Examples with AuthorizationRequest org.keycloak.representations.idm.authorization.AuthorizationRequest used on opensource projects

Search in sources :

Example 1 with AuthorizationRequest

use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.

the class DecisionPermissionCollector method createPermission.

private Permission createPermission(Resource resource, Set<String> scopes, Map<String, Set<String>> claims, AuthorizationRequest request) {
    AuthorizationRequest.Metadata metadata = null;
    if (request != null) {
        metadata = request.getMetadata();
    }
    Permission permission;
    if (resource != null) {
        String resourceName = metadata == null || metadata.getIncludeResourceName() ? resource.getName() : null;
        permission = new Permission(resource.getId(), resourceName, scopes, claims);
    } else {
        permission = new Permission(null, null, scopes, claims);
    }
    onGrant(permission);
    return permission;
}
Also used : AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Permission(org.keycloak.representations.idm.authorization.Permission)

Example 2 with AuthorizationRequest

use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.

the class PolicyEnforcerClaimsTest method testEnforceUMAAccessWithClaimsUsingBearerToken.

@Test
public void testEnforceUMAAccessWithClaimsUsingBearerToken() {
    initAuthorizationSettings(getClientResource("resource-server-uma-test"));
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-uma-claims-test.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
    HashMap<String, List<String>> headers = new HashMap<>();
    HashMap<String, List<String>> parameters = new HashMap<>();
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    AuthzClient authzClient = getAuthzClient("enforcer-uma-claims-test.json");
    String token = authzClient.obtainAccessToken("marta", "password").getToken();
    headers.put("Authorization", Arrays.asList("Bearer " + token));
    AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
    assertFalse(context.isGranted());
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(extractTicket(headers));
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(request);
    token = response.getToken();
    assertNotNull(token);
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
    assertTrue(context.isGranted());
    parameters.put("withdrawal.amount", Arrays.asList("200"));
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
    assertFalse(context.isGranted());
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
    assertTrue(context.isGranted());
    parameters.put("withdrawal.amount", Arrays.asList("10"));
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
    request = new AuthorizationRequest();
    request.setTicket(extractTicket(headers));
    response = authzClient.authorization("marta", "password").authorize(request);
    token = response.getToken();
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
    assertTrue(context.isGranted());
    request = new AuthorizationRequest();
    request.setTicket(extractTicket(headers));
    response = authzClient.authorization("marta", "password").authorize(request);
    token = response.getToken();
    context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "GET", token, headers, parameters));
    assertTrue(context.isGranted());
    assertEquals(1, context.getPermissions().size());
    Permission permission = context.getPermissions().get(0);
    assertEquals(parameters.get("withdrawal.amount").get(0), permission.getClaims().get("withdrawal.amount").iterator().next());
}
Also used : AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) HashMap(java.util.HashMap) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) Permission(org.keycloak.representations.idm.authorization.Permission) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) List(java.util.List) AuthorizationContext(org.keycloak.AuthorizationContext) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 3 with AuthorizationRequest

use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.

the class PolicyEvaluationService method createPermissions.

private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) {
    return representation.getResources().stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
        StoreFactory storeFactory = authorization.getStoreFactory();
        if (resource == null) {
            resource = new ResourceRepresentation();
        }
        Set<ScopeRepresentation> givenScopes = resource.getScopes();
        if (givenScopes == null) {
            givenScopes = new HashSet<>();
        }
        ScopeStore scopeStore = storeFactory.getScopeStore();
        Set<Scope> scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(scopeRepresentation.getName(), resourceServer.getId())).collect(Collectors.toSet());
        if (resource.getId() != null) {
            Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId());
            return new ArrayList<>(Arrays.asList(Permissions.createResourcePermissions(resourceModel, resourceServer, scopes, authorization, request))).stream();
        } else if (resource.getType() != null) {
            return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, resourceServer, scopes, authorization, request));
        } else {
            if (scopes.isEmpty()) {
                return Stream.empty();
            }
            List<Resource> resources = storeFactory.getResourceStore().findByScope(scopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
            if (resources.isEmpty()) {
                return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer));
            }
            return resources.stream().map(resource12 -> Permissions.createResourcePermissions(resource12, resourceServer, scopes, authorization, request));
        }
    }).collect(Collectors.toList());
}
Also used : ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Arrays(java.util.Arrays) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Produces(javax.ws.rs.Produces) Permissions(org.keycloak.authorization.permission.Permissions) OAuthErrorException(org.keycloak.OAuthErrorException) Consumes(javax.ws.rs.Consumes) AuthenticationManager(org.keycloak.services.managers.AuthenticationManager) AccessToken(org.keycloak.representations.AccessToken) DecisionPermissionCollector(org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector) ErrorResponseException(org.keycloak.services.ErrorResponseException) Map(java.util.Map) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) AuthenticationSessionModel(org.keycloak.sessions.AuthenticationSessionModel) RealmModel(org.keycloak.models.RealmModel) PolicyEvaluationResponseBuilder(org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder) Collection(java.util.Collection) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) Set(java.util.Set) Collectors(java.util.stream.Collectors) KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity) List(java.util.List) ScopeStore(org.keycloak.authorization.store.ScopeStore) Stream(java.util.stream.Stream) Response(javax.ws.rs.core.Response) DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext) OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol) ClientModel(org.keycloak.models.ClientModel) Scope(org.keycloak.authorization.model.Scope) Attributes(org.keycloak.authorization.attribute.Attributes) Permission(org.keycloak.representations.idm.authorization.Permission) Logger(org.jboss.logging.Logger) StoreFactory(org.keycloak.authorization.store.StoreFactory) HashMap(java.util.HashMap) TokenManager(org.keycloak.protocol.oidc.TokenManager) Function(java.util.function.Function) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) PolicyEvaluationRequest(org.keycloak.representations.idm.authorization.PolicyEvaluationRequest) UserModel(org.keycloak.models.UserModel) ClientSessionContext(org.keycloak.models.ClientSessionContext) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) Status(javax.ws.rs.core.Response.Status) ResourceServer(org.keycloak.authorization.model.ResourceServer) POST(javax.ws.rs.POST) AdminPermissionEvaluator(org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator) KeycloakSession(org.keycloak.models.KeycloakSession) UserSessionModel(org.keycloak.models.UserSessionModel) EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext) Result(org.keycloak.authorization.policy.evaluation.Result) Urls(org.keycloak.services.Urls) Collections(java.util.Collections) Resource(org.keycloak.authorization.model.Resource) Resource(org.keycloak.authorization.model.Resource) ScopeStore(org.keycloak.authorization.store.ScopeStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Function(java.util.function.Function) Scope(org.keycloak.authorization.model.Scope) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) List(java.util.List) ArrayList(java.util.ArrayList) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)

Example 4 with AuthorizationRequest

use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.

the class EntitlementAPITest method testObtainAllEntitlementsWithLimit.

@Test
public void testObtainAllEntitlementsWithLimit() throws Exception {
    org.keycloak.authorization.client.resource.AuthorizationResource authorizationResource = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization("marta", "password");
    AuthorizationResponse response = authorizationResource.authorize();
    AccessToken accessToken = toAccessToken(response.getToken());
    Authorization authorization = accessToken.getAuthorization();
    assertTrue(authorization.getPermissions().size() >= 20);
    AuthorizationRequest request = new AuthorizationRequest();
    Metadata metadata = new Metadata();
    metadata.setLimit(10);
    request.setMetadata(metadata);
    response = authorizationResource.authorize(request);
    accessToken = toAccessToken(response.getToken());
    authorization = accessToken.getAuthorization();
    assertEquals(10, authorization.getPermissions().size());
    metadata.setLimit(1);
    request.setMetadata(metadata);
    response = authorizationResource.authorize(request);
    accessToken = toAccessToken(response.getToken());
    authorization = accessToken.getAuthorization();
    assertEquals(1, authorization.getPermissions().size());
}
Also used : Authorization(org.keycloak.representations.AccessToken.Authorization) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) AccessToken(org.keycloak.representations.AccessToken) Metadata(org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 5 with AuthorizationRequest

use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.

the class EntitlementAPITest method testObtainAllEntitlementsForResourceWithResourcePermission.

@Test
public void testObtainAllEntitlementsForResourceWithResourcePermission() throws Exception {
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authorization = client.authorization();
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName(KeycloakModelUtils.generateId());
    policy.setCode("$evaluation.grant();");
    authorization.policies().js().create(policy).close();
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(KeycloakModelUtils.generateId());
    resource.addScope("scope:view", "scope:update", "scope:delete");
    try (Response response = authorization.resources().create(resource)) {
        resource = response.readEntity(ResourceRepresentation.class);
    }
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(KeycloakModelUtils.generateId());
    permission.addResource(resource.getId());
    permission.addPolicy(policy.getName());
    authorization.permissions().resource().create(permission).close();
    String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "scope:view", "scope:update", "scope:delete");
    AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(resource.getId(), grantedPermission.getResourceId());
        assertEquals(3, grantedPermission.getScopes().size());
        assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view")));
    }
    resource.setScopes(new HashSet<>());
    resource.addScope("scope:view", "scope:update");
    authorization.resources().resource(resource.getId()).update(resource);
    request = new AuthorizationRequest();
    request.addPermission(null, "scope:view", "scope:update", "scope:delete");
    response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(resource.getId(), grantedPermission.getResourceId());
        assertEquals(2, grantedPermission.getScopes().size());
        assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
    }
    request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "scope:view", "scope:update", "scope:delete");
    response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(resource.getId(), grantedPermission.getResourceId());
        assertEquals(2, grantedPermission.getScopes().size());
        assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
    }
}
Also used : AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) OAuthClient(org.keycloak.testsuite.util.OAuthClient) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Response(javax.ws.rs.core.Response) TokenIntrospectionResponse(org.keycloak.authorization.client.representation.TokenIntrospectionResponse) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) AuthzClient(org.keycloak.authorization.client.AuthzClient) Permission(org.keycloak.representations.idm.authorization.Permission) ClientResource(org.keycloak.admin.client.resource.ClientResource) Test(org.junit.Test)

Aggregations

AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)74 Test (org.junit.Test)61 AuthzClient (org.keycloak.authorization.client.AuthzClient)50 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)46 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)44 PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest)31 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)30 HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)28 Permission (org.keycloak.representations.idm.authorization.Permission)28 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)25 ClientResource (org.keycloak.admin.client.resource.ClientResource)24 OAuthClient (org.keycloak.testsuite.util.OAuthClient)24 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)20 Response (javax.ws.rs.core.Response)19 AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException)18 AccessToken (org.keycloak.representations.AccessToken)18 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)18 TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse)16 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)16 ArrayList (java.util.ArrayList)15
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial