Use of org.keycloak.representations.idm.authorization.PermissionTicketRepresentation in project keycloak by keycloak.
Class EntitlementAPITest, method testObtainAllEntitlements.
/**
 * Walks the UMA permission-ticket flow for a resource owned by {@code marta} and checks how a grant
 * issued to {@code kolo} behaves when the resource's scopes change afterwards.
 *
 * <p>Sequence: an owner-only policy and a resource are created; {@code kolo} is denied and his
 * denied request leaves a permission ticket behind; the ticket is marked granted; scopes are then
 * added to and removed from the resource, and each step asserts what the earlier grant still
 * covers. The assertions document the least-privilege property under test: a grant never silently
 * widens to scopes that were added later.
 */
@Test
public void testObtainAllEntitlements() throws Exception {
    ClientResource resourceServer = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authz = resourceServer.authorization();

    JSPolicyRepresentation ownerOnly = new JSPolicyRepresentation();
    ownerOnly.setName("Only Owner Policy");
    ownerOnly.setCode("if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) {$evaluation.grant();}");
    authz.policies().js().create(ownerOnly).close();

    ResourceRepresentation martaResource = new ResourceRepresentation();
    martaResource.setName("Marta Resource");
    martaResource.setOwner("marta");
    martaResource.setOwnerManagedAccess(true);
    try (Response created = authz.resources().create(martaResource)) {
        martaResource = created.readEntity(ResourceRepresentation.class);
    }
    String resourceId = martaResource.getId();

    ResourcePermissionRepresentation ownerPermission = new ResourcePermissionRepresentation();
    ownerPermission.setName("Marta Resource Permission");
    ownerPermission.addResource(resourceId);
    ownerPermission.addPolicy(ownerOnly.getName());
    authz.permissions().resource().create(ownerPermission).close();

    // The policy grants only the owner; kolo has nothing yet.
    assertTrue(hasPermission("marta", "password", resourceId));
    assertFalse(hasPermission("kolo", "password", resourceId));

    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

    // kolo asks for the resource as a whole; the denied request leaves one pending ticket.
    submitTicketExpectingDenial(authzClient, passwordGrantAccessToken("kolo", "password"), new PermissionRequest(resourceId));
    List<PermissionTicketRepresentation> pending = authzClient.protection().permission().findByResource(resourceId);
    assertEquals(1, pending.size());
    grantTicket(authzClient, pending.get(0));
    assertTrue(hasPermission("kolo", "password", resourceId));

    // Once a scope is added, the earlier resource-level grant no longer covers the resource.
    martaResource.addScope("Scope A");
    authz.resources().resource(resourceId).update(martaResource);
    assertFalse(hasPermission("kolo", "password", resourceId));

    // kolo has to ask for the new scope explicitly and have that ticket granted as well.
    submitTicketExpectingDenial(authzClient, passwordGrantAccessToken("kolo", "password"), new PermissionRequest(resourceId, "Scope A"));
    pending = authzClient.protection().permission().find(resourceId, "Scope A", null, null, false, false, null, null);
    assertEquals(1, pending.size());
    grantTicket(authzClient, pending.get(0));
    assertTrue(hasPermission("kolo", "password", resourceId, "Scope A"));

    // A further scope is not covered by any existing grant.
    martaResource.addScope("Scope B");
    authz.resources().resource(resourceId).update(martaResource);
    assertTrue(hasPermission("kolo", "password", resourceId));
    assertTrue(hasPermission("kolo", "password", resourceId, "Scope A"));
    assertFalse(hasPermission("kolo", "password", resourceId, "Scope B"));

    // With all scopes removed the resource-level grant still holds, scope-level checks do not.
    martaResource.setScopes(new HashSet<>());
    authz.resources().resource(resourceId).update(martaResource);
    assertTrue(hasPermission("kolo", "password", resourceId));
    assertFalse(hasPermission("kolo", "password", resourceId, "Scope A"));
    assertFalse(hasPermission("kolo", "password", resourceId, "Scope B"));
}

/** Obtains an access token for {@code username} from the {@code authz-test} realm through the password grant. */
private String passwordGrantAccessToken(String username, String password) {
    return new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
            .doGrantAccessTokenRequest("secret", username, password).getAccessToken();
}

/**
 * Registers {@code permissionRequest} as a permission ticket and attempts an authorization with it.
 * No grant exists at that point, so the authorization is expected to be refused; any exception the
 * request raises is deliberately ignored and the pending ticket it leaves behind is what the caller
 * inspects next.
 */
private void submitTicketExpectingDenial(AuthzClient authzClient, String accessToken, PermissionRequest permissionRequest) {
    PermissionResponse permissionResponse = authzClient.protection().permission().create(permissionRequest);
    AuthorizationRequest authorizationRequest = new AuthorizationRequest();
    authorizationRequest.setTicket(permissionResponse.getTicket());
    try {
        authzClient.authorization(accessToken).authorize(authorizationRequest);
    } catch (Exception ignored) {
        // expected: the ticket has not been granted yet
    }
}

/** Marks {@code ticket} as granted through the protection API. */
private void grantTicket(AuthzClient authzClient, PermissionTicketRepresentation ticket) {
    ticket.setGranted(true);
    authzClient.protection().permission().update(ticket);
}
Use of org.keycloak.representations.idm.authorization.PermissionTicketRepresentation in project keycloak by keycloak.
Class PermissionManagementTest, method testGetPermissionTicketWithPagination.
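/**
 * Verifies that permission tickets can be fetched page by page through the protection API's
 * {@code find} call ({@code firstResult}/{@code maxResult}) and that the two pages partition the
 * tickets without overlap.
 *
 * <p>A denied authorization request from {@code marta} for all four scopes of the resource creates
 * the tickets. The second page is fetched first so that an implementation ignoring the offset would
 * be caught when the first page is checked against the scopes already seen.
 *
 * @throws Exception if the admin or authorization clients fail
 */
@Test
public void testGetPermissionTicketWithPagination() throws Exception {
    String[] scopes = { "ScopeA", "ScopeB", "ScopeC", "ScopeD" };
    ResourceRepresentation resource = addResource("Resource A", "kolo", true, scopes);
    AuthzClient authzClient = getAuthzClient();

    PermissionResponse response = authzClient.protection("marta", "password").permission().create(new PermissionRequest(resource.getId(), scopes));
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authzClient.authorization().authorize(request);
    } catch (Exception ignored) {
        // expected: nothing is granted yet; the denied request leaves the tickets inspected below
    }

    // Every ticket must be seen exactly once across both pages: a scope removed while checking the
    // first fetched page cannot be removed again when the second page is checked.
    Collection<String> unseenScopes = new ArrayList<>(Arrays.asList(scopes));

    // start with fetching the second half of all permission tickets
    assertTicketPage(getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, true, 2, 2), 2, unseenScopes);

    // fetch the first half of all permission tickets
    assertTicketPage(getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, true, 0, 2), 2, unseenScopes);

    assertTrue("Both pages together must cover every permission ticket exactly once.", unseenScopes.isEmpty());
}

/**
 * Asserts that {@code page} holds exactly {@code expectedSize} tickets whose scope names are still
 * in {@code unseenScopes}, removing each matched scope so that a later page cannot repeat it.
 */
private static void assertTicketPage(List<PermissionTicketRepresentation> page, int expectedSize, Collection<String> unseenScopes) {
    assertEquals("Returned number of permissions tickets must match the specified page size (i.e., 'maxResult').", expectedSize, page.size());
    for (PermissionTicketRepresentation ticket : page) {
        boolean foundScope = unseenScopes.remove(ticket.getScopeName());
        assertTrue("Returned set of permission tickets must be only a sub-set as per pagination offset and specified page size.", foundScope);
    }
}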
Use of org.keycloak.representations.idm.authorization.PermissionTicketRepresentation in project keycloak by keycloak.
Class UserManagedAccessTest, method testOnlyOwnerCanAccessPermissionsToScope.
/**
 * Scope-level UMA grants: the owner ({@code marta}) is authorized for both scopes of her resource by
 * the owner-only policy, another user ({@code kolo}) is refused until the owner grants the permission
 * tickets created by his refused request, and the owner's own access is unaffected by that grant.
 */
@Test
public void testOnlyOwnerCanAccessPermissionsToScope() throws Exception {
    String[] bothScopes = new String[] { "ScopeA", "ScopeB" };
    resource = addResource("Resource A", "marta", true, bothScopes);

    // One scope permission per scope, each backed by the owner-only policy.
    String[][] scopeAndPermissionSuffix = { { "ScopeA", " Scope A Permission" }, { "ScopeB", " Scope B Permission" } };
    for (String[] entry : scopeAndPermissionSuffix) {
        ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
        scopePermission.setName(resource.getName() + entry[1]);
        scopePermission.addScope(entry[0]);
        scopePermission.addPolicy("Only Owner Policy");
        getClient(getRealm()).authorization().permissions().scope().create(scopePermission).close();
    }

    // The owner is authorized for both scopes straight away.
    AuthorizationResponse ownerResponse = authorize("marta", "password", resource.getName(), bothScopes);
    String ownerRpt = ownerResponse.getToken();
    assertNotNull(ownerRpt);
    assertFalse(ownerResponse.isUpgraded());
    AccessToken.Authorization ownerAuthorization = toAccessToken(ownerRpt).getAuthorization();
    assertNotNull(ownerAuthorization);
    Collection<Permission> ownerPermissions = ownerAuthorization.getPermissions();
    assertNotNull(ownerPermissions);
    assertPermissions(ownerPermissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(ownerPermissions.isEmpty());

    // Another user is refused; the refused request is what creates the tickets granted below.
    try {
        authorize("kolo", "password", resource.getId(), bothScopes);
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the outcome this branch checks for
    }

    PermissionResource permissionResource = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> pendingTickets = permissionResource.find(resource.getId(), null, null, null, null, null, null, null);
    for (PermissionTicketRepresentation ticket : pendingTickets) {
        ticket.setGranted(true);
        permissionResource.update(ticket);
    }

    // With every ticket granted the same request now succeeds and carries both scopes.
    AuthorizationResponse grantedResponse = null;
    try {
        grantedResponse = authorize("kolo", "password", resource.getId(), bothScopes);
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to resource from another user");
    }
    Collection<Permission> grantedPermissions = toAccessToken(grantedResponse.getToken()).getAuthorization().getPermissions();
    assertPermissions(grantedPermissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(grantedPermissions.isEmpty());

    // The owner can still narrow her own request to a single scope.
    AuthorizationResponse singleScopeResponse = null;
    try {
        singleScopeResponse = authorize("marta", "password", resource.getId(), new String[] { "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to his own resources");
    }
    Collection<Permission> singleScopePermissions = toAccessToken(singleScopeResponse.getToken()).getAuthorization().getPermissions();
    assertPermissions(singleScopePermissions, resource.getName(), "ScopeB");
    assertTrue(singleScopePermissions.isEmpty());
}
Use of org.keycloak.representations.idm.authorization.PermissionTicketRepresentation in project keycloak by keycloak.
Class UserManagedAccessTest, method testOnlyOwnerCanAccessResourceWithType.
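/**
 * Makes sure permissions granted for one instance of a typed resource do not grant access to other
 * resource instances of the same type.
 *
 * <p>Three resources share the type {@code my:resource}: a client-owned "Typed Resource" and two
 * resources owned by {@code marta}. A single type-wide permission backed by the owner-only policy
 * admits the owner; {@code kolo} is admitted to "Resource A" only once the tickets created by his
 * refused request are granted, stays refused for "Resource B", and is refused for "Resource A" again
 * as soon as those tickets are deleted.
 *
 * @throws Exception if the admin or authorization clients fail
 */
@Test
public void testOnlyOwnerCanAccessResourceWithType() throws Exception {
    ResourceRepresentation typedResource = addResource("Typed Resource", getClient(getRealm()).toRepresentation().getId(), false, "ScopeA", "ScopeB");
    typedResource.setType("my:resource");
    getClient(getRealm()).authorization().resources().resource(typedResource.getId()).update(typedResource);

    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    resource.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resource.getId()).update(resource);

    ResourceRepresentation resourceB = addResource("Resource B", "marta", true, "ScopeA", "ScopeB");
    resourceB.setType(typedResource.getType());
    getClient(getRealm()).authorization().resources().resource(resourceB.getId()).update(resourceB);

    // One permission for the whole type, guarded by the owner-only policy.
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getType() + " Permission");
    permission.setResourceType(resource.getType());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();

    // The owner gets both scopes of her resource.
    AuthorizationResponse response = authorize("marta", "password", resource.getName(), new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());

    // Another user is refused; the refused request leaves tickets for the owner to decide on.
    try {
        authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the outcome this branch checks for
    }

    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    for (PermissionTicketRepresentation ticket : tickets) {
        ticket.setGranted(true);
        getAuthzClient().protection().permission().update(ticket);
    }

    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to resource from another user");
    }
    // Inspect the RPT actually issued to kolo: 'authorization' still refers to the owner's token
    // parsed above, whose permissions were already checked, so re-using it would assert nothing.
    rpt = response.getToken();
    assertNotNull(rpt);
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());

    // The grant is per resource instance: the sibling resource of the same type stays refused.
    try {
        authorize("kolo", "password", resourceB.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to another resource of the same type");
    } catch (AuthorizationDeniedException expected) {
        // denial is the outcome this branch checks for
    }

    // Deleting the tickets withdraws the grant: the same request is refused again.
    for (PermissionTicketRepresentation ticket : tickets) {
        getAuthzClient().protection().permission().delete(ticket.getId());
    }
    tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    assertEquals(0, tickets.size());
    try {
        authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the outcome this branch checks for
    }
}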
Use of org.keycloak.representations.idm.authorization.PermissionTicketRepresentation in project keycloak by keycloak.
Class UserManagedAccessTest, method testUserGrantsAccessToResourceWithoutScopes.
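/**
 * UMA grant for a resource without scopes: the owner ({@code marta}) is authorized by the owner-only
 * policy, {@code kolo} is refused until the single ticket created by his refused request is marked
 * granted, the grant keeps working on a repeated request, and deleting the ticket both leaves no
 * tickets behind and withdraws his access.
 *
 * @throws Exception if the admin or authorization clients fail
 */
@Test
public void testUserGrantsAccessToResourceWithoutScopes() throws Exception {
    resource = addResource("Resource A", "marta", true);

    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();

    // The owner is authorized straight away.
    AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] {});
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A");
    assertTrue(permissions.isEmpty());

    // Another user is refused; the failure message must describe this expectation, not its opposite.
    try {
        authorize("kolo", "password", resource.getId(), new String[] {});
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the outcome this branch checks for
    }

    // Exactly one ticket, not yet granted, was created by the refused request; the owner grants it.
    PermissionResource permissionResource = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertFalse(ticket.isGranted());
        ticket.setGranted(true);
        permissionResource.update(ticket);
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }

    // Requested twice on purpose: the grant must hold on a repeated request as well.
    for (int attempt = 1; attempt <= 2; attempt++) {
        response = authorize("kolo", "password", resource.getId(), new String[] {});
        rpt = response.getToken();
        assertNotNull(rpt);
        assertFalse(response.isUpgraded());
        accessToken = toAccessToken(rpt);
        authorization = accessToken.getAuthorization();
        assertNotNull(authorization);
        permissions = authorization.getPermissions();
        assertNotNull(permissions);
        assertPermissions(permissions, resource.getName());
        assertTrue(permissions.isEmpty());
    }

    // Issuing RPTs did not change the ticket itself.
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }

    // Deleting the ticket leaves nothing behind and withdraws the grant.
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        permissionResource.delete(ticket.getId());
    }
    assertEquals(0, permissionResource.findByResource(resource.getId()).size());
    try {
        authorize("kolo", "password", resource.getId(), new String[] {});
        fail("User should not have access to resource from another user once the ticket is deleted");
    } catch (AuthorizationDeniedException expected) {
        // denial is the outcome this branch checks for
    }
}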