use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class UmaPermissionTicketPushedClaimsTest method testEvaluatePermissionsWithPushedClaims.
@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
ResourceRepresentation resource = addResource("Bank Account", "withdraw");
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Withdraw Limit Policy");
StringBuilder code = new StringBuilder();
code.append("var context = $evaluation.getContext();");
code.append("var attributes = context.getAttributes();");
code.append("var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');");
code.append("if (withdrawValue && withdrawValue.asDouble(0) <= 100) {");
code.append(" $evaluation.grant();");
code.append("}");
policy.setCode(code.toString());
AuthorizationResource authorization = getClient(getRealm()).authorization();
authorization.policies().js().create(policy).close();
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
representation.setName("Withdraw Permission");
representation.addScope("withdraw");
representation.addPolicy(policy.getName());
authorization.permissions().scope().create(representation).close();
AuthzClient authzClient = getAuthzClient();
PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
permissionRequest.addScope("withdraw");
permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
AuthorizationResponse authorizationResponse = authzClient.authorization().authorize(request);
assertNotNull(authorizationResponse);
assertNotNull(authorizationResponse.getToken());
AccessToken token = toAccessToken(authorizationResponse.getToken());
Collection<Permission> permissions = token.getAuthorization().getPermissions();
assertEquals(1, permissions.size());
Permission permission = permissions.iterator().next();
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));
permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
response = authzClient.protection("marta", "password").permission().create(permissionRequest);
request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
try {
authorizationResponse = authzClient.authorization().authorize(request);
fail("Access should be denied");
} catch (Exception ignore) {
}
}
use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlements.
@Test
public void testObtainAllEntitlements() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName("Only Owner Policy");
policy.setCode("if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) {$evaluation.grant();}");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Marta Resource");
resource.setOwner("marta");
resource.setOwnerManagedAccess(true);
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName("Marta Resource Permission");
permission.addResource(resource.getId());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
assertTrue(hasPermission("marta", "password", resource.getId()));
assertFalse(hasPermission("kolo", "password", resource.getId()));
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
PermissionResponse permissionResponse = authzClient.protection().permission().create(new PermissionRequest(resource.getId()));
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(permissionResponse.getTicket());
try {
authzClient.authorization(accessToken).authorize(request);
} catch (Exception ignore) {
}
List<PermissionTicketRepresentation> tickets = authzClient.protection().permission().findByResource(resource.getId());
assertEquals(1, tickets.size());
PermissionTicketRepresentation ticket = tickets.get(0);
ticket.setGranted(true);
authzClient.protection().permission().update(ticket);
assertTrue(hasPermission("kolo", "password", resource.getId()));
resource.addScope("Scope A");
authorization.resources().resource(resource.getId()).update(resource);
// the addition of a new scope still grants access to resource and any scope
assertFalse(hasPermission("kolo", "password", resource.getId()));
accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
permissionResponse = authzClient.protection().permission().create(new PermissionRequest(resource.getId(), "Scope A"));
request = new AuthorizationRequest();
request.setTicket(permissionResponse.getTicket());
try {
authzClient.authorization(accessToken).authorize(request);
} catch (Exception ignore) {
}
tickets = authzClient.protection().permission().find(resource.getId(), "Scope A", null, null, false, false, null, null);
assertEquals(1, tickets.size());
ticket = tickets.get(0);
ticket.setGranted(true);
authzClient.protection().permission().update(ticket);
assertTrue(hasPermission("kolo", "password", resource.getId(), "Scope A"));
resource.addScope("Scope B");
authorization.resources().resource(resource.getId()).update(resource);
assertTrue(hasPermission("kolo", "password", resource.getId()));
assertTrue(hasPermission("kolo", "password", resource.getId(), "Scope A"));
assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope B"));
resource.setScopes(new HashSet<>());
authorization.resources().resource(resource.getId()).update(resource);
assertTrue(hasPermission("kolo", "password", resource.getId()));
assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope A"));
assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope B"));
}
use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class GroupPathPolicyTest method testAllowParentAndChildren.
@Test
public void testAllowParentAndChildren() {
AuthzClient authzClient = getAuthzClient();
PermissionRequest request = new PermissionRequest("Resource A");
String ticket = authzClient.protection().permission().create(request).getTicket();
AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
RealmResource realm = getRealm();
GroupRepresentation group = getGroup("/Group A/Group B/Group C");
UserRepresentation user = realm.users().search("kolo").get(0);
realm.users().get(user.getId()).joinGroup(group.getId());
ticket = authzClient.protection().permission().create(request).getTicket();
response = authzClient.authorization("kolo", "password").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
}
use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class ClientScopePolicyTest method testWithExpectedClientScope.
@Test
public void testWithExpectedClientScope() {
// Access Resource A with client scope foo.
AuthzClient authzClient = getAuthzClient();
PermissionRequest request = new PermissionRequest("Resource A");
String ticket = authzClient.protection().permission().create(request).getTicket();
AuthorizationResponse response = authzClient.authorization("marta", "password", "foo").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
// Access Resource A with client scope bar.
request = new PermissionRequest("Resource A");
ticket = authzClient.protection().permission().create(request).getTicket();
response = authzClient.authorization("marta", "password", "bar").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
// Access Resource B with client scope bar.
request = new PermissionRequest("Resource B");
ticket = authzClient.protection().permission().create(request).getTicket();
response = authzClient.authorization("marta", "password", "bar").authorize(new AuthorizationRequest(ticket));
assertNotNull(response.getToken());
}
use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class PermissionManagementTest method testTicketNotCreatedWhenResourceOwner.
@Test
public void testTicketNotCreatedWhenResourceOwner() throws Exception {
ResourceRepresentation resource = addResource("Resource A", "marta", true);
AuthzClient authzClient = getAuthzClient();
PermissionResponse response = authzClient.protection("marta", "password").permission().create(new PermissionRequest(resource.getId()));
assertNotNull(response.getTicket());
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
try {
authzClient.authorization().authorize(request);
} catch (Exception e) {
e.printStackTrace();
}
List permissions = authzClient.protection().permission().findByResource(resource.getId());
assertTrue(permissions.isEmpty());
response = authzClient.protection("kolo", "password").permission().create(new PermissionRequest(resource.getId()));
assertNotNull(response.getTicket());
request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("kolo", "password").getToken());
try {
authzClient.authorization().authorize(request);
} catch (Exception e) {
}
permissions = authzClient.protection().permission().findByResource(resource.getId());
assertFalse(permissions.isEmpty());
assertEquals(1, permissions.size());
}
Aggregations