use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class UserManagedAccessTest method testUserGrantsAccessToResourceWithoutScopes.
@Test
public void testUserGrantsAccessToResourceWithoutScopes() throws Exception {
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resource = addResource("Resource A", "marta", true);
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getId());
permission.addPolicy("Only Owner Policy");
getClient(getRealm()).authorization().permissions().resource().create(permission).close();
AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] {});
String rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A");
assertTrue(permissions.isEmpty());
try {
response = authorize("kolo", "password", resource.getId(), new String[] {});
fail("User should have access to resource from another user");
} catch (AuthorizationDeniedException ade) {
}
PermissionResource permissionResource = getAuthzClient().protection().permission();
List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(1, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertFalse(ticket.isGranted());
ticket.setGranted(true);
permissionResource.update(ticket);
}
permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(1, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertTrue(ticket.isGranted());
}
response = authorize("kolo", "password", resource.getId(), new String[] {});
rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
accessToken = toAccessToken(rpt);
authorization = accessToken.getAuthorization();
assertNotNull(authorization);
permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, resource.getName());
assertTrue(permissions.isEmpty());
response = authorize("kolo", "password", resource.getId(), new String[] {});
rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
accessToken = toAccessToken(rpt);
authorization = accessToken.getAuthorization();
assertNotNull(authorization);
permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, resource.getName());
assertTrue(permissions.isEmpty());
permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(1, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertTrue(ticket.isGranted());
}
for (PermissionTicketRepresentation ticket : permissionTickets) {
permissionResource.delete(ticket.getId());
}
permissionTickets = permissionResource.findByResource(resource.getId());
assertEquals(0, permissionTickets.size());
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class RegexPolicyTest method testWithExpectedUserAttribute.
@Test
public void testWithExpectedUserAttribute() {
// Access Resource A with marta.
AuthzClient authzClient = getAuthzClient();
PermissionRequest request = new PermissionRequest("Resource A");
String ticket = authzClient.protection().permission().create(request).getTicket();
AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
// Access Resource B with marta.
request = new PermissionRequest("Resource B");
ticket = authzClient.protection().permission().create(request).getTicket();
response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class UmaPermissionTicketPushedClaimsTest method testEvaluatePermissionsWithPushedClaims.
@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
ResourceRepresentation resource = addResource("Bank Account", "withdraw");
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Withdraw Limit Policy");
StringBuilder code = new StringBuilder();
code.append("var context = $evaluation.getContext();");
code.append("var attributes = context.getAttributes();");
code.append("var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');");
code.append("if (withdrawValue && withdrawValue.asDouble(0) <= 100) {");
code.append(" $evaluation.grant();");
code.append("}");
policy.setCode(code.toString());
AuthorizationResource authorization = getClient(getRealm()).authorization();
authorization.policies().js().create(policy).close();
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
representation.setName("Withdraw Permission");
representation.addScope("withdraw");
representation.addPolicy(policy.getName());
authorization.permissions().scope().create(representation).close();
AuthzClient authzClient = getAuthzClient();
PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
permissionRequest.addScope("withdraw");
permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
AuthorizationResponse authorizationResponse = authzClient.authorization().authorize(request);
assertNotNull(authorizationResponse);
assertNotNull(authorizationResponse.getToken());
AccessToken token = toAccessToken(authorizationResponse.getToken());
Collection<Permission> permissions = token.getAuthorization().getPermissions();
assertEquals(1, permissions.size());
Permission permission = permissions.iterator().next();
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));
permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
response = authzClient.protection("marta", "password").permission().create(permissionRequest);
request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
try {
authorizationResponse = authzClient.authorization().authorize(request);
fail("Access should be denied");
} catch (Exception ignore) {
}
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class UserManagedPermissionServiceTest method testDoNotGrantPermissionWhenObtainAllEntitlements.
@Test
public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);
resource.setOwner("marta");
resource.addScope("Scope A", "Scope B", "Scope C");
resource = getAuthzClient().protection().resource().create(resource);
UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
permission.setName("Custom User-Managed Permission");
permission.addScope("Scope A", "Scope B");
permission.addUser("kolo");
ProtectionResource protection = getAuthzClient().protection("marta", "password");
protection.policy(resource.getId()).create(permission);
AuthorizationResource authorization = getAuthzClient().authorization("kolo", "password");
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resource.getId(), "Scope A", "Scope B");
AuthorizationResponse authzResponse = authorization.authorize(request);
assertNotNull(authzResponse);
AccessToken token = toAccessToken(authzResponse.getToken());
assertNotNull(token.getAuthorization());
Collection<Permission> permissions = token.getAuthorization().getPermissions();
assertEquals(1, permissions.size());
assertTrue(permissions.iterator().next().getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));
try {
// policy engine does not evaluate custom policies when obtaining all entitlements
getAuthzClient().authorization("kolo", "password").authorize();
fail("User should not have permission");
} catch (Exception e) {
assertTrue(AuthorizationDeniedException.class.isInstance(e));
}
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class KeycloakAdapterPolicyEnforcer method requestAuthorizationToken.
private AccessToken requestAuthorizationToken(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade, Map<String, List<String>> claims) {
if (getEnforcerConfig().getUserManagedAccess() != null) {
return null;
}
try {
KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();
String accessTokenString = securityContext.getTokenString();
KeycloakDeployment deployment = getPolicyEnforcer().getDeployment();
AccessToken accessToken = securityContext.getToken();
AuthorizationRequest authzRequest = new AuthorizationRequest();
if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
}
if (!claims.isEmpty()) {
authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
}
if (accessToken.getAuthorization() != null) {
authzRequest.setRpt(accessTokenString);
}
LOGGER.debug("Obtaining authorization for authenticated user.");
AuthorizationResponse authzResponse;
if (isBearerAuthorization(httpFacade)) {
authzRequest.setSubjectToken(accessTokenString);
authzResponse = getAuthzClient().authorization().authorize(authzRequest);
} else {
authzResponse = getAuthzClient().authorization(accessTokenString).authorize(authzRequest);
}
if (authzResponse != null) {
return AdapterTokenVerifier.verifyToken(authzResponse.getToken(), deployment);
}
} catch (AuthorizationDeniedException ignore) {
LOGGER.debug("Authorization denied", ignore);
} catch (Exception e) {
LOGGER.debug("Authorization failed", e);
}
return null;
}
Aggregations