use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class PolicyEnforcerClaimsTest method testEnforceUMAAccessWithClaimsUsingBearerToken.
@Test
public void testEnforceUMAAccessWithClaimsUsingBearerToken() {
initAuthorizationSettings(getClientResource("resource-server-uma-test"));
KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-uma-claims-test.json"));
PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();
HashMap<String, List<String>> headers = new HashMap<>();
HashMap<String, List<String>> parameters = new HashMap<>();
parameters.put("withdrawal.amount", Arrays.asList("50"));
AuthzClient authzClient = getAuthzClient("enforcer-uma-claims-test.json");
String token = authzClient.obtainAccessToken("marta", "password").getToken();
headers.put("Authorization", Arrays.asList("Bearer " + token));
AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
assertFalse(context.isGranted());
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(extractTicket(headers));
AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(request);
token = response.getToken();
assertNotNull(token);
context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
assertTrue(context.isGranted());
parameters.put("withdrawal.amount", Arrays.asList("200"));
context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
assertFalse(context.isGranted());
parameters.put("withdrawal.amount", Arrays.asList("50"));
context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
assertTrue(context.isGranted());
parameters.put("withdrawal.amount", Arrays.asList("10"));
context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
request = new AuthorizationRequest();
request.setTicket(extractTicket(headers));
response = authzClient.authorization("marta", "password").authorize(request);
token = response.getToken();
context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "POST", token, headers, parameters));
assertTrue(context.isGranted());
request = new AuthorizationRequest();
request.setTicket(extractTicket(headers));
response = authzClient.authorization("marta", "password").authorize(request);
token = response.getToken();
context = policyEnforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", "GET", token, headers, parameters));
assertTrue(context.isGranted());
assertEquals(1, context.getPermissions().size());
Permission permission = context.getPermissions().get(0);
assertEquals(parameters.get("withdrawal.amount").get(0), permission.getClaims().get("withdrawal.amount").iterator().next());
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsWithLimit.
@Test
public void testObtainAllEntitlementsWithLimit() throws Exception {
org.keycloak.authorization.client.resource.AuthorizationResource authorizationResource = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization("marta", "password");
AuthorizationResponse response = authorizationResource.authorize();
AccessToken accessToken = toAccessToken(response.getToken());
Authorization authorization = accessToken.getAuthorization();
assertTrue(authorization.getPermissions().size() >= 20);
AuthorizationRequest request = new AuthorizationRequest();
Metadata metadata = new Metadata();
metadata.setLimit(10);
request.setMetadata(metadata);
response = authorizationResource.authorize(request);
accessToken = toAccessToken(response.getToken());
authorization = accessToken.getAuthorization();
assertEquals(10, authorization.getPermissions().size());
metadata.setLimit(1);
request.setMetadata(metadata);
response = authorizationResource.authorize(request);
accessToken = toAccessToken(response.getToken());
authorization = accessToken.getAuthorization();
assertEquals(1, authorization.getPermissions().size());
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsForResourceWithResourcePermission.
@Test
public void testObtainAllEntitlementsForResourceWithResourcePermission() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("scope:view", "scope:update", "scope:delete");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addResource(resource.getId());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "scope:view", "scope:update", "scope:delete");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(3, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view")));
}
resource.setScopes(new HashSet<>());
resource.addScope("scope:view", "scope:update");
authorization.resources().resource(resource.getId()).update(resource);
request = new AuthorizationRequest();
request.addPermission(null, "scope:view", "scope:update", "scope:delete");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
}
request = new AuthorizationRequest();
request.addPermission(resource.getId(), "scope:view", "scope:update", "scope:delete");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
}
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class EntitlementAPITest method testResourceServerAsAudience.
private void testResourceServerAsAudience(String testClientId, String resourceServerClientId, String configFile) throws Exception {
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission("Resource 1");
String accessToken = new OAuthClient().realm("authz-test").clientId(testClientId).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
AuthorizationResponse response = getAuthzClient(configFile).authorization(accessToken).authorize(request);
AccessToken rpt = toAccessToken(response.getToken());
assertEquals(resourceServerClientId, rpt.getAudience()[0]);
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class EntitlementAPITest method testPermissionOrder.
@Test
public void testPermissionOrder() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("my_resource");
resource.addScope("entity:read");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ScopeRepresentation featureAccessScope = new ScopeRepresentation("feature:access");
authorization.scopes().create(featureAccessScope);
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addPolicy(policy.getName());
permission.addResource(resource.getId());
authorization.permissions().resource().create(permission).close();
ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
scopePermission.setName(KeycloakModelUtils.generateId());
scopePermission.addPolicy(policy.getName());
scopePermission.addScope(featureAccessScope.getName());
authorization.permissions().scope().create(scopePermission).close();
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "entity:read");
request.addPermission(null, "feature:access");
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationResponse response = authzClient.authorization().authorize(request);
AccessToken token = toAccessToken(response.getToken());
Authorization result = token.getAuthorization();
assertEquals(2, result.getPermissions().size());
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() == null && p.getScopes().contains(featureAccessScope.getName())));
String resourceId = resource.getId();
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() != null && p.getResourceId().equals(resourceId) && p.getScopes().contains("entity:read")));
request = new AuthorizationRequest();
request.addPermission(null, "feature:access");
request.addPermission(null, "entity:read");
response = authzClient.authorization().authorize(request);
token = toAccessToken(response.getToken());
result = token.getAuthorization();
assertEquals(2, result.getPermissions().size());
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() == null && p.getScopes().contains(featureAccessScope.getName())));
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() != null && p.getResourceId().equals(resourceId) && p.getScopes().contains("entity:read")));
}
Aggregations