use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
the class PartialImportTest method testAddClientsWithServiceAccountsAndAuthorization.
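/**
 * Partially imports clients that request service accounts (and, when the feature is available,
 * authorization services) and checks what was created for each of them.
 *
 * <p>Each imported client is expected to produce two entities: the client itself and its
 * service-account user. For every client the name prefix and the service-account flag are
 * checked; when the authorization feature is enabled the exported settings must hold two
 * resources and three policies, otherwise the authorization flag must remain unset.
 */
@EnableFeature(value = UPLOAD_SCRIPTS, skipRestart = true)
@Test
public void testAddClientsWithServiceAccountsAndAuthorization() throws IOException {
    setFail();
    addClients(true);
    PartialImportResults results = doImport();
    // One client plus one service-account user per imported entity.
    Assert.assertEquals(NUM_ENTITIES * 2, results.getAdded());
    for (PartialImportResult result : results.getResults()) {
        if (ResourceType.CLIENT.equals(result.getResourceType())) {
            assertImportedClient(result.getId());
        } else {
            assertImportedServiceAccountUser(result.getId());
        }
    }
}

/** Checks the client with internal id {@code id}: name prefix, service account and authorization state. */
private void assertImportedClient(String id) {
    ClientResource clientRsc = testRealmResource().clients().get(id);
    ClientRepresentation client = clientRsc.toRepresentation();
    Assert.assertTrue(client.getName().startsWith(CLIENT_PREFIX));
    Assert.assertTrue(client.isServiceAccountsEnabled());
    if (ProfileAssume.isFeatureEnabled(AUTHORIZATION)) {
        Assert.assertTrue(client.getAuthorizationServicesEnabled());
        AuthorizationResource authRsc = clientRsc.authorization();
        ResourceServerRepresentation authRep = authRsc.exportSettings();
        Assert.assertNotNull(authRep);
        Assert.assertEquals(2, authRep.getResources().size());
        Assert.assertEquals(3, authRep.getPolicies().size());
    } else {
        // Without the feature the import must not have touched the authorization flag.
        Assert.assertNull(client.getAuthorizationServicesEnabled());
    }
}

/** Checks that a non-client result is the service-account user of one of the imported clients. */
private void assertImportedServiceAccountUser(String id) {
    UserResource userRsc = testRealmResource().users().get(id);
    String expectedPrefix = ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + CLIENT_PREFIX;
    Assert.assertTrue(userRsc.toRepresentation().getUsername().startsWith(expectedPrefix));
}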
use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
the class ConflictingScopePermissionTest method testMartaCanAccessResourceAWithExecuteAndWrite.
/**
 * Scope "read" on Resource A is covered by two conflicting permissions, one granting it to Marta
 * and the other to Kolo. With a unanimous decision strategy Marta must therefore not obtain
 * "read" on Resource A, only "execute" and "write".
 */
@Test
public void testMartaCanAccessResourceAWithExecuteAndWrite() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.ENFORCING);
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);

    Collection<Permission> granted = getEntitlements("marta", "password");
    assertEquals(1, granted.size());
    // Iterate over a snapshot so consumed permissions can be removed from the live collection.
    for (Permission permission : new ArrayList<>(granted)) {
        String resourceName = permission.getResourceName();
        if (resourceName.equals("Resource A")) {
            assertThat(permission.getScopes(), containsInAnyOrder("execute", "write"));
        } else if (resourceName.equals("Resource C")) {
            assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
        } else {
            fail("Unexpected permission for resource [" + resourceName + "]");
        }
        granted.remove(permission);
    }
    // Every granted permission must have been accounted for above.
    assertTrue(granted.isEmpty());
}
use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
the class ClientsResource method createClient.
/**
 * Creates a new client in the current realm.
 *
 * <p>The caller must be allowed to manage clients. Client policies are consulted twice: the
 * register context is triggered before the client exists and the registered context after it
 * has been created and validated. A service account is created when the representation asks
 * for one and none exists yet. When the authorization feature is enabled and the representation
 * asks for it, authorization services are switched on and any supplied authorization settings
 * are imported. Validation runs after creation; on failure the transaction is marked
 * rollback-only and a {@code 400} error is raised.
 *
 * <p>Client's client_id must be unique!
 *
 * @param rep the client to create, as sent by the admin API caller
 * @return {@code 201 Created} with a Location header pointing at the new client, or an
 *         "already exists" error response when the client_id is taken
 * @throws ErrorResponseException with {@code 400 Bad Request} when validation fails or a
 *         client policy rejects the client
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
public Response createClient(final ClientRepresentation rep) {
// Authorization check comes first; nothing below runs for a caller without manage rights.
auth.clients().requireManage();
try {
// Policies get a chance to veto the registration before any state is written.
session.clientPolicy().triggerOnEvent(new AdminClientRegisterContext(rep, auth.adminAuth()));
ClientModel clientModel = ClientManager.createClient(session, realm, rep);
if (TRUE.equals(rep.isServiceAccountsEnabled())) {
// Only create the service-account user when the client does not already have one.
UserModel serviceAccount = session.users().getServiceAccount(clientModel);
if (serviceAccount == null) {
new ClientManager(new RealmManager(session)).enableServiceAccount(clientModel);
}
}
// The admin event is recorded with the incoming representation as its payload.
adminEvent.operation(OperationType.CREATE).resourcePath(session.getContext().getUri(), clientModel.getId()).representation(rep).success();
if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION) && TRUE.equals(rep.getAuthorizationServicesEnabled())) {
AuthorizationService authorizationService = getAuthorizationService(clientModel);
authorizationService.enable(true);
// The settings are taken straight from the request body; importSettings is relied on to
// validate them. NOTE(review): confirm that nothing in the imported policies exceeds what
// this admin is allowed to manage.
ResourceServerRepresentation authorizationSettings = rep.getAuthorizationSettings();
if (authorizationSettings != null) {
authorizationService.resourceServer().importSettings(authorizationSettings);
}
}
// Validation happens after the model exists; an error rolls the whole transaction back
// and reports the localized messages to the caller.
ValidationUtil.validateClient(session, clientModel, true, r -> {
session.getTransactionManager().setRollbackOnly();
throw new ErrorResponseException(Errors.INVALID_INPUT, r.getAllLocalizedErrorsAsString(AdminRoot.getMessages(session, realm, auth.adminAuth().getToken().getLocale())), Response.Status.BAD_REQUEST);
});
// Second policy hook, now with the persisted model available.
session.clientPolicy().triggerOnEvent(new AdminClientRegisteredContext(clientModel, auth.adminAuth()));
return Response.created(session.getContext().getUri().getAbsolutePathBuilder().path(clientModel.getId()).build()).build();
} catch (ModelDuplicateException e) {
// A duplicate client_id is reported as an "exists" error rather than a server failure.
return ErrorResponse.exists("Client " + rep.getClientId() + " already exists");
} catch (ClientPolicyException cpe) {
// A policy veto from either trigger above surfaces as a 400 carrying the policy's own error.
throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
}
}
use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
the class ExportUtils method exportAuthorizationSettings.
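/**
 * Exports the authorization settings of {@code client} in a form that can be imported into
 * another client or realm.
 *
 * <p>Deployment-specific identifiers (resource-server id, name and client id, resource-owner
 * ids, scope ids) are blanked so the export is portable. Resources owned by the resource server
 * itself carry no owner at all. Plain policies are emitted before permissions (policies of type
 * {@code "resource"} or {@code "scope"}).
 *
 * @param session the current session, used to obtain the authorization provider
 * @param client the client whose resource server is exported
 * @return the exported settings, or {@code null} when the client has no resource server
 */
public static ResourceServerRepresentation exportAuthorizationSettings(KeycloakSession session, ClientModel client) {
    AuthorizationProviderFactory providerFactory = (AuthorizationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
    AuthorizationProvider authorization = providerFactory.create(session, client.getRealm());
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceServer settingsModel = storeFactory.getResourceServerStore().findByClient(client);
    if (settingsModel == null) {
        return null;
    }
    ResourceServerRepresentation representation = toRepresentation(settingsModel, client);
    // Identity of this particular deployment is stripped so the export can be imported elsewhere.
    representation.setId(null);
    representation.setName(null);
    representation.setClientId(null);
    representation.setResources(exportResources(storeFactory, settingsModel, authorization));
    representation.setPolicies(exportPolicies(storeFactory, settingsModel, authorization));
    representation.setScopes(exportScopes(storeFactory, settingsModel));
    return representation;
}

/** Exports the resources of {@code resourceServer} with owner and scope identifiers blanked. */
private static List<ResourceRepresentation> exportResources(StoreFactory storeFactory, ResourceServer resourceServer, AuthorizationProvider authorization) {
    String resourceServerId = resourceServer.getId();
    return storeFactory.getResourceStore().findByResourceServer(resourceServerId).stream().map(resource -> {
        ResourceRepresentation rep = toRepresentation(resource, resourceServerId, authorization);
        if (rep.getOwner().getId().equals(resourceServerId)) {
            // Owned by the resource server itself: the exported resource carries no owner at all.
            rep.setOwner((ResourceOwnerRepresentation) null);
        } else {
            // Owned by someone else: keep the owner but drop its non-portable id.
            rep.getOwner().setId(null);
        }
        rep.getScopes().forEach(scopeRepresentation -> {
            scopeRepresentation.setId(null);
            scopeRepresentation.setIconUri(null);
        });
        return rep;
    }).collect(Collectors.toList());
}

/**
 * Exports the policies of {@code resourceServer}: ownerless plain policies first, then
 * permissions (type {@code "resource"} or {@code "scope"}).
 */
private static List<PolicyRepresentation> exportPolicies(StoreFactory storeFactory, ResourceServer resourceServer, AuthorizationProvider authorization) {
    PolicyStore policyStore = storeFactory.getPolicyStore();
    String resourceServerId = resourceServer.getId();
    List<PolicyRepresentation> policies = new ArrayList<>();
    policies.addAll(policyStore.findByResourceServer(resourceServerId).stream()
            .filter(policy -> !policy.getType().equals("resource") && !policy.getType().equals("scope") && policy.getOwner() == null)
            .map(policy -> createPolicyRepresentation(authorization, policy))
            .collect(Collectors.toList()));
    // The parentheses make the existing precedence explicit: resource-type permissions are exported
    // regardless of owner, scope-type ones only when they have no owner.
    // NOTE(review): confirm whether `(resource || scope) && owner == null` was intended instead.
    policies.addAll(policyStore.findByResourceServer(resourceServerId).stream()
            .filter(policy -> policy.getType().equals("resource") || (policy.getType().equals("scope") && policy.getOwner() == null))
            .map(policy -> createPolicyRepresentation(authorization, policy))
            .collect(Collectors.toList()));
    return policies;
}

/** Exports the scopes of {@code resourceServer} without their back-references to policies and resources. */
private static List<ScopeRepresentation> exportScopes(StoreFactory storeFactory, ResourceServer resourceServer) {
    return storeFactory.getScopeStore().findByResourceServer(resourceServer.getId()).stream().map(scope -> {
        ScopeRepresentation rep = toRepresentation(scope);
        // Resources and policies are exported on their own; the scope does not repeat them.
        rep.setPolicies(null);
        rep.setResources(null);
        return rep;
    }).collect(Collectors.toList());
}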
use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.
the class AuthorizationTest method testRemoveDefaultResourceWithAdminEventsEnabled.
// KEYCLOAK-6321
/**
 * Removing the default resource of a resource server must still work when the realm records
 * admin events.
 */
@Test
public void testRemoveDefaultResourceWithAdminEventsEnabled() {
    RealmResource realm = testRealmResource();
    RealmRepresentation realmRep = realm.toRepresentation();
    realmRep.setAdminEventsEnabled(true);
    realm.update(realmRep);

    ClientResource clientResource = getClientResource();
    ClientRepresentation resourceServer = getResourceServer();
    AuthorizationResource authorization = clientResource.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    assertEquals(PolicyEnforcerConfig.EnforcementMode.ENFORCING.name(), settings.getPolicyEnforcementMode().name());
    assertEquals(resourceServer.getId(), settings.getClientId());

    List<ResourceRepresentation> defaultResources = authorization.resources().resources();
    assertEquals(1, defaultResources.size());
    String defaultResourceId = defaultResources.get(0).getId();
    authorization.resources().resource(defaultResourceId).remove();
    assertTrue(authorization.resources().resources().isEmpty());
}