Search in sources :

Example 6 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class AbstractMigrationTest method testDecisionStrategySetOnResourceServer.

private void testDecisionStrategySetOnResourceServer() {
    ClientsResource clients = migrationRealm.clients();
    ClientRepresentation clientRepresentation = clients.findByClientId("authz-servlet").get(0);
    ResourceServerRepresentation settings = clients.get(clientRepresentation.getId()).authorization().getSettings();
    assertEquals(DecisionStrategy.UNANIMOUS, settings.getDecisionStrategy());
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) ClientsResource(org.keycloak.admin.client.resource.ClientsResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)

Example 7 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class RepresentationToModel method createResourceServer.

public static ResourceServer createResourceServer(ClientModel client, KeycloakSession session, boolean addDefaultRoles) {
    if ((client.isBearerOnly() || client.isPublicClient()) && !(client.getClientId().equals(Config.getAdminRealm() + "-realm") || client.getClientId().equals(Constants.REALM_MANAGEMENT_CLIENT_ID))) {
        throw new RuntimeException("Only confidential clients are allowed to set authorization settings");
    }
    AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
    UserModel serviceAccount = session.users().getServiceAccount(client);
    if (serviceAccount == null) {
        client.setServiceAccountsEnabled(true);
    }
    if (addDefaultRoles) {
        RoleModel umaProtectionRole = client.getRole(Constants.AUTHZ_UMA_PROTECTION);
        if (umaProtectionRole == null) {
            umaProtectionRole = client.addRole(Constants.AUTHZ_UMA_PROTECTION);
        }
        if (serviceAccount != null) {
            serviceAccount.grantRole(umaProtectionRole);
        }
    }
    ResourceServerRepresentation representation = new ResourceServerRepresentation();
    representation.setAllowRemoteResourceManagement(true);
    representation.setClientId(client.getId());
    return toModel(representation, authorization, client);
}
Also used : UserModel(org.keycloak.models.UserModel) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) RoleModel(org.keycloak.models.RoleModel)

Example 8 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class AuthzCleanupTest method testCreate.

@Test
public void testCreate() throws Exception {
    ClientsResource clients = getAdminClient().realms().realm(TEST).clients();
    ClientRepresentation client = clients.findByClientId("myclient").get(0);
    ResourceServerRepresentation settings = JsonSerialization.readValue(getClass().getResourceAsStream("/authorization-test/acme-resource-server-cleanup-test.json"), ResourceServerRepresentation.class);
    clients.get(client.getId()).authorization().importSettings(settings);
    testingClient.server().run(AuthzCleanupTest::setup);
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) ClientsResource(org.keycloak.admin.client.resource.ClientsResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)

Example 9 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class KcRegCreateTest method testCreateWithAuthorizationServices.

@Test
public void testCreateWithAuthorizationServices() throws IOException {
    ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
    FileConfigHandler handler = initCustomConfigFile();
    try (TempFileResource configFile = new TempFileResource(handler.getConfigFile())) {
        KcRegExec exe = execute("config credentials -x --config '" + configFile.getName() + "' --insecure --server " + oauth.AUTH_SERVER_ROOT + " --realm master --user admin --password admin");
        assertExitCodeAndStreamSizes(exe, 0, 0, 3);
        String token = issueInitialAccessToken("test");
        exe = execute("create --config '" + configFile.getName() + "' --insecure --server " + oauth.AUTH_SERVER_ROOT + " --realm test -s clientId=authz-client -s authorizationServicesEnabled=true -t " + token);
        assertExitCodeAndStreamSizes(exe, 0, 0, 3);
        RealmResource realm = adminClient.realm("test");
        ClientsResource clients = realm.clients();
        ClientRepresentation clientRep = clients.findByClientId("authz-client").get(0);
        ClientResource client = clients.get(clientRep.getId());
        clientRep = client.toRepresentation();
        Assert.assertTrue(clientRep.getAuthorizationServicesEnabled());
        ResourceServerRepresentation settings = client.authorization().getSettings();
        Assert.assertEquals(PolicyEnforcementMode.ENFORCING, settings.getPolicyEnforcementMode());
        Assert.assertTrue(settings.isAllowRemoteResourceManagement());
        List<RoleRepresentation> roles = client.roles().list();
        Assert.assertEquals(1, roles.size());
        Assert.assertEquals("uma_protection", roles.get(0).getName());
        // create using oidc endpoint - autodetect format
        String content = "        {\n" + "            \"redirect_uris\" : [ \"http://localhost:8980/myapp/*\" ],\n" + "            \"grant_types\" : [ \"authorization_code\", \"client_credentials\", \"refresh_token\", \"" + OAuth2Constants.UMA_GRANT_TYPE + "\" ],\n" + "            \"response_types\" : [ \"code\", \"none\" ],\n" + "            \"client_name\" : \"My Reg Authz\",\n" + "            \"client_uri\" : \"http://localhost:8980/myapp\"\n" + "        }";
        try (TempFileResource tmpFile = new TempFileResource(initTempFile(".json", content))) {
            exe = execute("create --insecure --config '" + configFile.getName() + "' -s 'client_name=My Reg Authz' --realm test -t " + token + " -s 'redirect_uris=[\"http://localhost:8980/myapp5/*\"]' -s client_uri=http://localhost:8980/myapp5" + " -o -f - < '" + tmpFile.getName() + "'");
            assertExitCodeAndStdErrSize(exe, 0, 2);
            OIDCClientRepresentation oidcClient = JsonSerialization.readValue(exe.stdout(), OIDCClientRepresentation.class);
            Assert.assertNotNull("clientId", oidcClient.getClientId());
            Assert.assertEquals("redirect_uris", Arrays.asList("http://localhost:8980/myapp5/*"), oidcClient.getRedirectUris());
            Assert.assertThat("grant_types", oidcClient.getGrantTypes(), Matchers.containsInAnyOrder("authorization_code", "client_credentials", "refresh_token", OAuth2Constants.UMA_GRANT_TYPE));
            Assert.assertEquals("response_types", Arrays.asList("code", "none"), oidcClient.getResponseTypes());
            Assert.assertEquals("client_name", "My Reg Authz", oidcClient.getClientName());
            Assert.assertEquals("client_uri", "http://localhost:8980/myapp5", oidcClient.getClientUri());
            client = clients.get(oidcClient.getClientId());
            clientRep = client.toRepresentation();
            Assert.assertTrue(clientRep.getAuthorizationServicesEnabled());
            settings = client.authorization().getSettings();
            Assert.assertEquals(PolicyEnforcementMode.ENFORCING, settings.getPolicyEnforcementMode());
            Assert.assertTrue(settings.isAllowRemoteResourceManagement());
            roles = client.roles().list();
            Assert.assertEquals(1, roles.size());
            Assert.assertEquals("uma_protection", roles.get(0).getName());
            UserRepresentation serviceAccount = realm.users().search(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + clientRep.getClientId()).get(0);
            Assert.assertNotNull(serviceAccount);
            List<RoleRepresentation> serviceAccountRoles = realm.users().get(serviceAccount.getId()).roles().clientLevel(clientRep.getId()).listAll();
            Assert.assertTrue(serviceAccountRoles.stream().anyMatch(roleRepresentation -> "uma_protection".equals(roleRepresentation.getName())));
        }
    }
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) FileConfigHandler(org.keycloak.client.registration.cli.config.FileConfigHandler) Arrays(java.util.Arrays) Profile(org.keycloak.common.Profile) AUTH_SERVER_SSL_REQUIRED(org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED) ClientsResource(org.keycloak.admin.client.resource.ClientsResource) KcRegExec.execute(org.keycloak.testsuite.cli.KcRegExec.execute) TempFileResource(org.keycloak.testsuite.util.TempFileResource) Assume(org.junit.Assume) PolicyEnforcementMode(org.keycloak.representations.idm.authorization.PolicyEnforcementMode) ClientResource(org.keycloak.admin.client.resource.ClientResource) RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) ProfileAssume(org.keycloak.testsuite.ProfileAssume) Before(org.junit.Before) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) Matchers(org.hamcrest.Matchers) Test(org.junit.Test) IOException(java.io.IOException) File(java.io.File) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) KcRegExec(org.keycloak.testsuite.cli.KcRegExec) JsonSerialization(org.keycloak.util.JsonSerialization) ServiceAccountConstants(org.keycloak.common.constants.ServiceAccountConstants) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) List(java.util.List) Assert(org.junit.Assert) OAuth2Constants(org.keycloak.OAuth2Constants) ConfigData(org.keycloak.client.registration.cli.config.ConfigData) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) KcRegExec(org.keycloak.testsuite.cli.KcRegExec) TempFileResource(org.keycloak.testsuite.util.TempFileResource) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) FileConfigHandler(org.keycloak.client.registration.cli.config.FileConfigHandler) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientsResource(org.keycloak.admin.client.resource.ClientsResource) ClientResource(org.keycloak.admin.client.resource.ClientResource) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 10 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class ConflictingScopePermissionTest method testMartaCanAccessResourceA.

/**
 * <p>Scope Read on Resource A has two conflicting permissions. One is granting access for Marta and the other for Kolo.
 *
 * <p>Scope Read should not be granted for Marta.
 */
@Test
public void testMartaCanAccessResourceA() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.ENFORCING);
    settings.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    authorization.update(settings);
    Collection<Permission> permissions = getEntitlements("marta", "password");
    assertEquals(1, permissions.size());
    for (Permission permission : new ArrayList<>(permissions)) {
        String resourceSetName = permission.getResourceName();
        switch(resourceSetName) {
            case "Resource A":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                permissions.remove(permission);
                break;
            case "Resource C":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                permissions.remove(permission);
                break;
            default:
                fail("Unexpected permission for resource [" + resourceSetName + "]");
        }
    }
    assertTrue(permissions.isEmpty());
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) Permission(org.keycloak.representations.idm.authorization.Permission) ArrayList(java.util.ArrayList) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test)

Aggregations

ResourceServerRepresentation (org.keycloak.representations.idm.authorization.ResourceServerRepresentation)25 Test (org.junit.Test)15 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)15 ClientResource (org.keycloak.admin.client.resource.ClientResource)13 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)12 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)8 PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation)7 ArrayList (java.util.ArrayList)6 Response (javax.ws.rs.core.Response)5 ClientsResource (org.keycloak.admin.client.resource.ClientsResource)5 RealmResource (org.keycloak.admin.client.resource.RealmResource)5 RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)5 Permission (org.keycloak.representations.idm.authorization.Permission)5 List (java.util.List)4 RealmRepresentation (org.keycloak.representations.idm.RealmRepresentation)4 IOException (java.io.IOException)3 HashMap (java.util.HashMap)3 Assert (org.junit.Assert)3 Before (org.junit.Before)3 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)3