use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class PermissionManagementTest method testTicketNotCreatedWhenResourceOwner.
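@Test
public void testTicketNotCreatedWhenResourceOwner() throws Exception {
    // "marta" owns "Resource A". A permission ticket she requests for her own resource must
    // not be persisted, whereas the same request from another user ("kolo") must leave
    // exactly one pending ticket behind.
    ResourceRepresentation resource = addResource("Resource A", "marta", true);
    AuthzClient authzClient = getAuthzClient();

    // Owner requests a ticket for her own resource.
    PermissionResponse response = authzClient.protection("marta", "password").permission()
            .create(new PermissionRequest(resource.getId()));
    assertNotNull(response.getTicket());

    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
        // The outcome of the authorization request is not what is under test here;
        // only the persisted-ticket state asserted below matters.
    }

    // No ticket may have been persisted for the owner's request.
    List<PermissionTicketRepresentation> permissions = authzClient.protection().permission()
            .findByResource(resource.getId());
    assertTrue(permissions.isEmpty());

    // A non-owner requesting the same resource must produce a persisted ticket.
    response = authzClient.protection("kolo", "password").permission()
            .create(new PermissionRequest(resource.getId()));
    assertNotNull(response.getTicket());

    request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("kolo", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
        // Presumably denied because nothing grants "kolo" access yet (not asserted here);
        // the persisted ticket is what is checked.
    }

    permissions = authzClient.protection().permission().findByResource(resource.getId());
    assertEquals(1, permissions.size());
}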
use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class PermissionManagementTest method testCreatePermissionTicketWithResourceName.
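@Test
public void testCreatePermissionTicketWithResourceName() throws Exception {
    // Resource owned by "kolo"; a ticket requested by a different user ("marta") must be persisted.
    ResourceRepresentation resource = addResource("Resource A", "kolo", true);
    AuthzClient authzClient = getAuthzClient();

    PermissionResponse response = authzClient.protection("marta", "password").permission()
            .create(new PermissionRequest(resource.getId()));

    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
        // The authorization outcome is deliberately not asserted; assertPersistence below
        // verifies the ticket that this request leaves behind.
    }

    assertPersistence(response, resource);
}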
use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class UmaPermissionTicketPushedClaimsTest method testEvaluatePermissionsWithPushedClaims.
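@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
    ResourceRepresentation resource = addResource("Bank Account", "withdraw");

    // JS policy: grant only when the pushed claim is present and its value is at most 100.
    // The script is a single concatenated line, identical to the original StringBuilder output.
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName("Withdraw Limit Policy");
    policy.setCode("var context = $evaluation.getContext();"
            + "var attributes = context.getAttributes();"
            + "var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');"
            + "if (withdrawValue && withdrawValue.asDouble(0) <= 100) {"
            + " $evaluation.grant();"
            + "}");

    AuthorizationResource authorization = getClient(getRealm()).authorization();
    authorization.policies().js().create(policy).close();

    // Scope permission on "withdraw" guarded by the policy above.
    ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
    representation.setName("Withdraw Permission");
    representation.addScope("withdraw");
    representation.addPolicy(policy.getName());
    authorization.permissions().scope().create(representation).close();

    AuthzClient authzClient = getAuthzClient();

    // Pushed claim within the limit: authorization must succeed and echo the claim.
    PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
    permissionRequest.addScope("withdraw");
    permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");

    PermissionResponse response = authzClient.protection("marta", "password").permission()
            .create(permissionRequest);

    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());

    AuthorizationResponse authorizationResponse = authzClient.authorization().authorize(request);
    assertNotNull(authorizationResponse);
    assertNotNull(authorizationResponse.getToken());

    AccessToken token = toAccessToken(authorizationResponse.getToken());
    Collection<Permission> permissions = token.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());

    Permission permission = permissions.iterator().next();
    Map<String, Set<String>> claims = permission.getClaims();
    assertNotNull(claims);
    assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));

    // Pushed claim above the limit: the policy must not grant, so authorization must fail.
    permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
    response = authzClient.protection("marta", "password").permission().create(permissionRequest);

    request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
        fail("Access should be denied");
    } catch (Exception ignored) {
        // Expected: denial surfaces as an exception. fail() throws an AssertionError, which
        // is not an Exception, so an unexpected grant still propagates out of this block.
    }
}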
use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class PermissionManagementTest method assertPersistence.
/**
 * Asserts that the permission ticket returned by a create call was persisted for the given
 * resource and that the ticket JWT's permissions line up with what was stored.
 * <p>
 * When {@code scopeNames} is empty, exactly one persisted ticket for the resource is expected;
 * otherwise one per scope name, each of which must reference a scope with that name.
 * Every persisted ticket must still be in the not-granted state.
 *
 * @param response   response of the ticket creation; its ticket is parsed as a {@code PermissionTicketToken}
 * @param resource   the resource the ticket was requested for
 * @param scopeNames scope names the ticket is expected to cover; empty means resource-level
 * @throws Exception if the ticket cannot be parsed
 */
private void assertPersistence(PermissionResponse response, ResourceRepresentation resource, String... scopeNames) throws Exception {
    String ticket = response.getTicket();
    assertNotNull(ticket);
    // One persisted ticket per requested scope, or a single resource-level ticket.
    int expectedPermissions = scopeNames.length > 0 ? scopeNames.length : 1;
    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().findByResource(resource.getId());
    assertEquals(expectedPermissions, tickets.size());
    // The ticket is a JWS; only its JSON payload is read here, the signature is not verified.
    PermissionTicketToken token = new JWSInput(ticket).readJsonContent(PermissionTicketToken.class);
    List<Permission> tokenPermissions = token.getPermissions();
    assertNotNull(tokenPermissions);
    // NOTE(review): when scopeNames is non-empty this compares scopeNames.length with itself and
    // never checks tokenPermissions.size(); only the resource-level case is a real assertion.
    // Left as-is because a scoped request may legitimately yield a single token permission
    // carrying several scopes — confirm before tightening.
    assertEquals(expectedPermissions, scopeNames.length > 0 ? scopeNames.length : tokenPermissions.size());
    // Drop each token permission whose resource has the expected number of persisted tickets;
    // anything left over is a permission in the ticket that was not persisted.
    Iterator<Permission> permissionIterator = tokenPermissions.iterator();
    while (permissionIterator.hasNext()) {
        Permission resourcePermission = permissionIterator.next();
        long count = tickets.stream().filter(representation -> representation.getResource().equals(resourcePermission.getResourceId())).count();
        if (count == (scopeNames.length > 0 ? scopeNames.length : 1)) {
            permissionIterator.remove();
        }
    }
    assertTrue(tokenPermissions.isEmpty());
    // Mirror check: every persisted ticket must be pending and must match either one of the
    // expected scope names or (scope-less ticket) the resource itself.
    ArrayList<PermissionTicketRepresentation> expectedTickets = new ArrayList<>(tickets);
    Iterator<PermissionTicketRepresentation> ticketIterator = expectedTickets.iterator();
    while (ticketIterator.hasNext()) {
        PermissionTicketRepresentation ticketRep = ticketIterator.next();
        assertFalse(ticketRep.isGranted());
        if (ticketRep.getScope() != null) {
            // Ticket stores the scope id; resolve it to compare by name.
            ScopeRepresentation scope = getClient(getRealm()).authorization().scopes().scope(ticketRep.getScope()).toRepresentation();
            if (Arrays.asList(scopeNames).contains(scope.getName())) {
                ticketIterator.remove();
            }
        } else if (ticketRep.getResource().equals(resource.getId())) {
            ticketIterator.remove();
        }
    }
    assertTrue(expectedTickets.isEmpty());
}
use of org.keycloak.representations.idm.authorization.PermissionResponse in project keycloak by keycloak.
the class PermissionManagementTest method testPermissionForTypedScope.
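@Test
public void testPermissionForTypedScope() throws Exception {
    // A typed resource that carries "ScopeC"; resources sharing its type inherit that scope.
    ResourceRepresentation typedResource = addResource("Typed Resource", "ScopeC");
    typedResource.setType("typed-resource");
    getClient(getRealm()).authorization().resources().resource(typedResource.getId()).update(typedResource);

    // "Resource A" (owned by "marta") declares ScopeA/ScopeB and takes the typed resource's type.
    ResourceRepresentation resourceA = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    resourceA.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resourceA.getId()).update(resourceA);

    // Request one own scope (ScopeA) and one scope that only exists through the type (ScopeC).
    PermissionRequest permissionRequest = new PermissionRequest(resourceA.getId());
    permissionRequest.setScopes(new HashSet<>(Arrays.asList("ScopeA", "ScopeC")));

    AuthzClient authzClient = getAuthzClient();
    PermissionResponse response = authzClient.protection("kolo", "password").permission()
            .create(permissionRequest);

    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("kolo", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
        // The authorization outcome is not asserted; assertPersistence below checks that a
        // pending ticket was persisted for each requested scope.
    }

    assertPersistence(response, resourceA, "ScopeA", "ScopeC");
}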