
Example 11 with ScopePermissionRepresentation

Use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in the project keycloak by keycloak.

From the class ConflictingScopePermissionTest, method createScopePermission.

// Test helper: creates a scope-based permission that ties the given scopes (and optionally a single
// resource) to the listed policies via the admin client. The response is closed right away because
// only the side effect on the resource server matters here.
private void createScopePermission(String name, String resourceName, List<String> scopes, List<String> policies, ClientResource client) throws IOException {
    AuthorizationResource authorization = client.authorization();
    ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
    representation.setName(name);
    if (resourceName != null) {
        // A scope permission may be bound to one resource; without it, it applies to the scopes on any resource
        representation.addResource(resourceName);
    }
    representation.addScope(scopes.toArray(new String[scopes.size()]));
    representation.addPolicy(policies.toArray(new String[policies.size()]));
    authorization.permissions().scope().create(representation).close();
}
Also used : AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)

Example 12 with ScopePermissionRepresentation

Use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in the project keycloak by keycloak.

From the class UmaGrantTypeTest, method testObtainRptOnlyAuthorizedScopes.

// Verifies that an RPT only carries the scopes the policies actually grant: READ is permitted by
// "Default Policy", WRITE is covered by "Deny Policy", so WRITE must never appear in the token even
// when the client asks for it.
@Test
public void testObtainRptOnlyAuthorizedScopes() throws Exception {
    ResourceRepresentation resourceA = addResource(KeycloakModelUtils.generateId(), "READ", "WRITE");
    ScopePermissionRepresentation permissionA = new ScopePermissionRepresentation();
    permissionA.setName(KeycloakModelUtils.generateId());
    permissionA.addScope("READ");
    permissionA.addPolicy("Default Policy");
    AuthorizationResource authzResource = getClient(getRealm()).authorization();
    authzResource.permissions().scope().create(permissionA).close();
    ScopePermissionRepresentation permissionB = new ScopePermissionRepresentation();
    permissionB.setName(KeycloakModelUtils.generateId());
    permissionB.addScope("WRITE");
    permissionB.addPolicy("Deny Policy");
    authzResource.permissions().scope().create(permissionB).close();
    // Request only READ: granted
    AuthorizationResponse response = authorize("marta", "password", resourceA.getName(), new String[] { "READ" });
    String rpt = response.getToken();
    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    Collection<Permission> permissions = authorization.getPermissions();
    assertFalse(response.isUpgraded());
    assertNotNull(permissions);
    // The test-suite helper removes each matched permission, so the following isEmpty() asserts nothing else was granted
    assertPermissions(permissions, resourceA.getName(), "READ");
    assertTrue(permissions.isEmpty());
    // Request READ and WRITE: only READ ends up in the RPT, WRITE is silently dropped by the deny policy
    response = authorize("marta", "password", resourceA.getName(), new String[] { "READ", "WRITE" });
    rpt = response.getToken();
    authorization = toAccessToken(rpt).getAuthorization();
    permissions = authorization.getPermissions();
    assertFalse(response.isUpgraded());
    assertNotNull(permissions);
    assertPermissions(permissions, resourceA.getName(), "READ");
    assertTrue(permissions.isEmpty());
}
Also used : AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 13 with ScopePermissionRepresentation

Use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in the project keycloak by keycloak.

From the class UserManagedAccessTest, method testOnlyOwnerCanAccessPermissionsToScope.

// User-managed access: the resource is owned by "marta" and both scope permissions use "Only Owner Policy".
// Another user ("kolo") is denied until the owner grants the pending permission tickets; the owner keeps
// access throughout.
@Test
public void testOnlyOwnerCanAccessPermissionsToScope() throws Exception {
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
    permission.setName(resource.getName() + " Scope A Permission");
    permission.addScope("ScopeA");
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().scope().create(permission).close();
    permission = new ScopePermissionRepresentation();
    permission.setName(resource.getName() + " Scope B Permission");
    permission.addScope("ScopeB");
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().scope().create(permission).close();
    // The owner obtains an RPT for both scopes
    AuthorizationResponse response = authorize("marta", "password", resource.getName(), new String[] { "ScopeA", "ScopeB" });
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    // A different user is denied; the failed request leaves permission tickets for the owner to review
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException ade) {
        // expected
    }
    // The owner grants every pending ticket for the resource
    List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    for (PermissionTicketRepresentation ticket : tickets) {
        ticket.setGranted(true);
        getAuthzClient().protection().permission().update(ticket);
    }
    // Now the other user is authorized for both scopes
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to resource from another user");
    }
    rpt = response.getToken();
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    permissions = authorization.getPermissions();
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());
    // The owner still has access to a single scope of the resource
    try {
        response = authorize("marta", "password", resource.getId(), new String[] { "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to his own resources");
    }
    rpt = response.getToken();
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    permissions = authorization.getPermissions();
    assertPermissions(permissions, resource.getName(), "ScopeB");
    assertTrue(permissions.isEmpty());
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) PermissionTicketRepresentation(org.keycloak.representations.idm.authorization.PermissionTicketRepresentation) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 14 with ScopePermissionRepresentation

Use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in the project keycloak by keycloak.

From the class PolicyEvaluationCompositeRoleTest, method addScopePermission.

// Server-side variant: builds the representation and persists it straight through the policy store
// instead of the admin REST client. UNANIMOUS means every associated policy must grant; POSITIVE keeps
// the policy's own decision rather than negating it.
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
    ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
    representation.setName(name);
    representation.setType("scope");
    representation.addResource(resource.getName());
    representation.addScope(scope.getName());
    representation.addPolicy(policy.getName());
    representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    representation.setLogic(Logic.POSITIVE);
    return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
Also used : ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)

Example 15 with ScopePermissionRepresentation

Use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in the project keycloak by keycloak.

From the class UmaPermissionTicketPushedClaimsTest, method testEvaluatePermissionsWithPushedClaims.

// Pushed claims: the requesting party attaches a claim to the permission request, and a JavaScript
// policy evaluates it. A withdraw value of 50.5 (<= 100) is granted and the claim is echoed in the RPT;
// 100.5 is denied.
@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
    ResourceRepresentation resource = addResource("Bank Account", "withdraw");
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName("Withdraw Limit Policy");
    StringBuilder code = new StringBuilder();
    code.append("var context = $evaluation.getContext();");
    code.append("var attributes = context.getAttributes();");
    code.append("var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');");
    code.append("if (withdrawValue && withdrawValue.asDouble(0) <= 100) {");
    code.append("   $evaluation.grant();");
    code.append("}");
    policy.setCode(code.toString());
    AuthorizationResource authorization = getClient(getRealm()).authorization();
    authorization.policies().js().create(policy).close();
    ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
    representation.setName("Withdraw Permission");
    representation.addScope("withdraw");
    representation.addPolicy(policy.getName());
    authorization.permissions().scope().create(representation).close();
    AuthzClient authzClient = getAuthzClient();
    // The claim travels with the permission ticket, not with the user's identity token
    PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
    permissionRequest.addScope("withdraw");
    permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    AuthorizationResponse authorizationResponse = authzClient.authorization().authorize(request);
    assertNotNull(authorizationResponse);
    assertNotNull(authorizationResponse.getToken());
    AccessToken token = toAccessToken(authorizationResponse.getToken());
    Collection<Permission> permissions = token.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    Permission permission = permissions.iterator().next();
    // The granted permission carries the claim the policy was evaluated against
    Map<String, Set<String>> claims = permission.getClaims();
    assertNotNull(claims);
    assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));
    // Above the limit the policy never calls grant(), so authorization fails
    permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
    response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authorizationResponse = authzClient.authorization().authorize(request);
        fail("Access should be denied");
    } catch (Exception ignore) {
        // expected
    }
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) Set(java.util.Set) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation) Test(org.junit.Test)
