use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class ResourceService method create.
@POST
@Consumes("application/json")
@Produces("application/json")
public Response create(UmaResourceRepresentation resource) {
checkResourceServerSettings();
if (resource == null) {
return Response.status(Status.BAD_REQUEST).build();
}
ResourceOwnerRepresentation owner = resource.getOwner();
if (owner == null) {
owner = new ResourceOwnerRepresentation();
resource.setOwner(owner);
}
String ownerId = owner.getId();
if (ownerId == null) {
ownerId = this.identity.getId();
}
owner.setId(ownerId);
ResourceRepresentation newResource = resourceManager.create(resource);
resourceManager.audit(resource, resource.getId(), OperationType.CREATE);
return Response.status(Status.CREATED).entity(new UmaResourceRepresentation(newResource)).build();
}
use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class AbstractServletAuthzAdapterTest method testCanNotAccessWhenEnforcing.
@Test
public void testCanNotAccessWhenEnforcing() throws Exception {
performTests(() -> {
importResourceServerSettings();
ResourcesResource resources = getAuthorizationResource().resources();
ResourceRepresentation resource = resources.findByName("Protected Resource").get(0);
resource.setUri("/index.jsp");
resources.resource(resource.getId()).update(resource);
}, () -> {
login("jdoe", "jdoe");
driver.navigate().to(getResourceServerUrl().toString() + "/enforcing/resource");
assertWasDenied();
});
}
use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsForResourceWithResourcePermission.
@Test
public void testObtainAllEntitlementsForResourceWithResourcePermission() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("scope:view", "scope:update", "scope:delete");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addResource(resource.getId());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "scope:view", "scope:update", "scope:delete");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(3, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view")));
}
resource.setScopes(new HashSet<>());
resource.addScope("scope:view", "scope:update");
authorization.resources().resource(resource.getId()).update(resource);
request = new AuthorizationRequest();
request.addPermission(null, "scope:view", "scope:update", "scope:delete");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
}
request = new AuthorizationRequest();
request.addPermission(resource.getId(), "scope:view", "scope:update", "scope:delete");
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertEquals(resource.getId(), grantedPermission.getResourceId());
assertEquals(2, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
}
}
use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class EntitlementAPITest method testObtainAllEntitlementsInvalidScope.
@Test
public void testObtainAllEntitlementsInvalidScope() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("sensors:view", "sensors:update", "sensors:delete");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resource.getId(), "sensors:view_invalid");
try {
authzClient.authorization(accessToken).authorize(request);
fail("scope is invalid");
} catch (RuntimeException expected) {
assertEquals(400, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("invalid_scope"));
}
request = new AuthorizationRequest();
request.addPermission(null, "sensors:view_invalid");
try {
authzClient.authorization(accessToken).authorize(request);
fail("scope is invalid");
} catch (RuntimeException expected) {
assertEquals(400, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("invalid_scope"));
}
}
use of org.keycloak.representations.idm.authorization.ResourceRepresentation in project keycloak by keycloak.
the class EntitlementAPITest method testPermissionOrder.
@Test
public void testPermissionOrder() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("my_resource");
resource.addScope("entity:read");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ScopeRepresentation featureAccessScope = new ScopeRepresentation("feature:access");
authorization.scopes().create(featureAccessScope);
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addPolicy(policy.getName());
permission.addResource(resource.getId());
authorization.permissions().resource().create(permission).close();
ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
scopePermission.setName(KeycloakModelUtils.generateId());
scopePermission.addPolicy(policy.getName());
scopePermission.addScope(featureAccessScope.getName());
authorization.permissions().scope().create(scopePermission).close();
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "entity:read");
request.addPermission(null, "feature:access");
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationResponse response = authzClient.authorization().authorize(request);
AccessToken token = toAccessToken(response.getToken());
Authorization result = token.getAuthorization();
assertEquals(2, result.getPermissions().size());
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() == null && p.getScopes().contains(featureAccessScope.getName())));
String resourceId = resource.getId();
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() != null && p.getResourceId().equals(resourceId) && p.getScopes().contains("entity:read")));
request = new AuthorizationRequest();
request.addPermission(null, "feature:access");
request.addPermission(null, "entity:read");
response = authzClient.authorization().authorize(request);
token = toAccessToken(response.getToken());
result = token.getAuthorization();
assertEquals(2, result.getPermissions().size());
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() == null && p.getScopes().contains(featureAccessScope.getName())));
assertTrue(result.getPermissions().stream().anyMatch(p -> p.getResourceId() != null && p.getResourceId().equals(resourceId) && p.getScopes().contains("entity:read")));
}
Aggregations