Search in sources :

Example 91 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class FineGrainAdminUnitTest method testClientsSearchAfterFirstPage.

@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientsSearchAfterFirstPage() {
    testingClient.server().run(session -> {
        RealmModel realm = session.realms().getRealmByName("test");
        session.getContext().setRealm(realm);
        ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        UserModel regularAdminUser = session.users().addUser(realm, "regular-admin-user");
        session.userCredentialManager().updateCredential(realm, regularAdminUser, UserCredentialModel.password("password"));
        regularAdminUser.grantRole(realmAdminClient.getRole(AdminRoles.QUERY_CLIENTS));
        regularAdminUser.setEnabled(true);
        UserPolicyRepresentation userPolicyRepresentation = new UserPolicyRepresentation();
        userPolicyRepresentation.setName("Only " + regularAdminUser.getUsername());
        userPolicyRepresentation.addUser(regularAdminUser.getId());
        AdminPermissionManagement management = AdminPermissions.management(session, realm);
        ClientPermissionManagement clientPermission = management.clients();
        for (int i = 15; i < 30; i++) {
            ClientModel clientModel = realm.addClient("client-search-" + (i < 10 ? "0" + i : i));
            clientPermission.setPermissionsEnabled(clientModel, true);
            Policy policy = clientPermission.viewPermission(clientModel);
            AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class);
            if (i == 15) {
                provider.getStoreFactory().getPolicyStore().create(userPolicyRepresentation, management.realmResourceServer());
            }
            policy.addAssociatedPolicy(provider.getStoreFactory().getPolicyStore().findByName("Only regular-admin-user", realmAdminClient.getId()));
        }
    });
    try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth", "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {
        List<ClientRepresentation> clients = new ArrayList<>();
        List<ClientRepresentation> result = client.realm("test").clients().findAll("client-search-", true, true, 0, 10);
        clients.addAll(result);
        Assert.assertEquals(10, result.size());
        Assert.assertThat(result.stream().map(rep -> rep.getClientId()).collect(Collectors.toList()), Matchers.is(Arrays.asList("client-search-15", "client-search-16", "client-search-17", "client-search-18", "client-search-19", "client-search-20", "client-search-21", "client-search-22", "client-search-23", "client-search-24")));
        result = client.realm("test").clients().findAll("client-search-", true, true, 10, 10);
        clients.addAll(result);
        Assert.assertEquals(5, result.size());
        Assert.assertThat(result.stream().map(rep -> rep.getClientId()).collect(Collectors.toList()), Matchers.is(Arrays.asList("client-search-25", "client-search-26", "client-search-27", "client-search-28", "client-search-29")));
        result = client.realm("test").clients().findAll("client-search-", true, true, 20, 10);
        clients.addAll(result);
        Assert.assertTrue(result.isEmpty());
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) ArrayList(java.util.ArrayList) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) ClientModel(org.keycloak.models.ClientModel) ClientPermissionManagement(org.keycloak.services.resources.admin.permissions.ClientPermissionManagement) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) Keycloak(org.keycloak.admin.client.Keycloak) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 92 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setupPolices.

public static void setupPolices(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
    RoleModel realmRole = realm.addRole("realm-role");
    RoleModel realmRole2 = realm.addRole("realm-role2");
    ClientModel client1 = realm.addClient(CLIENT_NAME);
    realm.addClientScope("scope");
    client1.setFullScopeAllowed(false);
    RoleModel client1Role = client1.addRole("client-role");
    GroupModel group = realm.createGroup("top");
    RoleModel mapperRole = realm.addRole("mapper");
    RoleModel managerRole = realm.addRole("manager");
    RoleModel compositeRole = realm.addRole("composite-role");
    compositeRole.addCompositeRole(mapperRole);
    compositeRole.addCompositeRole(managerRole);
    // realm-role and application.client-role will have a role policy associated with their map-role permission
    {
        permissions.roles().setPermissionsEnabled(client1Role, true);
        Policy mapRolePermission = permissions.roles().mapRolePermission(client1Role);
        ResourceServer server = permissions.roles().resourceServer(client1Role);
        Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
        mapRolePermission.addAssociatedPolicy(mapperPolicy);
    }
    {
        permissions.roles().setPermissionsEnabled(realmRole, true);
        Policy mapRolePermission = permissions.roles().mapRolePermission(realmRole);
        ResourceServer server = permissions.roles().resourceServer(realmRole);
        Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
        mapRolePermission.addAssociatedPolicy(mapperPolicy);
    }
    // realmRole2 will have an empty map-role policy
    {
        permissions.roles().setPermissionsEnabled(realmRole2, true);
    }
    // setup Users manage policies
    {
        permissions.users().setPermissionsEnabled(true);
        ResourceServer server = permissions.realmResourceServer();
        Policy managerPolicy = permissions.roles().rolePolicy(server, managerRole);
        Policy permission = permissions.users().managePermission();
        permission.addAssociatedPolicy(managerPolicy);
        permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    }
    {
        permissions.groups().setPermissionsEnabled(group, true);
    }
    {
        permissions.clients().setPermissionsEnabled(client1, true);
    }
    // setup Users impersonate policy
    {
        ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
        RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
        permissions.users().setPermissionsEnabled(true);
        ResourceServer server = permissions.realmResourceServer();
        Policy adminPolicy = permissions.roles().rolePolicy(server, adminRole);
        adminPolicy.setLogic(Logic.NEGATIVE);
        Policy permission = permissions.users().userImpersonatedPermission();
        permission.addAssociatedPolicy(adminPolicy);
        permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    }
}
Also used : RealmModel(org.keycloak.models.RealmModel) Policy(org.keycloak.authorization.model.Policy) ClientModel(org.keycloak.models.ClientModel) GroupModel(org.keycloak.models.GroupModel) RoleModel(org.keycloak.models.RoleModel) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Example 93 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setupDeleteTest.

// testRestEvaluationMasterRealm
// testRestEvaluationMasterAdminTestRealm
// test role deletion that it cleans up authz objects
public static void setupDeleteTest(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    RoleModel removedRole = realm.addRole("removedRole");
    ClientModel client = realm.addClient("removedClient");
    RoleModel removedClientRole = client.addRole("removedClientRole");
    GroupModel removedGroup = realm.createGroup("removedGroup");
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    management.roles().setPermissionsEnabled(removedRole, true);
    management.roles().setPermissionsEnabled(removedClientRole, true);
    management.groups().setPermissionsEnabled(removedGroup, true);
    management.clients().setPermissionsEnabled(client, true);
    management.users().setPermissionsEnabled(true);
}
Also used : RealmModel(org.keycloak.models.RealmModel) ClientModel(org.keycloak.models.ClientModel) GroupModel(org.keycloak.models.GroupModel) RoleModel(org.keycloak.models.RoleModel) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Example 94 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setupTokenExchange.

private static void setupTokenExchange(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName("master");
    ClientModel client = session.clients().getClientByClientId(realm, "tokenexclient");
    if (client != null) {
        return;
    }
    ClientModel tokenexclient = realm.addClient("tokenexclient");
    tokenexclient.setEnabled(true);
    tokenexclient.addRedirectUri("http://localhost:*");
    tokenexclient.setPublicClient(false);
    tokenexclient.setSecret("password");
    tokenexclient.setDirectAccessGrantsEnabled(true);
    // permission for client to client exchange to "target" client
    ClientModel adminCli = realm.getClientByClientId(ConfigUtil.DEFAULT_CLIENT);
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    management.clients().setPermissionsEnabled(adminCli, true);
    ClientPolicyRepresentation clientRep = new ClientPolicyRepresentation();
    clientRep.setName("to");
    clientRep.addClient(tokenexclient.getId());
    ResourceServer server = management.realmResourceServer();
    Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server);
    management.clients().exchangeToPermission(adminCli).addAssociatedPolicy(clientPolicy);
}
Also used : RealmModel(org.keycloak.models.RealmModel) Policy(org.keycloak.authorization.model.Policy) ClientModel(org.keycloak.models.ClientModel) ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Example 95 with RealmModel

use of org.keycloak.models.RealmModel in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setup5152.

public static void setup5152(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
    RoleModel realmAdminRole = realmAdminClient.getRole(AdminRoles.REALM_ADMIN);
    UserModel realmUser = session.users().addUser(realm, "realm-admin");
    realmUser.grantRole(realmAdminRole);
    realmUser.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, realmUser, UserCredentialModel.password("password"));
}
Also used : RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) ClientModel(org.keycloak.models.ClientModel) RoleModel(org.keycloak.models.RoleModel)

Aggregations

RealmModel (org.keycloak.models.RealmModel)591 Test (org.junit.Test)249 UserModel (org.keycloak.models.UserModel)225 KeycloakSession (org.keycloak.models.KeycloakSession)152 ClientModel (org.keycloak.models.ClientModel)149 AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)90 ModelTest (org.keycloak.testsuite.arquillian.annotation.ModelTest)84 ComponentModel (org.keycloak.component.ComponentModel)83 RoleModel (org.keycloak.models.RoleModel)73 UserSessionModel (org.keycloak.models.UserSessionModel)64 LDAPObject (org.keycloak.storage.ldap.idm.model.LDAPObject)62 List (java.util.List)55 LDAPStorageProvider (org.keycloak.storage.ldap.LDAPStorageProvider)51 GroupModel (org.keycloak.models.GroupModel)47 HashMap (java.util.HashMap)38 Collectors (java.util.stream.Collectors)34 CachedUserModel (org.keycloak.models.cache.CachedUserModel)34 Path (javax.ws.rs.Path)30 AbstractAuthTest (org.keycloak.testsuite.AbstractAuthTest)30 Map (java.util.Map)29