
Example 21 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class PermissionsTest method clientAuthorization.

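/**
 * Checks that a client's authorization-services endpoints honour the admin permission
 * model. Every read and write on the resource server (settings, resources, scopes,
 * policies, permissions) is routed through {@code invoke(...)} together with the
 * permission it is expected to be governed by: {@code CLIENT} for switching the
 * feature on, {@code AUTHORIZATION} for everything underneath it. The trailing boolean
 * is {@code true} for write operations and {@code false} for read-only ones; how
 * {@code invoke} turns that into an expected outcome is defined by the helper outside
 * this method.
 */
@Test
public void clientAuthorization() {
    ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
    ClientRepresentation newClient = new ClientRepresentation();
    newClient.setClientId("foo-authz");
    // create() hands back a JAX-RS Response; close it so the connection is released
    // rather than left open for the rest of the test (the lookup below fails loudly
    // if the client was not created).
    adminClient.realms().realm(REALM_NAME).clients().create(newClient).close();
    ClientRepresentation foo = adminClient.realms().realm(REALM_NAME).clients().findByClientId("foo-authz").get(0);
    // Enabling authorization services is a CLIENT-level change; the service account is
    // required because the resource server authenticates with its own credentials.
    invoke(new InvocationWithResponse() {

        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            foo.setServiceAccountsEnabled(true);
            foo.setAuthorizationServicesEnabled(true);
            realm.clients().get(foo.getId()).update(foo);
        }
    }, CLIENT, true);
    // Resource-server settings: read, then write.
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            realm.clients().get(foo.getId()).authorization().getSettings();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            ResourceServerRepresentation settings = authorization.getSettings();
            authorization.update(settings);
        }
    }, AUTHORIZATION, true);
    // Listing resources, scopes and policies is read-only.
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.resources().resources();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.scopes().scopes();
        }
    }, AUTHORIZATION, false);
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.policies().policies();
        }
    }, AUTHORIZATION, false);
    // Creating a resource, a scope and a resource permission are writes; the Response
    // is handed to the helper through the AtomicReference.
    invoke(new InvocationWithResponse() {

        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            response.set(authorization.resources().create(new ResourceRepresentation("Test", Collections.emptySet())));
        }
    }, AUTHORIZATION, true);
    invoke(new InvocationWithResponse() {

        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            response.set(authorization.scopes().create(new ScopeRepresentation("Test")));
        }
    }, AUTHORIZATION, true);
    invoke(new InvocationWithResponse() {

        @Override
        public void invoke(RealmResource realm, AtomicReference<Response> response) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
            representation.setName("Test PermissionsTest");
            representation.addResource("Default Resource");
            response.set(authorization.permissions().resource().create(representation));
        }
    }, AUTHORIZATION, true);
    // Update and remove on a non-existent id: the point is that the permission check
    // happens before the lookup, so "nosuch" is good enough to exercise it.
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.resources().resource("nosuch").update(new ResourceRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.scopes().scope("nosuch").update(new ScopeRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.policies().policy("nosuch").update(new PolicyRepresentation());
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.resources().resource("nosuch").remove();
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.scopes().scope("nosuch").remove();
        }
    }, AUTHORIZATION, true);
    invoke(new Invocation() {

        @Override
        public void invoke(RealmResource realm) {
            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
            authorization.policies().policy("nosuch").remove();
        }
    }, AUTHORIZATION, true);
}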
Also used : Response(javax.ws.rs.core.Response) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) ClientScopeRepresentation(org.keycloak.representations.idm.ClientScopeRepresentation) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 22 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class RepresentationToModel method importAuthorizationSettings.

/**
 * Turns an imported client into a resource server when its representation asks for
 * authorization services and the feature is switched on; otherwise leaves the client
 * untouched.
 *
 * @param clientRepresentation the imported client, carrying the optional authorization settings
 * @param client the model the settings are applied to
 * @param session the current session, used to look up the authorization provider
 */
public static void importAuthorizationSettings(ClientRepresentation clientRepresentation, ClientModel client, KeycloakSession session) {
    if (!Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
        return;
    }
    if (!Boolean.TRUE.equals(clientRepresentation.getAuthorizationServicesEnabled())) {
        return;
    }
    AuthorizationProviderFactory providerFactory = (AuthorizationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
    AuthorizationProvider provider = providerFactory.create(session, client.getRealm());
    // A resource server always needs an identity of its own: it is forced to be a
    // confidential client (not public, not bearer-only) with a service account,
    // regardless of what the import said about those three flags.
    client.setServiceAccountsEnabled(true);
    client.setBearerOnly(false);
    client.setPublicClient(false);
    ResourceServerRepresentation imported = clientRepresentation.getAuthorizationSettings();
    ResourceServerRepresentation settings = imported != null ? imported : new ResourceServerRepresentation();
    // The settings are bound to this client's id, overriding any clientId the
    // import payload may have carried.
    settings.setClientId(client.getId());
    toModel(settings, provider, client);
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) AuthorizationProviderFactory(org.keycloak.authorization.AuthorizationProviderFactory)

Example 23 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class ImportAuthorizationSettingsTest method testImportUnorderedSettings.

/**
 * Imports an authorization settings file whose entries are not listed in dependency
 * order and checks that all thirteen policies in it are created anyway.
 *
 * @throws Exception if reading the fixture or talking to the server fails
 */
@Test
public void testImportUnorderedSettings() throws Exception {
    ClientResource resourceServer = getClientResource();
    String fixture = "/authorization-test/import-authorization-unordered-settings.json";
    ResourceServerRepresentation unorderedSettings = JsonSerialization.readValue(getClass().getResourceAsStream(fixture), ResourceServerRepresentation.class);
    // Roles are created ahead of the import; the fixture presumably references them
    // from role policies, so they must exist before importSettings runs.
    RoleRepresentation realmRole = new RoleRepresentation("user", null, false);
    realmsResouce().realm(getRealmId()).roles().create(realmRole);
    RoleRepresentation clientRole = new RoleRepresentation("manage-albums", null, false);
    resourceServer.roles().create(clientRole);
    AuthorizationResource authorization = resourceServer.authorization();
    authorization.importSettings(unorderedSettings);
    assertEquals(13, authorization.policies().policies().size());
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test)

Example 24 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class EntitlementAPITest method testServerDecisionStrategy.

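/**
 * Exercises the resource server's decision strategy end to end: a resource with three
 * scopes is protected by one denying resource permission and a series of granting
 * scope permissions. Under the default strategy the deny wins and access is refused;
 * after switching to {@code AFFIRMATIVE} a single grant is enough, and the granted
 * scopes follow the scope permissions as they are created, widened and removed.
 * Switching back to {@code UNANIMOUS} at the end makes the deny decisive again.
 *
 * @throws Exception if the admin or authorization calls fail
 */
@Test
public void testServerDecisionStrategy() throws Exception {
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authorization = client.authorization();
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(KeycloakModelUtils.generateId());
    resource.addScope("read", "write", "delete");
    try (Response response = authorization.resources().create(resource)) {
        // re-read so the representation carries the server-assigned id
        resource = response.readEntity(ResourceRepresentation.class);
    }
    JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
    grantPolicy.setName(KeycloakModelUtils.generateId());
    grantPolicy.setCode("$evaluation.grant();");
    authorization.policies().js().create(grantPolicy).close();
    JSPolicyRepresentation denyPolicy = new JSPolicyRepresentation();
    denyPolicy.setName(KeycloakModelUtils.generateId());
    denyPolicy.setCode("$evaluation.deny();");
    authorization.policies().js().create(denyPolicy).close();
    // Resource-level permission that always denies: this is what the decision
    // strategy has to weigh against the granting scope permissions below.
    ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
    resourcePermission.setName(KeycloakModelUtils.generateId());
    resourcePermission.addResource(resource.getId());
    resourcePermission.addPolicy(denyPolicy.getName());
    authorization.permissions().resource().create(resourcePermission).close();
    ScopePermissionRepresentation scopePermission1 = new ScopePermissionRepresentation();
    scopePermission1.setName(KeycloakModelUtils.generateId());
    scopePermission1.addScope("read");
    scopePermission1.addPolicy(grantPolicy.getName());
    ScopePermissionsResource scopePermissions = authorization.permissions().scope();
    scopePermissions.create(scopePermission1).close();
    String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resource.getName());
    // Default strategy: the deny from the resource permission is decisive.
    assertAccessDenied(authzClient, accessToken, request);
    ResourceServerRepresentation settings = authorization.getSettings();
    settings.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    authorization.update(settings);
    // AFFIRMATIVE: one granting permission suffices, and only its scopes are granted.
    assertPermissions(authzClient, accessToken, request, resource, "read");
    scopePermission1 = scopePermissions.findByName(scopePermission1.getName());
    scopePermission1.addScope("read", "delete");
    scopePermissions.findById(scopePermission1.getId()).update(scopePermission1);
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete");
    ScopePermissionRepresentation scopePermission2 = new ScopePermissionRepresentation();
    scopePermission2.setName(KeycloakModelUtils.generateId());
    scopePermission2.addScope("write");
    scopePermission2.addPolicy(grantPolicy.getName());
    scopePermissions.create(scopePermission2).close();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
    // A scope permission bound to the resource itself grants the same set.
    ScopePermissionRepresentation scopePermission3 = new ScopePermissionRepresentation();
    scopePermission3.setName(KeycloakModelUtils.generateId());
    scopePermission3.addResource(resource.getId());
    scopePermission3.addScope("write", "read", "delete");
    scopePermission3.addPolicy(grantPolicy.getName());
    scopePermissions.create(scopePermission3).close();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
    // Removing the first two permissions changes nothing while the third still covers all scopes.
    scopePermission2 = scopePermissions.findByName(scopePermission2.getName());
    scopePermissions.findById(scopePermission2.getId()).remove();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
    scopePermission1 = scopePermissions.findByName(scopePermission1.getName());
    scopePermissions.findById(scopePermission1.getId()).remove();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
    // Narrowing the remaining permission narrows the granted scopes accordingly.
    scopePermission3 = scopePermissions.findByName(scopePermission3.getName());
    scopePermission3.addScope("write", "delete");
    scopePermissions.findById(scopePermission3.getId()).update(scopePermission3);
    assertPermissions(authzClient, accessToken, request, resource, "delete", "write");
    scopePermissions.findById(scopePermission3.getId()).remove();
    // With no granting permission left, only the deny remains.
    assertAccessDenied(authzClient, accessToken, request);
    ResourcePermissionRepresentation grantResourcePermission = new ResourcePermissionRepresentation();
    grantResourcePermission.setName(KeycloakModelUtils.generateId());
    grantResourcePermission.addResource(resource.getId());
    grantResourcePermission.addPolicy(grantPolicy.getName());
    authorization.permissions().resource().create(grantResourcePermission).close();
    assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
    // UNANIMOUS: the denying resource permission vetoes the granting one.
    settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    authorization.update(settings);
    assertAccessDenied(authzClient, accessToken, request);
}

/**
 * Asserts that authorizing {@code request} with {@code accessToken} is refused by the
 * server with HTTP 403 and an {@code access_denied} error.
 *
 * @param authzClient the client used to call the authorization endpoint
 * @param accessToken the bearer token the request is made with
 * @param request the permissions being asked for
 */
private static void assertAccessDenied(AuthzClient authzClient, String accessToken, AuthorizationRequest request) {
    try {
        authzClient.authorization(accessToken).authorize(request);
        fail("kolo can not access the resource");
    } catch (RuntimeException expected) {
        // the transport error is wrapped; the status and error code live on the cause
        assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
        assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
    }
}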
Also used : AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) OAuthClient(org.keycloak.testsuite.util.OAuthClient) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) ScopePermissionsResource(org.keycloak.admin.client.resource.ScopePermissionsResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Response(javax.ws.rs.core.Response) TokenIntrospectionResponse(org.keycloak.authorization.client.representation.TokenIntrospectionResponse) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) AuthzClient(org.keycloak.authorization.client.AuthzClient) ClientResource(org.keycloak.admin.client.resource.ClientResource) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation) Test(org.junit.Test)

Example 25 with ResourceServerRepresentation

use of org.keycloak.representations.idm.authorization.ResourceServerRepresentation in project keycloak by keycloak.

the class AuthzClientCredentialsTest method beforeAbstractKeycloakTest.

/**
 * Resets the {@code resource-server-test} client in every test realm before a test
 * runs: authorization services are switched off and on again, and remote resource
 * management is enabled on the resulting resource server.
 *
 * @throws Exception if the superclass set-up or an admin call fails
 */
@Before
@Override
public void beforeAbstractKeycloakTest() throws Exception {
    super.beforeAbstractKeycloakTest();
    testContext.getTestRealmReps().forEach(realmRep -> {
        Keycloak admin = getAdminClient();
        resetResourceServer(admin.realm(realmRep.getRealm()).clients());
    });
}

/**
 * Toggles authorization services off and back on for {@code resource-server-test}
 * (presumably recreating the resource server with default settings), then allows the
 * resource server to manage its own resources remotely through the Protection API.
 *
 * @param clients the clients resource of the realm being reset
 */
private static void resetResourceServer(ClientsResource clients) {
    ClientRepresentation resourceServer = clients.findByClientId("resource-server-test").get(0);
    String id = resourceServer.getId();
    resourceServer.setAuthorizationServicesEnabled(false);
    clients.get(id).update(resourceServer);
    resourceServer.setAuthorizationServicesEnabled(true);
    clients.get(id).update(resourceServer);
    AuthorizationResource authorization = clients.get(id).authorization();
    ResourceServerRepresentation settings = authorization.getSettings();
    // Lets the resource server create and change its protected resources using its
    // own client credentials, which the tests in this class rely on.
    settings.setAllowRemoteResourceManagement(true);
    authorization.update(settings);
}
Also used : ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) ClientsResource(org.keycloak.admin.client.resource.ClientsResource) Keycloak(org.keycloak.admin.client.Keycloak) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Before(org.junit.Before)
