use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class PermissionManagementTest method testPermissionCount.
@Test
public void testPermissionCount() throws Exception {
String[] scopes = { "ScopeA", "ScopeB", "ScopeC", "ScopeD" };
ResourceRepresentation resource = addResource("Resource A", "kolo", true, scopes);
AuthzClient authzClient = getAuthzClient();
PermissionResponse response = authzClient.protection("marta", "password").permission().create(new PermissionRequest(resource.getId(), scopes));
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(response.getTicket());
request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
try {
authzClient.authorization().authorize(request);
} catch (Exception ignored) {
}
Long ticketCount = getAuthzClient().protection().permission().count(resource.getId(), null, null, null, null, true);
assertEquals("Returned number of permissions tickets must match the amount of permission tickets.", Long.valueOf(4), ticketCount);
}
use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class UmaGrantTypeTest method testObtainRptUsingAccessToken.
@Test
public void testObtainRptUsingAccessToken() throws Exception {
AccessTokenResponse accessTokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
AuthorizationResponse response = authorize(null, null, null, null, accessTokenResponse.getToken(), null, null, new PermissionRequest("Resource A", "ScopeA", "ScopeB"));
String rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
}
use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class UmaGrantTypeTest method testTokenIntrospect.
@Test
public void testTokenIntrospect() throws Exception {
AuthzClient authzClient = getAuthzClient();
AccessTokenResponse accessTokenResponse = authzClient.obtainAccessToken("marta", "password");
AuthorizationResponse response = authorize(null, null, null, null, accessTokenResponse.getToken(), null, null, new PermissionRequest("Resource A", "ScopeA", "ScopeB"));
String rpt = response.getToken();
assertNotNull(rpt);
assertFalse(response.isUpgraded());
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
TokenIntrospectionResponse introspectionResponse = authzClient.protection().introspectRequestingPartyToken(rpt);
assertNotNull(introspectionResponse);
assertNotNull(introspectionResponse.getPermissions());
oauth.realm("authz-test");
String introspectHttpResponse = oauth.introspectTokenWithClientCredential("resource-server-test", "secret", "requesting_party_token", rpt);
Map jsonNode = JsonSerialization.readValue(introspectHttpResponse, Map.class);
assertEquals(true, jsonNode.get("active"));
Collection permissionClaims = (Collection) jsonNode.get("permissions");
assertNotNull(permissionClaims);
assertEquals(1, permissionClaims.size());
Map<String, Object> claim = (Map) permissionClaims.iterator().next();
assertThat(claim.keySet(), containsInAnyOrder("resource_id", "rsname", "resource_scopes", "scopes", "rsid"));
assertThat(claim.get("rsname"), equalTo("Resource A"));
ResourceRepresentation resourceRep = authzClient.protection().resource().findByName("Resource A");
assertThat(claim.get("rsid"), equalTo(resourceRep.getId()));
assertThat(claim.get("resource_id"), equalTo(resourceRep.getId()));
assertThat((Collection<String>) claim.get("resource_scopes"), containsInAnyOrder("ScopeA", "ScopeB"));
assertThat((Collection<String>) claim.get("scopes"), containsInAnyOrder("ScopeA", "ScopeB"));
}
use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class UmaGrantTypeTest method testCORSHeadersInFailedRptRequest.
@Test
public void testCORSHeadersInFailedRptRequest() throws Exception {
AccessTokenResponse accessTokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
UserRepresentation userRepresentation = getRealm().users().search("marta").get(0);
UserRepresentation updatedUser = UserBuilder.edit(userRepresentation).enabled(false).build();
getRealm().users().get(userRepresentation.getId()).update(updatedUser);
PermissionRequest permissions = new PermissionRequest("Resource A", "ScopeA", "ScopeB");
String ticket = getAuthzClient().protection().permission().create(Arrays.asList(permissions)).getTicket();
String tokenEndpoint = getAuthzClient().getServerConfiguration().getTokenEndpoint();
HttpPost post = new HttpPost(tokenEndpoint);
post.addHeader("Origin", "http://localhost");
post.addHeader("Authorization", "Bearer " + accessTokenResponse.getToken());
List<NameValuePair> parameters = new LinkedList<>();
parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.UMA_GRANT_TYPE));
parameters.add(new BasicNameValuePair("ticket", ticket));
UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(parameters, Charsets.UTF_8);
post.setEntity(formEntity);
CloseableHttpResponse response = oauth.getHttpClient().get().execute(post);
assertEquals(401, response.getStatusLine().getStatusCode());
assertEquals("http://localhost", response.getFirstHeader("Access-Control-Allow-Origin").getValue());
}
use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.
the class UserManagedPermissionServiceTest method testPermissionInAdditionToUserGrantedPermission.
@Test
public void testPermissionInAdditionToUserGrantedPermission() {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);
resource.setOwner("marta");
resource.addScope("Scope A", "Scope B", "Scope C");
resource = getAuthzClient().protection().resource().create(resource);
PermissionResponse ticketResponse = getAuthzClient().protection().permission().create(new PermissionRequest(resource.getId(), "Scope A"));
AuthorizationRequest request = new AuthorizationRequest();
request.setTicket(ticketResponse.getTicket());
try {
getAuthzClient().authorization("kolo", "password").authorize(request);
fail("User should not have permission");
} catch (Exception e) {
assertTrue(AuthorizationDeniedException.class.isInstance(e));
assertTrue(e.getMessage().contains("request_submitted"));
}
List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().findByResource(resource.getId());
assertEquals(1, tickets.size());
PermissionTicketRepresentation ticket = tickets.get(0);
ticket.setGranted(true);
getAuthzClient().protection().permission().update(ticket);
AuthorizationResponse authzResponse = getAuthzClient().authorization("kolo", "password").authorize(request);
assertNotNull(authzResponse);
UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
permission.setName("Custom User-Managed Permission");
permission.addScope("Scope A");
permission.addRole("role_a");
ProtectionResource protection = getAuthzClient().protection("marta", "password");
permission = protection.policy(resource.getId()).create(permission);
getAuthzClient().authorization("kolo", "password").authorize(request);
ticket.setGranted(false);
getAuthzClient().protection().permission().update(ticket);
getAuthzClient().authorization("kolo", "password").authorize(request);
permission = getAuthzClient().protection("marta", "password").policy(resource.getId()).findById(permission.getId());
assertNotNull(permission);
permission.removeRole("role_a");
permission.addRole("role_b");
getAuthzClient().protection("marta", "password").policy(resource.getId()).update(permission);
try {
getAuthzClient().authorization("kolo", "password").authorize(request);
fail("User should not have permission");
} catch (Exception e) {
assertTrue(AuthorizationDeniedException.class.isInstance(e));
}
request = new AuthorizationRequest();
request.addPermission(resource.getId());
try {
getAuthzClient().authorization("kolo", "password").authorize(request);
fail("User should not have permission");
} catch (Exception e) {
assertTrue(AuthorizationDeniedException.class.isInstance(e));
}
getAuthzClient().protection("marta", "password").policy(resource.getId()).delete(permission.getId());
try {
getAuthzClient().authorization("kolo", "password").authorize(request);
fail("User should not have permission");
} catch (Exception e) {
assertTrue(AuthorizationDeniedException.class.isInstance(e));
}
}
Aggregations