Search in sources :

Example 41 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

the class PermissionManagementTest method testPermissionCount.

@Test
public void testPermissionCount() throws Exception {
    String[] scopes = { "ScopeA", "ScopeB", "ScopeC", "ScopeD" };
    ResourceRepresentation resource = addResource("Resource A", "kolo", true, scopes);
    AuthzClient authzClient = getAuthzClient();
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(new PermissionRequest(resource.getId(), scopes));
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
    }
    Long ticketCount = getAuthzClient().protection().permission().count(resource.getId(), null, null, null, null, true);
    assertEquals("Returned number of permissions tickets must match the amount of permission tickets.", Long.valueOf(4), ticketCount);
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Example 42 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

the class UmaGrantTypeTest method testObtainRptUsingAccessToken.

@Test
public void testObtainRptUsingAccessToken() throws Exception {
    AccessTokenResponse accessTokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
    AuthorizationResponse response = authorize(null, null, null, null, accessTokenResponse.getToken(), null, null, new PermissionRequest("Resource A", "ScopeA", "ScopeB"));
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 43 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

the class UmaGrantTypeTest method testTokenIntrospect.

@Test
public void testTokenIntrospect() throws Exception {
    AuthzClient authzClient = getAuthzClient();
    AccessTokenResponse accessTokenResponse = authzClient.obtainAccessToken("marta", "password");
    AuthorizationResponse response = authorize(null, null, null, null, accessTokenResponse.getToken(), null, null, new PermissionRequest("Resource A", "ScopeA", "ScopeB"));
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    TokenIntrospectionResponse introspectionResponse = authzClient.protection().introspectRequestingPartyToken(rpt);
    assertNotNull(introspectionResponse);
    assertNotNull(introspectionResponse.getPermissions());
    oauth.realm("authz-test");
    String introspectHttpResponse = oauth.introspectTokenWithClientCredential("resource-server-test", "secret", "requesting_party_token", rpt);
    Map jsonNode = JsonSerialization.readValue(introspectHttpResponse, Map.class);
    assertEquals(true, jsonNode.get("active"));
    Collection permissionClaims = (Collection) jsonNode.get("permissions");
    assertNotNull(permissionClaims);
    assertEquals(1, permissionClaims.size());
    Map<String, Object> claim = (Map) permissionClaims.iterator().next();
    assertThat(claim.keySet(), containsInAnyOrder("resource_id", "rsname", "resource_scopes", "scopes", "rsid"));
    assertThat(claim.get("rsname"), equalTo("Resource A"));
    ResourceRepresentation resourceRep = authzClient.protection().resource().findByName("Resource A");
    assertThat(claim.get("rsid"), equalTo(resourceRep.getId()));
    assertThat(claim.get("resource_id"), equalTo(resourceRep.getId()));
    assertThat((Collection<String>) claim.get("resource_scopes"), containsInAnyOrder("ScopeA", "ScopeB"));
    assertThat((Collection<String>) claim.get("scopes"), containsInAnyOrder("ScopeA", "ScopeB"));
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) Collection(java.util.Collection) TokenIntrospectionResponse(org.keycloak.authorization.client.representation.TokenIntrospectionResponse) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Map(java.util.Map) Test(org.junit.Test)

Example 44 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

the class UmaGrantTypeTest method testCORSHeadersInFailedRptRequest.

@Test
public void testCORSHeadersInFailedRptRequest() throws Exception {
    AccessTokenResponse accessTokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
    UserRepresentation userRepresentation = getRealm().users().search("marta").get(0);
    UserRepresentation updatedUser = UserBuilder.edit(userRepresentation).enabled(false).build();
    getRealm().users().get(userRepresentation.getId()).update(updatedUser);
    PermissionRequest permissions = new PermissionRequest("Resource A", "ScopeA", "ScopeB");
    String ticket = getAuthzClient().protection().permission().create(Arrays.asList(permissions)).getTicket();
    String tokenEndpoint = getAuthzClient().getServerConfiguration().getTokenEndpoint();
    HttpPost post = new HttpPost(tokenEndpoint);
    post.addHeader("Origin", "http://localhost");
    post.addHeader("Authorization", "Bearer " + accessTokenResponse.getToken());
    List<NameValuePair> parameters = new LinkedList<>();
    parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.UMA_GRANT_TYPE));
    parameters.add(new BasicNameValuePair("ticket", ticket));
    UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(parameters, Charsets.UTF_8);
    post.setEntity(formEntity);
    CloseableHttpResponse response = oauth.getHttpClient().get().execute(post);
    assertEquals(401, response.getStatusLine().getStatusCode());
    assertEquals("http://localhost", response.getFirstHeader("Access-Control-Allow-Origin").getValue());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) HttpPost(org.apache.http.client.methods.HttpPost) NameValuePair(org.apache.http.NameValuePair) BasicNameValuePair(org.apache.http.message.BasicNameValuePair) BasicNameValuePair(org.apache.http.message.BasicNameValuePair) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) UrlEncodedFormEntity(org.apache.http.client.entity.UrlEncodedFormEntity) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) LinkedList(java.util.LinkedList) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 45 with PermissionRequest

use of org.keycloak.representations.idm.authorization.PermissionRequest in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testPermissionInAdditionToUserGrantedPermission.

@Test
public void testPermissionInAdditionToUserGrantedPermission() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);
    PermissionResponse ticketResponse = getAuthzClient().protection().permission().create(new PermissionRequest(resource.getId(), "Scope A"));
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(ticketResponse.getTicket());
    try {
        getAuthzClient().authorization("kolo", "password").authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
        assertTrue(e.getMessage().contains("request_submitted"));
    }
    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().findByResource(resource.getId());
    assertEquals(1, tickets.size());
    PermissionTicketRepresentation ticket = tickets.get(0);
    ticket.setGranted(true);
    getAuthzClient().protection().permission().update(ticket);
    AuthorizationResponse authzResponse = getAuthzClient().authorization("kolo", "password").authorize(request);
    assertNotNull(authzResponse);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Permission");
    permission.addScope("Scope A");
    permission.addRole("role_a");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    permission = protection.policy(resource.getId()).create(permission);
    getAuthzClient().authorization("kolo", "password").authorize(request);
    ticket.setGranted(false);
    getAuthzClient().protection().permission().update(ticket);
    getAuthzClient().authorization("kolo", "password").authorize(request);
    permission = getAuthzClient().protection("marta", "password").policy(resource.getId()).findById(permission.getId());
    assertNotNull(permission);
    permission.removeRole("role_a");
    permission.addRole("role_b");
    getAuthzClient().protection("marta", "password").policy(resource.getId()).update(permission);
    try {
        getAuthzClient().authorization("kolo", "password").authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
    request = new AuthorizationRequest();
    request.addPermission(resource.getId());
    try {
        getAuthzClient().authorization("kolo", "password").authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
    getAuthzClient().protection("marta", "password").policy(resource.getId()).delete(permission.getId());
    try {
        getAuthzClient().authorization("kolo", "password").authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) PermissionTicketRepresentation(org.keycloak.representations.idm.authorization.PermissionTicketRepresentation) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Aggregations

PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest)45 Test (org.junit.Test)39 AuthzClient (org.keycloak.authorization.client.AuthzClient)31 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)30 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)20 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)20 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)19 HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)15 ArrayList (java.util.ArrayList)12 Permission (org.keycloak.representations.idm.authorization.Permission)11 AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException)9 AccessToken (org.keycloak.representations.AccessToken)9 List (java.util.List)6 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)6 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)6 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)6 OAuthClient (org.keycloak.testsuite.util.OAuthClient)5 ClientResource (org.keycloak.admin.client.resource.ClientResource)4 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)4 Set (java.util.Set)3