Use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak (class GroupNamePolicyTest, method createResourcePermission).
/**
 * Creates a resource-based permission on the test client's resource server,
 * binding one resource to the given policies.
 *
 * @param name     name of the new permission
 * @param resource name of the resource the permission protects
 * @param policies names of the policies that decide the permission
 */
private void createResourcePermission(String name, String resource, String... policies) {
    ResourcePermissionRepresentation rep = new ResourcePermissionRepresentation();
    rep.setName(name);
    rep.addPolicy(policies);
    rep.addResource(resource);
    // create(...) returns a JAX-RS Response; close it so the connection is released.
    getClient().authorization().permissions().resource().create(rep).close();
}
Use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak (class ConflictingScopePermissionTest, method createResourcePermission).
/**
 * Creates a resource-based permission on the given client's resource server.
 *
 * @param name         name of the new permission
 * @param resourceName name of the protected resource
 * @param policies     names of the policies attached to the permission
 * @param client       admin handle of the client acting as resource server
 * @throws IOException declared by the signature; nothing in this body throws it
 */
private void createResourcePermission(String name, String resourceName, List<String> policies, ClientResource client) throws IOException {
    // Same contents as policies.toArray(new String[policies.size()]).
    String[] policyNames = policies.toArray(new String[0]);
    ResourcePermissionRepresentation rep = new ResourcePermissionRepresentation();
    rep.setName(name);
    rep.addPolicy(policyNames);
    rep.addResource(resourceName);
    // create(...) returns a JAX-RS Response; close it so the connection is released.
    client.authorization().permissions().resource().create(rep).close();
}
Use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak (class DeployedScriptPolicyTest, method testCreatePermission).
// Checks how a resource permission combines a granting and a denying deployed script
// policy: with the permission's decision strategy left unset, one denying policy is
// enough to deny; with AFFIRMATIVE, one granting policy is enough to permit.
@Test
public void testCreatePermission() {
AuthorizationResource authorization = getAuthorizationResource();
// Two deployed script policies, referenced below only by name. The script files
// themselves are deployed outside this test.
PolicyRepresentation grantPolicy = new PolicyRepresentation();
grantPolicy.setName("Grant Policy");
grantPolicy.setType("script-policy-grant.js");
authorization.policies().create(grantPolicy).close();
PolicyRepresentation denyPolicy = new PolicyRepresentation();
denyPolicy.setName("Deny Policy");
denyPolicy.setType("script-policy-deny.js");
authorization.policies().create(denyPolicy).close();
PermissionsResource permissions = authorization.permissions();
// Permission on "Default Resource" backed by the grant policy only.
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName("Test Deployed JS Permission");
permission.addResource("Default Resource");
permission.addPolicy(grantPolicy.getName());
permissions.resource().create(permission).close();
// Evaluate as user "marta" against "Default Resource"; the same request is reused
// after every change to the permission below.
PolicyEvaluationRequest request = new PolicyEvaluationRequest();
request.setUserId("marta");
request.addResource("Default Resource");
PolicyEvaluationResponse response = authorization.policies().evaluate(request);
assertEquals(DecisionEffect.PERMIT, response.getStatus());
// Re-read the stored permission so the representation carries the server-side id
// that findById(...) needs for the updates that follow.
permission = permissions.resource().findByName(permission.getName());
// Grant + deny with no explicit decision strategy: the deny wins.
permission.addPolicy(denyPolicy.getName());
permissions.resource().findById(permission.getId()).update(permission);
response = authorization.policies().evaluate(request);
assertEquals(DecisionEffect.DENY, response.getStatus());
// Adds the grant policy name again; it was already attached at creation time, so
// presumably this is a no-op on the policy set. The outcome is unchanged: still DENY.
permission.addPolicy(grantPolicy.getName());
permissions.resource().findById(permission.getId()).update(permission);
response = authorization.policies().evaluate(request);
assertEquals(DecisionEffect.DENY, response.getStatus());
// Under AFFIRMATIVE the single granting policy is enough to permit, even though the
// deny policy is still attached.
permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
permissions.resource().findById(permission.getId()).update(permission);
response = authorization.policies().evaluate(request);
assertEquals(DecisionEffect.PERMIT, response.getStatus());
}
Use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak (class PermissionsTest, method clientAuthorization).
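/**
 * Exercises the admin permission checks around a client's authorization
 * (resource server) API.
 *
 * A fresh client {@code foo-authz} is created, switched into a resource server
 * (service accounts and authorization services enabled), and then each
 * authorization sub-API (settings, resources, scopes, policies, permissions) is
 * called through {@link #invoke}. The constant passed to invoke() names the admin
 * role under test; the trailing boolean appears to mark mutating calls (true)
 * versus read-only calls (false) - confirm against invoke(), which is outside this
 * listing. Targets named "nosuch" are deliberately non-existent: what matters is
 * the permission check on the endpoint, not the outcome of the operation.
 *
 * Fix over the previous version: the Response returned by clients().create(...)
 * is now closed, like every other create(...) call in this test.
 */
@Test
public void clientAuthorization() {
    // Skipped (assumption) when the authorization feature is disabled in this profile.
    ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
    ClientRepresentation newClient = new ClientRepresentation();
    newClient.setClientId("foo-authz");
    // create(...) returns a JAX-RS Response; close it so the connection is released.
    adminClient.realms().realm(REALM_NAME).clients().create(newClient).close();
    ClientRepresentation foo = adminClient.realms().realm(REALM_NAME).clients().findByClientId("foo-authz").get(0);
    // Turning the client into a resource server is a client update, checked under CLIENT.
    invoke(new InvocationWithResponse() {
        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            foo.setServiceAccountsEnabled(true);
            foo.setAuthorizationServicesEnabled(true);
            realm.clients().get(foo.getId()).update(foo);
        }
    }, CLIENT, true);
    // Read the resource server settings.
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).getSettings();
        }
    }, AUTHORIZATION, false);
    // Write the settings back unchanged.
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = authorizationOf(realm, foo);
            ResourceServerRepresentation settings = authorization.getSettings();
            authorization.update(settings);
        }
    }, AUTHORIZATION, true);
    // List resources, scopes and policies.
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).resources().resources();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).scopes().scopes();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).policies().policies();
        }
    }, AUTHORIZATION, false);
    // Create a resource, a scope and a resource permission; the Response is handed
    // back to invoke() through the AtomicReference rather than closed here.
    invoke(new InvocationWithResponse() {
        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            response.set(authorizationOf(realm, foo).resources().create(new ResourceRepresentation("Test", Collections.emptySet())));
        }
    }, AUTHORIZATION, true);
    invoke(new InvocationWithResponse() {
        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            response.set(authorizationOf(realm, foo).scopes().create(new ScopeRepresentation("Test")));
        }
    }, AUTHORIZATION, true);
    invoke(new InvocationWithResponse() {
        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
            representation.setName("Test PermissionsTest");
            representation.addResource("Default Resource");
            response.set(authorizationOf(realm, foo).permissions().resource().create(representation));
        }
    }, AUTHORIZATION, true);
    // Update and delete on non-existent ("nosuch") targets: only the endpoint's
    // permission check is of interest here.
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).resources().resource("nosuch").update(new ResourceRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).scopes().scope("nosuch").update(new ScopeRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).policies().policy("nosuch").update(new PolicyRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).resources().resource("nosuch").remove();
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).scopes().scope("nosuch").remove();
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).policies().policy("nosuch").remove();
        }
    }, AUTHORIZATION, true);
}

// Resolves the authorization sub-resource of {@code client} through the realm handle
// that invoke() supplies, so every call above goes through the same path.
private AuthorizationResource authorizationOf(RealmResource realm, ClientRepresentation client) {
    return realm.clients().get(client.getId()).authorization();
}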
Use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak (class EntitlementAPITest, method testProcessMappersForTargetAudience).
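/**
 * Verifies that the token returned by the authorization endpoint is built with the
 * protocol mappers of the resource server (the target audience), not those of the
 * public client that obtained the original access token, while {@code azp}
 * ({@code getIssuedFor()}) still names the public client.
 *
 * Both clients get a hardcoded-claim mapper that writes {@code custom_claim} into the
 * access token; each mapper's value is the owning client's id, so the claim value
 * tells us whose mappers ran.
 *
 * Changes over the previous version: each client now gets its own mapper
 * representation and config map (the old code reused one map for both clients and
 * mutated it after the first mapper had already been created), and the Response
 * returned by createMapper(...) is closed.
 */
@Test
public void testProcessMappersForTargetAudience() throws Exception {
    ClientResource publicClient = getClient(getRealm(), PUBLIC_TEST_CLIENT);
    publicClient.getProtocolMappers().createMapper(hardcodedClaimMapper(PUBLIC_TEST_CLIENT)).close();
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    client.getProtocolMappers().createMapper(hardcodedClaimMapper(RESOURCE_SERVER_TEST)).close();
    AuthorizationResource authorization = client.authorization();
    // A JS policy that grants unconditionally, so the outcome depends only on the
    // mapper handling and not on any authorization decision.
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName(KeycloakModelUtils.generateId());
    policy.setCode("$evaluation.grant();");
    authorization.policies().js().create(policy).close();
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Sensors");
    try (Response response = authorization.resources().create(resource)) {
        resource = response.readEntity(ResourceRepresentation.class);
    }
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("View Sensor");
    permission.addResource(resource.getName());
    permission.addPolicy(policy.getName());
    authorization.permissions().resource().create(permission).close();
    // Log in as marta through the public client and exchange the code for tokens;
    // the client secret is null because the client is public.
    oauth.realm("authz-test");
    oauth.clientId(PUBLIC_TEST_CLIENT);
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    AccessToken token = toAccessToken(response.getAccessToken());
    // The plain access token carries the public client's own mapper output.
    assertEquals(PUBLIC_TEST_CLIENT, token.getOtherClaims().get("custom_claim"));
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission("Sensors");
    // Ask twice with the same bearer token (the original test repeated the request
    // verbatim, presumably to cover a second evaluation for the same token): the
    // returned token must carry the resource server's mapper output both times,
    // while azp still names the public client.
    for (int attempt = 0; attempt < 2; attempt++) {
        AuthorizationResponse authorizationResponse = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(response.getAccessToken()).authorize(request);
        token = toAccessToken(authorizationResponse.getToken());
        assertEquals(RESOURCE_SERVER_TEST, token.getOtherClaims().get("custom_claim"));
        assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
    }
}

// Builds a hardcoded-claim protocol mapper named "custom_claim" that writes
// {@code claimValue} into the access token under the claim name "custom_claim".
private ProtocolMapperRepresentation hardcodedClaimMapper(String claimValue) {
    ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
    mapper.setName("custom_claim");
    mapper.setProtocolMapper(HardcodedClaim.PROVIDER_ID);
    mapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Map<String, String> config = new HashMap<>();
    config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom_claim");
    config.put(HardcodedClaim.CLAIM_VALUE, claimValue);
    config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true");
    mapper.setConfig(config);
    return mapper;
}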