use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlements.
/**
 * Walks an owner-managed resource through a series of permission-ticket grants and scope
 * changes, checking after each step what the non-owner user "kolo" is allowed to obtain.
 *
 * <p>Sequence exercised by the assertions:
 * <ol>
 *   <li>With only the owner-only policy in place, "marta" (the owner) has access and "kolo"
 *       does not.</li>
 *   <li>Once the ticket recorded for "kolo" is marked granted, "kolo" has access to the
 *       resource.</li>
 *   <li>Adding "Scope A" to the resource makes the resource-level check for "kolo" fail again
 *       until a ticket for that scope is granted.</li>
 *   <li>Adding "Scope B" does not extend the grant: "kolo" keeps the resource and "Scope A",
 *       but not "Scope B".</li>
 *   <li>Removing every scope leaves the resource-level access in place while both scoped
 *       checks are denied.</li>
 * </ol>
 *
 * <p>The user names, passwords and client secret below are literals of the test realm.
 */
@Test
public void testObtainAllEntitlements() throws Exception {
    AuthorizationResource authz = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

    // Policy that grants only when the requesting identity equals the resource owner.
    JSPolicyRepresentation ownerOnly = new JSPolicyRepresentation();
    ownerOnly.setName("Only Owner Policy");
    ownerOnly.setCode("if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) {$evaluation.grant();}");
    authz.policies().js().create(ownerOnly).close();

    // Resource owned by marta, with owner-managed access switched on.
    ResourceRepresentation draft = new ResourceRepresentation();
    draft.setName("Marta Resource");
    draft.setOwner("marta");
    draft.setOwnerManagedAccess(true);

    // Continue with the representation returned by the server so the generated id is known.
    ResourceRepresentation resource;
    try (Response created = authz.resources().create(draft)) {
        resource = created.readEntity(ResourceRepresentation.class);
    }
    final String resourceId = resource.getId();

    ResourcePermissionRepresentation ownerPermission = new ResourcePermissionRepresentation();
    ownerPermission.setName("Marta Resource Permission");
    ownerPermission.addResource(resourceId);
    ownerPermission.addPolicy(ownerOnly.getName());
    authz.permissions().resource().create(ownerPermission).close();

    // Baseline: the owner passes the policy, the other user does not.
    assertTrue(hasPermission("marta", "password", resourceId));
    assertFalse(hasPermission("kolo", "password", resourceId));

    // kolo asks for the resource with a permission ticket.
    String koloToken = new OAuthClient()
            .realm("authz-test")
            .clientId(RESOURCE_SERVER_TEST)
            .doGrantAccessTokenRequest("secret", "kolo", "password")
            .getAccessToken();
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    PermissionResponse ticketResponse =
            authzClient.protection().permission().create(new PermissionRequest(resourceId));
    AuthorizationRequest ticketRequest = new AuthorizationRequest();
    ticketRequest.setTicket(ticketResponse.getTicket());
    try {
        authzClient.authorization(koloToken).authorize(ticketRequest);
    } catch (Exception expected) {
        // Any failure here is deliberately ignored (presumably the request is denied for
        // kolo at this point); the lookup below checks that a ticket was recorded.
    }

    // Exactly one ticket is expected for the resource; mark it granted.
    List<PermissionTicketRepresentation> pending =
            authzClient.protection().permission().findByResource(resourceId);
    assertEquals(1, pending.size());
    PermissionTicketRepresentation toGrant = pending.get(0);
    toGrant.setGranted(true);
    authzClient.protection().permission().update(toGrant);
    assertTrue(hasPermission("kolo", "password", resourceId));

    // After a scope is added to the resource, the resource-level check for kolo is expected
    // to fail: the earlier grant is not treated as covering the changed resource.
    resource.addScope("Scope A");
    authz.resources().resource(resourceId).update(resource);
    assertFalse(hasPermission("kolo", "password", resourceId));

    // Same ticket round trip, this time asking for "Scope A" explicitly.
    koloToken = new OAuthClient()
            .realm("authz-test")
            .clientId(RESOURCE_SERVER_TEST)
            .doGrantAccessTokenRequest("secret", "kolo", "password")
            .getAccessToken();
    ticketResponse = authzClient.protection().permission()
            .create(new PermissionRequest(resourceId, "Scope A"));
    ticketRequest = new AuthorizationRequest();
    ticketRequest.setTicket(ticketResponse.getTicket());
    try {
        authzClient.authorization(koloToken).authorize(ticketRequest);
    } catch (Exception expected) {
        // Ignored for the same reason as the first attempt.
    }

    pending = authzClient.protection().permission()
            .find(resourceId, "Scope A", null, null, false, false, null, null);
    assertEquals(1, pending.size());
    toGrant = pending.get(0);
    toGrant.setGranted(true);
    authzClient.protection().permission().update(toGrant);
    assertTrue(hasPermission("kolo", "password", resourceId, "Scope A"));

    // A scope added later must not be covered by the existing grants.
    resource.addScope("Scope B");
    authz.resources().resource(resourceId).update(resource);
    assertTrue(hasPermission("kolo", "password", resourceId));
    assertTrue(hasPermission("kolo", "password", resourceId, "Scope A"));
    assertFalse(hasPermission("kolo", "password", resourceId, "Scope B"));

    // With all scopes removed, only the resource-level access remains.
    resource.setScopes(new HashSet<>());
    authz.resources().resource(resourceId).update(resource);
    assertTrue(hasPermission("kolo", "password", resourceId));
    assertFalse(hasPermission("kolo", "password", resourceId, "Scope A"));
    assertFalse(hasPermission("kolo", "password", resourceId, "Scope B"));
}
use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class PermissionManagementTest method testSameTicketForSamePermissionRequest.
/**
 * Requests a permission ticket for "Resource A", addressed by resource name, through the
 * protection API as user "marta", and checks that a ticket is returned.
 *
 * <p>NOTE(review): despite the method name, only one request is issued; nothing here compares
 * the tickets of two identical requests.
 */
@Test
public void testSameTicketForSamePermissionRequest() throws Exception {
    ResourceRepresentation registered = addResource("Resource A", true);
    PermissionRequest byName = new PermissionRequest(registered.getName());

    PermissionResponse ticketResponse = getAuthzClient()
            .protection("marta", "password")
            .permission()
            .create(byName);

    assertNotNull(ticketResponse.getTicket());
}
use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class PermissionManagementTest method testCreatePermissionTicketWithResourceId.
/**
 * Requests a permission ticket addressed by resource id and checks that, after an
 * authorization attempt with that ticket, a permission ticket can be found for the resource.
 *
 * <p>The resource is registered with "kolo" as the second argument of {@code addResource}
 * (presumably the owner; confirm against the helper), while the ticket and the claim token
 * are obtained as "marta".
 */
@Test
public void testCreatePermissionTicketWithResourceId() throws Exception {
    ResourceRepresentation target = addResource("Resource A", "kolo", true);
    AuthzClient client = getAuthzClient();

    PermissionRequest byId = new PermissionRequest(target.getId());
    PermissionResponse ticketResponse =
            client.protection("marta", "password").permission().create(byId);

    // Present the ticket together with marta's access token as the claim token.
    AuthorizationRequest authzRequest = new AuthorizationRequest();
    authzRequest.setTicket(ticketResponse.getTicket());
    authzRequest.setClaimToken(client.obtainAccessToken("marta", "password").getToken());

    try {
        client.authorization().authorize(authzRequest);
    } catch (Exception ignored) {
        // The outcome of the attempt is deliberately not checked; the assertions below only
        // look at the ticket and at what the server has recorded for the resource.
    }

    assertNotNull(ticketResponse.getTicket());
    assertFalse(client.protection().permission().findByResource(target.getId()).isEmpty());
}
use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class PermissionManagementTest method testMultiplePermissionRequest.
/**
 * Submits one permission request covering four resources (addressed by name) and checks that
 * the response carries a ticket.
 */
@Test
public void testMultiplePermissionRequest() throws Exception {
    String[] resourceNames = { "Resource A", "Resource B", "Resource C", "Resource D" };

    // Register each resource, in order, and queue a request for it by name.
    List<PermissionRequest> batch = new ArrayList<>();
    for (String resourceName : resourceNames) {
        batch.add(new PermissionRequest(addResource(resourceName, true).getName()));
    }

    PermissionResponse ticketResponse = getAuthzClient().protection().permission().create(batch);

    assertNotNull(ticketResponse.getTicket());
}
use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class PermissionManagementTest method testGetPermissionTicketWithPagination.
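/**
 * Checks that the permission-ticket lookup honours its paging arguments.
 *
 * <p>A resource with four scopes is registered and a ticket covering all four scopes is
 * requested as "marta". Tickets for the resource are then fetched in two pages of two (the
 * trailing {@code find} arguments are presumably first result and max result, as the
 * assertion messages suggest). Each returned scope name is removed from the expected set, so a
 * scope that showed up on both pages would make the second removal fail.
 */
@Test
public void testGetPermissionTicketWithPagination() throws Exception {
    final String pageSizeMessage =
            "Returned number of permissions tickets must match the specified page size (i.e., 'maxResult').";
    final String subsetMessage =
            "Returned set of permission tickets must be only a sub-set as per pagination offset and specified page size.";

    String[] scopes = { "ScopeA", "ScopeB", "ScopeC", "ScopeD" };
    ResourceRepresentation resource = addResource("Resource A", "kolo", true, scopes);
    AuthzClient authzClient = getAuthzClient();
    PermissionResponse response = authzClient.protection("marta", "password").permission()
            .create(new PermissionRequest(resource.getId(), scopes));

    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
        // The outcome of the attempt is deliberately not checked; the test only needs the
        // tickets that exist for the resource afterwards.
    }

    // Typed mutable copy of the scope names (the original used a raw ArrayList).
    Collection<String> expectedScopes = new ArrayList<>(Arrays.asList(scopes));

    // start with fetching the second half of all permission tickets
    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission()
            .find(resource.getId(), null, null, null, null, true, 2, 2);
    assertEquals(pageSizeMessage, 2, tickets.size());
    boolean foundScope = expectedScopes.remove(tickets.get(0).getScopeName());
    assertTrue(subsetMessage, foundScope);
    foundScope = expectedScopes.remove(tickets.get(1).getScopeName());
    assertTrue(subsetMessage, foundScope);

    // fetch the first half of all permission tickets
    tickets = getAuthzClient().protection().permission()
            .find(resource.getId(), null, null, null, null, true, 0, 2);
    assertEquals(pageSizeMessage, 2, tickets.size());
    foundScope = expectedScopes.remove(tickets.get(0).getScopeName());
    assertTrue(subsetMessage, foundScope);
    foundScope = expectedScopes.remove(tickets.get(1).getScopeName());
    assertTrue(subsetMessage, foundScope);
}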