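/**
 * Verifies that the protocol mappers applied to an RPT are those of the target
 * audience (the resource server), not those of the client that requested it, while
 * the authorized party ({@link AccessToken#getIssuedFor()}) still names the requesting client.
 */
@Test
public void testProcessMappersForTargetAudience() throws Exception {
    // Both clients map the same claim name; each stamps its own client id as the value,
    // so the claim in a token tells us which client's mappers produced it.
    ClientResource publicClient = getClient(getRealm(), PUBLIC_TEST_CLIENT);
    publicClient.getProtocolMappers().createMapper(hardcodedClaimMapper(PUBLIC_TEST_CLIENT)).close();

    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    client.getProtocolMappers().createMapper(hardcodedClaimMapper(RESOURCE_SERVER_TEST)).close();

    // One resource guarded by a grant-all policy; the test is about token claims, not policy logic.
    AuthorizationResource authorization = client.authorization();
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName(KeycloakModelUtils.generateId());
    policy.setCode("$evaluation.grant();");
    authorization.policies().js().create(policy).close();

    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Sensors");
    try (Response response = authorization.resources().create(resource)) {
        resource = response.readEntity(ResourceRepresentation.class);
    }

    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("View Sensor");
    permission.addResource(resource.getName());
    permission.addPolicy(policy.getName());
    authorization.permissions().resource().create(permission).close();

    // Log in through the public client and exchange the authorization code for an access token.
    oauth.realm("authz-test");
    oauth.clientId(PUBLIC_TEST_CLIENT);
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);

    // The plain access token carries the public client's mapper output.
    AccessToken token = toAccessToken(response.getAccessToken());
    assertEquals(PUBLIC_TEST_CLIENT, token.getOtherClaims().get("custom_claim"));

    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission("Sensors");

    // The RPT is requested twice with the same access token and both results must agree:
    // the claim comes from the resource server's mapper, the azp stays the public client.
    // (The original test repeated this block verbatim; presumably to catch state carried
    // over between evaluations.)
    for (int attempt = 0; attempt < 2; attempt++) {
        AuthorizationResponse authorizationResponse = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(response.getAccessToken()).authorize(request);
        token = toAccessToken(authorizationResponse.getToken());
        assertEquals(RESOURCE_SERVER_TEST, token.getOtherClaims().get("custom_claim"));
        assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
    }
}

/**
 * Builds a hardcoded-claim mapper that writes {@code value} into the access-token claim
 * {@code custom_claim}.
 *
 * @param value the constant claim value to emit
 * @return a mapper representation ready to be created on a client
 */
private static ProtocolMapperRepresentation hardcodedClaimMapper(String value) {
    ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
    mapper.setName("custom_claim");
    mapper.setProtocolMapper(HardcodedClaim.PROVIDER_ID);
    mapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Map<String, String> config = new HashMap<>();
    config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom_claim");
    config.put(HardcodedClaim.CLAIM_VALUE, value);
    config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true");
    mapper.setConfig(config);
    return mapper;
}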
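/**
 * Verifies how the {@code resource-type}, {@code resource-type-any}, {@code resource-type-owner}
 * and {@code resource-type-instance} selectors of an authorization request resolve to resources,
 * including ownership by the requesting user and a later change of a resource's type.
 */
@Test
public void testObtainAllEntitlementsForResourceType() throws Exception {
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authorization = client.authorization();

    // Grant-all policy: every assertion below is about which resources a permission
    // selects, not about policy logic.
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName(KeycloakModelUtils.generateId());
    policy.setCode("$evaluation.grant();");
    authorization.policies().js().create(policy).close();

    // Ten resources per type with no explicit owner; type-four and type-five also carry
    // scopes so that scope permissions can be checked.
    createTypedResources(authorization, "type-one", 10, null);
    createTypedResources(authorization, "type-two", 10, null);
    createTypedResources(authorization, "type-three", 10, null);
    createTypedResources(authorization, "type-four", 10, null, "scope:view", "scope:update");
    createTypedResources(authorization, "type-five", 10, null, "scope:view");

    // Resource permissions for three of the types; type-four is covered only by a scope
    // permission and type-five by no permission at all.
    createResourceTypePermission(authorization, "type-one", policy.getName());
    createResourceTypePermission(authorization, "type-two", policy.getName());
    createResourceTypePermission(authorization, "type-three", policy.getName());

    ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
    scopePermission.setName(KeycloakModelUtils.generateId());
    scopePermission.setResourceType("type-four");
    scopePermission.addScope("scope:view");
    scopePermission.addPolicy(policy.getName());
    authorization.permissions().scope().create(scopePermission).close();

    String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

    assertEquals(10, requestEntitlements(authzClient, accessToken, "resource-type:type-one").size());
    assertEquals(10, requestEntitlements(authzClient, accessToken, "resource-type:type-three").size());

    // The scope permission grants only scope:view; scope:update must not leak into the RPT.
    Collection<Permission> permissions = requestEntitlements(authzClient, accessToken, "resource-type:type-four", "scope:view");
    assertEquals(10, permissions.size());
    for (Permission granted : permissions) {
        assertEquals(1, granted.getScopes().size());
        assertTrue(granted.getScopes().containsAll(Arrays.asList("scope:view")));
    }

    // Nothing targets type-five, so the server must answer 403/access_denied rather than
    // reuse the type-four scope permission that happens to share the scope name.
    AuthorizationRequest denied = new AuthorizationRequest();
    denied.addPermission("resource-type:type-five", "scope:view");
    try {
        authzClient.authorization(accessToken).authorize(denied);
        fail("no type-five resources can be granted since scope permission for scope:view only applies to type-four");
    } catch (RuntimeException expected) {
        HttpResponseException cause = HttpResponseException.class.cast(expected.getCause());
        assertEquals(403, cause.getStatusCode());
        assertTrue(cause.toString().contains("access_denied"));
    }

    // Five more type-two resources owned by the requesting user (kolo), on top of the ten unowned ones.
    createTypedResources(authorization, "type-two", 5, "kolo");
    assertEquals(15, requestEntitlements(authzClient, accessToken, "resource-type-any:type-two").size());
    assertEquals(5, requestEntitlements(authzClient, accessToken, "resource-type-owner:type-two").size());
    permissions = requestEntitlements(authzClient, accessToken, "resource-type-instance:type-two");
    assertEquals(5, permissions.size());

    // Retype one of the instance-selected resources; the counts must follow the new type.
    Permission moved = permissions.iterator().next();
    ResourceResource resourceMgmt = client.authorization().resources().resource(moved.getResourceId());
    ResourceRepresentation representation = resourceMgmt.toRepresentation();
    representation.setType("type-three");
    resourceMgmt.update(representation);

    assertEquals(4, requestEntitlements(authzClient, accessToken, "resource-type-instance:type-two").size());
    assertEquals(1, requestEntitlements(authzClient, accessToken, "resource-type-instance:type-three").size());
    assertEquals(11, requestEntitlements(authzClient, accessToken, "resource-type-any:type-three").size());

    // Resources owned by a different user (marta) do not change what kolo gets from the plain selector.
    createTypedResources(authorization, "type-one", 2, "marta");
    assertEquals(10, requestEntitlements(authzClient, accessToken, "resource-type:type-one").size());

    // As marta: owner and instance selectors yield only her two resources; "any" adds the ten unowned ones.
    accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
    assertEquals(2, requestEntitlements(authzClient, accessToken, "resource-type-owner:type-one").size());
    assertEquals(2, requestEntitlements(authzClient, accessToken, "resource-type-instance:type-one").size());
    assertEquals(12, requestEntitlements(authzClient, accessToken, "resource-type-any:type-one").size());
}

/**
 * Creates {@code count} resources of the given type with generated names.
 *
 * @param authorization the resource server's authorization admin resource
 * @param type value for the resource type
 * @param count how many resources to create
 * @param owner owner to set, or {@code null} to leave the owner unset
 * @param scopes scopes to attach; none when empty
 */
private static void createTypedResources(AuthorizationResource authorization, String type, int count, String owner, String... scopes) {
    for (int i = 0; i < count; i++) {
        ResourceRepresentation resource = new ResourceRepresentation();
        if (owner != null) {
            resource.setOwner(owner);
        }
        resource.setType(type);
        resource.setName(KeycloakModelUtils.generateId());
        if (scopes.length > 0) {
            resource.addScope(scopes);
        }
        authorization.resources().create(resource).close();
    }
}

/**
 * Creates a resource permission that applies to every resource of {@code type}, guarded by
 * the policy named {@code policyName}.
 */
private static void createResourceTypePermission(AuthorizationResource authorization, String type, String policyName) {
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(KeycloakModelUtils.generateId());
    permission.setResourceType(type);
    permission.addPolicy(policyName);
    authorization.permissions().resource().create(permission).close();
}

/**
 * Requests an RPT for a single permission entry and returns the permissions granted in it.
 * Fails the test if no token is issued.
 *
 * @param resourceId the resource selector, e.g. {@code resource-type:type-one}
 * @param scopes optional scopes for the selector
 */
private Collection<Permission> requestEntitlements(AuthzClient authzClient, String accessToken, String resourceId, String... scopes) {
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resourceId, scopes);
    AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    return toAccessToken(response.getToken()).getAuthorization().getPermissions();
}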
/**
 * Builds a JS policy that grants only when the resource under evaluation is owned by the
 * requesting identity. The code is JavaScript evaluated by the server; when the permission
 * carries no resource the {@code if (resource)} guard is false and nothing is granted.
 *
 * @return a policy representation with a generated name, not yet created on the server
 */
@NotNull
private JSPolicyRepresentation createOnlyOwnerPolicy() {
    String ownerCheck = String.join("\n",
            "var context = $evaluation.getContext();",
            "var identity = context.getIdentity();",
            "var permission = $evaluation.getPermission();",
            "var resource = permission.getResource();",
            "",
            "if (resource) {",
            " if (resource.owner == identity.id) {",
            " $evaluation.grant();",
            " }",
            "}");
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName(KeycloakModelUtils.generateId());
    policy.setCode(ownerCheck);
    return policy;
}
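/**
 * Verifies that an access token obtained by one resource server's service account ({@code rs-a})
 * is accepted when requesting an RPT from a different resource server ({@code rs-b}) and yields
 * {@code rs-b}'s resource. The test pins this cross-resource-server behaviour; {@code rs-a}
 * itself defines no resources.
 */
@Test
public void testPermissionsAcrossResourceServers() throws Exception {
    // Two confidential clients with service accounts and authorization services enabled.
    try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-a").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) {
        assertNotNull(ApiUtil.getCreatedId(response));
    }
    String rsBId;
    try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-b").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) {
        rsBId = ApiUtil.getCreatedId(response);
    }

    // Only rs-b has a resource, protected by a grant-all policy. Each admin call returns a
    // Response that has to be closed, as the rest of this test class does.
    ClientResource rsB = getRealm().clients().get(rsBId);
    rsB.authorization().resources().create(new ResourceRepresentation("Resource A")).close();

    JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
    grantPolicy.setName("Grant Policy");
    grantPolicy.setCode("$evaluation.grant();");
    rsB.authorization().policies().js().create(grantPolicy).close();

    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("Resource A Permission");
    permission.addResource("Resource A");
    permission.addPolicy(grantPolicy.getName());
    rsB.authorization().permissions().resource().create(permission).close();

    // Obtain a token as rs-a's service account ...
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    Configuration config = authzClient.getConfiguration();
    config.setResource("rs-a");
    authzClient = AuthzClient.create(config);
    AccessTokenResponse accessTokenResponse = authzClient.obtainAccessToken();
    assertNotNull(toAccessToken(accessTokenResponse.getToken()));

    // ... then point the same configuration at rs-b before asking for the RPT.
    // NOTE(review): this relies on the AuthzClient holding a reference to config rather than
    // a copy — confirm before refactoring.
    config.setResource("rs-b");

    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission("Resource A");
    AuthorizationResponse response = authzClient.authorization(accessTokenResponse.getToken()).authorize(request);
    assertNotNull(response.getToken());

    Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    assertEquals("Resource A", permissions.iterator().next().getResourceName());
}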
/**
 * Verifies that a scope permission with no resource attached can be requested by scope alone
 * ({@code addPermission(null, scope)}) and that the resulting RPT holds exactly one permission,
 * bound to no resource and carrying only that scope.
 */
@Test
public void testObtainAllEntitlementsForScopeWithDeny() throws Exception {
    AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

    // Grant-all policy; the test exercises scope selection, not policy evaluation.
    JSPolicyRepresentation grantAll = new JSPolicyRepresentation();
    grantAll.setName(KeycloakModelUtils.generateId());
    grantAll.setCode("$evaluation.grant();");
    authorization.policies().js().create(grantAll).close();

    authorization.scopes().create(new ScopeRepresentation("sensors:view")).close();

    ScopePermissionRepresentation viewPermission = new ScopePermissionRepresentation();
    viewPermission.setName(KeycloakModelUtils.generateId());
    viewPermission.addScope("sensors:view");
    viewPermission.addPolicy(grantAll.getName());
    authorization.permissions().scope().create(viewPermission).close();

    String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();

    // Scope-only request: no resource id, just the scope name.
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(null, "sensors:view");
    AuthorizationResponse response = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());

    Collection<Permission> granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, granted.size());
    Permission only = granted.iterator().next();
    assertNull(only.getResourceId());
    assertEquals(1, only.getScopes().size());
    assertTrue(only.getScopes().contains("sensors:view"));
}