use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class UserManagedPermissionServiceTest method testPermissionWithoutScopes.
@Test
public void testPermissionWithoutScopes() {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(UUID.randomUUID().toString());
resource.setOwner("marta");
resource.setOwnerManagedAccess(true);
resource.addScope("Scope A", "Scope B", "Scope C");
ProtectionResource protection = getAuthzClient().protection();
resource = protection.resource().create(resource);
UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
permission.setName("Custom User-Managed Policy");
permission.addRole("role_a");
PolicyResource policy = getAuthzClient().protection("marta", "password").policy(resource.getId());
permission = policy.create(permission);
assertEquals(3, permission.getScopes().size());
assertTrue(Arrays.asList("Scope A", "Scope B", "Scope C").containsAll(permission.getScopes()));
permission = policy.findById(permission.getId());
assertTrue(Arrays.asList("Scope A", "Scope B", "Scope C").containsAll(permission.getScopes()));
assertEquals(3, permission.getScopes().size());
permission.removeScope("Scope B");
policy.update(permission);
permission = policy.findById(permission.getId());
assertEquals(2, permission.getScopes().size());
assertTrue(Arrays.asList("Scope A", "Scope C").containsAll(permission.getScopes()));
}
use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class UserManagedPermissionServiceTest method testDoNotGrantPermissionWhenObtainAllEntitlements.
@Test
public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);
resource.setOwner("marta");
resource.addScope("Scope A", "Scope B", "Scope C");
resource = getAuthzClient().protection().resource().create(resource);
UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
permission.setName("Custom User-Managed Permission");
permission.addScope("Scope A", "Scope B");
permission.addUser("kolo");
ProtectionResource protection = getAuthzClient().protection("marta", "password");
protection.policy(resource.getId()).create(permission);
AuthorizationResource authorization = getAuthzClient().authorization("kolo", "password");
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resource.getId(), "Scope A", "Scope B");
AuthorizationResponse authzResponse = authorization.authorize(request);
assertNotNull(authzResponse);
AccessToken token = toAccessToken(authzResponse.getToken());
assertNotNull(token.getAuthorization());
Collection<Permission> permissions = token.getAuthorization().getPermissions();
assertEquals(1, permissions.size());
assertTrue(permissions.iterator().next().getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));
try {
// policy engine does not evaluate custom policies when obtaining all entitlements
getAuthzClient().authorization("kolo", "password").authorize();
fail("User should not have permission");
} catch (Exception e) {
assertTrue(AuthorizationDeniedException.class.isInstance(e));
}
}
use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class UserManagedPermissionServiceTest method testFindPermission.
@Test
public void testFindPermission() {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(UUID.randomUUID().toString());
resource.setOwner("marta");
resource.setOwnerManagedAccess(true);
resource.addScope("Scope A", "Scope B", "Scope C");
ProtectionResource protection = getAuthzClient().protection();
resource = protection.resource().create(resource);
PolicyResource policy = getAuthzClient().protection("marta", "password").policy(resource.getId());
for (int i = 0; i < 10; i++) {
UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
permission.setName("Custom User-Managed Policy " + i);
permission.addRole("role_a");
policy.create(permission);
}
assertEquals(10, policy.find(null, null, null, null).size());
List<UmaPermissionRepresentation> byId = policy.find("Custom User-Managed Policy 8", null, null, null);
assertEquals(1, byId.size());
assertEquals(byId.get(0).getId(), policy.findById(byId.get(0).getId()).getId());
assertEquals(10, policy.find(null, "Scope A", null, null).size());
assertEquals(5, policy.find(null, null, -1, 5).size());
assertEquals(2, policy.find(null, null, -1, 2).size());
}
use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class UserManagedPermissionServiceTest method testUpdate.
private void testUpdate() {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);
resource.setOwner("marta");
resource.addScope("Scope A", "Scope B", "Scope C");
resource = getAuthzClient().protection().resource().create(resource);
UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
permission.setName("Custom User-Managed Permission");
permission.setDescription("Users from specific roles are allowed to access");
permission.addScope("Scope A");
permission.addRole("role_a");
ProtectionResource protection = getAuthzClient().protection("marta", "password");
permission = protection.policy(resource.getId()).create(permission);
assertEquals(1, getAssociatedPolicies(permission).size());
permission.setName("Changed");
permission.setDescription("Changed");
protection.policy(resource.getId()).update(permission);
UmaPermissionRepresentation updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(permission.getName(), updated.getName());
assertEquals(permission.getDescription(), updated.getDescription());
permission.removeRole("role_a");
permission.addRole("role_b", "role_c");
protection.policy(resource.getId()).update(permission);
assertEquals(1, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertTrue(permission.getRoles().containsAll(updated.getRoles()));
permission.addRole("role_d");
protection.policy(resource.getId()).update(permission);
assertEquals(1, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertTrue(permission.getRoles().containsAll(updated.getRoles()));
permission.addGroup("/group_a/group_b");
protection.policy(resource.getId()).update(permission);
assertEquals(2, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertTrue(permission.getGroups().containsAll(updated.getGroups()));
permission.addGroup("/group_a");
protection.policy(resource.getId()).update(permission);
assertEquals(2, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertTrue(permission.getGroups().containsAll(updated.getGroups()));
permission.removeGroup("/group_a/group_b");
permission.addGroup("/group_c");
protection.policy(resource.getId()).update(permission);
assertEquals(2, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertTrue(permission.getGroups().containsAll(updated.getGroups()));
permission.addClient("client-a");
protection.policy(resource.getId()).update(permission);
assertEquals(3, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertTrue(permission.getClients().containsAll(updated.getClients()));
permission.addClient("resource-server-test");
protection.policy(resource.getId()).update(permission);
assertEquals(3, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertTrue(permission.getClients().containsAll(updated.getClients()));
permission.removeClient("client-a");
protection.policy(resource.getId()).update(permission);
assertEquals(3, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertTrue(permission.getClients().containsAll(updated.getClients()));
if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
permission.setCondition("$evaluation.grant()");
protection.policy(resource.getId()).update(permission);
assertEquals(4, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(permission.getCondition(), updated.getCondition());
}
permission.addUser("alice");
protection.policy(resource.getId()).update(permission);
int expectedPolicies = Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS) ? 5 : 4;
assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(1, updated.getUsers().size());
assertEquals(permission.getUsers(), updated.getUsers());
permission.addUser("kolo");
protection.policy(resource.getId()).update(permission);
assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(2, updated.getUsers().size());
assertEquals(permission.getUsers(), updated.getUsers());
permission.removeUser("alice");
protection.policy(resource.getId()).update(permission);
assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(1, updated.getUsers().size());
assertEquals(permission.getUsers(), updated.getUsers());
permission.setUsers(null);
protection.policy(resource.getId()).update(permission);
assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(permission.getUsers(), updated.getUsers());
if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
permission.setCondition(null);
protection.policy(resource.getId()).update(permission);
assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(permission.getCondition(), updated.getCondition());
}
;
permission.setRoles(null);
protection.policy(resource.getId()).update(permission);
assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(permission.getRoles(), updated.getRoles());
permission.setClients(null);
protection.policy(resource.getId()).update(permission);
assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
updated = protection.policy(resource.getId()).findById(permission.getId());
assertEquals(permission.getClients(), updated.getClients());
permission.setGroups(null);
try {
protection.policy(resource.getId()).update(permission);
assertEquals(1, getAssociatedPolicies(permission).size());
fail("Permission must be removed because the last associated policy was removed");
} catch (NotFoundException ignore) {
} catch (Exception e) {
fail("Expected not found");
}
}
use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class UserManagedPermissionServiceTest method testRemovePoliciesOnResourceDelete.
@Test
public void testRemovePoliciesOnResourceDelete() {
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);
resource.setOwner("marta");
resource.addScope("Scope A", "Scope B", "Scope C");
resource = getAuthzClient().protection().resource().create(resource);
UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
newPermission.setName("Custom User-Managed Permission");
newPermission.setDescription("Users from specific roles are allowed to access");
newPermission.addScope("Scope A", "Scope B", "Scope C");
newPermission.addRole("role_a", "role_b", "role_c", "role_d");
newPermission.addGroup("/group_a", "/group_a/group_b", "/group_c");
newPermission.addClient("client-a", "resource-server-test");
if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
newPermission.setCondition("$evaluation.grant()");
}
newPermission.addUser("kolo");
ProtectionResource protection = getAuthzClient().protection("marta", "password");
protection.policy(resource.getId()).create(newPermission);
getTestingClient().server().run((RunOnServer) UserManagedPermissionServiceTest::testRemovePoliciesOnResourceDelete);
}
Aggregations