use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class UserManagedAccessTest method testScopePermissionsToScopeOnly.
@Test
public void testScopePermissionsToScopeOnly() throws Exception {
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getId());
permission.addPolicy("Only Owner Policy");
getClient(getRealm()).authorization().permissions().resource().create(permission).close();
AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] { "ScopeA", "ScopeB" });
String rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
try {
response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA" });
fail("User should not have access to resource from another user");
} catch (AuthorizationDeniedException ade) {
}
PermissionResource permissionResource = getAuthzClient().protection().permission();
List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(1, permissionTickets.size());
PermissionTicketRepresentation ticket = permissionTickets.get(0);
assertFalse(ticket.isGranted());
ticket.setGranted(true);
permissionResource.update(ticket);
response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
accessToken = toAccessToken(rpt);
authorization = accessToken.getAuthorization();
assertNotNull(authorization);
permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, resource.getName(), "ScopeA");
assertTrue(permissions.isEmpty());
permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
// must have two permission tickets, one persisted during the first authorize call for ScopeA and another for the second call to authorize for ScopeB
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation representation : new ArrayList<>(permissionTickets)) {
if (representation.isGranted()) {
permissionResource.delete(representation.getId());
}
}
permissionTickets = permissionResource.findByResource(resource.getId());
assertEquals(1, permissionTickets.size());
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class UserManagedAccessTest method testUserGrantedAccessConsideredWhenRequestingAuthorizationByResourceName.
@Test
public void testUserGrantedAccessConsideredWhenRequestingAuthorizationByResourceName() throws Exception {
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getId());
permission.addPolicy("Only Owner Policy");
getClient(getRealm()).authorization().permissions().resource().create(permission).close();
try {
AuthorizationResponse response = authorize("kolo", "password", resource.getId(), new String[] {});
fail("User should not have access to resource from another user");
} catch (AuthorizationDeniedException ade) {
}
PermissionResource permissionResource = getAuthzClient().protection().permission();
List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertFalse(ticket.isGranted());
ticket.setGranted(true);
permissionResource.update(ticket);
}
permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertTrue(ticket.isGranted());
}
AuthorizationRequest request = new AuthorizationRequest();
// No resource id used in request, only name
request.addPermission("Resource A", "ScopeA", "ScopeB");
List<Permission> permissions = authorize("kolo", "password", request);
assertEquals(1, permissions.size());
Permission koloPermission = permissions.get(0);
assertEquals("Resource A", koloPermission.getResourceName());
assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("ScopeA", "ScopeB")));
ResourceRepresentation resourceRep = getAuthzClient().protection().resource().findById(resource.getId());
resourceRep.setName("Resource A Changed");
getAuthzClient().protection().resource().update(resourceRep);
request = new AuthorizationRequest();
// Try to use the old name
request.addPermission("Resource A", "ScopeA", "ScopeB");
try {
authorize("kolo", "password", request);
fail("User should not have access to resource from another user");
} catch (RuntimeException ade) {
assertTrue(ade.getCause().toString().contains("invalid_resource"));
}
request = new AuthorizationRequest();
request.addPermission(resourceRep.getName(), "ScopeA", "ScopeB");
permissions = authorize("kolo", "password", request);
assertEquals(1, permissions.size());
koloPermission = permissions.get(0);
assertEquals(resourceRep.getName(), koloPermission.getResourceName());
assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("ScopeA", "ScopeB")));
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class UserManagedAccessTest method testUserGrantsAccessToResource.
@Test
public void testUserGrantsAccessToResource() throws Exception {
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
permission.setName(resource.getName() + " Permission");
permission.addResource(resource.getId());
permission.addPolicy("Only Owner Policy");
ClientResource client = getClient(getRealm());
client.authorization().permissions().resource().create(permission).close();
AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] { "ScopeA", "ScopeB" });
String rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
getTestContext().getTestingClient().testing().clearEventQueue();
try {
response = authorize("kolo", "password", resource.getId(), new String[] {});
fail("User should not have access to resource from another user");
} catch (AuthorizationDeniedException ade) {
}
String realmId = getRealm().toRepresentation().getId();
String clientId = client.toRepresentation().getClientId();
events.expectLogin().realm(realmId).client(clientId).user(isUUID()).clearDetails().assertEvent();
events.expectLogin().realm(realmId).client(clientId).user(isUUID()).clearDetails().assertEvent();
events.expect(EventType.PERMISSION_TOKEN_ERROR).realm(realmId).client(clientId).user(isUUID()).session((String) null).error("access_denied").detail("reason", "request_submitted").assertEvent();
PermissionResource permissionResource = getAuthzClient().protection().permission();
List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertFalse(ticket.isGranted());
ticket.setGranted(true);
permissionResource.update(ticket);
}
permissionTickets = permissionResource.findByResource(resource.getId());
assertFalse(permissionTickets.isEmpty());
assertEquals(2, permissionTickets.size());
for (PermissionTicketRepresentation ticket : permissionTickets) {
assertTrue(ticket.isGranted());
}
getTestContext().getTestingClient().testing().clearEventQueue();
response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
accessToken = toAccessToken(rpt);
authorization = accessToken.getAuthorization();
assertNotNull(authorization);
permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
events.expectLogin().realm(realmId).client(clientId).user(isUUID()).clearDetails().assertEvent();
events.expectLogin().realm(realmId).client(clientId).user(isUUID()).clearDetails().assertEvent();
events.expect(EventType.PERMISSION_TOKEN).realm(realmId).client(clientId).user(isUUID()).session((String) null).clearDetails().assertEvent();
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class UserManagedAccessTest method testPermissiveModePermissions.
@Test
public void testPermissiveModePermissions() throws Exception {
resource = addResource("Resource A");
try {
authorize("kolo", "password", resource.getId(), null);
fail("Access should be denied, server in enforcing mode");
} catch (AuthorizationDeniedException ade) {
}
AuthorizationResource authorizationResource = getClient(getRealm()).authorization();
ResourceServerRepresentation settings = authorizationResource.getSettings();
settings.setPolicyEnforcementMode(PolicyEnforcementMode.PERMISSIVE);
authorizationResource.update(settings);
AuthorizationResponse response = authorize("marta", "password", "Resource A", null);
String rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A");
assertTrue(permissions.isEmpty());
}
use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.
the class UserManagedAccessTest method authorize.
private List<Permission> authorize(String userName, String password, AuthorizationRequest request) {
AuthorizationResponse response = getAuthzClient().authorization(userName, password).authorize(request);
AccessToken token = toAccessToken(response.getToken());
AccessToken.Authorization authorization = token.getAuthorization();
return new ArrayList<>(authorization.getPermissions());
}
Aggregations