use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.
the class EntitlementAPITest method testInvalidRequestWithClaimsFromPublicClient.
@Test
public void testInvalidRequestWithClaimsFromPublicClient() throws IOException {
oauth.realm("authz-test");
oauth.clientId(PUBLIC_TEST_CLIENT);
oauth.doLogin("marta", "password");
// Token request
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission("Resource 13");
HashMap<Object, Object> obj = new HashMap<>();
obj.put("claim-a", "claim-a");
request.setClaimToken(Base64Url.encode(JsonSerialization.writeValueAsBytes(obj)));
this.expectedException.expect(AuthorizationDeniedException.class);
this.expectedException.expectCause(Matchers.allOf(Matchers.instanceOf(HttpResponseException.class), Matchers.hasProperty("statusCode", Matchers.is(403))));
this.expectedException.expectMessage("Public clients are not allowed to send claims");
this.expectedException.reportMissingExceptionWithMessage("Should fail, public clients not allowed");
getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(response.getAccessToken()).authorize(request);
}
use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.
the class EntitlementAPITest method testPermissionsAcrossResourceServers.
@Test
public void testPermissionsAcrossResourceServers() throws Exception {
String rsAId;
try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-a").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) {
rsAId = ApiUtil.getCreatedId(response);
}
String rsBId;
try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-b").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) {
rsBId = ApiUtil.getCreatedId(response);
}
ClientResource rsB = getRealm().clients().get(rsBId);
rsB.authorization().resources().create(new ResourceRepresentation("Resource A"));
JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
grantPolicy.setName("Grant Policy");
grantPolicy.setCode("$evaluation.grant();");
rsB.authorization().policies().js().create(grantPolicy);
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName("Resource A Permission");
permission.addResource("Resource A");
permission.addPolicy(grantPolicy.getName());
rsB.authorization().permissions().resource().create(permission);
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
Configuration config = authzClient.getConfiguration();
config.setResource("rs-a");
authzClient = AuthzClient.create(config);
AccessTokenResponse accessTokenResponse = authzClient.obtainAccessToken();
AccessToken accessToken = toAccessToken(accessTokenResponse.getToken());
config.setResource("rs-b");
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission("Resource A");
AuthorizationResponse response = authzClient.authorization(accessTokenResponse.getToken()).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
assertEquals("Resource A", permissions.iterator().next().getResourceName());
}
use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsForScopeWithDeny.
@Test
public void testObtainAllEntitlementsForScopeWithDeny() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
authorization.scopes().create(new ScopeRepresentation("sensors:view")).close();
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "sensors:view");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertNull(grantedPermission.getResourceId());
assertEquals(1, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("sensors:view")));
}
}
use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.
the class EntitlementAPITest method testOverridePermission.
@Test
public void testOverridePermission() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation onlyOwnerPolicy = createOnlyOwnerPolicy();
authorization.policies().js().create(onlyOwnerPolicy).close();
ResourceRepresentation typedResource = new ResourceRepresentation();
typedResource.setType("resource");
typedResource.setName(KeycloakModelUtils.generateId());
typedResource.addScope("read", "update");
try (Response response = authorization.resources().create(typedResource)) {
typedResource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
typedResourcePermission.setName(KeycloakModelUtils.generateId());
typedResourcePermission.setResourceType("resource");
typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
try (Response response = authorization.permissions().resource().create(typedResourcePermission)) {
typedResourcePermission = response.readEntity(ResourcePermissionRepresentation.class);
}
ResourceRepresentation martaResource = new ResourceRepresentation();
martaResource.setType("resource");
martaResource.setName(KeycloakModelUtils.generateId());
martaResource.addScope("read", "update");
martaResource.setOwner("marta");
try (Response response = authorization.resources().create(martaResource)) {
martaResource = response.readEntity(ResourceRepresentation.class);
}
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(martaResource.getName());
// marta can access her resource
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
request = new AuthorizationRequest();
request.addPermission(martaResource.getId());
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
UserPolicyRepresentation onlyKoloPolicy = new UserPolicyRepresentation();
onlyKoloPolicy.setName(KeycloakModelUtils.generateId());
onlyKoloPolicy.addUser("kolo");
authorization.policies().user().create(onlyKoloPolicy).close();
ResourcePermissionRepresentation martaResourcePermission = new ResourcePermissionRepresentation();
martaResourcePermission.setName(KeycloakModelUtils.generateId());
martaResourcePermission.addResource(martaResource.getId());
martaResourcePermission.addPolicy(onlyKoloPolicy.getName());
try (Response response1 = authorization.permissions().resource().create(martaResourcePermission)) {
martaResourcePermission = response1.readEntity(ResourcePermissionRepresentation.class);
}
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
typedResourcePermission.setResourceType(null);
typedResourcePermission.addResource(typedResource.getName());
authorization.permissions().resource().findById(typedResourcePermission.getId()).update(typedResourcePermission);
// now kolo can access marta's resources, last permission is overriding policies from typed resource
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
}
ScopePermissionRepresentation martaResourceUpdatePermission = new ScopePermissionRepresentation();
martaResourceUpdatePermission.setName(KeycloakModelUtils.generateId());
martaResourceUpdatePermission.addResource(martaResource.getId());
martaResourceUpdatePermission.addScope("update");
martaResourceUpdatePermission.addPolicy(onlyOwnerPolicy.getName());
try (Response response1 = authorization.permissions().scope().create(martaResourceUpdatePermission)) {
martaResourceUpdatePermission = response1.readEntity(ScopePermissionRepresentation.class);
}
// now kolo can only read, but not update
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(1, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("read"));
}
authorization.permissions().resource().findById(martaResourcePermission.getId()).remove();
try {
// after removing permission to marta resource, kolo can not access any scope in the resource
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
martaResourceUpdatePermission.addPolicy(onlyKoloPolicy.getName());
martaResourceUpdatePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).update(martaResourceUpdatePermission);
// now kolo can access because update permission changed to allow him to access the resource using an affirmative strategy
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(1, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("update"));
}
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
// marta can still access her resource
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(martaResource.getName(), grantedPermission.getResourceName());
Set<String> scopes = grantedPermission.getScopes();
assertEquals(2, scopes.size());
assertThat(scopes, Matchers.containsInAnyOrder("update", "read"));
}
authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).remove();
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
try {
// back to original setup, permissions not granted by the type resource
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access marta resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
}
use of org.keycloak.representations.idm.authorization.AuthorizationRequest in project keycloak by keycloak.
the class EntitlementAPITest method hasPermission.
private boolean hasPermission(String userName, String password, String resourceId, String... scopeIds) throws Exception {
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", userName, password).getAccessToken();
AuthorizationResponse response = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(accessToken).authorize(new AuthorizationRequest());
AccessToken rpt = toAccessToken(response.getToken());
Authorization authz = rpt.getAuthorization();
Collection<Permission> permissions = authz.getPermissions();
assertNotNull(permissions);
assertFalse(permissions.isEmpty());
for (Permission grantedPermission : permissions) {
if (grantedPermission.getResourceId().equals(resourceId)) {
return scopeIds == null || scopeIds.length == 0 || grantedPermission.getScopes().containsAll(Arrays.asList(scopeIds));
}
}
return false;
}
Aggregations