
Example 46 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

Class GroupNamePolicyTest, method createResourcePermission.

/**
 * Registers a resource-based permission on the test client's resource server.
 *
 * @param name     name of the new permission
 * @param resource resource the permission applies to (passed as-is to {@code addResource})
 * @param policies names of the policies that decide this permission
 */
private void createResourcePermission(String name, String resource, String... policies) {
    ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
    representation.setName(name);
    representation.addResource(resource);
    representation.addPolicy(policies);
    // Close the admin REST response straight away; only the created permission is needed.
    getClient().authorization().permissions().resource().create(representation).close();
}

Example 47 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

Class ConflictingScopePermissionTest, method createResourcePermission.

/**
 * Registers a resource-based permission on the given client's resource server.
 *
 * @param name         name of the new permission
 * @param resourceName name of the resource the permission applies to
 * @param policies     names of the policies that decide this permission
 * @param client       admin-client handle of the resource server
 * @throws IOException declared for callers; nothing in this body throws it
 */
private void createResourcePermission(String name, String resourceName, List<String> policies, ClientResource client) throws IOException {
    // addPolicy takes varargs, so the list is flattened into an array first.
    String[] policyNames = policies.toArray(new String[0]);
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(name);
    permission.addResource(resourceName);
    permission.addPolicy(policyNames);
    // Close the admin REST response straight away; only the created permission is needed.
    client.authorization().permissions().resource().create(permission).close();
}

Example 48 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

Class DeployedScriptPolicyTest, method testCreatePermission.

/**
 * Verifies how deployed script policies combine on a resource permission: a lone granting
 * policy permits, adding a denying policy under the strategy the permission was created with
 * denies, and switching to {@link DecisionStrategy#AFFIRMATIVE} lets the grant win again.
 */
@Test
public void testCreatePermission() {
    AuthorizationResource authorization = getAuthorizationResource();
    PolicyRepresentation grantPolicy = createDeployedScriptPolicy(authorization, "Grant Policy", "script-policy-grant.js");
    PolicyRepresentation denyPolicy = createDeployedScriptPolicy(authorization, "Deny Policy", "script-policy-deny.js");

    PermissionsResource permissions = authorization.permissions();
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("Test Deployed JS Permission");
    permission.addResource("Default Resource");
    permission.addPolicy(grantPolicy.getName());
    permissions.resource().create(permission).close();

    PolicyEvaluationRequest request = new PolicyEvaluationRequest();
    request.setUserId("marta");
    request.addResource("Default Resource");
    // Only the granting policy is attached at this point.
    assertEquals(DecisionEffect.PERMIT, evaluateDecision(authorization, request));

    // Re-read the stored permission (the id used below comes from the server) and attach the deny policy.
    permission = permissions.resource().findByName(permission.getName());
    permission.addPolicy(denyPolicy.getName());
    permissions.resource().findById(permission.getId()).update(permission);
    assertEquals(DecisionEffect.DENY, evaluateDecision(authorization, request));

    // Adding the granting policy again does not change the outcome under the current strategy.
    permission.addPolicy(grantPolicy.getName());
    permissions.resource().findById(permission.getId()).update(permission);
    assertEquals(DecisionEffect.DENY, evaluateDecision(authorization, request));

    // Under AFFIRMATIVE a single granting policy is enough.
    permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    permissions.resource().findById(permission.getId()).update(permission);
    assertEquals(DecisionEffect.PERMIT, evaluateDecision(authorization, request));
}

/** Creates a policy of the given deployed-script type on the resource server and returns its representation. */
private static PolicyRepresentation createDeployedScriptPolicy(AuthorizationResource authorization, String name, String type) {
    PolicyRepresentation policy = new PolicyRepresentation();
    policy.setName(name);
    policy.setType(type);
    authorization.policies().create(policy).close();
    return policy;
}

/** Evaluates the request against the resource server and returns only the resulting decision. */
private static DecisionEffect evaluateDecision(AuthorizationResource authorization, PolicyEvaluationRequest request) {
    PolicyEvaluationResponse response = authorization.policies().evaluate(request);
    return response.getStatus();
}

Example 49 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

Class PermissionsTest, method clientAuthorization.

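/**
 * Exercises the authorization-services admin endpoints of a freshly created client
 * ("foo-authz") through {@code invoke(...)}: enabling the feature with the {@code CLIENT}
 * permission, then reading, creating, updating and removing settings, resources, scopes,
 * policies and permissions with the {@code AUTHORIZATION} permission. The trailing boolean is
 * passed through to {@code invoke}; from this method alone it appears to state whether the call
 * is expected to succeed for the caller under test — confirm against {@code invoke}'s definition.
 */
@Test
public void clientAuthorization() {
    ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
    ClientRepresentation newClient = new ClientRepresentation();
    newClient.setClientId("foo-authz");
    // Close the creation response; only the side effect is needed, and the created client is
    // looked up again by its client id right below.
    adminClient.realms().realm(REALM_NAME).clients().create(newClient).close();
    ClientRepresentation foo = adminClient.realms().realm(REALM_NAME).clients().findByClientId("foo-authz").get(0);

    // Turning on service accounts and authorization services is a client-level update.
    invoke(new InvocationWithResponse() {
        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            foo.setServiceAccountsEnabled(true);
            foo.setAuthorizationServicesEnabled(true);
            realm.clients().get(foo.getId()).update(foo);
        }
    }, CLIENT, true);

    // Read-only authorization endpoints.
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).getSettings();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = authorizationOf(realm, foo);
            ResourceServerRepresentation settings = authorization.getSettings();
            authorization.update(settings);
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).resources().resources();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).scopes().scopes();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).policies().policies();
        }
    }, AUTHORIZATION, false);

    // Creating resources, scopes and permissions; the response is handed back to invoke.
    invoke(new InvocationWithResponse() {
        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = authorizationOf(realm, foo);
            response.set(authorization.resources().create(new ResourceRepresentation("Test", Collections.emptySet())));
        }
    }, AUTHORIZATION, true);
    invoke(new InvocationWithResponse() {
        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = authorizationOf(realm, foo);
            response.set(authorization.scopes().create(new ScopeRepresentation("Test")));
        }
    }, AUTHORIZATION, true);
    invoke(new InvocationWithResponse() {
        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = authorizationOf(realm, foo);
            ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
            representation.setName("Test PermissionsTest");
            representation.addResource("Default Resource");
            response.set(authorization.permissions().resource().create(representation));
        }
    }, AUTHORIZATION, true);

    // Update and remove against a non-existent id ("nosuch"); only the permission check is of
    // interest here, not the outcome of the operation itself.
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).resources().resource("nosuch").update(new ResourceRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).scopes().scope("nosuch").update(new ScopeRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).policies().policy("nosuch").update(new PolicyRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).resources().resource("nosuch").remove();
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).scopes().scope("nosuch").remove();
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {
        @Override
        public void invoke(RealmResource realm) {
            authorizationOf(realm, foo).policies().policy("nosuch").remove();
        }
    }, AUTHORIZATION, true);
}

/** Resolves the authorization-services admin resource of {@code client} within {@code realm}. */
private static AuthorizationResource authorizationOf(RealmResource realm, ClientRepresentation client) {
    return realm.clients().get(client.getId()).authorization();
}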

Example 50 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

Class EntitlementAPITest, method testProcessMappersForTargetAudience.

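/**
 * Checks that the protocol mappers of the target resource server are applied when an access
 * token obtained by a public client is exchanged for an RPT: the initial access token carries
 * the public client's hardcoded claim value, the RPT carries the resource server's value, and the
 * RPT's {@code azp} (issuedFor) still names the public client. The exchange is performed twice
 * to confirm the result is stable.
 *
 * @throws Exception propagated from the login and token helpers
 */
@Test
public void testProcessMappersForTargetAudience() throws Exception {
    ClientResource publicClient = getClient(getRealm(), PUBLIC_TEST_CLIENT);
    ProtocolMapperRepresentation customClaimMapper = new ProtocolMapperRepresentation();
    customClaimMapper.setName("custom_claim");
    customClaimMapper.setProtocolMapper(HardcodedClaim.PROVIDER_ID);
    customClaimMapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Map<String, String> config = new HashMap<>();
    config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom_claim");
    config.put(HardcodedClaim.CLAIM_VALUE, PUBLIC_TEST_CLIENT);
    config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true");
    customClaimMapper.setConfig(config);
    // Close the admin responses so the connections are released; only the side effect matters.
    publicClient.getProtocolMappers().createMapper(customClaimMapper).close();

    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    // The representation was given this same map, so changing the hardcoded value here makes the
    // resource server's mapper emit its own client id — that is what tells the two tokens apart.
    config.put(HardcodedClaim.CLAIM_VALUE, RESOURCE_SERVER_TEST);
    client.getProtocolMappers().createMapper(customClaimMapper).close();

    AuthorizationResource authorization = client.authorization();
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName(KeycloakModelUtils.generateId());
    // Always-grant policy: the test is about claims, not about the decision.
    policy.setCode("$evaluation.grant();");
    authorization.policies().js().create(policy).close();
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Sensors");
    try (Response response = authorization.resources().create(resource)) {
        resource = response.readEntity(ResourceRepresentation.class);
    }
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("View Sensor");
    permission.addResource(resource.getName());
    permission.addPolicy(policy.getName());
    authorization.permissions().resource().create(permission).close();

    oauth.realm("authz-test");
    oauth.clientId(PUBLIC_TEST_CLIENT);
    oauth.doLogin("marta", "password");
    // Token request
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    AccessToken token = toAccessToken(response.getAccessToken());
    // The public client's own mapper applies to the plain access token.
    assertEquals(PUBLIC_TEST_CLIENT, token.getOtherClaims().get("custom_claim"));

    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission("Sensors");
    AuthorizationResponse authorizationResponse = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(response.getAccessToken()).authorize(request);
    token = toAccessToken(authorizationResponse.getToken());
    // The RPT is built for the resource server, so its mapper wins, while azp stays the requester.
    assertEquals(RESOURCE_SERVER_TEST, token.getOtherClaims().get("custom_claim"));
    assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
    authorizationResponse = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(response.getAccessToken()).authorize(request);
    token = toAccessToken(authorizationResponse.getToken());
    assertEquals(RESOURCE_SERVER_TEST, token.getOtherClaims().get("custom_claim"));
    assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
}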
