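/**
 * Makes sure permissions granted to a typed resource instance do not grant access to other
 * resource instances with the same type.
 *
 * <p>Three resources share the type {@code my:resource}. A resource-type permission backed by
 * "Only Owner Policy" is created, so the owner ("marta") can obtain an RPT while a different user
 * ("kolo") is denied. Granting the permission ticket raised by the denied request lets "kolo" in;
 * deleting the ticket denies the request again.
 *
 * @throws Exception on any client or server failure during the test
 */
@Test
public void testOnlyOwnerCanAccessResourceWithType() throws Exception {
    ResourceRepresentation typedResource = addResource("Typed Resource", getClient(getRealm()).toRepresentation().getId(), false, "ScopeA", "ScopeB");
    typedResource.setType("my:resource");
    getClient(getRealm()).authorization().resources().resource(typedResource.getId()).update(typedResource);
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    resource.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resource.getId()).update(resource);
    ResourceRepresentation resourceB = addResource("Resource B", "marta", true, "ScopeA", "ScopeB");
    resourceB.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resourceB.getId()).update(resourceB);
    // One permission covering every resource of the shared type, restricted to the owner.
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getType() + " Permission");
    permission.setResourceType(resource.getType());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();
    // The owner gets an RPT carrying both scopes on her own resource.
    AuthorizationResponse response = authorize("marta", "password", resource.getName(), new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    // A non-owner is denied; the denial leaves a pending permission ticket behind.
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the expected outcome before the ticket is granted
    }
    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    for (PermissionTicketRepresentation ticket : tickets) {
        ticket.setGranted(true);
        getAuthzClient().protection().permission().update(ticket);
    }
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to resource from another user");
    }
    // Inspect the RPT actually issued to "kolo"; the owner's token parsed above is stale here.
    rpt = response.getToken();
    assertNotNull(rpt);
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    // Revoking the grant (deleting the tickets) must close access again.
    for (PermissionTicketRepresentation ticket : tickets) {
        getAuthzClient().protection().permission().delete(ticket.getId());
    }
    tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    assertEquals(0, tickets.size());
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // access was revoked together with the ticket
    }
}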
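/**
 * Verifies the user-managed access flow for a resource that defines no scopes.
 *
 * <p>The owner ("marta") is granted by "Only Owner Policy". A request from "kolo" is denied and
 * produces exactly one permission ticket; once the owner grants that ticket, "kolo" obtains an RPT
 * for the resource, and deleting the ticket removes it from the ticket list again.
 *
 * @throws Exception on any client or server failure during the test
 */
@Test
public void testUserGrantsAccessToResourceWithoutScopes() throws Exception {
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    resource = addResource("Resource A", "marta", true);
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();
    // The owner is authorized by the owner-only policy.
    AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] {});
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A");
    assertTrue(permissions.isEmpty());
    // Before the owner grants anything, another user must be denied.
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] {});
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the expected outcome before the ticket is granted
    }
    PermissionResource permissionResource = getAuthzClient().protection().permission();
    // The denied request left exactly one pending ticket, which the owner now grants.
    List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertFalse(ticket.isGranted());
        ticket.setGranted(true);
        permissionResource.update(ticket);
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }
    // With the ticket granted, the requesting party receives an RPT for the resource.
    response = authorize("kolo", "password", resource.getId(), new String[] {});
    rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName());
    assertTrue(permissions.isEmpty());
    // Repeated request with the same grant (presumably to check the outcome is stable — kept as in the original).
    response = authorize("kolo", "password", resource.getId(), new String[] {});
    rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName());
    assertTrue(permissions.isEmpty());
    // The granted ticket is still the only one, and deleting it empties the list.
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        permissionResource.delete(ticket.getId());
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(0, permissionTickets.size());
}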
/**
 * Verifies that claims pushed with a permission ticket are visible to a JS policy and end up in the
 * resulting RPT: a withdraw value of 50.5 is granted and echoed in the permission's claims, while a
 * value of 100.5 exceeds the policy limit and is denied.
 *
 * @throws Exception on any client or server failure during the test
 */
@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
    ResourceRepresentation bankAccount = addResource("Bank Account", "withdraw");

    // The policy grants only when the pushed claim is present and its value is at most 100.
    String policyCode = "var context = $evaluation.getContext();"
            + "var attributes = context.getAttributes();"
            + "var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');"
            + "if (withdrawValue && withdrawValue.asDouble(0) <= 100) {"
            + "   $evaluation.grant();"
            + "}";
    JSPolicyRepresentation withdrawLimitPolicy = new JSPolicyRepresentation();
    withdrawLimitPolicy.setName("Withdraw Limit Policy");
    withdrawLimitPolicy.setCode(policyCode);

    AuthorizationResource authorization = getClient(getRealm()).authorization();
    authorization.policies().js().create(withdrawLimitPolicy).close();

    ScopePermissionRepresentation withdrawPermission = new ScopePermissionRepresentation();
    withdrawPermission.setName("Withdraw Permission");
    withdrawPermission.addScope("withdraw");
    withdrawPermission.addPolicy(withdrawLimitPolicy.getName());
    authorization.permissions().scope().create(withdrawPermission).close();

    // Ticket request carrying a value below the limit.
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest(bankAccount.getId());
    permissionRequest.addScope("withdraw");
    permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
    PermissionResponse ticketResponse = authzClient.protection("marta", "password").permission().create(permissionRequest);

    AuthorizationRequest authzRequest = new AuthorizationRequest();
    authzRequest.setTicket(ticketResponse.getTicket());
    authzRequest.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    AuthorizationResponse authzResponse = authzClient.authorization().authorize(authzRequest);
    assertNotNull(authzResponse);
    assertNotNull(authzResponse.getToken());

    // The pushed claim must be reflected in the single permission of the RPT.
    AccessToken rpt = toAccessToken(authzResponse.getToken());
    Collection<Permission> grantedPermissions = rpt.getAuthorization().getPermissions();
    assertEquals(1, grantedPermissions.size());
    Map<String, Set<String>> pushedClaims = grantedPermissions.iterator().next().getClaims();
    assertNotNull(pushedClaims);
    assertThat(pushedClaims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));

    // Same ticket request, but the pushed value now exceeds the policy limit.
    permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
    ticketResponse = authzClient.protection("marta", "password").permission().create(permissionRequest);
    authzRequest = new AuthorizationRequest();
    authzRequest.setTicket(ticketResponse.getTicket());
    authzRequest.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(authzRequest);
        fail("Access should be denied");
    } catch (Exception ignore) {
        // NOTE(review): any exception counts as denial here; a narrower catch would make the test stricter.
    }
}
/**
 * Verifies that a user-managed (UMA) permission created by the resource owner grants the requested
 * scopes when they are asked for explicitly, but is not evaluated when the requesting party asks
 * for all entitlements at once.
 */
@Test
public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);

    // The owner shares two of the three scopes with "kolo" through a user-managed permission.
    UmaPermissionRepresentation userManagedPermission = new UmaPermissionRepresentation();
    userManagedPermission.setName("Custom User-Managed Permission");
    userManagedPermission.addScope("Scope A", "Scope B");
    userManagedPermission.addUser("kolo");
    ProtectionResource ownerProtection = getAuthzClient().protection("marta", "password");
    ownerProtection.policy(resource.getId()).create(userManagedPermission);

    // Asking explicitly for the shared scopes succeeds.
    AuthorizationResource requestingParty = getAuthzClient().authorization("kolo", "password");
    AuthorizationRequest explicitRequest = new AuthorizationRequest();
    explicitRequest.addPermission(resource.getId(), "Scope A", "Scope B");
    AuthorizationResponse authzResponse = requestingParty.authorize(explicitRequest);
    assertNotNull(authzResponse);
    AccessToken rpt = toAccessToken(authzResponse.getToken());
    assertNotNull(rpt.getAuthorization());
    Collection<Permission> grantedPermissions = rpt.getAuthorization().getPermissions();
    assertEquals(1, grantedPermissions.size());
    Permission granted = grantedPermissions.iterator().next();
    assertTrue(granted.getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));

    try {
        // policy engine does not evaluate custom policies when obtaining all entitlements
        getAuthzClient().authorization("kolo", "password").authorize();
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(e instanceof AuthorizationDeniedException);
    }
}
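/**
 * Checks the request against the policy enforcer and, when the current token is not sufficient,
 * requests a fresh authorization (RPT) and merges its permissions into the original token before
 * re-checking.
 *
 * @param pathConfig   enforcer configuration for the matched path
 * @param methodConfig enforcer configuration for the matched HTTP method
 * @param accessToken  the caller's current token
 * @param httpFacade   the current request/response
 * @param claims       claims pushed along with the authorization request
 * @return {@code true} when the request is authorized, either by the current token or by the
 *         newly obtained one
 */
@Override
protected boolean isAuthorized(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AccessToken accessToken, OIDCHttpFacade httpFacade, Map<String, List<String>> claims) {
    AccessToken original = accessToken;
    // Fast path: the token already carries what the enforcer needs.
    if (super.isAuthorized(pathConfig, methodConfig, accessToken, httpFacade, claims)) {
        return true;
    }
    accessToken = requestAuthorizationToken(pathConfig, methodConfig, httpFacade, claims);
    if (accessToken == null) {
        // No RPT could be obtained; the request stays denied.
        return false;
    }
    AccessToken.Authorization authorization = original.getAuthorization();
    if (authorization == null) {
        authorization = new AccessToken.Authorization();
    }
    Collection<Permission> grantedPermissions = authorization.getPermissions();
    if (grantedPermissions == null) {
        // An existing Authorization may carry no permissions collection; the merge below needs a mutable one.
        grantedPermissions = new ArrayList<Permission>();
        authorization.setPermissions(grantedPermissions);
    }
    AccessToken.Authorization newAuthorization = accessToken.getAuthorization();
    if (newAuthorization != null && newAuthorization.getPermissions() != null) {
        for (Permission newPermission : newAuthorization.getPermissions()) {
            // De-duplication relies on Permission.equals — verify it compares resource and scopes as intended.
            if (!grantedPermissions.contains(newPermission)) {
                grantedPermissions.add(newPermission);
            }
        }
    }
    // The original token is updated in place, presumably so later checks see the accumulated grants — confirm against callers.
    original.setAuthorization(authorization);
    return super.isAuthorized(pathConfig, methodConfig, accessToken, httpFacade, claims);
}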