Search in sources :

Example 66 with ResourceRepresentation

use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testPermissionWithoutScopes.

@Test
public void testPermissionWithoutScopes() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(UUID.randomUUID().toString());
    resource.setOwner("marta");
    resource.setOwnerManagedAccess(true);
    resource.addScope("Scope A", "Scope B", "Scope C");
    ProtectionResource protection = getAuthzClient().protection();
    resource = protection.resource().create(resource);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Policy");
    permission.addRole("role_a");
    PolicyResource policy = getAuthzClient().protection("marta", "password").policy(resource.getId());
    permission = policy.create(permission);
    assertEquals(3, permission.getScopes().size());
    assertTrue(Arrays.asList("Scope A", "Scope B", "Scope C").containsAll(permission.getScopes()));
    permission = policy.findById(permission.getId());
    assertTrue(Arrays.asList("Scope A", "Scope B", "Scope C").containsAll(permission.getScopes()));
    assertEquals(3, permission.getScopes().size());
    permission.removeScope("Scope B");
    policy.update(permission);
    permission = policy.findById(permission.getId());
    assertEquals(2, permission.getScopes().size());
    assertTrue(Arrays.asList("Scope A", "Scope C").containsAll(permission.getScopes()));
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) PolicyResource(org.keycloak.authorization.client.resource.PolicyResource) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Example 67 with ResourceRepresentation

use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testDoNotGrantPermissionWhenObtainAllEntitlements.

@Test
public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Permission");
    permission.addScope("Scope A", "Scope B");
    permission.addUser("kolo");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    protection.policy(resource.getId()).create(permission);
    AuthorizationResource authorization = getAuthzClient().authorization("kolo", "password");
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "Scope A", "Scope B");
    AuthorizationResponse authzResponse = authorization.authorize(request);
    assertNotNull(authzResponse);
    AccessToken token = toAccessToken(authzResponse.getToken());
    assertNotNull(token.getAuthorization());
    Collection<Permission> permissions = token.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    assertTrue(permissions.iterator().next().getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));
    try {
        // policy engine does not evaluate custom policies when obtaining all entitlements
        getAuthzClient().authorization("kolo", "password").authorize();
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) AuthorizationResource(org.keycloak.authorization.client.resource.AuthorizationResource) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 68 with ResourceRepresentation

use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testFindPermission.

@Test
public void testFindPermission() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(UUID.randomUUID().toString());
    resource.setOwner("marta");
    resource.setOwnerManagedAccess(true);
    resource.addScope("Scope A", "Scope B", "Scope C");
    ProtectionResource protection = getAuthzClient().protection();
    resource = protection.resource().create(resource);
    PolicyResource policy = getAuthzClient().protection("marta", "password").policy(resource.getId());
    for (int i = 0; i < 10; i++) {
        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("Custom User-Managed Policy " + i);
        permission.addRole("role_a");
        policy.create(permission);
    }
    assertEquals(10, policy.find(null, null, null, null).size());
    List<UmaPermissionRepresentation> byId = policy.find("Custom User-Managed Policy 8", null, null, null);
    assertEquals(1, byId.size());
    assertEquals(byId.get(0).getId(), policy.findById(byId.get(0).getId()).getId());
    assertEquals(10, policy.find(null, "Scope A", null, null).size());
    assertEquals(5, policy.find(null, null, -1, 5).size());
    assertEquals(2, policy.find(null, null, -1, 2).size());
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) PolicyResource(org.keycloak.authorization.client.resource.PolicyResource) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Example 69 with ResourceRepresentation

use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testUpdate.

private void testUpdate() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Permission");
    permission.setDescription("Users from specific roles are allowed to access");
    permission.addScope("Scope A");
    permission.addRole("role_a");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    permission = protection.policy(resource.getId()).create(permission);
    assertEquals(1, getAssociatedPolicies(permission).size());
    permission.setName("Changed");
    permission.setDescription("Changed");
    protection.policy(resource.getId()).update(permission);
    UmaPermissionRepresentation updated = protection.policy(resource.getId()).findById(permission.getId());
    assertEquals(permission.getName(), updated.getName());
    assertEquals(permission.getDescription(), updated.getDescription());
    permission.removeRole("role_a");
    permission.addRole("role_b", "role_c");
    protection.policy(resource.getId()).update(permission);
    assertEquals(1, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertTrue(permission.getRoles().containsAll(updated.getRoles()));
    permission.addRole("role_d");
    protection.policy(resource.getId()).update(permission);
    assertEquals(1, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertTrue(permission.getRoles().containsAll(updated.getRoles()));
    permission.addGroup("/group_a/group_b");
    protection.policy(resource.getId()).update(permission);
    assertEquals(2, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertTrue(permission.getGroups().containsAll(updated.getGroups()));
    permission.addGroup("/group_a");
    protection.policy(resource.getId()).update(permission);
    assertEquals(2, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertTrue(permission.getGroups().containsAll(updated.getGroups()));
    permission.removeGroup("/group_a/group_b");
    permission.addGroup("/group_c");
    protection.policy(resource.getId()).update(permission);
    assertEquals(2, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertTrue(permission.getGroups().containsAll(updated.getGroups()));
    permission.addClient("client-a");
    protection.policy(resource.getId()).update(permission);
    assertEquals(3, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertTrue(permission.getClients().containsAll(updated.getClients()));
    permission.addClient("resource-server-test");
    protection.policy(resource.getId()).update(permission);
    assertEquals(3, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertTrue(permission.getClients().containsAll(updated.getClients()));
    permission.removeClient("client-a");
    protection.policy(resource.getId()).update(permission);
    assertEquals(3, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertTrue(permission.getClients().containsAll(updated.getClients()));
    if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
        permission.setCondition("$evaluation.grant()");
        protection.policy(resource.getId()).update(permission);
        assertEquals(4, getAssociatedPolicies(permission).size());
        updated = protection.policy(resource.getId()).findById(permission.getId());
        assertEquals(permission.getCondition(), updated.getCondition());
    }
    permission.addUser("alice");
    protection.policy(resource.getId()).update(permission);
    int expectedPolicies = Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS) ? 5 : 4;
    assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertEquals(1, updated.getUsers().size());
    assertEquals(permission.getUsers(), updated.getUsers());
    permission.addUser("kolo");
    protection.policy(resource.getId()).update(permission);
    assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertEquals(2, updated.getUsers().size());
    assertEquals(permission.getUsers(), updated.getUsers());
    permission.removeUser("alice");
    protection.policy(resource.getId()).update(permission);
    assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertEquals(1, updated.getUsers().size());
    assertEquals(permission.getUsers(), updated.getUsers());
    permission.setUsers(null);
    protection.policy(resource.getId()).update(permission);
    assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertEquals(permission.getUsers(), updated.getUsers());
    if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
        permission.setCondition(null);
        protection.policy(resource.getId()).update(permission);
        assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
        updated = protection.policy(resource.getId()).findById(permission.getId());
        assertEquals(permission.getCondition(), updated.getCondition());
    }
    ;
    permission.setRoles(null);
    protection.policy(resource.getId()).update(permission);
    assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertEquals(permission.getRoles(), updated.getRoles());
    permission.setClients(null);
    protection.policy(resource.getId()).update(permission);
    assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
    updated = protection.policy(resource.getId()).findById(permission.getId());
    assertEquals(permission.getClients(), updated.getClients());
    permission.setGroups(null);
    try {
        protection.policy(resource.getId()).update(permission);
        assertEquals(1, getAssociatedPolicies(permission).size());
        fail("Permission must be removed because the last associated policy was removed");
    } catch (NotFoundException ignore) {
    } catch (Exception e) {
        fail("Expected not found");
    }
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) NotFoundException(javax.ws.rs.NotFoundException) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation)

Example 70 with ResourceRepresentation

use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testRemovePoliciesOnResourceDelete.

@Test
public void testRemovePoliciesOnResourceDelete() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);
    UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
    newPermission.setName("Custom User-Managed Permission");
    newPermission.setDescription("Users from specific roles are allowed to access");
    newPermission.addScope("Scope A", "Scope B", "Scope C");
    newPermission.addRole("role_a", "role_b", "role_c", "role_d");
    newPermission.addGroup("/group_a", "/group_a/group_b", "/group_c");
    newPermission.addClient("client-a", "resource-server-test");
    if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
        newPermission.setCondition("$evaluation.grant()");
    }
    newPermission.addUser("kolo");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    protection.policy(resource.getId()).create(newPermission);
    getTestingClient().server().run((RunOnServer) UserManagedPermissionServiceTest::testRemovePoliciesOnResourceDelete);
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Aggregations

ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)154 Test (org.junit.Test)96 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)49 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)45 AuthzClient (org.keycloak.authorization.client.AuthzClient)44 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)39 ClientResource (org.keycloak.admin.client.resource.ClientResource)38 Response (javax.ws.rs.core.Response)36 HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)35 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)33 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)33 Permission (org.keycloak.representations.idm.authorization.Permission)28 ScopeRepresentation (org.keycloak.representations.idm.authorization.ScopeRepresentation)26 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)23 OAuthClient (org.keycloak.testsuite.util.OAuthClient)23 PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest)22 AccessToken (org.keycloak.representations.AccessToken)19 ArrayList (java.util.ArrayList)18 List (java.util.List)18 TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse)18