Example 6 with JSPolicyRepresentation

Use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in the project keycloak (by keycloak), in the class AuthorizationTest, method testEnableAuthorizationServices.

@Test
public void testEnableAuthorizationServices() {
    ClientResource clientResource = getClientResource();
    ClientRepresentation resourceServer = getResourceServer();
    RealmResource realm = realmsResouce().realm(getRealmId());

    // Enabling authorization services creates a service-account user for the client
    // and grants it the client-level "uma_protection" role, which the protection API requires.
    UserRepresentation serviceAccount = realm.users().search(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + resourceServer.getClientId()).get(0);
    Assert.assertNotNull(serviceAccount);
    List<RoleRepresentation> serviceAccountRoles = realm.users().get(serviceAccount.getId()).roles().clientLevel(resourceServer.getId()).listEffective();
    Assert.assertTrue(serviceAccountRoles.stream().anyMatch(roleRepresentation -> "uma_protection".equals(roleRepresentation.getName())));

    // Toggling authorization services off and on must keep the service account and its role.
    enableAuthorizationServices(false);
    enableAuthorizationServices(true);
    serviceAccount = clientResource.getServiceAccountUser();
    Assert.assertNotNull(serviceAccount);
    realm = realmsResouce().realm(getRealmId());
    serviceAccountRoles = realm.users().get(serviceAccount.getId()).roles().clientLevel(resourceServer.getId()).listEffective();
    Assert.assertTrue(serviceAccountRoles.stream().anyMatch(roleRepresentation -> "uma_protection".equals(roleRepresentation.getName())));

    // Add a JS policy on top of the two default policies; the resource server now has
    // one default resource and three policies.
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName("should be removed");
    policy.setCode("");
    clientResource.authorization().policies().js().create(policy);
    List<ResourceRepresentation> defaultResources = clientResource.authorization().resources().resources();
    assertEquals(1, defaultResources.size());
    List<PolicyRepresentation> defaultPolicies = clientResource.authorization().policies().policies();
    assertEquals(3, defaultPolicies.size());

    // Disabling authorization services discards the custom policy; re-enabling recreates
    // the default settings (ENFORCING mode, remote resource management allowed) and the
    // default resource and policies only.
    enableAuthorizationServices(false);
    enableAuthorizationServices(true);
    ResourceServerRepresentation settings = clientResource.authorization().getSettings();
    assertEquals(PolicyEnforcerConfig.EnforcementMode.ENFORCING.name(), settings.getPolicyEnforcementMode().name());
    assertTrue(settings.isAllowRemoteResourceManagement());
    assertEquals(resourceServer.getId(), settings.getClientId());
    defaultResources = clientResource.authorization().resources().resources();
    assertEquals(1, defaultResources.size());
    defaultPolicies = clientResource.authorization().policies().policies();
    assertEquals(2, defaultPolicies.size());

    // The service account and its "uma_protection" role survive the second toggle as well.
    serviceAccount = clientResource.getServiceAccountUser();
    Assert.assertNotNull(serviceAccount);
    serviceAccountRoles = realm.users().get(serviceAccount.getId()).roles().clientLevel(resourceServer.getId()).listEffective();
    Assert.assertTrue(serviceAccountRoles.stream().anyMatch(roleRepresentation -> "uma_protection".equals(roleRepresentation.getName())));
}
Also used:
  RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)
  ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)
  UserRepresentation (org.keycloak.representations.idm.UserRepresentation)
  RealmResource (org.keycloak.admin.client.resource.RealmResource)
  PolicyEnforcerConfig (org.keycloak.representations.adapters.config.PolicyEnforcerConfig)
  Assert.assertTrue (org.junit.Assert.assertTrue)
  Assert.assertEquals (org.junit.Assert.assertEquals)
  Test (org.junit.Test)
  RealmRepresentation (org.keycloak.representations.idm.RealmRepresentation)
  PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation)
  ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)
  ServiceAccountConstants (org.keycloak.common.constants.ServiceAccountConstants)
  ResourceServerRepresentation (org.keycloak.representations.idm.authorization.ResourceServerRepresentation)
  List (java.util.List)
  JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
  Assert (org.junit.Assert)
  ClientResource (org.keycloak.admin.client.resource.ClientResource)

Example 7 with JSPolicyRepresentation

Use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in the project keycloak (by keycloak), in the class JSPolicyManagementTest, method testCreate.

@Test
public void testCreate() {
    AuthorizationResource authorization = getClient().authorization();
    JSPolicyRepresentation representation = new JSPolicyRepresentation();
    representation.setName("JS Policy");
    representation.setDescription("description");
    // CONSENSUS: the policy's result must agree with the majority of its associated policies.
    representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
    // NEGATIVE logic inverts the script's outcome, so a script that grants yields a deny.
    representation.setLogic(Logic.NEGATIVE);
    representation.setCode("$evaluation.grant();");
    // Creates the policy through the admin REST client and checks that it is stored with these settings.
    assertCreated(authorization, representation);
}
Also used:
  JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
  AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)
  Test (org.junit.Test)

Example 8 with JSPolicyRepresentation

Use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in the project keycloak (by keycloak), in the class UmaGrantTypeTest, method configureAuthorization.

@Before
public void configureAuthorization() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();

    // A JS policy that always grants; the Response returned by create() is closed explicitly.
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName("Default Policy");
    policy.setCode("$evaluation.grant();");
    authorization.policies().js().create(policy).close();

    // "Resource A" with three scopes, protected by a resource-based permission
    // that delegates its decision to the grant policy above. resourceA is a field of the test class.
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    resourceA = addResource("Resource A", "ScopeA", "ScopeB", "ScopeC");
    permission.setName(resourceA.getName() + " Permission");
    permission.addResource(resourceA.getName());
    permission.addPolicy(policy.getName());
    authorization.permissions().resource().create(permission).close();

    // A second JS policy that always denies, available for the individual tests to attach.
    policy = new JSPolicyRepresentation();
    policy.setName("Deny Policy");
    policy.setCode("$evaluation.deny();");
    authorization.policies().js().create(policy).close();
}
Also used:
  JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
  ClientResource (org.keycloak.admin.client.resource.ClientResource)
  AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)
  ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)
  Before (org.junit.Before)

Example 9 with JSPolicyRepresentation

Use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in the project keycloak (by keycloak), in the class UmaPermissionTicketPushedClaimsTest, method testEvaluatePermissionsWithPushedClaims.

@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
    ResourceRepresentation resource = addResource("Bank Account", "withdraw");

    // JS policy that reads a claim pushed with the permission ticket and grants
    // only when the requested withdrawal value is at most 100.
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName("Withdraw Limit Policy");
    StringBuilder code = new StringBuilder();
    code.append("var context = $evaluation.getContext();");
    code.append("var attributes = context.getAttributes();");
    code.append("var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');");
    code.append("if (withdrawValue && withdrawValue.asDouble(0) <= 100) {");
    code.append("   $evaluation.grant();");
    code.append("}");
    policy.setCode(code.toString());
    AuthorizationResource authorization = getClient(getRealm()).authorization();
    authorization.policies().js().create(policy).close();

    // Scope-based permission on "withdraw" that is decided by the policy above.
    ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
    representation.setName("Withdraw Permission");
    representation.addScope("withdraw");
    representation.addPolicy(policy.getName());
    authorization.permissions().scope().create(representation).close();

    // UMA flow: the resource server obtains a permission ticket for the resource/scope,
    // pushing the claim with the ticket; the requesting party then exchanges the ticket
    // (plus a claim token) for an RPT.
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
    permissionRequest.addScope("withdraw");
    permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    AuthorizationResponse authorizationResponse = authzClient.authorization().authorize(request);
    assertNotNull(authorizationResponse);
    assertNotNull(authorizationResponse.getToken());

    // 50.5 is within the limit: the RPT carries exactly one permission, and the pushed
    // claim is echoed back inside it.
    AccessToken token = toAccessToken(authorizationResponse.getToken());
    Collection<Permission> permissions = token.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    Permission permission = permissions.iterator().next();
    Map<String, Set<String>> claims = permission.getClaims();
    assertNotNull(claims);
    assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));

    // 100.5 exceeds the limit: the policy does not grant, so the authorization request fails.
    permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
    response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authorizationResponse = authzClient.authorization().authorize(request);
        fail("Access should be denied");
    } catch (Exception ignore) {
        // expected: the server rejects the authorization request
    }
}
Also used:
  PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest)
  AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)
  Set (java.util.Set)
  JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
  PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)
  AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)
  ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)
  AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)
  AuthzClient (org.keycloak.authorization.client.AuthzClient)
  AccessToken (org.keycloak.representations.AccessToken)
  Permission (org.keycloak.representations.idm.authorization.Permission)
  ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)
  Test (org.junit.Test)

Example 10 with JSPolicyRepresentation

Use of org.keycloak.representations.idm.authorization.JSPolicyRepresentation in the project keycloak (by keycloak), in the class DeployedScriptPolicyTest, method failCreateJSPolicy.

@Test
@UncaughtServerErrorExpected
@DisableFeature(value = UPLOAD_SCRIPTS, skipRestart = true)
public void failCreateJSPolicy() {
    // With the UPLOAD_SCRIPTS feature disabled, scripts cannot be uploaded through the
    // admin API; JS policies must instead be deployed with the server. Creating one via
    // the REST endpoint is therefore expected to fail with HTTP 500.
    JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
    grantPolicy.setName("JS Policy");
    grantPolicy.setType("js");
    grantPolicy.setCode("$evaluation.grant();");
    try (Response response = getAuthorizationResource().policies().js().create(grantPolicy)) {
        assertEquals(500, response.getStatus());
    }
}
Also used:
  Response (javax.ws.rs.core.Response)
  PolicyEvaluationResponse (org.keycloak.representations.idm.authorization.PolicyEvaluationResponse)
  JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)
  DisableFeature (org.keycloak.testsuite.arquillian.annotation.DisableFeature)
  Test (org.junit.Test)
  AbstractAuthzTest (org.keycloak.testsuite.authz.AbstractAuthzTest)
  UncaughtServerErrorExpected (org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Aggregations (classes most often used together with JSPolicyRepresentation, with usage counts):

  JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation): 60
  Test (org.junit.Test): 30
  AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource): 29
  ClientResource (org.keycloak.admin.client.resource.ClientResource): 27
  ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation): 23
  Response (javax.ws.rs.core.Response): 21
  AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse): 21
  AuthzClient (org.keycloak.authorization.client.AuthzClient): 20
  AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest): 20
  PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse): 18
  ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation): 18
  TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse): 17
  AccessTokenResponse (org.keycloak.representations.AccessTokenResponse): 17
  OAuthClient (org.keycloak.testsuite.util.OAuthClient): 17
  ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation): 16
  Policy (org.keycloak.authorization.model.Policy): 13
  Permission (org.keycloak.representations.idm.authorization.Permission): 13
  AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider): 11
  ResourceServer (org.keycloak.authorization.model.ResourceServer): 11
  StoreFactory (org.keycloak.authorization.store.StoreFactory): 11