Search in sources :

Example 21 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class ConflictingScopePermissionTest method testMartaCanAccessResourceAWithExecuteAndWrite.

/**
 * <p>Scope Read on Resource A has two conflicting permissions. One is granting access for Marta and the other for Kolo.
 *
 * <p>Scope Read should not be granted for Marta.
 */
@Test
public void testMartaCanAccessResourceAWithExecuteAndWrite() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.ENFORCING);
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);
    Collection<Permission> permissions = getEntitlements("marta", "password");
    assertEquals(1, permissions.size());
    for (Permission permission : new ArrayList<>(permissions)) {
        String resourceSetName = permission.getResourceName();
        switch(resourceSetName) {
            case "Resource A":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write"));
                permissions.remove(permission);
                break;
            case "Resource C":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                permissions.remove(permission);
                break;
            default:
                fail("Unexpected permission for resource [" + resourceSetName + "]");
        }
    }
    assertTrue(permissions.isEmpty());
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) Permission(org.keycloak.representations.idm.authorization.Permission) ArrayList(java.util.ArrayList) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test)

Example 22 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class UmaGrantTypeTest method testObtainRptOnlyAuthorizedScopes.

@Test
public void testObtainRptOnlyAuthorizedScopes() throws Exception {
    ResourceRepresentation resourceA = addResource(KeycloakModelUtils.generateId(), "READ", "WRITE");
    ScopePermissionRepresentation permissionA = new ScopePermissionRepresentation();
    permissionA.setName(KeycloakModelUtils.generateId());
    permissionA.addScope("READ");
    permissionA.addPolicy("Default Policy");
    AuthorizationResource authzResource = getClient(getRealm()).authorization();
    authzResource.permissions().scope().create(permissionA).close();
    ScopePermissionRepresentation permissionB = new ScopePermissionRepresentation();
    permissionB.setName(KeycloakModelUtils.generateId());
    permissionB.addScope("WRITE");
    permissionB.addPolicy("Deny Policy");
    authzResource.permissions().scope().create(permissionB).close();
    AuthorizationResponse response = authorize("marta", "password", resourceA.getName(), new String[] { "READ" });
    String rpt = response.getToken();
    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    Collection<Permission> permissions = authorization.getPermissions();
    assertFalse(response.isUpgraded());
    assertNotNull(permissions);
    assertPermissions(permissions, resourceA.getName(), "READ");
    assertTrue(permissions.isEmpty());
    response = authorize("marta", "password", resourceA.getName(), new String[] { "READ", "WRITE" });
    rpt = response.getToken();
    authorization = toAccessToken(rpt).getAuthorization();
    permissions = authorization.getPermissions();
    assertFalse(response.isUpgraded());
    assertNotNull(permissions);
    assertPermissions(permissions, resourceA.getName(), "READ");
    assertTrue(permissions.isEmpty());
}
Also used : AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 23 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class UmaGrantTypeTest method testObtainRptWithIDToken.

@Test
public void testObtainRptWithIDToken() throws Exception {
    String idToken = getIdToken("marta", "password");
    AuthorizationResponse response = authorize("Resource A", new String[] { "ScopeA", "ScopeB" }, idToken, "http://openid.net/specs/openid-connect-core-1_0.html#IDToken");
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
}
Also used : AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 24 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class UmaGrantTypeTest method testObtainRptWithUpgradeWithUnauthorizedResource.

@Test
public void testObtainRptWithUpgradeWithUnauthorizedResource() throws Exception {
    AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    Collection<Permission> permissions = authorization.getPermissions();
    assertFalse(response.isUpgraded());
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    ResourceRepresentation resourceB = addResource("Resource B", "ScopeA", "ScopeB", "ScopeC");
    permission.setName(resourceB.getName() + " Permission");
    permission.addResource(resourceB.getName());
    permission.addPolicy("Deny Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();
    try {
        authorize("marta", "password", "Resource B", new String[] { "ScopeC" }, rpt);
        fail("Should be denied, resource b not granted");
    } catch (AuthorizationDeniedException ignore) {
    }
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Example 25 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class UmaGrantTypeTest method testRefreshRpt.

@Test
public void testRefreshRpt() {
    AccessTokenResponse accessTokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
    AuthorizationResponse response = authorize(null, null, null, null, accessTokenResponse.getToken(), null, null, new PermissionRequest("Resource A", "ScopeA", "ScopeB"));
    String rpt = response.getToken();
    assertNotNull(rpt);
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    String refreshToken = response.getRefreshToken();
    assertNotNull(refreshToken);
    AccessToken refreshTokenToken = toAccessToken(refreshToken);
    assertNotNull(refreshTokenToken.getAuthorization());
    Client client = AdminClientUtil.createResteasyClient();
    UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
    URI uri = OIDCLoginProtocolService.tokenUrl(builder).build(REALM_NAME);
    WebTarget target = client.target(uri);
    Form parameters = new Form();
    parameters.param("grant_type", OAuth2Constants.REFRESH_TOKEN);
    parameters.param(OAuth2Constants.REFRESH_TOKEN, refreshToken);
    AccessTokenResponse refreshTokenResponse = target.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("resource-server-test", "secret")).post(Entity.form(parameters)).readEntity(AccessTokenResponse.class);
    assertNotNull(refreshTokenResponse.getToken());
    refreshToken = refreshTokenResponse.getRefreshToken();
    refreshTokenToken = toAccessToken(refreshToken);
    assertNotNull(refreshTokenToken.getAuthorization());
    AccessToken refreshedToken = toAccessToken(rpt);
    authorization = refreshedToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    refreshTokenResponse = target.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("resource-server-test", "secret")).post(Entity.form(parameters)).readEntity(AccessTokenResponse.class);
    assertNotNull(refreshTokenResponse.getToken());
    refreshToken = refreshTokenResponse.getRefreshToken();
    refreshTokenToken = toAccessToken(refreshToken);
    assertNotNull(refreshTokenToken.getAuthorization());
    refreshedToken = toAccessToken(rpt);
    authorization = refreshedToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) Form(javax.ws.rs.core.Form) URI(java.net.URI) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) WebTarget(javax.ws.rs.client.WebTarget) AuthzClient(org.keycloak.authorization.client.AuthzClient) OAuthClient(org.keycloak.testsuite.util.OAuthClient) Client(javax.ws.rs.client.Client) UriBuilder(javax.ws.rs.core.UriBuilder) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Test(org.junit.Test)

Aggregations

Permission (org.keycloak.representations.idm.authorization.Permission)73 Test (org.junit.Test)50 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)44 AccessToken (org.keycloak.representations.AccessToken)36 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)29 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)27 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)23 AuthzClient (org.keycloak.authorization.client.AuthzClient)22 ClientResource (org.keycloak.admin.client.resource.ClientResource)20 ArrayList (java.util.ArrayList)19 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)19 OAuthClient (org.keycloak.testsuite.util.OAuthClient)15 ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)14 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)13 Response (javax.ws.rs.core.Response)12 AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException)12 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)12 PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest)12 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)12 Authorization (org.keycloak.representations.AccessToken.Authorization)11