUtil.DEFAULT_CLIENT);
AdminPermissionManagement management = AdminPermissions.management(session, realm);
management.clients().setPermissionsEnabled(adminCli, true);
ClientPolicyRepresentation clientRep = new ClientPolicyRepresentation();
clientRep.setName("to");
clientRep.addClient(tokenexclient.getId());
ResourceServer server = management.realmResourceServer();
Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server);
management.clients().exchangeToPermission(adminCli).addAssociatedPolicy(clientPolicy);
}
use of org.keycloak.models.RealmModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method setup5152.
public static void setup5152(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
RoleModel realmAdminRole = realmAdminClient.getRole(AdminRoles.REALM_ADMIN);
UserModel realmUser = session.users().addUser(realm, "realm-admin");
realmUser.grantRole(realmAdminRole);
realmUser.setEnabled(true);
session.userCredentialManager().updateCredential(realm, realmUser, UserCredentialModel.password("password"));
}
Aggregations