Use of org.keycloak.representations.idm.authorization.ClientPolicyRepresentation in project keycloak (by keycloak).
Class ClientTokenExchangeTest, method setupRealm.
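/**
 * Builds the realm fixture used by the token-exchange tests.
 *
 * <p>Runs {@link #addDirectExchanger(KeycloakSession)} first (which creates the
 * {@code target} client and the {@code example} role), then adds the remaining
 * clients, two fine-grained admin permissions and two users:
 * <ul>
 *   <li>client-to-client exchange to {@code target} is granted by the {@code "to"}
 *       client policy listing {@code client-exchanger}, {@code legal},
 *       {@code direct-legal} and {@code no-refresh-token}; {@code illegal} is
 *       deliberately left out of that policy;</li>
 *   <li>user impersonation is granted by the {@code "clientImpersonators"} client
 *       policy listing {@code direct-legal}, {@code direct-public} and
 *       {@code direct-no-secret}; the permission's decision strategy is
 *       {@code AFFIRMATIVE};</li>
 *   <li>user {@code user} holds the {@code example} and realm-management
 *       impersonation roles, while {@code bad-impersonator} holds no role at all.</li>
 * </ul>
 * All secrets and passwords are fixed test values.
 *
 * @param session session bound to the {@code TEST} realm; must already contain
 *                the realm (looked up by name)
 */
public static void setupRealm(KeycloakSession session) {
    addDirectExchanger(session);
    RealmModel realm = session.realms().getRealmByName(TEST);
    RoleModel exampleRole = realm.getRole("example");
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    ClientModel target = realm.getClientByClientId("target");
    assertNotNull(target);
    RoleModel impersonateRole = management.getRealmManagementClient().getRole(ImpersonationConstants.IMPERSONATION_ROLE);

    // Exchanger that may impersonate: it gets the impersonation role in its scope
    // and exposes the impersonator's id/username as user-session-note claims.
    ClientModel clientExchanger = addDirectGrantClient(realm, "client-exchanger", false);
    clientExchanger.setSecret("secret");
    clientExchanger.addScopeMapping(impersonateRole);
    clientExchanger.addProtocolMapper(UserSessionNoteMapper.createUserSessionNoteMapper(IMPERSONATOR_ID));
    clientExchanger.addProtocolMapper(UserSessionNoteMapper.createUserSessionNoteMapper(IMPERSONATOR_USERNAME));

    // Confidential client that is NOT listed in the "to" policy below (negative case).
    ClientModel illegal = addDirectGrantClient(realm, "illegal", false);
    illegal.setSecret("secret");

    ClientModel legal = addDirectGrantClient(realm, "legal", false);
    legal.setSecret("secret");

    ClientModel directLegal = addDirectGrantClient(realm, "direct-legal", false);
    directLegal.setSecret("secret");

    // Public client: no secret, so it cannot authenticate as a confidential client.
    ClientModel directPublic = addDirectGrantClient(realm, "direct-public", true);

    // Confidential client that deliberately has no secret configured.
    ClientModel directNoSecret = addDirectGrantClient(realm, "direct-no-secret", false);

    // Confidential client with refresh tokens switched off via client attribute.
    ClientModel noRefreshToken = addDirectGrantClient(realm, "no-refresh-token", false);
    noRefreshToken.setSecret("secret");
    noRefreshToken.getAttributes().put(OIDCConfigAttributes.USE_REFRESH_TOKEN, "false");

    ResourceServer server = management.realmResourceServer();

    // Permission for client-to-client exchange to the "target" client: only the
    // clients listed here are allowed (note that "illegal" is absent).
    ClientPolicyRepresentation clientRep = new ClientPolicyRepresentation();
    clientRep.setName("to");
    clientRep.addClient(clientExchanger.getId());
    clientRep.addClient(legal.getId());
    clientRep.addClient(directLegal.getId());
    clientRep.addClient(noRefreshToken.getId());
    Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server);
    management.clients().exchangeToPermission(target).addAssociatedPolicy(clientPolicy);

    // Permission for user impersonation by a client. AFFIRMATIVE: one permitting
    // associated policy is enough for the permission to be granted.
    ClientPolicyRepresentation clientImpersonateRep = new ClientPolicyRepresentation();
    clientImpersonateRep.setName("clientImpersonators");
    clientImpersonateRep.addClient(directLegal.getId());
    clientImpersonateRep.addClient(directPublic.getId());
    clientImpersonateRep.addClient(directNoSecret.getId());
    Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server);
    management.users().setPermissionsEnabled(true);
    management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy);
    management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);

    // "user" may be impersonated and may impersonate (holds the impersonation role).
    UserModel user = session.users().addUser(realm, "user");
    user.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password("password"));
    user.grantRole(exampleRole);
    user.grantRole(impersonateRole);

    // "bad-impersonator" has valid credentials but no roles, so it lacks the
    // impersonation role that "user" has.
    UserModel bad = session.users().addUser(realm, "bad-impersonator");
    bad.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, bad, UserCredentialModel.password("password"));
}

/**
 * Adds an enabled OIDC client with direct-access grants enabled and full-scope
 * disabled; the common shape shared by every client in this fixture.
 *
 * @param realm        realm to add the client to
 * @param clientId     value used both as the internal client name and the client id
 * @param publicClient whether the client is public (no client authentication)
 * @return the new client; the caller sets a secret, mappers or attributes as needed
 */
private static ClientModel addDirectGrantClient(RealmModel realm, String clientId, boolean publicClient) {
    ClientModel client = realm.addClient(clientId);
    client.setClientId(clientId);
    client.setPublicClient(publicClient);
    client.setDirectAccessGrantsEnabled(true);
    client.setEnabled(true);
    client.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    // Restrict the token to explicitly mapped scope/roles rather than all of the user's roles.
    client.setFullScopeAllowed(false);
    return client;
}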
Use of org.keycloak.representations.idm.authorization.ClientPolicyRepresentation in project keycloak (by keycloak).
Class ClientTokenExchangeTest, method addDirectExchanger.
/**
 * Creates the base part of the exchange fixture in the {@code TEST} realm: the
 * {@code example} role, the {@code target} client (with {@code example} in its
 * scope), the confidential {@code direct-exchanger} client, a user named
 * {@code impersonated-user} holding {@code example}, and an impersonation
 * permission on users whose only associated policy is a client policy listing
 * {@code direct-exchanger} (decision strategy {@code AFFIRMATIVE}).
 *
 * @param session session bound to the {@code TEST} realm
 */
private static void addDirectExchanger(KeycloakSession session) {
    RealmModel testRealm = session.realms().getRealmByName(TEST);
    AdminPermissionManagement adminPermissions = AdminPermissions.management(session, testRealm);

    RoleModel example = testRealm.addRole("example");

    // The user that the direct exchanger will be allowed to impersonate.
    UserModel impersonated = session.users().addUser(testRealm, "impersonated-user");
    impersonated.setEnabled(true);
    session.userCredentialManager().updateCredential(testRealm, impersonated, UserCredentialModel.password("password"));
    impersonated.grantRole(example);

    // Audience of the exchange; only the mapped "example" role ends up in its tokens.
    ClientModel targetClient = testRealm.addClient("target");
    targetClient.setName("target");
    targetClient.setClientId("target");
    targetClient.setDirectAccessGrantsEnabled(true);
    targetClient.setEnabled(true);
    targetClient.setSecret("secret");
    targetClient.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    targetClient.setFullScopeAllowed(false);
    targetClient.addScopeMapping(example);

    // Confidential client that performs the direct exchange.
    ClientModel exchanger = testRealm.addClient("direct-exchanger");
    exchanger.setName("direct-exchanger");
    exchanger.setClientId("direct-exchanger");
    exchanger.setPublicClient(false);
    exchanger.setDirectAccessGrantsEnabled(true);
    exchanger.setEnabled(true);
    exchanger.setSecret("secret");
    exchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    exchanger.setFullScopeAllowed(false);

    // Turn on fine-grained permissions for "target" so exchange-to permissions can
    // be attached to it later.
    adminPermissions.clients().setPermissionsEnabled(targetClient, true);

    // Client policy naming the single client allowed to impersonate users directly.
    ClientPolicyRepresentation impersonatorsRep = new ClientPolicyRepresentation();
    impersonatorsRep.setName("clientImpersonatorsDirect");
    impersonatorsRep.addClient(exchanger.getId());
    ResourceServer realmServer = adminPermissions.realmResourceServer();
    Policy impersonators = adminPermissions.authz().getStoreFactory().getPolicyStore().create(impersonatorsRep, realmServer);

    adminPermissions.users().setPermissionsEnabled(true);
    adminPermissions.users().adminImpersonatingPermission().addAssociatedPolicy(impersonators);
    adminPermissions.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
}
Use of org.keycloak.representations.idm.authorization.ClientPolicyRepresentation in project keycloak (by keycloak).
Class AggregatePolicyManagementTest, method testCreateWithChildAndSelectedPolicy.
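/**
 * Creates an aggregate policy through the admin console UI, selecting an existing
 * policy ("Policy C") and creating one child policy of every supported type from the
 * aggregate's own form, then re-opens the policy and checks it against the expected
 * representation.
 *
 * <p>Fix: the time child policy previously called {@code setNotBefore} twice, so the
 * second call silently overwrote the first and no upper bound was ever set. The
 * second value is now the {@code notOnOrAfter} bound, giving the child a real
 * 2017-01-01 .. 2018-01-01 window.
 */
@Test
public void testCreateWithChildAndSelectedPolicy() {
    refreshPageAndWaitForLoad();
    AggregatePolicyRepresentation expected = new AggregatePolicyRepresentation();
    expected.setName("Test Child Create And Select Aggregate Policy");
    expected.setDescription("description");
    // Pre-existing policy picked from the selector.
    expected.addPolicy("Policy C");
    // Second argument is passed as false here; presumably "do not save yet" — the
    // form is saved explicitly at the end after the children are created.
    AggregatePolicy policy = authorizationPage.authorizationTabs().policies().create(expected, false);

    RolePolicyRepresentation childRolePolicy = new RolePolicyRepresentation();
    childRolePolicy.setName(UUID.randomUUID().toString());
    childRolePolicy.addRole("Role A");
    policy.createPolicy(childRolePolicy);
    expected.addPolicy(childRolePolicy.getName());

    UserPolicyRepresentation childUserPolicy = new UserPolicyRepresentation();
    childUserPolicy.setName(UUID.randomUUID().toString());
    childUserPolicy.setDescription("description");
    childUserPolicy.addUser("user a");
    policy.createPolicy(childUserPolicy);
    expected.addPolicy(childUserPolicy.getName());

    ClientPolicyRepresentation childClientPolicy = new ClientPolicyRepresentation();
    childClientPolicy.setName(UUID.randomUUID().toString());
    childClientPolicy.setDescription("description");
    childClientPolicy.addClient("client a");
    policy.createPolicy(childClientPolicy);
    expected.addPolicy(childClientPolicy.getName());

    // JS policy that unconditionally grants; fine for a UI round-trip test only.
    JSPolicyRepresentation childJSPolicy = new JSPolicyRepresentation();
    childJSPolicy.setName(UUID.randomUUID().toString());
    childJSPolicy.setDescription("description");
    childJSPolicy.setCode("$evaluation.grant();");
    policy.createPolicy(childJSPolicy);
    expected.addPolicy(childJSPolicy.getName());

    TimePolicyRepresentation childTimePolicy = new TimePolicyRepresentation();
    childTimePolicy.setName(UUID.randomUUID().toString());
    childTimePolicy.setDescription("description");
    childTimePolicy.setNotBefore("2017-01-01 00:00:00");
    // Was a duplicated setNotBefore(...) that clobbered the line above.
    childTimePolicy.setNotOnOrAfter("2018-01-01 00:00:00");
    policy.createPolicy(childTimePolicy);
    expected.addPolicy(childTimePolicy.getName());

    GroupPolicyRepresentation childGroupPolicy = new GroupPolicyRepresentation();
    childGroupPolicy.setName(UUID.randomUUID().toString());
    childGroupPolicy.setDescription("description");
    childGroupPolicy.setGroupsClaim("groups");
    // true: extend the match to the group's children.
    childGroupPolicy.addGroupPath("/Group A", true);
    policy.createPolicy(childGroupPolicy);
    expected.addPolicy(childGroupPolicy.getName());

    policy.form().save();
    assertAlertSuccess();

    authorizationPage.navigateTo();
    AggregatePolicy actual = authorizationPage.authorizationTabs().policies().name(expected.getName());
    assertPolicy(expected, actual);
}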
Use of org.keycloak.representations.idm.authorization.ClientPolicyRepresentation in project keycloak (by keycloak).
Class ClientPolicyManagementTest, method testDeleteFromList.
/**
 * Creates a client policy, removes it via the policies list's inline delete
 * action, and verifies it is no longer listed after reloading the page.
 *
 * @throws InterruptedException propagated from the page helpers
 */
@Test
public void testDeleteFromList() throws InterruptedException {
    authorizationPage.navigateTo();

    ClientPolicyRepresentation representation = new ClientPolicyRepresentation();
    representation.setName("Test Client Policy");
    representation.setDescription("description");
    representation.addClient("client c");
    ClientPolicyRepresentation created = createPolicy(representation);
    String policyName = created.getName();

    authorizationPage.navigateTo();
    authorizationPage.authorizationTabs().policies().deleteFromList(policyName);

    // Reload before checking so the assertion reflects server state, not the DOM.
    authorizationPage.navigateTo();
    assertNull(authorizationPage.authorizationTabs().policies().policies().findByName(policyName));
}
Use of org.keycloak.representations.idm.authorization.ClientPolicyRepresentation in project keycloak (by keycloak).
Class ClientPolicyManagementTest, method testDelete.
/**
 * Creates a client policy, deletes it from its detail view, expects the success
 * alert, and verifies it is gone from the policies list after reloading.
 *
 * @throws InterruptedException propagated from the page helpers
 */
@Test
public void testDelete() throws InterruptedException {
    authorizationPage.navigateTo();

    ClientPolicyRepresentation representation = new ClientPolicyRepresentation();
    representation.setName("Test Client Policy");
    representation.setDescription("description");
    representation.addClient("client c");
    ClientPolicyRepresentation created = createPolicy(representation);
    String policyName = created.getName();

    authorizationPage.navigateTo();
    authorizationPage.authorizationTabs().policies().delete(policyName);
    assertAlertSuccess();

    // Reload before checking so the assertion reflects server state, not the DOM.
    authorizationPage.navigateTo();
    assertNull(authorizationPage.authorizationTabs().policies().policies().findByName(policyName));
}