Search in sources :

Example 36 with RoleModel

use of org.keycloak.models.RoleModel in project keycloak by keycloak.

the class ClientTokenExchangeTest method setupRealm.

public static void setupRealm(KeycloakSession session) {
    addDirectExchanger(session);
    RealmModel realm = session.realms().getRealmByName(TEST);
    RoleModel exampleRole = realm.getRole("example");
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    ClientModel target = realm.getClientByClientId("target");
    assertNotNull(target);
    RoleModel impersonateRole = management.getRealmManagementClient().getRole(ImpersonationConstants.IMPERSONATION_ROLE);
    ClientModel clientExchanger = realm.addClient("client-exchanger");
    clientExchanger.setClientId("client-exchanger");
    clientExchanger.setPublicClient(false);
    clientExchanger.setDirectAccessGrantsEnabled(true);
    clientExchanger.setEnabled(true);
    clientExchanger.setSecret("secret");
    clientExchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    clientExchanger.setFullScopeAllowed(false);
    clientExchanger.addScopeMapping(impersonateRole);
    clientExchanger.addProtocolMapper(UserSessionNoteMapper.createUserSessionNoteMapper(IMPERSONATOR_ID));
    clientExchanger.addProtocolMapper(UserSessionNoteMapper.createUserSessionNoteMapper(IMPERSONATOR_USERNAME));
    ClientModel illegal = realm.addClient("illegal");
    illegal.setClientId("illegal");
    illegal.setPublicClient(false);
    illegal.setDirectAccessGrantsEnabled(true);
    illegal.setEnabled(true);
    illegal.setSecret("secret");
    illegal.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    illegal.setFullScopeAllowed(false);
    ClientModel legal = realm.addClient("legal");
    legal.setClientId("legal");
    legal.setPublicClient(false);
    legal.setDirectAccessGrantsEnabled(true);
    legal.setEnabled(true);
    legal.setSecret("secret");
    legal.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    legal.setFullScopeAllowed(false);
    ClientModel directLegal = realm.addClient("direct-legal");
    directLegal.setClientId("direct-legal");
    directLegal.setPublicClient(false);
    directLegal.setDirectAccessGrantsEnabled(true);
    directLegal.setEnabled(true);
    directLegal.setSecret("secret");
    directLegal.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    directLegal.setFullScopeAllowed(false);
    ClientModel directPublic = realm.addClient("direct-public");
    directPublic.setClientId("direct-public");
    directPublic.setPublicClient(true);
    directPublic.setDirectAccessGrantsEnabled(true);
    directPublic.setEnabled(true);
    directPublic.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    directPublic.setFullScopeAllowed(false);
    ClientModel directNoSecret = realm.addClient("direct-no-secret");
    directNoSecret.setClientId("direct-no-secret");
    directNoSecret.setPublicClient(false);
    directNoSecret.setDirectAccessGrantsEnabled(true);
    directNoSecret.setEnabled(true);
    directNoSecret.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    directNoSecret.setFullScopeAllowed(false);
    ClientModel noRefreshToken = realm.addClient("no-refresh-token");
    noRefreshToken.setClientId("no-refresh-token");
    noRefreshToken.setPublicClient(false);
    noRefreshToken.setDirectAccessGrantsEnabled(true);
    noRefreshToken.setEnabled(true);
    noRefreshToken.setSecret("secret");
    noRefreshToken.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    noRefreshToken.setFullScopeAllowed(false);
    noRefreshToken.getAttributes().put(OIDCConfigAttributes.USE_REFRESH_TOKEN, "false");
    // permission for client to client exchange to "target" client
    ClientPolicyRepresentation clientRep = new ClientPolicyRepresentation();
    clientRep.setName("to");
    clientRep.addClient(clientExchanger.getId());
    clientRep.addClient(legal.getId());
    clientRep.addClient(directLegal.getId());
    clientRep.addClient(noRefreshToken.getId());
    ResourceServer server = management.realmResourceServer();
    Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server);
    management.clients().exchangeToPermission(target).addAssociatedPolicy(clientPolicy);
    // permission for user impersonation for a client
    ClientPolicyRepresentation clientImpersonateRep = new ClientPolicyRepresentation();
    clientImpersonateRep.setName("clientImpersonators");
    clientImpersonateRep.addClient(directLegal.getId());
    clientImpersonateRep.addClient(directPublic.getId());
    clientImpersonateRep.addClient(directNoSecret.getId());
    server = management.realmResourceServer();
    Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server);
    management.users().setPermissionsEnabled(true);
    management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy);
    management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    UserModel user = session.users().addUser(realm, "user");
    user.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password("password"));
    user.grantRole(exampleRole);
    user.grantRole(impersonateRole);
    UserModel bad = session.users().addUser(realm, "bad-impersonator");
    bad.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, bad, UserCredentialModel.password("password"));
}
Also used : RealmModel(org.keycloak.models.RealmModel) Policy(org.keycloak.authorization.model.Policy) UserModel(org.keycloak.models.UserModel) ClientModel(org.keycloak.models.ClientModel) ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation) RoleModel(org.keycloak.models.RoleModel) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Example 37 with RoleModel

use of org.keycloak.models.RoleModel in project keycloak by keycloak.

the class ClientTokenExchangeTest method addDirectExchanger.

private static void addDirectExchanger(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    RoleModel exampleRole = realm.addRole("example");
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    ClientModel target = realm.addClient("target");
    target.setName("target");
    target.setClientId("target");
    target.setDirectAccessGrantsEnabled(true);
    target.setEnabled(true);
    target.setSecret("secret");
    target.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    target.setFullScopeAllowed(false);
    target.addScopeMapping(exampleRole);
    ClientModel directExchanger = realm.addClient("direct-exchanger");
    directExchanger.setName("direct-exchanger");
    directExchanger.setClientId("direct-exchanger");
    directExchanger.setPublicClient(false);
    directExchanger.setDirectAccessGrantsEnabled(true);
    directExchanger.setEnabled(true);
    directExchanger.setSecret("secret");
    directExchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    directExchanger.setFullScopeAllowed(false);
    // permission for client to client exchange to "target" client
    management.clients().setPermissionsEnabled(target, true);
    ClientPolicyRepresentation clientImpersonateRep = new ClientPolicyRepresentation();
    clientImpersonateRep.setName("clientImpersonatorsDirect");
    clientImpersonateRep.addClient(directExchanger.getId());
    ResourceServer server = management.realmResourceServer();
    Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server);
    management.users().setPermissionsEnabled(true);
    management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy);
    management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    UserModel impersonatedUser = session.users().addUser(realm, "impersonated-user");
    impersonatedUser.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, impersonatedUser, UserCredentialModel.password("password"));
    impersonatedUser.grantRole(exampleRole);
}
Also used : RealmModel(org.keycloak.models.RealmModel) Policy(org.keycloak.authorization.model.Policy) UserModel(org.keycloak.models.UserModel) ClientModel(org.keycloak.models.ClientModel) ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation) RoleModel(org.keycloak.models.RoleModel) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Example 38 with RoleModel

use of org.keycloak.models.RoleModel in project keycloak by keycloak.

the class UserModelTest method testGrantToAll.

@Test
@ModelTest
public void testGrantToAll(KeycloakSession session) throws Exception {
    KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession sesGrantToAll1) -> {
        KeycloakSession currentSession = sesGrantToAll1;
        RealmModel realm1 = currentSession.realms().getRealmByName("realm1");
        realm1.addRole("role1");
        currentSession.users().addUser(realm1, "user1");
        currentSession.users().addUser(realm1, "user2");
        RealmModel realm2 = currentSession.realms().getRealmByName("realm2");
        currentSession.users().addUser(realm2, "user1");
    });
    KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession sesGrantToAll2) -> {
        KeycloakSession currentSession = sesGrantToAll2;
        RealmModel realm1 = currentSession.realms().getRealmByName("realm1");
        RoleModel role1 = realm1.getRole("role1");
        currentSession.users().grantToAllUsers(realm1, role1);
    });
    KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession sesGrantToAll2) -> {
        KeycloakSession currentSession = sesGrantToAll2;
        RealmModel realm1 = currentSession.realms().getRealmByName("realm1");
        RoleModel role1 = realm1.getRole("role1");
        UserModel user1 = currentSession.users().getUserByUsername(realm1, "user1");
        UserModel user2 = currentSession.users().getUserByUsername(realm1, "user2");
        Assert.assertTrue(user1.hasRole(role1));
        Assert.assertTrue(user2.hasRole(role1));
        RealmModel realm2 = currentSession.realms().getRealmByName("realm2");
        UserModel realm2User1 = currentSession.users().getUserByUsername(realm2, "user1");
        Assert.assertFalse(realm2User1.hasRole(role1));
        currentSession.realms().removeRealm(realm1.getId());
        currentSession.realms().removeRealm(realm2.getId());
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) KeycloakSession(org.keycloak.models.KeycloakSession) RoleModel(org.keycloak.models.RoleModel) ModelTest(org.keycloak.testsuite.arquillian.annotation.ModelTest) ModelTest(org.keycloak.testsuite.arquillian.annotation.ModelTest) Test(org.junit.Test) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Example 39 with RoleModel

use of org.keycloak.models.RoleModel in project keycloak by keycloak.

the class CompositeRolesModelTest method testComposites.

@Test
@ModelTest
public void testComposites(KeycloakSession session) {
    KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (KeycloakSession session5) -> {
        RealmModel realm = session5.realms().getRealm("TestComposites");
        Set<RoleModel> requestedRoles = getRequestedRoles(realm.getClientByClientId("APP_COMPOSITE_APPLICATION"), session.users().getUserByUsername(realm, "APP_COMPOSITE_USER"));
        Assert.assertEquals(5, requestedRoles.size());
        assertContains(realm, "APP_COMPOSITE_APPLICATION", "APP_COMPOSITE_ROLE", requestedRoles);
        assertContains(realm, "APP_COMPOSITE_APPLICATION", "APP_COMPOSITE_CHILD", requestedRoles);
        assertContains(realm, "APP_COMPOSITE_APPLICATION", "APP_ROLE_2", requestedRoles);
        assertContains(realm, "APP_ROLE_APPLICATION", "APP_ROLE_1", requestedRoles);
        assertContains(realm, "realm", "REALM_ROLE_1", requestedRoles);
        Set<RoleModel> requestedRoles2 = getRequestedRoles(realm.getClientByClientId("APP_COMPOSITE_APPLICATION"), session5.users().getUserByUsername(realm, "REALM_APP_COMPOSITE_USER"));
        Assert.assertEquals(4, requestedRoles2.size());
        assertContains(realm, "APP_ROLE_APPLICATION", "APP_ROLE_1", requestedRoles2);
        requestedRoles = getRequestedRoles(realm.getClientByClientId("REALM_COMPOSITE_1_APPLICATION"), session5.users().getUserByUsername(realm, "REALM_COMPOSITE_1_USER"));
        Assert.assertEquals(1, requestedRoles.size());
        assertContains(realm, "realm", "REALM_COMPOSITE_1", requestedRoles);
        requestedRoles = getRequestedRoles(realm.getClientByClientId("REALM_COMPOSITE_2_APPLICATION"), session5.users().getUserByUsername(realm, "REALM_COMPOSITE_1_USER"));
        Assert.assertEquals(3, requestedRoles.size());
        assertContains(realm, "realm", "REALM_COMPOSITE_1", requestedRoles);
        assertContains(realm, "realm", "REALM_COMPOSITE_CHILD", requestedRoles);
        assertContains(realm, "realm", "REALM_ROLE_4", requestedRoles);
        requestedRoles = getRequestedRoles(realm.getClientByClientId("REALM_ROLE_1_APPLICATION"), session5.users().getUserByUsername(realm, "REALM_COMPOSITE_1_USER"));
        Assert.assertEquals(1, requestedRoles.size());
        assertContains(realm, "realm", "REALM_ROLE_1", requestedRoles);
        requestedRoles = getRequestedRoles(realm.getClientByClientId("REALM_COMPOSITE_1_APPLICATION"), session5.users().getUserByUsername(realm, "REALM_ROLE_1_USER"));
        Assert.assertEquals(1, requestedRoles.size());
        assertContains(realm, "realm", "REALM_ROLE_1", requestedRoles);
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) KeycloakSession(org.keycloak.models.KeycloakSession) RoleModel(org.keycloak.models.RoleModel) ModelTest(org.keycloak.testsuite.arquillian.annotation.ModelTest) ModelTest(org.keycloak.testsuite.arquillian.annotation.ModelTest) Test(org.junit.Test) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Example 40 with RoleModel

use of org.keycloak.models.RoleModel in project keycloak by keycloak.

the class CompositeRolesModelTest method assertContains.

private static void assertContains(RealmModel realm, String appName, String roleName, Set<RoleModel> requestedRoles) {
    RoleModel expectedRole = getRole(realm, appName, roleName);
    Assert.assertTrue(requestedRoles.contains(expectedRole));
    // Check if requestedRole has correct role container
    for (RoleModel role : requestedRoles) {
        if (role.equals(expectedRole)) {
            Assert.assertEquals(role.getContainer(), expectedRole.getContainer());
        }
    }
}
Also used : RoleModel(org.keycloak.models.RoleModel)

Aggregations

RoleModel (org.keycloak.models.RoleModel)153 ClientModel (org.keycloak.models.ClientModel)73 RealmModel (org.keycloak.models.RealmModel)69 UserModel (org.keycloak.models.UserModel)36 Path (javax.ws.rs.Path)29 Test (org.junit.Test)29 NotFoundException (javax.ws.rs.NotFoundException)25 NoCache (org.jboss.resteasy.annotations.cache.NoCache)20 KeycloakSession (org.keycloak.models.KeycloakSession)19 Consumes (javax.ws.rs.Consumes)17 List (java.util.List)16 GET (javax.ws.rs.GET)16 Produces (javax.ws.rs.Produces)16 RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)15 LinkedList (java.util.LinkedList)14 HashMap (java.util.HashMap)13 ArrayList (java.util.ArrayList)12 GroupModel (org.keycloak.models.GroupModel)12 RoleContainerModel (org.keycloak.models.RoleContainerModel)12 Policy (org.keycloak.authorization.model.Policy)11