Search in sources :

Example 11 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class GroupPathPolicyTest method testAllowParentAndChildren.

@Test
public void testAllowParentAndChildren() {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    RealmResource realm = getRealm();
    GroupRepresentation group = getGroup("/Group A/Group B/Group C");
    UserRepresentation user = realm.users().search("kolo").get(0);
    realm.users().get(user.getId()).joinGroup(group.getId());
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) GroupRepresentation(org.keycloak.representations.idm.GroupRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 12 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class PermissionClaimTest method testClaimsFromDifferentResourcePermissions.

@Test
public void testClaimsFromDifferentResourcePermissions() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceRepresentation resourceA = new ResourceRepresentation(KeycloakModelUtils.generateId());
    resourceA.setType("typed-resource");
    authorization.resources().create(resourceA).close();
    ResourcePermissionRepresentation allScopesPermission = new ResourcePermissionRepresentation();
    allScopesPermission.setName(KeycloakModelUtils.generateId());
    allScopesPermission.addResource(resourceA.getName());
    allScopesPermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
    authorization.permissions().resource().create(allScopesPermission).close();
    ResourcePermissionRepresentation updatePermission = new ResourcePermissionRepresentation();
    updatePermission.setName(KeycloakModelUtils.generateId());
    updatePermission.addResource(resourceA.getName());
    updatePermission.addPolicy(claimCPolicy.getName());
    try (Response response = authorization.permissions().resource().create(updatePermission)) {
        updatePermission = response.readEntity(ResourcePermissionRepresentation.class);
    }
    AuthzClient authzClient = getAuthzClient();
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize();
    assertNotNull(response.getToken());
    AccessToken rpt = toAccessToken(response.getToken());
    Authorization authorizationClaim = rpt.getAuthorization();
    List<Permission> permissions = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertNotNull(claims);
        assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
    }
    updatePermission.addPolicy(denyPolicy.getName());
    authorization.permissions().resource().findById(updatePermission.getId()).update(updatePermission);
    try {
        authzClient.authorization("marta", "password").authorize();
        fail("can not access resource");
    } catch (RuntimeException expected) {
        assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
        assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
    }
    ResourceRepresentation resourceInstance = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
    resourceInstance.setType(resourceA.getType());
    resourceInstance.setOwner("marta");
    try (Response response1 = authorization.resources().create(resourceInstance)) {
        resourceInstance = response1.readEntity(ResourceRepresentation.class);
    }
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "create", "update");
    try {
        authzClient.authorization("marta", "password").authorize(request);
        fail("can not access resource");
    } catch (RuntimeException expected) {
        assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
        assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
    }
    ResourcePermissionRepresentation resourceInstancePermission = new ResourcePermissionRepresentation();
    resourceInstancePermission.setName(KeycloakModelUtils.generateId());
    resourceInstancePermission.addResource(resourceInstance.getId());
    resourceInstancePermission.addPolicy(claimCPolicy.getName());
    try (Response response1 = authorization.permissions().resource().create(resourceInstancePermission)) {
        resourceInstancePermission = response1.readEntity(ResourcePermissionRepresentation.class);
    }
    response = authzClient.authorization("marta", "password").authorize(request);
    assertNotNull(response.getToken());
    rpt = toAccessToken(response.getToken());
    authorizationClaim = rpt.getAuthorization();
    permissions = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertNotNull(claims);
        assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
        assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
    }
    response = authzClient.authorization("marta", "password").authorize();
    assertNotNull(response.getToken());
    rpt = toAccessToken(response.getToken());
    authorizationClaim = rpt.getAuthorization();
    permissions = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(1, permissions.size());
    for (Permission permission : permissions) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertNotNull(claims);
        assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
        assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
        assertThat(permission.getScopes(), Matchers.containsInAnyOrder("create", "update"));
    }
    updatePermission.setPolicies(new HashSet<>());
    updatePermission.addPolicy(claimCPolicy.getName());
    authorization.permissions().resource().findById(updatePermission.getId()).update(updatePermission);
    response = authzClient.authorization("marta", "password").authorize();
    assertNotNull(response.getToken());
    rpt = toAccessToken(response.getToken());
    authorizationClaim = rpt.getAuthorization();
    permissions = new ArrayList<>(authorizationClaim.getPermissions());
    assertEquals(2, permissions.size());
    for (Permission permission : permissions) {
        Map<String, Set<String>> claims = permission.getClaims();
        assertNotNull(claims);
        assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
    }
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) ArrayList(java.util.ArrayList) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Response(javax.ws.rs.core.Response) Authorization(org.keycloak.representations.AccessToken.Authorization) AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) ClientResource(org.keycloak.admin.client.resource.ClientResource) Test(org.junit.Test)

Example 13 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class GroupNamePolicyTest method testExactNameMatch.

@Test
public void testExactNameMatch() {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    try {
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
    try {
        authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
    try {
        authzClient.authorization(authzClient.obtainAccessToken().getToken()).authorize(new AuthorizationRequest(ticket));
        fail("Should fail because service account is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 14 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class GroupNamePolicyTest method testOnlyChildrenPolicy.

@Test
public void testOnlyChildrenPolicy() throws Exception {
    RealmResource realm = getRealm();
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource B");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    try {
        authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected group");
    } catch (AuthorizationDeniedException ignore) {
    }
    AuthorizationResponse response = authzClient.authorization("alice", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    try {
        authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException ignore) {
    }
    request = new PermissionRequest("Resource C");
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) RealmResource(org.keycloak.admin.client.resource.RealmResource) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 15 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class AuthorizationAPITest method testResourceServerAsAudience.

public void testResourceServerAsAudience(String clientId, String resourceServerClientId, String authzConfigFile) throws Exception {
    AuthzClient authzClient = getAuthzClient(authzConfigFile);
    PermissionRequest request = new PermissionRequest();
    request.setResourceId("Resource A");
    String accessToken = new OAuthClient().realm("authz-test").clientId(clientId).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
    String ticket = authzClient.protection().permission().create(request).getTicket();
    // Ticket is opaque to client or resourceServer. The audience should be just an authorization server itself
    JsonWebToken ticketDecoded = JsonSerialization.readValue(new JWSInput(ticket).getContent(), JsonWebToken.class);
    Assert.assertFalse(ticketDecoded.hasAudience(clientId));
    Assert.assertFalse(ticketDecoded.hasAudience(resourceServerClientId));
    AuthorizationResponse response = authzClient.authorization(accessToken).authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    AccessToken rpt = toAccessToken(response.getToken());
    assertEquals(resourceServerClientId, rpt.getAudience()[0]);
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) OAuthClient(org.keycloak.testsuite.util.OAuthClient) AccessToken(org.keycloak.representations.AccessToken) JWSInput(org.keycloak.jose.jws.JWSInput) JsonWebToken(org.keycloak.representations.JsonWebToken) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)

Aggregations

AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)69 Test (org.junit.Test)58 AccessToken (org.keycloak.representations.AccessToken)43 Permission (org.keycloak.representations.idm.authorization.Permission)43 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)41 AuthzClient (org.keycloak.authorization.client.AuthzClient)35 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)30 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)22 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)20 ClientResource (org.keycloak.admin.client.resource.ClientResource)20 PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest)20 AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException)19 OAuthClient (org.keycloak.testsuite.util.OAuthClient)17 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)15 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)14 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)14 ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)14 Response (javax.ws.rs.core.Response)13 TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse)12 ArrayList (java.util.ArrayList)11