
Example 1 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

Class KeycloakAdapterPolicyEnforcer, method getPermissionTicket.

/**
 * Asks the protection API for a UMA permission ticket covering the resource behind
 * {@code pathConfig} and the scopes of {@code methodConfig}.
 *
 * <p>A ticket is only requested when user-managed access is enabled in the enforcer
 * configuration; otherwise the method returns {@code null} so the caller can take the
 * non-UMA path.
 *
 * @param pathConfig   path configuration whose resource id goes on the ticket request
 * @param methodConfig method configuration whose scopes go on the ticket request
 * @param authzClient  client used to reach the protection API
 * @param httpFacade   current HTTP exchange, used to resolve the claims attached to the request
 * @return the ticket issued by the protection API, or {@code null} when UMA is not configured
 */
private String getPermissionTicket(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AuthzClient authzClient, OIDCHttpFacade httpFacade) {
    if (getEnforcerConfig().getUserManagedAccess() == null) {
        // No UMA configuration: there is no ticket to obtain.
        return null;
    }
    PermissionResource permissionApi = authzClient.protection().permission();

    PermissionRequest ticketRequest = new PermissionRequest();
    ticketRequest.setResourceId(pathConfig.getId());
    ticketRequest.setScopes(new HashSet<>(methodConfig.getScopes()));

    // Claims are only attached when the resolver actually produced some.
    Map<String, List<String>> resolvedClaims = resolveClaims(pathConfig, httpFacade);
    if (!resolvedClaims.isEmpty()) {
        ticketRequest.setClaims(resolvedClaims);
    }

    return permissionApi.create(ticketRequest).getTicket();
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) ArrayList(java.util.ArrayList) List(java.util.List) PermissionResource(org.keycloak.authorization.client.resource.PermissionResource)

Example 2 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

Class AbstractPermissionService, method verifyRequestedScopes.

/**
 * Checks that every scope named in the permission request can be resolved and returns
 * the set of validated scope names.
 *
 * <p>How a scope name is resolved depends on whether a resource was supplied:
 * <ul>
 *   <li>with a resource, the name must match one of the resource's own scopes, or — when
 *       the resource has a type — a scope of another resource of that type whose owner
 *       equals the resource's resource server;</li>
 *   <li>without a resource, the name is looked up in the resource server's scope store.</li>
 * </ul>
 *
 * @param request  the permission request whose scopes are validated
 * @param resource the resource the request refers to, or {@code null}
 * @return the validated scope names; an empty set when the request carries no scopes
 * @throws ErrorResponseException {@code invalid_scope} (HTTP 400) for the first scope name that cannot be resolved
 */
private Set<String> verifyRequestedScopes(PermissionRequest request, Resource resource) {
    Set<String> requestedNames = request.getScopes();
    if (requestedNames == null) {
        return Collections.emptySet();
    }
    ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
    return requestedNames.stream()
            .map(name -> resolveRequestedScope(name, resource, resourceStore))
            .collect(Collectors.toSet());
}

/**
 * Resolves one requested scope name to a stored scope and returns its name.
 *
 * @throws ErrorResponseException {@code invalid_scope} (HTTP 400) when no scope matches
 */
private String resolveRequestedScope(String scopeName, Resource resource, ResourceStore resourceStore) {
    Scope match;
    if (resource == null) {
        match = authorization.getStoreFactory().getScopeStore().findByName(scopeName, resourceServer.getId());
    } else {
        match = lookupScopeThroughResource(scopeName, resource, resourceStore);
    }
    if (match == null) {
        throw new ErrorResponseException("invalid_scope", "Scope [" + scopeName + "] is invalid", Response.Status.BAD_REQUEST);
    }
    return match.getName();
}

/**
 * Finds {@code scopeName} among the resource's own scopes, falling back to scopes of
 * same-typed resources owned by the resource server; {@code null} when nothing matches.
 */
private Scope lookupScopeThroughResource(String scopeName, Resource resource, ResourceStore resourceStore) {
    for (Scope ownScope : resource.getScopes()) {
        if (ownScope.getName().equals(scopeName)) {
            return ownScope;
        }
    }
    if (resource.getType() == null) {
        return null;
    }
    // Type-based fallback: only resources whose owner is the resource server itself are considered.
    return resourceStore.findByType(resource.getType(), resourceServer.getId()).stream()
            .filter(typed -> typed.getOwner().equals(resource.getResourceServer()))
            .flatMap(typed -> typed.getScopes().stream())
            .filter(typedScope -> typedScope.getName().equals(scopeName))
            .findFirst()
            .orElse(null);
}
Also used : ResourceServer(org.keycloak.authorization.model.ResourceServer) Scope(org.keycloak.authorization.model.Scope) Permission(org.keycloak.representations.idm.authorization.Permission) Set(java.util.Set) HashMap(java.util.HashMap) ResourceStore(org.keycloak.authorization.store.ResourceStore) Collectors(java.util.stream.Collectors) KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity) PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) ArrayList(java.util.ArrayList) List(java.util.List) Response(javax.ws.rs.core.Response) ErrorResponseException(org.keycloak.services.ErrorResponseException) Map(java.util.Map) Urls(org.keycloak.services.Urls) PermissionTicketToken(org.keycloak.representations.idm.authorization.PermissionTicketToken) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) Collections(java.util.Collections) Resource(org.keycloak.authorization.model.Resource) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) Scope(org.keycloak.authorization.model.Scope) ResourceStore(org.keycloak.authorization.store.ResourceStore) ErrorResponseException(org.keycloak.services.ErrorResponseException)

Example 3 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

Class AbstractPermissionService, method createPermissionTicket.

/**
 * Builds and encodes a permission ticket for the given permission requests.
 *
 * <p>The requested resources are verified first; the resulting permissions, the realm
 * issuer URL as audience and the caller's access token form the ticket. Claims carried by
 * the individual requests are merged into one map before being set on the ticket.
 *
 * @param request the permission requests to cover with a single ticket
 * @return the ticket encoded by the session's token manager
 */
private String createPermissionTicket(List<PermissionRequest> request) {
    List<Permission> verifiedPermissions = verifyRequestedResource(request);
    String audience = Urls.realmIssuer(
            this.authorization.getKeycloakSession().getContext().getUri().getBaseUri(),
            this.authorization.getRealm().getName());
    PermissionTicketToken ticket = new PermissionTicketToken(verifiedPermissions, audience, this.identity.getAccessToken());

    Map<String, List<String>> mergedClaims = new HashMap<>();
    for (PermissionRequest entry : request) {
        Map<String, List<String>> entryClaims = entry.getClaims();
        if (entryClaims == null) {
            continue;
        }
        // putAll semantics: a later request with the same claim name replaces the earlier value.
        mergedClaims.putAll(entryClaims);
    }
    if (!mergedClaims.isEmpty()) {
        ticket.setClaims(mergedClaims);
    }

    return this.authorization.getKeycloakSession().tokens().encode(ticket);
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) PermissionTicketToken(org.keycloak.representations.idm.authorization.PermissionTicketToken) HashMap(java.util.HashMap) Permission(org.keycloak.representations.idm.authorization.Permission) ArrayList(java.util.ArrayList) List(java.util.List)

Example 4 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

Class RolePolicyTest, method testUserWithoutExpectedRole.

/**
 * A user without the role required by the policy on "Resource A" is denied, is still
 * granted "Resource B", and is granted "Resource A" once "Role A" has been assigned.
 */
@Test
public void testUserWithoutExpectedRole() {
    AuthzClient client = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest("Resource A");

    // kolo does not yet hold the role the policy on Resource A expects.
    String ticketForA = client.protection().permission().create(permissionRequest).getTicket();
    try {
        client.authorization("kolo", "password").authorize(new AuthorizationRequest(ticketForA));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException expected) {
        // denial is the asserted outcome
    }

    // Resource B is expected to be granted regardless of that role.
    permissionRequest.setResourceId("Resource B");
    String ticketForB = client.protection().permission().create(permissionRequest).getTicket();
    assertNotNull(client.authorization("kolo", "password").authorize(new AuthorizationRequest(ticketForB)));

    // Assign Role A at realm level, then retry Resource A.
    UserRepresentation kolo = getRealm().users().search("kolo").get(0);
    RoleRepresentation roleA = getRealm().roles().get("Role A").toRepresentation();
    getRealm().users().get(kolo.getId()).roles().realmLevel().add(Arrays.asList(roleA));

    permissionRequest.setResourceId("Resource A");
    String retryTicketForA = client.protection().permission().create(permissionRequest).getTicket();
    assertNotNull(client.authorization("kolo", "password").authorize(new AuthorizationRequest(retryTicketForA)));
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 5 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

Class RolePolicyTest, method testUserWithGroupRole.

/**
 * Role membership inherited through groups drives the decision: alice is granted
 * "Resource C" while in "Group B", denied after leaving it, denied "Resource A" until she
 * joins "Group A", and granted afterwards.
 */
@Test
public void testUserWithGroupRole() throws InterruptedException {
    AuthzClient client = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest();
    permissionRequest.setResourceId("Resource C");

    // Granted while alice is still a member of Group B.
    String ticketForC = client.protection().permission().create(permissionRequest).getTicket();
    assertNotNull(client.authorization("alice", "password").authorize(new AuthorizationRequest(ticketForC)));

    UserRepresentation alice = getRealm().users().search("alice").get(0);
    getRealm().users().get(alice.getId()).leaveGroup(findGroupNamed("Group B").getId());

    // The same ticket must now be refused.
    try {
        client.authorization("alice", "password").authorize(new AuthorizationRequest(ticketForC));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException expected) {
        // denial is the asserted outcome
    }

    // Resource A is refused until alice joins Group A.
    permissionRequest.setResourceId("Resource A");
    String ticketForA = client.protection().permission().create(permissionRequest).getTicket();
    try {
        client.authorization("alice", "password").authorize(new AuthorizationRequest(ticketForA));
        fail("Should fail because user is not granted with expected role");
    } catch (AuthorizationDeniedException expected) {
        // denial is the asserted outcome
    }

    getRealm().users().get(alice.getId()).joinGroup(findGroupNamed("Group A").getId());
    assertNotNull(client.authorization("alice", "password").authorize(new AuthorizationRequest(ticketForA)));
}

/** Looks up a top-level realm group by name; fails the test if it does not exist. */
private GroupRepresentation findGroupNamed(String groupName) {
    return getRealm().groups().groups().stream()
            .filter(group -> groupName.equals(group.getName()))
            .findFirst()
            .get();
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) GroupRepresentation(org.keycloak.representations.idm.GroupRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)
