Search in sources :

Example 11 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class PartialImportTest method testAddClientsWithServiceAccountsAndAuthorization.

@EnableFeature(value = UPLOAD_SCRIPTS, skipRestart = true)
@Test
public void testAddClientsWithServiceAccountsAndAuthorization() throws IOException {
    setFail();
    addClients(true);
    PartialImportResults results = doImport();
    assertEquals(NUM_ENTITIES * 2, results.getAdded());
    for (PartialImportResult result : results.getResults()) {
        if (result.getResourceType().equals(ResourceType.CLIENT)) {
            String id = result.getId();
            ClientResource clientRsc = testRealmResource().clients().get(id);
            ClientRepresentation client = clientRsc.toRepresentation();
            assertTrue(client.getName().startsWith(CLIENT_PREFIX));
            Assert.assertTrue(client.isServiceAccountsEnabled());
            if (ProfileAssume.isFeatureEnabled(AUTHORIZATION)) {
                Assert.assertTrue(client.getAuthorizationServicesEnabled());
                AuthorizationResource authRsc = clientRsc.authorization();
                ResourceServerRepresentation authRep = authRsc.exportSettings();
                Assert.assertNotNull(authRep);
                Assert.assertEquals(2, authRep.getResources().size());
                Assert.assertEquals(3, authRep.getPolicies().size());
            } else {
                Assert.assertNull(client.getAuthorizationServicesEnabled());
            }
        } else {
            UserResource userRsc = testRealmResource().users().get(result.getId());
            Assert.assertTrue(userRsc.toRepresentation().getUsername().startsWith(ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + CLIENT_PREFIX));
        }
    }
}
Also used : PartialImportResult(org.keycloak.partialimport.PartialImportResult) PartialImportResults(org.keycloak.partialimport.PartialImportResults) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) UserResource(org.keycloak.admin.client.resource.UserResource) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AbstractAuthTest(org.keycloak.testsuite.AbstractAuthTest) Test(org.junit.Test) EnableFeature(org.keycloak.testsuite.arquillian.annotation.EnableFeature)

Example 12 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class ConflictingScopePermissionTest method testMartaCanAccessResourceAWithExecuteAndWrite.

/**
 * <p>Scope Read on Resource A has two conflicting permissions. One is granting access for Marta and the other for Kolo.
 *
 * <p>Scope Read should not be granted for Marta.
 */
@Test
public void testMartaCanAccessResourceAWithExecuteAndWrite() throws Exception {
    ClientResource client = getClient(getRealm());
    AuthorizationResource authorization = client.authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setPolicyEnforcementMode(PolicyEnforcementMode.ENFORCING);
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);
    Collection<Permission> permissions = getEntitlements("marta", "password");
    assertEquals(1, permissions.size());
    for (Permission permission : new ArrayList<>(permissions)) {
        String resourceSetName = permission.getResourceName();
        switch(resourceSetName) {
            case "Resource A":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write"));
                permissions.remove(permission);
                break;
            case "Resource C":
                assertThat(permission.getScopes(), containsInAnyOrder("execute", "write", "read"));
                permissions.remove(permission);
                break;
            default:
                fail("Unexpected permission for resource [" + resourceSetName + "]");
        }
    }
    assertTrue(permissions.isEmpty());
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) Permission(org.keycloak.representations.idm.authorization.Permission) ArrayList(java.util.ArrayList) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test)

Example 13 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class ClientsResource method createClient.

/**
 * Create a new client
 *
 * Client's client_id must be unique!
 *
 * @param rep
 * @return
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
public Response createClient(final ClientRepresentation rep) {
    auth.clients().requireManage();
    try {
        session.clientPolicy().triggerOnEvent(new AdminClientRegisterContext(rep, auth.adminAuth()));
        ClientModel clientModel = ClientManager.createClient(session, realm, rep);
        if (TRUE.equals(rep.isServiceAccountsEnabled())) {
            UserModel serviceAccount = session.users().getServiceAccount(clientModel);
            if (serviceAccount == null) {
                new ClientManager(new RealmManager(session)).enableServiceAccount(clientModel);
            }
        }
        adminEvent.operation(OperationType.CREATE).resourcePath(session.getContext().getUri(), clientModel.getId()).representation(rep).success();
        if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION) && TRUE.equals(rep.getAuthorizationServicesEnabled())) {
            AuthorizationService authorizationService = getAuthorizationService(clientModel);
            authorizationService.enable(true);
            ResourceServerRepresentation authorizationSettings = rep.getAuthorizationSettings();
            if (authorizationSettings != null) {
                authorizationService.resourceServer().importSettings(authorizationSettings);
            }
        }
        ValidationUtil.validateClient(session, clientModel, true, r -> {
            session.getTransactionManager().setRollbackOnly();
            throw new ErrorResponseException(Errors.INVALID_INPUT, r.getAllLocalizedErrorsAsString(AdminRoot.getMessages(session, realm, auth.adminAuth().getToken().getLocale())), Response.Status.BAD_REQUEST);
        });
        session.clientPolicy().triggerOnEvent(new AdminClientRegisteredContext(clientModel, auth.adminAuth()));
        return Response.created(session.getContext().getUri().getAbsolutePathBuilder().path(clientModel.getId()).build()).build();
    } catch (ModelDuplicateException e) {
        return ErrorResponse.exists("Client " + rep.getClientId() + " already exists");
    } catch (ClientPolicyException cpe) {
        throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
    }
}
Also used : UserModel(org.keycloak.models.UserModel) ClientModel(org.keycloak.models.ClientModel) AdminClientRegisteredContext(org.keycloak.services.clientpolicy.context.AdminClientRegisteredContext) AuthorizationService(org.keycloak.authorization.admin.AuthorizationService) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) ClientManager(org.keycloak.services.managers.ClientManager) ModelDuplicateException(org.keycloak.models.ModelDuplicateException) ErrorResponseException(org.keycloak.services.ErrorResponseException) RealmManager(org.keycloak.services.managers.RealmManager) AdminClientRegisterContext(org.keycloak.services.clientpolicy.context.AdminClientRegisterContext) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes)

Example 14 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class ExportUtils method exportAuthorizationSettings.

public static ResourceServerRepresentation exportAuthorizationSettings(KeycloakSession session, ClientModel client) {
    AuthorizationProviderFactory providerFactory = (AuthorizationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
    AuthorizationProvider authorization = providerFactory.create(session, client.getRealm());
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceServer settingsModel = authorization.getStoreFactory().getResourceServerStore().findByClient(client);
    if (settingsModel == null) {
        return null;
    }
    ResourceServerRepresentation representation = toRepresentation(settingsModel, client);
    representation.setId(null);
    representation.setName(null);
    representation.setClientId(null);
    List<ResourceRepresentation> resources = storeFactory.getResourceStore().findByResourceServer(settingsModel.getId()).stream().map(resource -> {
        ResourceRepresentation rep = toRepresentation(resource, settingsModel.getId(), authorization);
        if (rep.getOwner().getId().equals(settingsModel.getId())) {
            rep.setOwner((ResourceOwnerRepresentation) null);
        } else {
            rep.getOwner().setId(null);
        }
        rep.getScopes().forEach(scopeRepresentation -> {
            scopeRepresentation.setId(null);
            scopeRepresentation.setIconUri(null);
        });
        return rep;
    }).collect(Collectors.toList());
    representation.setResources(resources);
    List<PolicyRepresentation> policies = new ArrayList<>();
    PolicyStore policyStore = storeFactory.getPolicyStore();
    policies.addAll(policyStore.findByResourceServer(settingsModel.getId()).stream().filter(policy -> !policy.getType().equals("resource") && !policy.getType().equals("scope") && policy.getOwner() == null).map(policy -> createPolicyRepresentation(authorization, policy)).collect(Collectors.toList()));
    policies.addAll(policyStore.findByResourceServer(settingsModel.getId()).stream().filter(policy -> (policy.getType().equals("resource") || policy.getType().equals("scope") && policy.getOwner() == null)).map(policy -> createPolicyRepresentation(authorization, policy)).collect(Collectors.toList()));
    representation.setPolicies(policies);
    List<ScopeRepresentation> scopes = storeFactory.getScopeStore().findByResourceServer(settingsModel.getId()).stream().map(scope -> {
        ScopeRepresentation rep = toRepresentation(scope);
        rep.setPolicies(null);
        rep.setResources(null);
        return rep;
    }).collect(Collectors.toList());
    representation.setScopes(scopes);
    return representation;
}
Also used : ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Version(org.keycloak.common.Version) RoleContainerModel(org.keycloak.models.RoleContainerModel) Map(java.util.Map) ModelToRepresentation.toRepresentation(org.keycloak.models.utils.ModelToRepresentation.toRepresentation) CredentialRepresentation(org.keycloak.representations.idm.CredentialRepresentation) UserConsentRepresentation(org.keycloak.representations.idm.UserConsentRepresentation) ResourceOwnerRepresentation(org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) ClientScopeModel(org.keycloak.models.ClientScopeModel) RealmModel(org.keycloak.models.RealmModel) FederatedIdentityRepresentation(org.keycloak.representations.idm.FederatedIdentityRepresentation) Collection(java.util.Collection) AuthorizationProviderFactory(org.keycloak.authorization.AuthorizationProviderFactory) Set(java.util.Set) RoleModel(org.keycloak.models.RoleModel) PolicyStore(org.keycloak.authorization.store.PolicyStore) Collectors(java.util.stream.Collectors) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ModelToRepresentation(org.keycloak.models.utils.ModelToRepresentation) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) List(java.util.List) Stream(java.util.stream.Stream) ClientModel(org.keycloak.models.ClientModel) Scope(org.keycloak.authorization.model.Scope) Profile(org.keycloak.common.Profile) JsonGenerator(com.fasterxml.jackson.core.JsonGenerator) ScopeMappingRepresentation(org.keycloak.representations.idm.ScopeMappingRepresentation) StoreFactory(org.keycloak.authorization.store.StoreFactory) HashMap(java.util.HashMap) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) UserModel(org.keycloak.models.UserModel) ComponentExportRepresentation(org.keycloak.representations.idm.ComponentExportRepresentation) JsonEncoding(com.fasterxml.jackson.core.JsonEncoding) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) LinkedList(java.util.LinkedList) RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) ResourceServer(org.keycloak.authorization.model.ResourceServer) FederatedIdentityModel(org.keycloak.models.FederatedIdentityModel) OutputStream(java.io.OutputStream) RolesRepresentation(org.keycloak.representations.idm.RolesRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) CredentialModel(org.keycloak.credential.CredentialModel) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) KeycloakSession(org.keycloak.models.KeycloakSession) IOException(java.io.IOException) JsonSerialization(org.keycloak.util.JsonSerialization) Policy(org.keycloak.authorization.model.Policy) JsonFactory(com.fasterxml.jackson.core.JsonFactory) SerializationFeature(com.fasterxml.jackson.databind.SerializationFeature) MultivaluedHashMap(org.keycloak.common.util.MultivaluedHashMap) Resource(org.keycloak.authorization.model.Resource) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) ArrayList(java.util.ArrayList) ResourceOwnerRepresentation(org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) AuthorizationProviderFactory(org.keycloak.authorization.AuthorizationProviderFactory) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) PolicyStore(org.keycloak.authorization.store.PolicyStore) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 15 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class AuthorizationTest method testRemoveDefaultResourceWithAdminEventsEnabled.

// KEYCLOAK-6321
@Test
public void testRemoveDefaultResourceWithAdminEventsEnabled() {
    RealmResource realmResource = testRealmResource();
    RealmRepresentation realmRepresentation = realmResource.toRepresentation();
    realmRepresentation.setAdminEventsEnabled(true);
    realmResource.update(realmRepresentation);
    ClientResource clientResource = getClientResource();
    ClientRepresentation resourceServer = getResourceServer();
    ResourceServerRepresentation settings = clientResource.authorization().getSettings();
    assertEquals(PolicyEnforcerConfig.EnforcementMode.ENFORCING.name(), settings.getPolicyEnforcementMode().name());
    assertEquals(resourceServer.getId(), settings.getClientId());
    List<ResourceRepresentation> defaultResources = clientResource.authorization().resources().resources();
    assertEquals(1, defaultResources.size());
    clientResource.authorization().resources().resource(defaultResources.get(0).getId()).remove();
    assertTrue(clientResource.authorization().resources().resources().isEmpty());
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) ClientResource(org.keycloak.admin.client.resource.ClientResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Aggregations

ResourceServerRepresentation (org.keycloak.representations.idm.authorization.ResourceServerRepresentation)25 Test (org.junit.Test)15 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)15 ClientResource (org.keycloak.admin.client.resource.ClientResource)13 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)12 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)8 PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation)7 ArrayList (java.util.ArrayList)6 Response (javax.ws.rs.core.Response)5 ClientsResource (org.keycloak.admin.client.resource.ClientsResource)5 RealmResource (org.keycloak.admin.client.resource.RealmResource)5 RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)5 Permission (org.keycloak.representations.idm.authorization.Permission)5 List (java.util.List)4 RealmRepresentation (org.keycloak.representations.idm.RealmRepresentation)4 IOException (java.io.IOException)3 HashMap (java.util.HashMap)3 Assert (org.junit.Assert)3 Before (org.junit.Before)3 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)3