Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class GroupPathPolicyTest, method testAllowParentAndChildren.
/**
 * Verifies that a group-path policy protecting "Resource A" grants a user who is
 * already covered by the configured group path (marta) and, after a second user
 * (kolo) joins a nested child group, grants that user too.
 *
 * NOTE(review): only the positive outcomes are asserted; kolo is never checked
 * before joining the group, so a policy that granted everyone would still pass.
 * The group membership added here is not undone; whether that leaks into sibling
 * tests depends on how the realm fixture is reset between tests — confirm in the base class.
 */
@Test
public void testAllowParentAndChildren() {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest("Resource A");

    // marta is expected to be granted as-is (presumably through the parent group — fixture-dependent).
    String martaTicket = authzClient.protection().permission().create(permissionRequest).getTicket();
    AuthorizationResponse martaResponse = authzClient.authorization("marta", "password")
            .authorize(new AuthorizationRequest(martaTicket));
    assertNotNull(martaResponse.getToken());

    // Put kolo into the deepest child of the configured path; the policy should then cover him as well.
    RealmResource realm = getRealm();
    GroupRepresentation childGroup = getGroup("/Group A/Group B/Group C");
    // get(0) assumes the search for "kolo" resolves to exactly the intended user — fixture-dependent.
    UserRepresentation kolo = realm.users().search("kolo").get(0);
    realm.users().get(kolo.getId()).joinGroup(childGroup.getId());

    // A new ticket is requested for kolo's attempt rather than reusing marta's.
    String koloTicket = authzClient.protection().permission().create(permissionRequest).getTicket();
    AuthorizationResponse koloResponse = authzClient.authorization("kolo", "password")
            .authorize(new AuthorizationRequest(koloTicket));
    assertNotNull(koloResponse.getToken());
}
Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class PermissionClaimTest, method testClaimsFromDifferentResourcePermissions.
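/**
 * Verifies how claims pushed by policies attached to different resource permissions
 * end up in the RPT:
 * <ul>
 *   <li>two permissions on the same resource contribute their claims (claim-a/claim-b and
 *       claim-c) to the single granted permission;</li>
 *   <li>adding a deny policy to one of those permissions makes the whole request fail closed
 *       with HTTP 403 / access_denied;</li>
 *   <li>an owner-scoped instance of the same resource type is denied until a permission targets
 *       it, after which the instance's own scopes (create/update) are granted and the deny
 *       policy's claim is also carried;</li>
 *   <li>removing the deny policy again yields two granted permissions.</li>
 * </ul>
 *
 * @throws Exception propagated from the admin and authz client calls
 */
@Test
public void testClaimsFromDifferentResourcePermissions() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();

    // A typed resource protected by two permissions: one pushing claim-a/claim-b, one pushing claim-c.
    ResourceRepresentation resourceA = new ResourceRepresentation(KeycloakModelUtils.generateId());
    resourceA.setType("typed-resource");
    authorization.resources().create(resourceA).close();

    ResourcePermissionRepresentation allScopesPermission = new ResourcePermissionRepresentation();
    allScopesPermission.setName(KeycloakModelUtils.generateId());
    allScopesPermission.addResource(resourceA.getName());
    allScopesPermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
    authorization.permissions().resource().create(allScopesPermission).close();

    ResourcePermissionRepresentation updatePermission = new ResourcePermissionRepresentation();
    updatePermission.setName(KeycloakModelUtils.generateId());
    updatePermission.addResource(resourceA.getName());
    updatePermission.addPolicy(claimCPolicy.getName());
    // Keep the server-side representation: its id is needed for the updates below.
    try (Response response = authorization.permissions().resource().create(updatePermission)) {
        updatePermission = response.readEntity(ResourcePermissionRepresentation.class);
    }

    AuthzClient authzClient = getAuthzClient();

    // Claims from both permissions are merged into the single granted permission.
    List<Permission> permissions = grantedPermissions(authzClient.authorization("marta", "password").authorize());
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        assertMergedClaims(permission, false);
    }

    // A deny policy on one of the permissions must fail the whole request closed (403 access_denied).
    updatePermission.addPolicy(denyPolicy.getName());
    authorization.permissions().resource().findById(updatePermission.getId()).update(updatePermission);
    assertAuthorizationDenied(() -> authzClient.authorization("marta", "password").authorize());

    // An instance of the same type owned by marta is not granted while no permission targets it...
    ResourceRepresentation resourceInstance = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
    resourceInstance.setType(resourceA.getType());
    resourceInstance.setOwner("marta");
    try (Response response1 = authorization.resources().create(resourceInstance)) {
        resourceInstance = response1.readEntity(ResourceRepresentation.class);
    }

    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "create", "update");
    assertAuthorizationDenied(() -> authzClient.authorization("marta", "password").authorize(request));

    // ...but once a permission is attached to the instance, the scoped request is granted
    // and the deny policy's claim is carried as well.
    ResourcePermissionRepresentation resourceInstancePermission = new ResourcePermissionRepresentation();
    resourceInstancePermission.setName(KeycloakModelUtils.generateId());
    resourceInstancePermission.addResource(resourceInstance.getId());
    resourceInstancePermission.addPolicy(claimCPolicy.getName());
    try (Response response1 = authorization.permissions().resource().create(resourceInstancePermission)) {
        resourceInstancePermission = response1.readEntity(ResourcePermissionRepresentation.class);
    }

    permissions = grantedPermissions(authzClient.authorization("marta", "password").authorize(request));
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        assertMergedClaims(permission, true);
    }

    // Same outcome without an explicit request; the granted scopes are the ones the instance was created with.
    permissions = grantedPermissions(authzClient.authorization("marta", "password").authorize());
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        assertMergedClaims(permission, true);
        assertThat(permission.getScopes(), Matchers.containsInAnyOrder("create", "update"));
    }

    // Dropping the deny policy again: two permissions are granted (presumably resourceA and the instance).
    updatePermission.setPolicies(new HashSet<>());
    updatePermission.addPolicy(claimCPolicy.getName());
    authorization.permissions().resource().findById(updatePermission.getId()).update(updatePermission);

    permissions = grantedPermissions(authzClient.authorization("marta", "password").authorize());
    assertEquals(2, permissions.size());
    for (Permission permission : permissions) {
        assertMergedClaims(permission, false);
    }
}

/**
 * Asserts that {@code response} carries an RPT and returns the permissions granted in it
 * as a mutable list.
 */
private List<Permission> grantedPermissions(AuthorizationResponse response) {
    assertNotNull(response.getToken());
    AccessToken rpt = toAccessToken(response.getToken());
    Authorization authorizationClaim = rpt.getAuthorization();
    return new ArrayList<>(authorizationClaim.getPermissions());
}

/**
 * Asserts the claims contributed by claimAPolicy, claimBPolicy and claimCPolicy on
 * {@code permission}; when {@code expectDenyPolicyClaim} is set, the deny policy's
 * claim must be present too.
 */
private void assertMergedClaims(Permission permission, boolean expectDenyPolicyClaim) {
    Map<String, Set<String>> claims = permission.getClaims();
    assertNotNull(claims);
    assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
    assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
    assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
    if (expectDenyPolicyClaim) {
        assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
    }
}

/**
 * Runs {@code authorize} and asserts that it is rejected with HTTP 403 / access_denied.
 * The cause is checked to be an HttpResponseException before it is cast, so an unexpected
 * failure mode reports a clear assertion instead of a ClassCastException or NPE.
 */
private void assertAuthorizationDenied(Runnable authorize) {
    try {
        authorize.run();
    } catch (RuntimeException expected) {
        Throwable cause = expected.getCause();
        assertThat(cause, Matchers.instanceOf(HttpResponseException.class));
        HttpResponseException httpError = HttpResponseException.class.cast(cause);
        assertEquals(403, httpError.getStatusCode());
        assertTrue(httpError.toString().contains("access_denied"));
        return;
    }
    // Reached only when authorize() returned normally, i.e. access was wrongly granted.
    fail("expected authorization to be denied, but a token was issued");
}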
Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class GroupNamePolicyTest, method testExactNameMatch.
/**
 * Verifies that a group-name policy on "Resource A" matches the group name exactly:
 * marta is granted, while kolo, alice and the client's own service account are all
 * rejected with AuthorizationDeniedException for the same ticket.
 */
@Test
public void testExactNameMatch() {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(permissionRequest).getTicket();

    // Positive case: marta belongs to the group the policy names (fixture-dependent).
    AuthorizationResponse granted = authzClient.authorization("marta", "password")
            .authorize(new AuthorizationRequest(ticket));
    assertNotNull(granted.getToken());

    // Negative cases: other users are denied; the same message is expected for both.
    for (String otherUser : new String[] {"kolo", "alice"}) {
        try {
            authzClient.authorization(otherUser, "password").authorize(new AuthorizationRequest(ticket));
            fail("Should fail because user is not granted with expected group");
        } catch (AuthorizationDeniedException ignored) {
            // expected: the policy's group does not match this user's groups
        }
    }

    // The service account (client-credentials token) has no matching group either.
    String serviceAccountToken = authzClient.obtainAccessToken().getToken();
    try {
        authzClient.authorization(serviceAccountToken).authorize(new AuthorizationRequest(ticket));
        fail("Should fail because service account is not granted with expected group");
    } catch (AuthorizationDeniedException ignored) {
        // expected
    }
}
Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class GroupNamePolicyTest, method testOnlyChildrenPolicy.
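/**
 * Verifies a group-name policy configured to match only children of the named group:
 * for "Resource B", alice is granted while kolo and marta are denied; "Resource C" is
 * then granted to kolo. Which user sits in which group comes from the realm fixture.
 *
 * Fixes: the unused {@code realm} local is dropped, and marta's failure message now
 * says "group" like the others (this is a group-name policy, not a role policy).
 *
 * @throws Exception propagated from the authz client calls
 */
@Test
public void testOnlyChildrenPolicy() throws Exception {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource B");
    String ticket = authzClient.protection().permission().create(request).getTicket();

    // kolo is presumably not in a child of the configured group.
    try {
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignored) {
        // expected
    }

    // alice is presumably in a child group and must be granted.
    AuthorizationResponse response = authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());

    // marta is presumably in the named group itself, which an only-children policy must not match.
    try {
        authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignored) {
        // expected
    }

    // A different resource with its own policy: kolo is granted here.
    request = new PermissionRequest("Resource C");
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}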
Use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
The class AuthorizationAPITest, method testResourceServerAsAudience.
/**
 * Verifies audience handling when the client that requests authorization is not the
 * resource server itself: the permission ticket names neither client as audience, and
 * the RPT issued for {@code clientId}'s access token is addressed to
 * {@code resourceServerClientId}.
 *
 * @param clientId client against which marta authenticates (password grant) before the RPT request
 * @param resourceServerClientId client id of the resource server that owns "Resource A"
 * @param authzConfigFile authz client configuration to use
 * @throws Exception on ticket decoding or client failures
 */
public void testResourceServerAsAudience(String clientId, String resourceServerClientId, String authzConfigFile) throws Exception {
    AuthzClient authzClient = getAuthzClient(authzConfigFile);

    // marta's access token is obtained from a client that is not the resource server.
    String martaAccessToken = new OAuthClient().realm("authz-test").clientId(clientId)
            .doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();

    PermissionRequest permissionRequest = new PermissionRequest();
    permissionRequest.setResourceId("Resource A");
    String ticket = authzClient.protection().permission().create(permissionRequest).getTicket();

    // The ticket is opaque to both clients; its audience is meant to be the authorization server
    // itself, which is only asserted negatively here (neither client id appears).
    JsonWebToken decodedTicket = JsonSerialization.readValue(new JWSInput(ticket).getContent(), JsonWebToken.class);
    Assert.assertFalse(decodedTicket.hasAudience(clientId));
    Assert.assertFalse(decodedTicket.hasAudience(resourceServerClientId));

    AuthorizationResponse response = authzClient.authorization(martaAccessToken)
            .authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());

    // The RPT must be addressed to the resource server, not to the requesting client.
    // NOTE(review): only the first audience entry is checked; extra entries would go unnoticed.
    AccessToken rpt = toAccessToken(response.getToken());
    assertEquals(resourceServerClientId, rpt.getAudience()[0]);
}