use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in project keycloak by keycloak.
the class AuthorizationTest method testEnableAuthorizationServices.
@Test
public void testEnableAuthorizationServices() {
ClientResource clientResource = getClientResource();
ClientRepresentation resourceServer = getResourceServer();
RealmResource realm = realmsResouce().realm(getRealmId());
UserRepresentation serviceAccount = realm.users().search(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + resourceServer.getClientId()).get(0);
Assert.assertNotNull(serviceAccount);
List<RoleRepresentation> serviceAccountRoles = realm.users().get(serviceAccount.getId()).roles().clientLevel(resourceServer.getId()).listEffective();
Assert.assertTrue(serviceAccountRoles.stream().anyMatch(roleRepresentation -> "uma_protection".equals(roleRepresentation.getName())));
enableAuthorizationServices(false);
enableAuthorizationServices(true);
serviceAccount = clientResource.getServiceAccountUser();
Assert.assertNotNull(serviceAccount);
realm = realmsResouce().realm(getRealmId());
serviceAccountRoles = realm.users().get(serviceAccount.getId()).roles().clientLevel(resourceServer.getId()).listEffective();
Assert.assertTrue(serviceAccountRoles.stream().anyMatch(roleRepresentation -> "uma_protection".equals(roleRepresentation.getName())));
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("should be removed");
policy.setCode("");
clientResource.authorization().policies().js().create(policy);
List<ResourceRepresentation> defaultResources = clientResource.authorization().resources().resources();
assertEquals(1, defaultResources.size());
List<PolicyRepresentation> defaultPolicies = clientResource.authorization().policies().policies();
assertEquals(3, defaultPolicies.size());
enableAuthorizationServices(false);
enableAuthorizationServices(true);
ResourceServerRepresentation settings = clientResource.authorization().getSettings();
assertEquals(PolicyEnforcerConfig.EnforcementMode.ENFORCING.name(), settings.getPolicyEnforcementMode().name());
assertTrue(settings.isAllowRemoteResourceManagement());
assertEquals(resourceServer.getId(), settings.getClientId());
defaultResources = clientResource.authorization().resources().resources();
assertEquals(1, defaultResources.size());
defaultPolicies = clientResource.authorization().policies().policies();
assertEquals(2, defaultPolicies.size());
serviceAccount = clientResource.getServiceAccountUser();
Assert.assertNotNull(serviceAccount);
serviceAccountRoles = realm.users().get(serviceAccount.getId()).roles().clientLevel(resourceServer.getId()).listEffective();
Assert.assertTrue(serviceAccountRoles.stream().anyMatch(roleRepresentation -> "uma_protection".equals(roleRepresentation.getName())));
}
use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in project keycloak by keycloak.
the class JSPolicyManagementTest method testCreate.
@Test
public void testCreate() {
AuthorizationResource authorization = getClient().authorization();
JSPolicyRepresentation representation = new JSPolicyRepresentation();
representation.setName("JS Policy");
representation.setDescription("description");
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
representation.setLogic(Logic.NEGATIVE);
representation.setCode("$evaluation.grant();");
assertCreated(authorization, representation);
}
use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in project keycloak by keycloak.
the class UmaGrantTypeTest method configureAuthorization.
@Before
public void configureAuthorization() throws Exception {
ClientResource client = getClient(getRealm());
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Default Policy");
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resourceA = addResource("Resource A", "ScopeA", "ScopeB", "ScopeC");
permission.setName(resourceA.getName() + " Permission");
permission.addResource(resourceA.getName());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
policy = new JSPolicyRepresentation();
policy.setName("Deny Policy");
policy.setCode("$evaluation.deny();");
authorization.policies().js().create(policy).close();
}
use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in project keycloak by keycloak.
the class UmaPermissionTicketPushedClaimsTest method testEvaluatePermissionsWithPushedClaims.
@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
ResourceRepresentation resource = addResource("Bank Account", "withdraw");
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Withdraw Limit Policy");
StringBuilder code = new StringBuilder();
code.append("var context = $evaluation.getContext();");
code.append("var attributes = context.getAttributes();");
code.append("var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');");
code.append("if (withdrawValue && withdrawValue.asDouble(0) <= 100) {");
code.append(" $evaluation.grant();");
code.append("}");
policy.setCode(code.toString());
AuthorizationResource authorization = getClient(getRealm()).authorization();
authorization.policies().js().create(policy).close();
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
representation.setName("Withdraw Permission");
representation.addScope("withdraw");
representation.addPolicy(policy.getName());
authorization.permissions().scope().create(representation).close();
AuthzClient authzClient = getAuthzClient();
PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
permissionRequest.addScope("withdraw");
permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
AuthorizationResponse authorizationResponse = authzClient.authorization().authorize(request);
assertNotNull(authorizationResponse);
assertNotNull(authorizationResponse.getToken());
AccessToken token = toAccessToken(authorizationResponse.getToken());
Collection<Permission> permissions = token.getAuthorization().getPermissions();
assertEquals(1, permissions.size());
Permission permission = permissions.iterator().next();
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));
permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
response = authzClient.protection("marta", "password").permission().create(permissionRequest);
request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
try {
authorizationResponse = authzClient.authorization().authorize(request);
fail("Access should be denied");
} catch (Exception ignore) {
}
}
use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in project keycloak by keycloak.
the class DeployedScriptPolicyTest method failCreateJSPolicy.
@Test
@UncaughtServerErrorExpected
@DisableFeature(value = UPLOAD_SCRIPTS, skipRestart = true)
public void failCreateJSPolicy() {
JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
grantPolicy.setName("JS Policy");
grantPolicy.setType("js");
grantPolicy.setCode("$evaluation.grant();");
try (Response response = getAuthorizationResource().policies().js().create(grantPolicy)) {
assertEquals(500, response.getStatus());
}
}
Aggregations