use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
Class AbstractMigrationTest, method testDecisionStrategySetOnResourceServer.
/**
 * Verifies that the migrated {@code authz-servlet} client still carries the
 * {@link DecisionStrategy#UNANIMOUS} decision strategy on its resource server.
 */
private void testDecisionStrategySetOnResourceServer() {
    ClientsResource clientsResource = migrationRealm.clients();
    String clientUuid = clientsResource.findByClientId("authz-servlet").get(0).getId();
    ResourceServerRepresentation resourceServer = clientsResource.get(clientUuid).authorization().getSettings();
    assertEquals(DecisionStrategy.UNANIMOUS, resourceServer.getDecisionStrategy());
}
use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
Class RepresentationToModel, method createResourceServer.
/**
 * Creates the authorization resource server that backs {@code client}.
 *
 * <p>Only confidential clients may own authorization settings: a bearer-only or public client is
 * rejected unless it is the admin realm's {@code <admin-realm>-realm} client or the realm-management
 * client. If the client has no service account yet, service accounts are switched on. When
 * {@code addDefaultRoles} is set, the {@code uma_protection} client role is created if missing and
 * granted to the service account, provided one already exists.
 *
 * @param client          client that will own the resource server
 * @param session         current session; supplies the {@link AuthorizationProvider} and user store
 * @param addDefaultRoles whether to create and grant the {@code uma_protection} role
 * @return the resource server model built from a representation with remote resource management enabled
 * @throws RuntimeException if the client is bearer-only or public and not one of the exempt clients
 */
public static ResourceServer createResourceServer(ClientModel client, KeycloakSession session, boolean addDefaultRoles) {
    boolean notConfidential = client.isBearerOnly() || client.isPublicClient();
    if (notConfidential) {
        // Admin-realm and realm-management clients are exempt from the confidentiality rule.
        String clientId = client.getClientId();
        boolean exempt = clientId.equals(Config.getAdminRealm() + "-realm")
                || clientId.equals(Constants.REALM_MANAGEMENT_CLIENT_ID);
        if (!exempt) {
            throw new RuntimeException("Only confidential clients are allowed to set authorization settings");
        }
    }

    AuthorizationProvider authorizationProvider = session.getProvider(AuthorizationProvider.class);
    UserModel serviceAccountUser = session.users().getServiceAccount(client);
    if (serviceAccountUser == null) {
        client.setServiceAccountsEnabled(true);
    }

    if (addDefaultRoles) {
        RoleModel umaProtection = client.getRole(Constants.AUTHZ_UMA_PROTECTION);
        if (umaProtection == null) {
            umaProtection = client.addRole(Constants.AUTHZ_UMA_PROTECTION);
        }
        // The role can only be granted when a service account user already exists.
        if (serviceAccountUser != null) {
            serviceAccountUser.grantRole(umaProtection);
        }
    }

    ResourceServerRepresentation resourceServer = new ResourceServerRepresentation();
    resourceServer.setAllowRemoteResourceManagement(true);
    resourceServer.setClientId(client.getId());
    return toModel(resourceServer, authorizationProvider, client);
}
use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
Class AuthzCleanupTest, method testCreate.
/**
 * Imports the cleanup-test resource server settings into {@code myclient} and then runs
 * {@code setup} on the server side through the testing client.
 *
 * @throws Exception if reading the settings JSON or talking to the server fails
 */
@Test
public void testCreate() throws Exception {
    ClientsResource clientsResource = getAdminClient().realms().realm(TEST).clients();
    String clientUuid = clientsResource.findByClientId("myclient").get(0).getId();
    ResourceServerRepresentation resourceServer = JsonSerialization.readValue(
            getClass().getResourceAsStream("/authorization-test/acme-resource-server-cleanup-test.json"),
            ResourceServerRepresentation.class);
    clientsResource.get(clientUuid).authorization().importSettings(resourceServer);
    testingClient.server().run(AuthzCleanupTest::setup);
}
use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
Class KcRegCreateTest, method testCreateWithAuthorizationServices.
/**
 * Creates a client with authorization services through {@code kcreg} and checks the resulting
 * resource server: enforcing policy mode, remote resource management allowed, and a single
 * {@code uma_protection} client role. A second client is then registered through the OIDC
 * dynamic-registration endpoint (format auto-detected from the file) and the same authorization
 * defaults are verified, plus that its service account holds {@code uma_protection}.
 *
 * <p>NOTE(review): the admin password and the initial access token are passed on the
 * {@code kcreg} command line here; acceptable inside this test harness, not a pattern for tooling.
 *
 * @throws IOException if the temporary config or payload file cannot be created or read
 */
@Test
public void testCreateWithAuthorizationServices() throws IOException {
    // Nothing to test when the authorization feature is disabled in this profile.
    ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
    FileConfigHandler handler = initCustomConfigFile();
    try (TempFileResource configFile = new TempFileResource(handler.getConfigFile())) {
        // Authenticate as the master admin; the credentials are stored in the temp config file.
        KcRegExec exe = execute("config credentials -x --config '" + configFile.getName() + "' --insecure --server " + oauth.AUTH_SERVER_ROOT + " --realm master --user admin --password admin");
        // Exit code 0 expected; the trailing arguments are stream-size expectations (see assertExitCodeAndStreamSizes).
        assertExitCodeAndStreamSizes(exe, 0, 0, 3);
        String token = issueInitialAccessToken("test");
        // Create the client with authorization services enabled, using the initial access token.
        exe = execute("create --config '" + configFile.getName() + "' --insecure --server " + oauth.AUTH_SERVER_ROOT + " --realm test -s clientId=authz-client -s authorizationServicesEnabled=true -t " + token);
        assertExitCodeAndStreamSizes(exe, 0, 0, 3);
        RealmResource realm = adminClient.realm("test");
        ClientsResource clients = realm.clients();
        ClientRepresentation clientRep = clients.findByClientId("authz-client").get(0);
        ClientResource client = clients.get(clientRep.getId());
        clientRep = client.toRepresentation();
        Assert.assertTrue(clientRep.getAuthorizationServicesEnabled());
        // Defaults applied by the server when authorization services are switched on.
        ResourceServerRepresentation settings = client.authorization().getSettings();
        Assert.assertEquals(PolicyEnforcementMode.ENFORCING, settings.getPolicyEnforcementMode());
        Assert.assertTrue(settings.isAllowRemoteResourceManagement());
        List<RoleRepresentation> roles = client.roles().list();
        Assert.assertEquals(1, roles.size());
        Assert.assertEquals("uma_protection", roles.get(0).getName());
        // create using oidc endpoint - autodetect format
        String content = " {\n" + " \"redirect_uris\" : [ \"http://localhost:8980/myapp/*\" ],\n" + " \"grant_types\" : [ \"authorization_code\", \"client_credentials\", \"refresh_token\", \"" + OAuth2Constants.UMA_GRANT_TYPE + "\" ],\n" + " \"response_types\" : [ \"code\", \"none\" ],\n" + " \"client_name\" : \"My Reg Authz\",\n" + " \"client_uri\" : \"http://localhost:8980/myapp\"\n" + " }";
        try (TempFileResource tmpFile = new TempFileResource(initTempFile(".json", content))) {
            // The -s overrides on the command line take precedence over the values in the file.
            exe = execute("create --insecure --config '" + configFile.getName() + "' -s 'client_name=My Reg Authz' --realm test -t " + token + " -s 'redirect_uris=[\"http://localhost:8980/myapp5/*\"]' -s client_uri=http://localhost:8980/myapp5" + " -o -f - < '" + tmpFile.getName() + "'");
            assertExitCodeAndStdErrSize(exe, 0, 2);
            OIDCClientRepresentation oidcClient = JsonSerialization.readValue(exe.stdout(), OIDCClientRepresentation.class);
            Assert.assertNotNull("clientId", oidcClient.getClientId());
            Assert.assertEquals("redirect_uris", Arrays.asList("http://localhost:8980/myapp5/*"), oidcClient.getRedirectUris());
            Assert.assertThat("grant_types", oidcClient.getGrantTypes(), Matchers.containsInAnyOrder("authorization_code", "client_credentials", "refresh_token", OAuth2Constants.UMA_GRANT_TYPE));
            Assert.assertEquals("response_types", Arrays.asList("code", "none"), oidcClient.getResponseTypes());
            Assert.assertEquals("client_name", "My Reg Authz", oidcClient.getClientName());
            Assert.assertEquals("client_uri", "http://localhost:8980/myapp5", oidcClient.getClientUri());
            // Look the new client up through the admin API and expect the same authorization defaults.
            client = clients.get(oidcClient.getClientId());
            clientRep = client.toRepresentation();
            Assert.assertTrue(clientRep.getAuthorizationServicesEnabled());
            settings = client.authorization().getSettings();
            Assert.assertEquals(PolicyEnforcementMode.ENFORCING, settings.getPolicyEnforcementMode());
            Assert.assertTrue(settings.isAllowRemoteResourceManagement());
            roles = client.roles().list();
            Assert.assertEquals(1, roles.size());
            Assert.assertEquals("uma_protection", roles.get(0).getName());
            // The service account user is named with the service-account prefix plus the clientId.
            UserRepresentation serviceAccount = realm.users().search(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + clientRep.getClientId()).get(0);
            Assert.assertNotNull(serviceAccount);
            List<RoleRepresentation> serviceAccountRoles = realm.users().get(serviceAccount.getId()).roles().clientLevel(clientRep.getId()).listAll();
            Assert.assertTrue(serviceAccountRoles.stream().anyMatch(roleRepresentation -> "uma_protection".equals(roleRepresentation.getName())));
        }
    }
}
use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
Class ConflictingScopePermissionTest, method testMartaCanAccessResourceA.
/**
 * Scope Read on Resource A carries two conflicting permissions: one grants Marta, the other grants
 * Kolo. With the resource server set to enforcing mode and the
 * {@link DecisionStrategy#AFFIRMATIVE} decision strategy, Marta is expected to obtain exactly one
 * permission, covering the execute, write and read scopes of Resource A.
 *
 * <p>NOTE(review): the original comment stated that Read should not be granted to Marta, which
 * contradicts the scope assertion below under the AFFIRMATIVE strategy — confirm which is intended.
 *
 * @throws Exception if obtaining the entitlements fails
 */
@Test
public void testMartaCanAccessResourceA() throws Exception {
    AuthorizationResource authorizationResource = getClient(getRealm()).authorization();
    ResourceServerRepresentation resourceServer = authorizationResource.getSettings();
    resourceServer.setPolicyEnforcementMode(PolicyEnforcementMode.ENFORCING);
    resourceServer.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    authorizationResource.update(resourceServer);

    Collection<Permission> granted = getEntitlements("marta", "password");
    assertEquals(1, granted.size());

    // Iterate over a snapshot so entries can be removed from the live collection as they are checked.
    for (Permission current : new ArrayList<>(granted)) {
        String resourceName = current.getResourceName();
        if (resourceName.equals("Resource A") || resourceName.equals("Resource C")) {
            assertThat(current.getScopes(), containsInAnyOrder("execute", "write", "read"));
            granted.remove(current);
        } else {
            fail("Unexpected permission for resource [" + resourceName + "]");
        }
    }
    assertTrue(granted.isEmpty());
}