Search in sources :

Example 51 with PolicyRepresentation

use of org.keycloak.representations.idm.authorization.PolicyRepresentation in project keycloak by keycloak.

the class PolicyEvaluationCompositeRoleTest method createRolePolicy.

private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
    PolicyRepresentation representation = new PolicyRepresentation();
    representation.setName(role.getName());
    representation.setType("role");
    representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    representation.setLogic(Logic.POSITIVE);
    String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
    Map<String, String> config = new HashMap<>();
    config.put("roles", roleValues);
    representation.setConfig(config);
    return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
Also used : PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) HashMap(java.util.HashMap)

Example 52 with PolicyRepresentation

use of org.keycloak.representations.idm.authorization.PolicyRepresentation in project keycloak by keycloak.

the class ExportImportUtil method assertAuthorizationSettingsTestAppAuthz.

private static void assertAuthorizationSettingsTestAppAuthz(RealmResource realmRsc) {
    AuthorizationResource authzResource = ApiUtil.findAuthorizationSettings(realmRsc, "test-app-authz");
    Assert.assertNotNull(authzResource);
    List<ResourceRepresentation> resources = authzResource.resources().resources();
    Assert.assertEquals(4, resources.size());
    ResourceServerRepresentation authzSettings = authzResource.getSettings();
    List<Predicate<ResourceRepresentation>> resourcePredicates = new ArrayList<>();
    resourcePredicates.add(resourceRep -> {
        if ("Admin Resource".equals(resourceRep.getName())) {
            Assert.assertEquals(authzSettings.getClientId(), resourceRep.getOwner().getId());
            Assert.assertEquals("/protected/admin/*", resourceRep.getUri());
            Assert.assertEquals("http://test-app-authz/protected/admin", resourceRep.getType());
            Assert.assertEquals("http://icons.com/icon-admin", resourceRep.getIconUri());
            Assert.assertEquals(1, resourceRep.getScopes().size());
            return true;
        }
        return false;
    });
    resourcePredicates.add(resourceRep -> {
        if ("Protected Resource".equals(resourceRep.getName())) {
            Assert.assertEquals(authzSettings.getClientId(), resourceRep.getOwner().getId());
            Assert.assertEquals("/*", resourceRep.getUri());
            Assert.assertEquals("http://test-app-authz/protected/resource", resourceRep.getType());
            Assert.assertEquals("http://icons.com/icon-resource", resourceRep.getIconUri());
            Assert.assertEquals(1, resourceRep.getScopes().size());
            return true;
        }
        return false;
    });
    resourcePredicates.add(resourceRep -> {
        if ("Premium Resource".equals(resourceRep.getName())) {
            Assert.assertEquals(authzSettings.getClientId(), resourceRep.getOwner().getId());
            Assert.assertEquals("/protected/premium/*", resourceRep.getUri());
            Assert.assertEquals("urn:test-app-authz:protected:resource", resourceRep.getType());
            Assert.assertEquals("http://icons.com/icon-premium", resourceRep.getIconUri());
            Assert.assertEquals(1, resourceRep.getScopes().size());
            return true;
        }
        return false;
    });
    resourcePredicates.add(resourceRep -> {
        if ("Main Page".equals(resourceRep.getName())) {
            Assert.assertEquals(authzSettings.getClientId(), resourceRep.getOwner().getId());
            Assert.assertNull(resourceRep.getUri());
            Assert.assertEquals("urn:test-app-authz:protected:resource", resourceRep.getType());
            Assert.assertEquals("http://icons.com/icon-main-page", resourceRep.getIconUri());
            Assert.assertEquals(3, resourceRep.getScopes().size());
            return true;
        }
        return false;
    });
    assertPredicate(resources, resourcePredicates);
    List<ScopeRepresentation> scopes = authzResource.scopes().scopes();
    Assert.assertEquals(6, scopes.size());
    List<Predicate<ScopeRepresentation>> scopePredicates = new ArrayList<>();
    scopePredicates.add(scopeRepresentation -> "admin-access".equals(scopeRepresentation.getName()));
    scopePredicates.add(scopeRepresentation -> "resource-access".equals(scopeRepresentation.getName()));
    scopePredicates.add(scopeRepresentation -> "premium-access".equals(scopeRepresentation.getName()));
    scopePredicates.add(scopeRepresentation -> "urn:test-app-authz:page:main:actionForAdmin".equals(scopeRepresentation.getName()));
    scopePredicates.add(scopeRepresentation -> "urn:test-app-authz:page:main:actionForUser".equals(scopeRepresentation.getName()));
    scopePredicates.add(scopeRepresentation -> "urn:test-app-authz:page:main:actionForPremiumUser".equals(scopeRepresentation.getName()));
    assertPredicate(scopes, scopePredicates);
    List<PolicyRepresentation> policies = authzResource.policies().policies();
    Assert.assertEquals(14, policies.size());
    List<Predicate<PolicyRepresentation>> policyPredicates = new ArrayList<>();
    policyPredicates.add(policyRepresentation -> "Any Admin Policy".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "Any User Policy".equals(policyRepresentation.getName()));
    policyPredicates.add(representation -> "Client and Realm Role Policy".equals(representation.getName()));
    policyPredicates.add(representation -> "Client Test Policy".equals(representation.getName()));
    policyPredicates.add(representation -> "Group Policy Test".equals(representation.getName()));
    policyPredicates.add(policyRepresentation -> "Only Premium User Policy".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "wburke policy".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "All Users Policy".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "Premium Resource Permission".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "Administrative Resource Permission".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "Protected Resource Permission".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "Action 1 on Main Page Resource Permission".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "Action 2 on Main Page Resource Permission".equals(policyRepresentation.getName()));
    policyPredicates.add(policyRepresentation -> "Action 3 on Main Page Resource Permission".equals(policyRepresentation.getName()));
    assertPredicate(policies, policyPredicates);
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) ArrayList(java.util.ArrayList) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Predicate(java.util.function.Predicate) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) ClientScopeRepresentation(org.keycloak.representations.idm.ClientScopeRepresentation)

Example 53 with PolicyRepresentation

use of org.keycloak.representations.idm.authorization.PolicyRepresentation in project keycloak by keycloak.

the class DeployedScriptPolicyTest method testCreatePermission.

@Test
public void testCreatePermission() {
    AuthorizationResource authorization = getAuthorizationResource();
    PolicyRepresentation grantPolicy = new PolicyRepresentation();
    grantPolicy.setName("Grant Policy");
    grantPolicy.setType("script-policy-grant.js");
    authorization.policies().create(grantPolicy).close();
    PolicyRepresentation denyPolicy = new PolicyRepresentation();
    denyPolicy.setName("Deny Policy");
    denyPolicy.setType("script-policy-deny.js");
    authorization.policies().create(denyPolicy).close();
    PermissionsResource permissions = authorization.permissions();
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("Test Deployed JS Permission");
    permission.addResource("Default Resource");
    permission.addPolicy(grantPolicy.getName());
    permissions.resource().create(permission).close();
    PolicyEvaluationRequest request = new PolicyEvaluationRequest();
    request.setUserId("marta");
    request.addResource("Default Resource");
    PolicyEvaluationResponse response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.PERMIT, response.getStatus());
    permission = permissions.resource().findByName(permission.getName());
    permission.addPolicy(denyPolicy.getName());
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.DENY, response.getStatus());
    permission.addPolicy(grantPolicy.getName());
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.DENY, response.getStatus());
    permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.PERMIT, response.getStatus());
}
Also used : PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) PermissionsResource(org.keycloak.admin.client.resource.PermissionsResource) PolicyEvaluationResponse(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse) PolicyEvaluationRequest(org.keycloak.representations.idm.authorization.PolicyEvaluationRequest) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) Test(org.junit.Test) AbstractAuthzTest(org.keycloak.testsuite.authz.AbstractAuthzTest)

Example 54 with PolicyRepresentation

use of org.keycloak.representations.idm.authorization.PolicyRepresentation in project keycloak by keycloak.

the class PermissionsTest method clientAuthorization.

@Test
public void clientAuthorization() {
    ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
    ClientRepresentation newClient = new ClientRepresentation();
    newClient.setClientId("foo-authz");
    adminClient.realms().realm(REALM_NAME).clients().create(newClient);
    ClientRepresentation foo = adminClient.realms().realm(REALM_NAME).clients().findByClientId("foo-authz").get(0);
    invoke(new InvocationWithResponse() {

        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            foo.setServiceAccountsEnabled(true);
            foo.setAuthorizationServicesEnabled(true);
            realm.clients().get(foo.getId()).update(foo);
        }
    }, CLIENT, true);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            realm.clients().get(foo.getId()).authorization().getSettings();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            ResourceServerRepresentation settings = authorization.getSettings();
            authorization.update(settings);
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.resources().resources();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.scopes().scopes();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.policies().policies();
        }
    }, AUTHORIZATION, false);
    invoke(new InvocationWithResponse() {

        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            response.set(authorization.resources().create(new ResourceRepresentation("Test", Collections.emptySet())));
        }
    }, AUTHORIZATION, true);
    invoke(new InvocationWithResponse() {

        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            response.set(authorization.scopes().create(new ScopeRepresentation("Test")));
        }
    }, AUTHORIZATION, true);
    invoke(new InvocationWithResponse() {

        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
            representation.setName("Test PermissionsTest");
            representation.addResource("Default Resource");
            response.set(authorization.permissions().resource().create(representation));
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.resources().resource("nosuch").update(new ResourceRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.scopes().scope("nosuch").update(new ScopeRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.policies().policy("nosuch").update(new PolicyRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.resources().resource("nosuch").remove();
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.scopes().scope("nosuch").remove();
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.policies().policy("nosuch").remove();
        }
    }, AUTHORIZATION, true);
}
Also used : Response(javax.ws.rs.core.Response) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) ClientScopeRepresentation(org.keycloak.representations.idm.ClientScopeRepresentation) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 55 with PolicyRepresentation

use of org.keycloak.representations.idm.authorization.PolicyRepresentation in project keycloak by keycloak.

the class RepresentationToModel method toModel.

public static Policy toModel(AbstractPolicyRepresentation representation, AuthorizationProvider authorization, Policy model) {
    model.setName(representation.getName());
    model.setDescription(representation.getDescription());
    model.setDecisionStrategy(representation.getDecisionStrategy());
    model.setLogic(representation.getLogic());
    Set resources = representation.getResources();
    Set scopes = representation.getScopes();
    Set policies = representation.getPolicies();
    if (representation instanceof PolicyRepresentation) {
        PolicyRepresentation policy = PolicyRepresentation.class.cast(representation);
        if (resources == null) {
            String resourcesConfig = policy.getConfig().get("resources");
            if (resourcesConfig != null) {
                try {
                    resources = JsonSerialization.readValue(resourcesConfig, Set.class);
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
        }
        if (scopes == null) {
            String scopesConfig = policy.getConfig().get("scopes");
            if (scopesConfig != null) {
                try {
                    scopes = JsonSerialization.readValue(scopesConfig, Set.class);
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
        }
        if (policies == null) {
            String policiesConfig = policy.getConfig().get("applyPolicies");
            if (policiesConfig != null) {
                try {
                    policies = JsonSerialization.readValue(policiesConfig, Set.class);
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
        }
        model.setConfig(policy.getConfig());
    }
    StoreFactory storeFactory = authorization.getStoreFactory();
    updateResources(resources, model, storeFactory);
    updateScopes(scopes, model, storeFactory);
    updateAssociatedPolicies(policies, model, storeFactory);
    PolicyProviderFactory provider = authorization.getProviderFactory(model.getType());
    if (representation instanceof PolicyRepresentation) {
        provider.onImport(model, PolicyRepresentation.class.cast(representation), authorization);
    } else if (representation.getId() == null) {
        provider.onCreate(model, representation, authorization);
    } else {
        provider.onUpdate(model, representation, authorization);
    }
    representation.setId(model.getId());
    return model;
}
Also used : AbstractPolicyRepresentation(org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) Set(java.util.Set) HashSet(java.util.HashSet) PolicyProviderFactory(org.keycloak.authorization.policy.provider.PolicyProviderFactory) ArtifactBindingUtils.computeArtifactBindingIdentifierString(org.keycloak.protocol.saml.util.ArtifactBindingUtils.computeArtifactBindingIdentifierString) IOException(java.io.IOException) StoreFactory(org.keycloak.authorization.store.StoreFactory)

Aggregations

PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation)58 Test (org.junit.Test)26 HashMap (java.util.HashMap)20 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)19 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)18 Response (javax.ws.rs.core.Response)15 List (java.util.List)12 Map (java.util.Map)12 IOException (java.io.IOException)10 ArrayList (java.util.ArrayList)10 Collectors (java.util.stream.Collectors)10 RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)10 AbstractPolicyRepresentation (org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation)10 ScopeRepresentation (org.keycloak.representations.idm.authorization.ScopeRepresentation)10 UserPolicyRepresentation (org.keycloak.representations.idm.authorization.UserPolicyRepresentation)10 WebElement (org.openqa.selenium.WebElement)10 Set (java.util.Set)9 Policy (org.keycloak.authorization.model.Policy)9 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)9 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)8