Example 11 with PermissionRequest

Use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

The class UmaPermissionTicketPushedClaimsTest, method testEvaluatePermissionsWithPushedClaims:

@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
    ResourceRepresentation resource = addResource("Bank Account", "withdraw");
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName("Withdraw Limit Policy");
    StringBuilder code = new StringBuilder();
    code.append("var context = $evaluation.getContext();");
    code.append("var attributes = context.getAttributes();");
    code.append("var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');");
    code.append("if (withdrawValue && withdrawValue.asDouble(0) <= 100) {");
    code.append("   $evaluation.grant();");
    code.append("}");
    policy.setCode(code.toString());
    AuthorizationResource authorization = getClient(getRealm()).authorization();
    authorization.policies().js().create(policy).close();
    ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
    representation.setName("Withdraw Permission");
    representation.addScope("withdraw");
    representation.addPolicy(policy.getName());
    authorization.permissions().scope().create(representation).close();
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
    permissionRequest.addScope("withdraw");
    permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    AuthorizationResponse authorizationResponse = authzClient.authorization().authorize(request);
    assertNotNull(authorizationResponse);
    assertNotNull(authorizationResponse.getToken());
    AccessToken token = toAccessToken(authorizationResponse.getToken());
    Collection<Permission> permissions = token.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    Permission permission = permissions.iterator().next();
    Map<String, Set<String>> claims = permission.getClaims();
    assertNotNull(claims);
    assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));
    // a pushed value above the policy's limit of 100 must be denied by the same policy
    permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
    response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authorizationResponse = authzClient.authorization().authorize(request);
        fail("Access should be denied");
    } catch (Exception ignore) {
    }
}
Also used (imports of the containing class):
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import java.util.Set;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.junit.Test;

Example 12 with PermissionRequest

Use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

The class EntitlementAPITest, method testObtainAllEntitlements:

@Test
public void testObtainAllEntitlements() throws Exception {
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authorization = client.authorization();
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName("Only Owner Policy");
    policy.setCode("if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) {$evaluation.grant();}");
    authorization.policies().js().create(policy).close();
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Marta Resource");
    resource.setOwner("marta");
    resource.setOwnerManagedAccess(true);
    try (Response response = authorization.resources().create(resource)) {
        resource = response.readEntity(ResourceRepresentation.class);
    }
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("Marta Resource Permission");
    permission.addResource(resource.getId());
    permission.addPolicy(policy.getName());
    authorization.permissions().resource().create(permission).close();
    assertTrue(hasPermission("marta", "password", resource.getId()));
    assertFalse(hasPermission("kolo", "password", resource.getId()));
    String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    PermissionResponse permissionResponse = authzClient.protection().permission().create(new PermissionRequest(resource.getId()));
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(permissionResponse.getTicket());
    try {
        authzClient.authorization(accessToken).authorize(request);
    } catch (Exception ignore) {
    }
    List<PermissionTicketRepresentation> tickets = authzClient.protection().permission().findByResource(resource.getId());
    assertEquals(1, tickets.size());
    PermissionTicketRepresentation ticket = tickets.get(0);
    ticket.setGranted(true);
    authzClient.protection().permission().update(ticket);
    assertTrue(hasPermission("kolo", "password", resource.getId()));
    resource.addScope("Scope A");
    authorization.resources().resource(resource.getId()).update(resource);
    // once a new scope is added to the resource, the ticket granted earlier no longer
    // authorizes access; kolo has to request (and be granted) access again
    assertFalse(hasPermission("kolo", "password", resource.getId()));
    accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
    permissionResponse = authzClient.protection().permission().create(new PermissionRequest(resource.getId(), "Scope A"));
    request = new AuthorizationRequest();
    request.setTicket(permissionResponse.getTicket());
    try {
        authzClient.authorization(accessToken).authorize(request);
    } catch (Exception ignore) {
    }
    tickets = authzClient.protection().permission().find(resource.getId(), "Scope A", null, null, false, false, null, null);
    assertEquals(1, tickets.size());
    ticket = tickets.get(0);
    ticket.setGranted(true);
    authzClient.protection().permission().update(ticket);
    assertTrue(hasPermission("kolo", "password", resource.getId(), "Scope A"));
    resource.addScope("Scope B");
    authorization.resources().resource(resource.getId()).update(resource);
    assertTrue(hasPermission("kolo", "password", resource.getId()));
    assertTrue(hasPermission("kolo", "password", resource.getId(), "Scope A"));
    assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope B"));
    resource.setScopes(new HashSet<>());
    authorization.resources().resource(resource.getId()).update(resource);
    assertTrue(hasPermission("kolo", "password", resource.getId()));
    assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope A"));
    assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope B"));
}
Also used (imports of the containing class):
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.junit.rules.ExpectedException;
import java.io.IOException;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.AccessTokenResponse;
import javax.ws.rs.core.Response;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;
import org.keycloak.admin.client.resource.ClientResource;
import org.junit.Test;

Example 13 with PermissionRequest

Use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

The class GroupPathPolicyTest, method testAllowParentAndChildren:

@Test
public void testAllowParentAndChildren() {
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    RealmResource realm = getRealm();
    GroupRepresentation group = getGroup("/Group A/Group B/Group C");
    UserRepresentation user = realm.users().search("kolo").get(0);
    realm.users().get(user.getId()).joinGroup(group.getId());
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}
Also used (imports of the containing class):
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.UserRepresentation;
import org.junit.Test;

Example 14 with PermissionRequest

Use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

The class ClientScopePolicyTest, method testWithExpectedClientScope:

@Test
public void testWithExpectedClientScope() {
    // Access Resource A with client scope foo.
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    AuthorizationResponse response = authzClient.authorization("marta", "password", "foo").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    // Access Resource A with client scope bar.
    request = new PermissionRequest("Resource A");
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("marta", "password", "bar").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    // Access Resource B with client scope bar.
    request = new PermissionRequest("Resource B");
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("marta", "password", "bar").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}
Also used (imports of the containing class):
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.junit.Test;

Example 15 with PermissionRequest

Use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

The class PermissionManagementTest, method testTicketNotCreatedWhenResourceOwner:

@Test
public void testTicketNotCreatedWhenResourceOwner() throws Exception {
    ResourceRepresentation resource = addResource("Resource A", "marta", true);
    AuthzClient authzClient = getAuthzClient();
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(new PermissionRequest(resource.getId()));
    assertNotNull(response.getTicket());
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception e) {
        e.printStackTrace();
    }
    // the owner requesting access to her own resource leaves no pending permission ticket behind
    List permissions = authzClient.protection().permission().findByResource(resource.getId());
    assertTrue(permissions.isEmpty());
    response = authzClient.protection("kolo", "password").permission().create(new PermissionRequest(resource.getId()));
    assertNotNull(response.getTicket());
    request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("kolo", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception e) {
    }
    // a non-owner's request leaves exactly one pending ticket for the resource
    permissions = authzClient.protection().permission().findByResource(resource.getId());
    assertFalse(permissions.isEmpty());
    assertEquals(1, permissions.size());
}
Also used (imports of the containing class):
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import java.util.ArrayList;
import java.util.List;
import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.junit.Test;
