Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class EntitlementAPITest, method testPermissionsWithResourceAttributes.
@Test
public void testPermissionsWithResourceAttributes() throws Exception {
    // Admin-side handle on the authorization settings of the test resource server.
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authorization = client.authorization();
    // JS policy: when the evaluated permission carries a resource, deny if the resource's
    // "visibility" attribute is "private", otherwise grant. Two consequences worth keeping in
    // mind while reading the assertions below: a resource with no "visibility" attribute at all
    // is treated as public (absent attribute -> grant), and a permission without a resource gets
    // no decision from this policy (there is no else branch for the outer `if (resource)`).
    JSPolicyRepresentation onlyPublicResourcesPolicy = new JSPolicyRepresentation();
    onlyPublicResourcesPolicy.setName(KeycloakModelUtils.generateId());
    onlyPublicResourcesPolicy.setCode("var createPermission = $evaluation.getPermission();\n" + "var resource = createPermission.getResource();\n" + "\n" + "if (resource) {\n" + " var attributes = resource.getAttributes();\n" + " var visibility = attributes.get('visibility');\n" + " \n" + " if (visibility && \"private\".equals(visibility.get(0))) {\n" + " $evaluation.deny();\n" + " } else {\n" + " $evaluation.grant();\n" + " }\n" + "}");
    authorization.policies().js().create(onlyPublicResourcesPolicy).close();
    // Owner-only policy comes from a helper defined elsewhere in the class; presumably it grants
    // when the requesting user is the resource owner — confirm against createOnlyOwnerPolicy().
    JSPolicyRepresentation onlyOwnerPolicy = createOnlyOwnerPolicy();
    authorization.policies().js().create(onlyOwnerPolicy).close();
    // Resource of type "resource" with no attributes and no explicit owner (no setOwner call).
    ResourceRepresentation typedResource = new ResourceRepresentation();
    typedResource.setType("resource");
    typedResource.setName(KeycloakModelUtils.generateId());
    try (Response response = authorization.resources().create(typedResource)) {
        typedResource = response.readEntity(ResourceRepresentation.class);
    }
    // Second resource of the same type, owned by marta and flagged visibility=private.
    ResourceRepresentation userResource = new ResourceRepresentation();
    userResource.setName(KeycloakModelUtils.generateId());
    userResource.setType("resource");
    userResource.setOwner("marta");
    Map<String, List<String>> attributes = new HashMap<>();
    attributes.put("visibility", Arrays.asList("private"));
    userResource.setAttributes(attributes);
    try (Response response = authorization.resources().create(userResource)) {
        userResource = response.readEntity(ResourceRepresentation.class);
    }
    // Type-wide permission: every resource of type "resource" is governed by the public-only policy.
    ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
    typedResourcePermission.setName(KeycloakModelUtils.generateId());
    typedResourcePermission.setResourceType("resource");
    typedResourcePermission.addPolicy(onlyPublicResourcesPolicy.getName());
    try (Response response = authorization.permissions().resource().create(typedResourcePermission)) {
        typedResourcePermission = response.readEntity(ResourcePermissionRepresentation.class);
    }
    // marta can access any public resource
    // Ask for both resources; only the public typedResource is expected back, since
    // userResource is private and the owner policy is not attached yet.
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(typedResource.getId());
    request.addPermission(userResource.getId());
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    // toAccessToken is a helper from elsewhere in the test hierarchy that decodes the RPT.
    Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(typedResource.getName(), grantedPermission.getResourceName());
    }
    // Add the owner policy with AFFIRMATIVE strategy: a single granting policy is enough,
    // so marta now also gets her private userResource.
    typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
    typedResourcePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    authorization.permissions().resource().findById(typedResourcePermission.getId()).update(typedResourcePermission);
    response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(2, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertThat(Arrays.asList(typedResource.getName(), userResource.getName()), Matchers.hasItem(grantedPermission.getResourceName()));
    }
    // Mark typedResource private as well: the public-only policy now denies it, and marta is
    // not recorded as its owner, so only userResource survives.
    typedResource.setAttributes(attributes);
    authorization.resources().resource(typedResource.getId()).update(typedResource);
    response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertThat(userResource.getName(), Matchers.equalTo(grantedPermission.getResourceName()));
    }
    // Give both resources "create"/"read" scopes and add a scope permission for "create" that is
    // guarded by the public-only policy; userResource stays granted but "create" is withheld from it.
    userResource.addScope("create", "read");
    authorization.resources().resource(userResource.getId()).update(userResource);
    typedResource.addScope("create", "read");
    authorization.resources().resource(typedResource.getId()).update(typedResource);
    ScopePermissionRepresentation createPermission = new ScopePermissionRepresentation();
    createPermission.setName(KeycloakModelUtils.generateId());
    createPermission.addScope("create");
    createPermission.addPolicy(onlyPublicResourcesPolicy.getName());
    authorization.permissions().scope().create(createPermission).close();
    response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertThat(userResource.getName(), Matchers.equalTo(grantedPermission.getResourceName()));
        assertThat(grantedPermission.getScopes(), Matchers.not(Matchers.hasItem("create")));
    }
    // typedResource becomes public again (empty attribute map). authorize() with no request
    // asks for everything marta can access. NOTE(review): this loop only inspects the entries it
    // recognizes and does not assert that either resource is actually present, so an empty or
    // unrelated permission set would pass this section.
    typedResource.setAttributes(new HashMap<>());
    authorization.resources().resource(typedResource.getId()).update(typedResource);
    response = authzClient.authorization("marta", "password").authorize();
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    for (Permission grantedPermission : permissions) {
        if (grantedPermission.getResourceName().equals(userResource.getName())) {
            assertThat(grantedPermission.getScopes(), Matchers.not(Matchers.hasItem("create")));
        } else if (grantedPermission.getResourceName().equals(typedResource.getName())) {
            assertThat(grantedPermission.getScopes(), Matchers.containsInAnyOrder("create", "read"));
        }
    }
    // Same scope expectations with an explicit request naming both resources; the same caveat
    // about unasserted presence applies to this loop and the next.
    request = new AuthorizationRequest();
    request.addPermission(typedResource.getId());
    request.addPermission(userResource.getId());
    response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    for (Permission grantedPermission : permissions) {
        if (grantedPermission.getResourceName().equals(userResource.getName())) {
            assertThat(grantedPermission.getScopes(), Matchers.not(Matchers.hasItem("create")));
        } else if (grantedPermission.getResourceName().equals(typedResource.getName())) {
            assertThat(grantedPermission.getScopes(), Matchers.containsInAnyOrder("create", "read"));
        }
    }
    // Repeat with the resources listed in the opposite order — presumably to show the outcome
    // does not depend on request ordering.
    request = new AuthorizationRequest();
    request.addPermission(userResource.getId());
    request.addPermission(typedResource.getId());
    response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    for (Permission grantedPermission : permissions) {
        if (grantedPermission.getResourceName().equals(userResource.getName())) {
            assertThat(grantedPermission.getScopes(), Matchers.not(Matchers.hasItem("create")));
        } else if (grantedPermission.getResourceName().equals(typedResource.getName())) {
            assertThat(grantedPermission.getScopes(), Matchers.containsInAnyOrder("create", "read"));
        }
    }
}
Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class GroupPathPolicyTest, method testOnlyChildrenPolicy.
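@Test
public void testOnlyChildrenPolicy() throws Exception {
    RealmResource realm = getRealm();
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource B");
    // One permission ticket is obtained up front and replayed for every authorization attempt below.
    String ticket = authzClient.protection().permission().create(request).getTicket();

    // kolo is not yet a member of the required group path, so the ticket must not be exchanged for an RPT.
    assertTicketDenied(authzClient, ticket, "kolo");

    GroupRepresentation group = getGroup("/Group A/Group B/Group C");
    // Assumes the first search hit for "kolo" is the intended user — as in the original test.
    UserRepresentation user = realm.users().search("kolo").get(0);
    realm.users().get(user.getId()).joinGroup(group.getId());

    // Membership in the leaf group now satisfies the group-path policy.
    AuthorizationResponse response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());

    // marta was never added to the group, so the same ticket stays denied for her.
    assertTicketDenied(authzClient, ticket, "marta");
}

/**
 * Asserts that exchanging {@code ticket} as {@code username} is refused by the group policy.
 *
 * @param authzClient client used to perform the authorization request
 * @param ticket permission ticket to exchange
 * @param username test-realm user to authenticate as (all test users share the fixture password)
 */
private static void assertTicketDenied(AuthzClient authzClient, String ticket, String username) {
    try {
        authzClient.authorization(username, "password").authorize(new AuthorizationRequest(ticket));
        // The message names the actual condition under test: group membership, not a role grant.
        fail("Should fail because user " + username + " is not a member of the expected group");
    } catch (AuthorizationDeniedException expected) {
        // Expected: the policy denies users outside the configured group path.
    }
}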
Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class PermissionClaimTest, method testClaimsFromDifferentScopePermissions.
@Test
public void testClaimsFromDifferentScopePermissions() throws Exception {
    AuthorizationResource authorization = getClient(getRealm()).authorization();

    // Two resources that both expose the "create" and "update" scopes.
    ResourceRepresentation firstResource = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
    authorization.resources().create(firstResource).close();
    ResourceRepresentation secondResource = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
    authorization.resources().create(secondResource).close();

    // Permission over both scopes, backed by the claim-a and claim-b policies.
    ScopePermissionRepresentation bothScopesPermission = new ScopePermissionRepresentation();
    bothScopesPermission.setName(KeycloakModelUtils.generateId());
    bothScopesPermission.addScope("create", "update");
    bothScopesPermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
    authorization.permissions().scope().create(bothScopesPermission).close();

    // Permission over "update" only, backed by claim-c; re-read from the response so its id is known for the later update.
    ScopePermissionRepresentation updateOnlyPermission = new ScopePermissionRepresentation();
    updateOnlyPermission.setName(KeycloakModelUtils.generateId());
    updateOnlyPermission.addScope("update");
    updateOnlyPermission.addPolicy(claimCPolicy.getName());
    try (Response created = authorization.permissions().scope().create(updateOnlyPermission)) {
        updateOnlyPermission = created.readEntity(ScopePermissionRepresentation.class);
    }

    AuthzClient authzClient = getAuthzClient();
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "create", "update");

    // Claims from all three claim policies are expected on each granted permission.
    List<Permission> granted = grantedPermissionsForMarta(authzClient, request);
    assertEquals(2, granted.size());
    for (Permission permission : granted) {
        assertClaimsFromClaimPolicies(permission);
    }

    // Attaching the deny policy to the update-only permission adds its claim as well.
    updateOnlyPermission.addPolicy(denyPolicy.getName());
    authorization.permissions().scope().findById(updateOnlyPermission.getId()).update(updateOnlyPermission);

    granted = grantedPermissionsForMarta(authzClient, request);
    assertEquals(2, granted.size());
    for (Permission permission : granted) {
        Map<String, Set<String>> claims = assertClaimsFromClaimPolicies(permission);
        assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
    }
}

/**
 * Authorizes {@code request} as marta and returns the permissions carried by the resulting RPT.
 *
 * @param authzClient client used to perform the authorization request
 * @param request authorization request to send
 * @return a mutable copy of the granted permissions
 */
private List<Permission> grantedPermissionsForMarta(AuthzClient authzClient, AuthorizationRequest request) throws Exception {
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    AccessToken rpt = toAccessToken(response.getToken());
    Authorization authorizationClaim = rpt.getAuthorization();
    return new ArrayList<>(authorizationClaim.getPermissions());
}

/**
 * Checks the claims contributed by the claim-a, claim-b and claim-c policies on one permission.
 *
 * @param permission granted permission to inspect
 * @return the permission's claim map, for further assertions
 */
private static Map<String, Set<String>> assertClaimsFromClaimPolicies(Permission permission) {
    Map<String, Set<String>> claims = permission.getClaims();
    assertNotNull(claims);
    assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
    assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
    assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
    return claims;
}
Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class PermissionClaimTest, method testPermissionWithClaimsDifferentPolicies.
@Test
public void testPermissionWithClaimsDifferentPolicies() throws Exception {
    AuthorizationResource authorization = getClient(getRealm()).authorization();

    ResourceRepresentation resourceB = new ResourceRepresentation("Resource B");
    authorization.resources().create(resourceB).close();

    // One resource permission backed by two claim-producing policies.
    ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
    resourcePermission.setName(resourceB.getName() + " Permission");
    resourcePermission.addResource(resourceB.getName());
    resourcePermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
    authorization.permissions().resource().create(resourcePermission).close();

    PermissionRequest permissionRequest = new PermissionRequest();
    permissionRequest.setResourceId(resourceB.getName());

    // marta's access token comes from a password grant against the test client; client id and secret are test-realm fixtures.
    String martaToken = new OAuthClient().realm("authz-test").clientId("test-client").doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
    AuthzClient authzClient = getAuthzClient();
    String ticket = authzClient.protection().permission().forResource(permissionRequest).getTicket();

    AuthorizationResponse response = authzClient.authorization(martaToken).authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());

    Authorization authorizationClaim = toAccessToken(response.getToken()).getAuthorization();
    List<Permission> granted = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, granted.size());

    // Claims from both policies end up on the single granted permission.
    Map<String, Set<String>> claims = granted.get(0).getClaims();
    assertThat(claims, Matchers.hasKey("claim-a"));
    assertThat(claims, Matchers.hasKey("claim-b"));
}
Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class PermissionClaimTest, method testPermissionWithClaims.
@Test
public void testPermissionWithClaims() throws Exception {
    AuthorizationResource authorization = getClient(getRealm()).authorization();

    ResourceRepresentation resourceA = new ResourceRepresentation("Resource A");
    authorization.resources().create(resourceA).close();

    // Resource permission backed by the claim-a policy alone.
    ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
    resourcePermission.setName(resourceA.getName() + " Permission");
    resourcePermission.addResource(resourceA.getName());
    resourcePermission.addPolicy(claimAPolicy.getName());
    authorization.permissions().resource().create(resourcePermission).close();

    PermissionRequest permissionRequest = new PermissionRequest();
    permissionRequest.setResourceId(resourceA.getName());

    // marta's access token comes from a password grant against the test client; client id and secret are test-realm fixtures.
    String martaToken = new OAuthClient().realm("authz-test").clientId("test-client").doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
    AuthzClient authzClient = getAuthzClient();
    String ticket = authzClient.protection().permission().create(permissionRequest).getTicket();

    AuthorizationResponse response = authzClient.authorization(martaToken).authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());

    Authorization authorizationClaim = toAccessToken(response.getToken()).getAuthorization();
    List<Permission> granted = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, granted.size());

    // The claim-a policy contributes both of its values to the granted permission.
    Set<String> claimA = granted.get(0).getClaims().get("claim-a");
    assertThat(claimA, Matchers.hasItems("claim-a", "claim-a1"));
}