Search in sources :

Example 36 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

the class ResourcePermissionManagementTest method testDelete.

@Test
public void testDelete() {
    AuthorizationResource authorization = getClient().authorization();
    ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
    representation.setName("Test Delete Permission");
    representation.setResourceType("test-resource");
    representation.addPolicy("Only Marta Policy");
    ResourcePermissionsResource permissions = authorization.permissions().resource();
    try (Response response = permissions.create(representation)) {
        ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
        permissions.findById(created.getId()).remove();
        ResourcePermissionResource removed = permissions.findById(created.getId());
        try {
            removed.toRepresentation();
            fail("Permission not removed");
        } catch (NotFoundException ignore) {
        }
    }
}
Also used : Response(javax.ws.rs.core.Response) ResourcePermissionResource(org.keycloak.admin.client.resource.ResourcePermissionResource) NotFoundException(javax.ws.rs.NotFoundException) ResourcePermissionsResource(org.keycloak.admin.client.resource.ResourcePermissionsResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) Test(org.junit.Test)

Example 37 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

the class ResourcePermissionManagementTest method failCreateWithSameName.

@Test
public void failCreateWithSameName() {
    AuthorizationResource authorization = getClient().authorization();
    ResourcePermissionRepresentation permission1 = new ResourcePermissionRepresentation();
    permission1.setName("Conflicting Name Permission");
    permission1.setResourceType("test-resource");
    permission1.addPolicy("Only Marta Policy");
    ResourcePermissionsResource permissions = authorization.permissions().resource();
    permissions.create(permission1).close();
    ResourcePermissionRepresentation permission2 = new ResourcePermissionRepresentation();
    permission2.setName(permission1.getName());
    try (Response response = permissions.create(permission2)) {
        assertEquals(Response.Status.CONFLICT.getStatusCode(), response.getStatus());
    }
}
Also used : Response(javax.ws.rs.core.Response) ResourcePermissionsResource(org.keycloak.admin.client.resource.ResourcePermissionsResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) Test(org.junit.Test)

Example 38 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

the class ResourcePermissionManagementTest method assertCreated.

private void assertCreated(AuthorizationResource authorization, ResourcePermissionRepresentation representation) {
    ResourcePermissionsResource permissions = authorization.permissions().resource();
    try (Response response = permissions.create(representation)) {
        ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
        ResourcePermissionResource permission = permissions.findById(created.getId());
        assertRepresentation(representation, permission);
    }
}
Also used : Response(javax.ws.rs.core.Response) ResourcePermissionResource(org.keycloak.admin.client.resource.ResourcePermissionResource) ResourcePermissionsResource(org.keycloak.admin.client.resource.ResourcePermissionsResource) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)

Example 39 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

the class UserManagedAccessTest method testScopePermissionsToScopeOnly.

@Test
public void testScopePermissionsToScopeOnly() throws Exception {
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();
    AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException ade) {
    }
    PermissionResource permissionResource = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(1, permissionTickets.size());
    PermissionTicketRepresentation ticket = permissionTickets.get(0);
    assertFalse(ticket.isGranted());
    ticket.setGranted(true);
    permissionResource.update(ticket);
    response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
    rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA");
    assertTrue(permissions.isEmpty());
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    // must have two permission tickets, one persisted during the first authorize call for ScopeA and another for the second call to authorize for ScopeB
    assertEquals(2, permissionTickets.size());
    for (PermissionTicketRepresentation representation : new ArrayList<>(permissionTickets)) {
        if (representation.isGranted()) {
            permissionResource.delete(representation.getId());
        }
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(1, permissionTickets.size());
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) PermissionTicketRepresentation(org.keycloak.representations.idm.authorization.PermissionTicketRepresentation) ArrayList(java.util.ArrayList) PermissionResource(org.keycloak.authorization.client.resource.PermissionResource) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 40 with ResourcePermissionRepresentation

use of org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation in project keycloak by keycloak.

the class UserManagedAccessTest method testUserGrantedAccessConsideredWhenRequestingAuthorizationByResourceName.

@Test
public void testUserGrantedAccessConsideredWhenRequestingAuthorizationByResourceName() throws Exception {
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();
    try {
        AuthorizationResponse response = authorize("kolo", "password", resource.getId(), new String[] {});
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException ade) {
    }
    PermissionResource permissionResource = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(2, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertFalse(ticket.isGranted());
        ticket.setGranted(true);
        permissionResource.update(ticket);
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(2, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }
    AuthorizationRequest request = new AuthorizationRequest();
    // No resource id used in request, only name
    request.addPermission("Resource A", "ScopeA", "ScopeB");
    List<Permission> permissions = authorize("kolo", "password", request);
    assertEquals(1, permissions.size());
    Permission koloPermission = permissions.get(0);
    assertEquals("Resource A", koloPermission.getResourceName());
    assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("ScopeA", "ScopeB")));
    ResourceRepresentation resourceRep = getAuthzClient().protection().resource().findById(resource.getId());
    resourceRep.setName("Resource A Changed");
    getAuthzClient().protection().resource().update(resourceRep);
    request = new AuthorizationRequest();
    // Try to use the old name
    request.addPermission("Resource A", "ScopeA", "ScopeB");
    try {
        authorize("kolo", "password", request);
        fail("User should not have access to resource from another user");
    } catch (RuntimeException ade) {
        assertTrue(ade.getCause().toString().contains("invalid_resource"));
    }
    request = new AuthorizationRequest();
    request.addPermission(resourceRep.getName(), "ScopeA", "ScopeB");
    permissions = authorize("kolo", "password", request);
    assertEquals(1, permissions.size());
    koloPermission = permissions.get(0);
    assertEquals(resourceRep.getName(), koloPermission.getResourceName());
    assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("ScopeA", "ScopeB")));
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) PermissionTicketRepresentation(org.keycloak.representations.idm.authorization.PermissionTicketRepresentation) Permission(org.keycloak.representations.idm.authorization.Permission) PermissionResource(org.keycloak.authorization.client.resource.PermissionResource) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Aggregations

ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)65 Test (org.junit.Test)46 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)32 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)28 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)28 ClientResource (org.keycloak.admin.client.resource.ClientResource)25 Response (javax.ws.rs.core.Response)20 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)19 Permission (org.keycloak.representations.idm.authorization.Permission)19 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)18 AuthzClient (org.keycloak.authorization.client.AuthzClient)16 OAuthClient (org.keycloak.testsuite.util.OAuthClient)16 AccessToken (org.keycloak.representations.AccessToken)14 TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse)12 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)12 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)12 AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException)11 HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)9 PermissionTicketRepresentation (org.keycloak.representations.idm.authorization.PermissionTicketRepresentation)7 ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)7