use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsForResourceWithResourcePermission.
@Test
public void testObtainAllEntitlementsForResourceWithResourcePermission() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("scope:view", "scope:update", "scope:delete");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addResource(resource.getId());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "scope:view", "scope:update", "scope:delete");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(3, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view")));
}
resource.setScopes(new HashSet<>());
resource.addScope("scope:view", "scope:update");
authorization.resources().resource(resource.getId()).update(resource);
request = new AuthorizationRequest();
request.addPermission(null, "scope:view", "scope:update", "scope:delete");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
}
request = new AuthorizationRequest();
request.addPermission(resource.getId(), "scope:view", "scope:update", "scope:delete");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
}
}
use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.
the class EntitlementAPITest method testPermissionOrder.
@Test
public void testPermissionOrder() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("my_resource");
resource.addScope("entity:read");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ScopeRepresentation featureAccessScope = new ScopeRepresentation("feature:access");
authorization.scopes().create(featureAccessScope);
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addPolicy(policy.getName());
permission.addResource(resource.getId());
authorization.permissions().resource().create(permission).close();
ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
scopePermission.setName(KeycloakModelUtils.generateId());
scopePermission.addPolicy(policy.getName());
scopePermission.addScope(featureAccessScope.getName());
authorization.permissions().scope().create(scopePermission).close();
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "entity:read");
request.addPermission(null, "feature:access");
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationResponse response = authzClient.authorization().authorize(request);
AccessToken token = toAccessToken(response.getToken());
Authorization result = token.getAuthorization();
assertEquals(2, result.getPermissions().size());
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() == null && p.getScopes().contains(featureAccessScope.getName())));
String resourceId = resource.getId();
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() != null && p.getResourceId().equals(resourceId) && p.getScopes().contains("entity:read")));
request = new AuthorizationRequest();
request.addPermission(null, "feature:access");
request.addPermission(null, "entity:read");
response = authzClient.authorization().authorize(request);
token = toAccessToken(response.getToken());
result = token.getAuthorization();
assertEquals(2, result.getPermissions().size());
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() == null && p.getScopes().contains(featureAccessScope.getName())));
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() != null && p.getResourceId().equals(resourceId) && p.getScopes().contains("entity:read")));
}
use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.
the class EntitlementAPITest method testPermissionLimit.
public void testPermissionLimit(String configFile) {
AuthorizationRequest request = new AuthorizationRequest();
for (int i = 1; i <= 10; i++) {
request.addPermission("Resource " + i);
}
Metadata metadata = new Metadata();
metadata.setLimit(10);
request.setMetadata(metadata);
AuthorizationResponse response = getAuthzClient(configFile).authorization("marta", "password").authorize(request);
AccessToken rpt = toAccessToken(response.getToken());
List<Permission> permissions = new ArrayList<>(rpt.getAuthorization().getPermissions());
assertEquals(10, permissions.size());
for (int i = 0; i < 10; i++) {
assertEquals("Resource " + (i + 1), permissions.get(i).getResourceName());
}
request = new AuthorizationRequest();
for (int i = 11; i <= 15; i++) {
request.addPermission("Resource " + i);
}
request.setMetadata(metadata);
request.setRpt(response.getToken());
response = getAuthzClient(configFile).authorization("marta", "password").authorize(request);
rpt = toAccessToken(response.getToken());
permissions = new ArrayList<>(rpt.getAuthorization().getPermissions());
assertEquals(10, permissions.size());
for (int i = 0; i < 10; i++) {
if (i < 5) {
assertEquals("Resource " + (i + 11), permissions.get(i).getResourceName());
} else {
assertEquals("Resource " + (i - 4), permissions.get(i).getResourceName());
}
}
request = new AuthorizationRequest();
for (int i = 16; i <= 18; i++) {
request.addPermission("Resource " + i);
}
request.setMetadata(metadata);
request.setRpt(response.getToken());
response = getAuthzClient(configFile).authorization("marta", "password").authorize(request);
rpt = toAccessToken(response.getToken());
permissions = new ArrayList<>(rpt.getAuthorization().getPermissions());
assertEquals(10, permissions.size());
assertEquals("Resource 16", permissions.get(0).getResourceName());
assertEquals("Resource 17", permissions.get(1).getResourceName());
assertEquals("Resource 18", permissions.get(2).getResourceName());
assertEquals("Resource 11", permissions.get(3).getResourceName());
assertEquals("Resource 12", permissions.get(4).getResourceName());
assertEquals("Resource 13", permissions.get(5).getResourceName());
assertEquals("Resource 14", permissions.get(6).getResourceName());
assertEquals("Resource 15", permissions.get(7).getResourceName());
assertEquals("Resource 1", permissions.get(8).getResourceName());
assertEquals("Resource 2", permissions.get(9).getResourceName());
request = new AuthorizationRequest();
metadata.setLimit(5);
request.setMetadata(metadata);
request.setRpt(response.getToken());
response = getAuthzClient(configFile).authorization("marta", "password").authorize(request);
rpt = toAccessToken(response.getToken());
permissions = new ArrayList<>(rpt.getAuthorization().getPermissions());
assertEquals(5, permissions.size());
assertEquals("Resource 16", permissions.get(0).getResourceName());
assertEquals("Resource 17", permissions.get(1).getResourceName());
assertEquals("Resource 18", permissions.get(2).getResourceName());
assertEquals("Resource 11", permissions.get(3).getResourceName());
assertEquals("Resource 12", permissions.get(4).getResourceName());
}
use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsForResourceWithScopePermission.
@Test
public void testObtainAllEntitlementsForResourceWithScopePermission() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resourceWithoutType = new ResourceRepresentation();
resourceWithoutType.setName(KeycloakModelUtils.generateId());
resourceWithoutType.addScope("scope:view", "scope:update", "scope:delete");
try (Response response = authorization.resources().create(resourceWithoutType)) {
resourceWithoutType = response.readEntity(ResourceRepresentation.class);
}
ResourceRepresentation resourceWithType = new ResourceRepresentation();
resourceWithType.setName(KeycloakModelUtils.generateId());
resourceWithType.setType("type-one");
resourceWithType.addScope("scope:view", "scope:update", "scope:delete");
try (Response response = authorization.resources().create(resourceWithType)) {
resourceWithType = response.readEntity(ResourceRepresentation.class);
}
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addResource(resourceWithoutType.getId());
permission.addScope("scope:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
permission = new ScopePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.setResourceType("type-one");
permission.addScope("scope:update");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resourceWithoutType.getId(), "scope:view", "scope:update", "scope:delete");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resourceWithoutType.getId(), grantedPermission.getResourceId());
assertEquals(1, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view")));
}
request = new AuthorizationRequest();
request.addPermission(resourceWithType.getId(), "scope:view", "scope:update", "scope:delete");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resourceWithType.getId(), grantedPermission.getResourceId());
assertEquals(1, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:update")));
}
}
use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.
the class EntitlementAPITest method assertPermissions.
private void assertPermissions(AuthzClient authzClient, String accessToken, AuthorizationRequest request, ResourceRepresentation resource, String... expectedScopes) {
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(expectedScopes.length, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList(expectedScopes)));
}
}
Aggregations