use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.
Class ResourcePermissionManagementTest, method testDelete.
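/**
 * Creates a resource permission, removes it through its own sub-resource and verifies
 * that a subsequent lookup by id fails with {@link NotFoundException}.
 */
@Test
public void testDelete() {
    AuthorizationResource authorization = getClient().authorization();
    ResourcePermissionsResource permissions = authorization.permissions().resource();

    ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
    representation.setName("Test Delete Permission");
    representation.setResourceType("test-resource");
    representation.addPolicy("Only Marta Policy");

    try (Response response = permissions.create(representation)) {
        // Check the status first: a failed create would otherwise surface as an
        // unmarshalling error from readEntity() instead of a clear status mismatch.
        assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
        ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);

        permissions.findById(created.getId()).remove();

        ResourcePermissionResource removed = permissions.findById(created.getId());
        try {
            removed.toRepresentation();
            fail("Permission not removed");
        } catch (NotFoundException expected) {
            // the permission is gone, which is the outcome under test
        }
    }
}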
Class ResourcePermissionManagementTest, method failCreateWithSameName.
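/**
 * Creating a second permission that reuses the name of an existing one must be rejected
 * with {@code 409 Conflict}.
 */
@Test
public void failCreateWithSameName() {
    AuthorizationResource authorization = getClient().authorization();
    ResourcePermissionsResource permissions = authorization.permissions().resource();

    ResourcePermissionRepresentation permission1 = new ResourcePermissionRepresentation();
    permission1.setName("Conflicting Name Permission");
    permission1.setResourceType("test-resource");
    permission1.addPolicy("Only Marta Policy");

    // The conflict asserted below is only meaningful if the first permission was really
    // created; a failed first create would leave the test passing for the wrong reason.
    try (Response response = permissions.create(permission1)) {
        assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
    }

    // Only the name is duplicated on purpose: the server has to reject on the name alone.
    ResourcePermissionRepresentation permission2 = new ResourcePermissionRepresentation();
    permission2.setName(permission1.getName());

    try (Response response = permissions.create(permission2)) {
        assertEquals(Response.Status.CONFLICT.getStatusCode(), response.getStatus());
    }
}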
Class ResourcePermissionManagementTest, method assertCreated.
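/**
 * Creates {@code representation} through {@code authorization}, reloads the stored permission
 * by the returned id and compares it against the original with {@code assertRepresentation}.
 *
 * @param authorization  admin client handle for the authorization settings under test
 * @param representation permission to create and verify
 */
private void assertCreated(AuthorizationResource authorization, ResourcePermissionRepresentation representation) {
    ResourcePermissionsResource permissions = authorization.permissions().resource();
    try (Response response = permissions.create(representation)) {
        // Fail on the status rather than on a confusing readEntity() error when creation failed.
        assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
        ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
        ResourcePermissionResource permission = permissions.findById(created.getId());
        assertRepresentation(representation, permission);
    }
}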
Class UserManagedAccessTest, method testScopePermissionsToScopeOnly.
/**
 * Exercises the UMA flow for a resource owned by "marta" and guarded by "Only Owner Policy":
 * the owner obtains exactly the scopes she asked for, "kolo" is denied until the resulting
 * permission ticket is granted, and granted tickets can be removed afterwards.
 */
@Test
public void testScopePermissionsToScopeOnly() throws Exception {
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");

    ResourcePermissionRepresentation ownerOnly = new ResourcePermissionRepresentation();
    ownerOnly.setName(resource.getName() + " Permission");
    ownerOnly.addResource(resource.getId());
    ownerOnly.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(ownerOnly).close();

    // The owner asks for both scopes by resource name and gets both back.
    AuthorizationResponse ownerResponse = authorize("marta", "password", "Resource A", new String[] { "ScopeA", "ScopeB" });
    Collection<Permission> ownerPermissions = grantedPermissionsOf(ownerResponse);
    // assertPermissions presumably consumes the matched entries, hence the emptiness check afterwards
    assertPermissions(ownerPermissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(ownerPermissions.isEmpty());

    // A different user is denied by "Only Owner Policy"; the attempt leaves a ticket behind.
    try {
        authorize("kolo", "password", resource.getId(), new String[] { "ScopeA" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denial is the outcome under test
    }

    PermissionResource tickets = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> pending = tickets.findByResource(resource.getId());
    assertFalse(pending.isEmpty());
    assertEquals(1, pending.size());

    // Granting the ticket unlocks ScopeA for kolo.
    PermissionTicketRepresentation firstTicket = pending.get(0);
    assertFalse(firstTicket.isGranted());
    firstTicket.setGranted(true);
    tickets.update(firstTicket);

    AuthorizationResponse koloResponse = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
    Collection<Permission> koloPermissions = grantedPermissionsOf(koloResponse);
    assertPermissions(koloPermissions, resource.getName(), "ScopeA");
    assertTrue(koloPermissions.isEmpty());

    List<PermissionTicketRepresentation> afterSecondRequest = tickets.findByResource(resource.getId());
    assertFalse(afterSecondRequest.isEmpty());
    // must have two permission tickets, one persisted during the first authorize call for ScopeA and another for the second call to authorize for ScopeB
    assertEquals(2, afterSecondRequest.size());

    // Walk a snapshot while deleting the granted ticket(s) on the server.
    for (PermissionTicketRepresentation ticket : new ArrayList<>(afterSecondRequest)) {
        if (!ticket.isGranted()) {
            continue;
        }
        tickets.delete(ticket.getId());
    }

    assertEquals(1, tickets.findByResource(resource.getId()).size());
}

/**
 * Unwraps the RPT carried by {@code response} and returns the permissions in its
 * authorization claim, asserting along the way that the token, the claim and the
 * permission collection are present and that no token upgrade took place.
 *
 * @param response outcome of an {@code authorize} call that is expected to succeed
 * @return the permissions granted in the RPT (never {@code null})
 */
private Collection<Permission> grantedPermissionsOf(AuthorizationResponse response) {
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());

    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);

    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    return permissions;
}
Class UserManagedAccessTest, method testUserGrantedAccessConsideredWhenRequestingAuthorizationByResourceName.
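/**
 * Once the owner ("marta") grants kolo's permission tickets, kolo can obtain a permission for
 * "Resource A" by name alone. Renaming the resource must invalidate requests that still use
 * the old name, while requests using the new name keep working.
 */
@Test
public void testUserGrantedAccessConsideredWhenRequestingAuthorizationByResourceName() throws Exception {
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();

    // kolo is not the owner: the request must be denied and only leave tickets behind.
    try {
        authorize("kolo", "password", resource.getId(), new String[] {});
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expected) {
        // denied by "Only Owner Policy", which is the outcome under test
    }

    PermissionResource permissionResource = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    // presumably one ticket per scope of the resource (ScopeA, ScopeB)
    assertEquals(2, permissionTickets.size());

    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertFalse(ticket.isGranted());
        ticket.setGranted(true);
        permissionResource.update(ticket);
    }

    permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(2, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }

    AuthorizationRequest request = new AuthorizationRequest();
    // No resource id used in request, only name
    request.addPermission("Resource A", "ScopeA", "ScopeB");
    List<Permission> permissions = authorize("kolo", "password", request);
    assertEquals(1, permissions.size());
    Permission koloPermission = permissions.get(0);
    assertEquals("Resource A", koloPermission.getResourceName());
    assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("ScopeA", "ScopeB")));

    ResourceRepresentation resourceRep = getAuthzClient().protection().resource().findById(resource.getId());
    resourceRep.setName("Resource A Changed");
    getAuthzClient().protection().resource().update(resourceRep);

    request = new AuthorizationRequest();
    // Try to use the old name
    request.addPermission("Resource A", "ScopeA", "ScopeB");
    try {
        authorize("kolo", "password", request);
        fail("Authorization by the old resource name should be rejected");
    } catch (RuntimeException ade) {
        // Guard the cause explicitly: a missing cause would otherwise surface as a
        // NullPointerException and hide which expectation actually failed.
        assertNotNull("expected a cause carrying the server error", ade.getCause());
        assertTrue(ade.getCause().toString().contains("invalid_resource"));
    }

    // The new name is honoured for the same granted tickets.
    request = new AuthorizationRequest();
    request.addPermission(resourceRep.getName(), "ScopeA", "ScopeB");
    permissions = authorize("kolo", "password", request);
    assertEquals(1, permissions.size());
    koloPermission = permissions.get(0);
    assertEquals(resourceRep.getName(), koloPermission.getResourceName());
    assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("ScopeA", "ScopeB")));
}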