use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class ConflictingScopePermissionTest method createScopePermission.
/**
 * Registers a scope-based permission on the client's authorization settings.
 *
 * @param name         permission name
 * @param resourceName resource to bind the permission to; {@code null} leaves it unbound
 *                     (scope-only permission)
 * @param scopes       scope names the permission covers
 * @param policies     names of the policies that must be evaluated for a grant
 * @param client       client resource whose authorization services receive the permission
 * @throws IOException declared for callers; nothing in this body is seen to throw it
 */
private void createScopePermission(String name, String resourceName, List<String> scopes, List<String> policies, ClientResource client) throws IOException {
    ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
    permission.setName(name);
    // A null resourceName is deliberately allowed: the permission then applies by scope alone.
    if (resourceName != null) {
        permission.addResource(resourceName);
    }
    String[] scopeNames = scopes.toArray(new String[0]);
    String[] policyNames = policies.toArray(new String[0]);
    permission.addScope(scopeNames);
    permission.addPolicy(policyNames);
    // The HTTP response is closed right away; the created id is not inspected here.
    client.authorization().permissions().scope().create(permission).close();
}
use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class UmaGrantTypeTest method testObtainRptOnlyAuthorizedScopes.
/**
 * An RPT must carry only the scopes that policies actually grant: asking for a denied
 * scope alongside a granted one yields a token with the granted scope only, not a refusal
 * and not an over-grant.
 */
@Test
public void testObtainRptOnlyAuthorizedScopes() throws Exception {
    // Resource with two scopes: READ is governed by "Default Policy", WRITE by "Deny Policy".
    ResourceRepresentation resourceA = addResource(KeycloakModelUtils.generateId(), "READ", "WRITE");
    AuthorizationResource authzResource = getClient(getRealm()).authorization();
    createScopePermissionWithPolicy(authzResource, "READ", "Default Policy");
    createScopePermissionWithPolicy(authzResource, "WRITE", "Deny Policy");

    // Asking only for READ: the RPT must contain READ and nothing else.
    AuthorizationResponse response = authorize("marta", "password", resourceA.getName(), new String[] { "READ" });
    assertFalse(response.isUpgraded());
    Collection<Permission> granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertNotNull(granted);
    // assertPermissions presumably removes the matched entries, so an empty collection
    // afterwards means nothing beyond READ was granted — confirm against the helper.
    assertPermissions(granted, resourceA.getName(), "READ");
    assertTrue(granted.isEmpty());

    // Asking for READ and WRITE: WRITE is denied by "Deny Policy", so only READ may appear.
    response = authorize("marta", "password", resourceA.getName(), new String[] { "READ", "WRITE" });
    assertFalse(response.isUpgraded());
    granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertNotNull(granted);
    assertPermissions(granted, resourceA.getName(), "READ");
    assertTrue(granted.isEmpty());
}

/**
 * Creates a scope permission with a generated name that ties {@code scope} to {@code policyName}.
 */
private void createScopePermissionWithPolicy(AuthorizationResource authzResource, String scope, String policyName) {
    ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
    permission.setName(KeycloakModelUtils.generateId());
    permission.addScope(scope);
    permission.addPolicy(policyName);
    authzResource.permissions().scope().create(permission).close();
}
use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class UserManagedAccessTest method testOnlyOwnerCanAccessPermissionsToScope.
/**
 * User-managed access on scopes: the owner can obtain both scopes directly, a different
 * user is refused until the owner's pending permission tickets are granted, and the owner
 * keeps access to their own resource after sharing it.
 */
@Test
public void testOnlyOwnerCanAccessPermissionsToScope() throws Exception {
    // "Resource A" belongs to marta; the boolean presumably enables owner-managed access — confirm in addResource.
    resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
    createOnlyOwnerScopePermission("ScopeA", " Scope A Permission");
    createOnlyOwnerScopePermission("ScopeB", " Scope B Permission");

    // Owner requests both scopes and gets both without any ticket upgrade.
    AuthorizationResponse response = authorize("marta", "password", resource.getName(), new String[] { "ScopeA", "ScopeB" });
    assertFalse(response.isUpgraded());
    Collection<Permission> permissions = permissionsInRpt(response);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());

    // A different user must be refused outright: "Only Owner Policy" has not been satisfied
    // and no ticket has been granted yet. Denial is the expected outcome of this call.
    try {
        authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
        fail("User should not have access to resource from another user");
    } catch (AuthorizationDeniedException expectedDenial) {
        // expected: kolo is not the owner
    }

    // Grant every ticket that the refused request left pending for this resource.
    // NOTE(review): approval goes through the protection API client, not through marta's
    // own credentials — confirm this mirrors the owner-consent flow the test intends to cover.
    List<PermissionTicketRepresentation> pending = getAuthzClient().protection().permission().find(resource.getId(), null, null, null, null, null, null, null);
    for (PermissionTicketRepresentation ticket : pending) {
        ticket.setGranted(true);
        getAuthzClient().protection().permission().update(ticket);
    }

    // With the tickets granted, the same request from kolo must now succeed.
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] { "ScopeA", "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to resource from another user");
    }
    permissions = permissionsInRpt(response);
    assertPermissions(permissions, resource.getName(), "ScopeA", "ScopeB");
    assertTrue(permissions.isEmpty());

    // Sharing must not lock the owner out of their own resource.
    try {
        response = authorize("marta", "password", resource.getId(), new String[] { "ScopeB" });
    } catch (AuthorizationDeniedException ade) {
        fail("User should have access to his own resources");
    }
    permissions = permissionsInRpt(response);
    assertPermissions(permissions, resource.getName(), "ScopeB");
    assertTrue(permissions.isEmpty());
}

/**
 * Creates a scope permission on the current {@code resource} guarded by "Only Owner Policy".
 * The permission name is the resource name followed by {@code nameSuffix}.
 */
private void createOnlyOwnerScopePermission(String scope, String nameSuffix) {
    ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
    permission.setName(resource.getName() + nameSuffix);
    permission.addScope(scope);
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().scope().create(permission).close();
}

/**
 * Decodes the RPT in {@code response} and returns its permissions, failing if the token
 * or its authorization section is missing.
 */
private Collection<Permission> permissionsInRpt(AuthorizationResponse response) {
    String rpt = response.getToken();
    assertNotNull(rpt);
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    return permissions;
}
use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class PolicyEvaluationCompositeRoleTest method addScopePermission.
/**
 * Persists a scope permission directly through the policy store (no REST round-trip).
 *
 * @param authz          authorization provider giving access to the store factory
 * @param resourceServer resource server the permission belongs to
 * @param name           permission name
 * @param resource       resource the permission is bound to
 * @param scope          single scope the permission covers
 * @param policy         the one policy that decides the grant
 * @return the stored {@link Policy} representing the permission
 */
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
    ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
    scopePermission.setName(name);
    scopePermission.setType("scope");
    // UNANIMOUS + POSITIVE: every attached policy must grant; with a single policy this
    // reduces to that policy's own decision.
    scopePermission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    scopePermission.setLogic(Logic.POSITIVE);
    scopePermission.addResource(resource.getName());
    scopePermission.addScope(scope.getName());
    scopePermission.addPolicy(policy.getName());
    return authz.getStoreFactory().getPolicyStore().create(scopePermission, resourceServer);
}
use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class UmaPermissionTicketPushedClaimsTest method testEvaluatePermissionsWithPushedClaims.
/**
 * A JS policy reads a claim pushed with the permission ticket and grants only below a
 * limit; the granted RPT echoes the claim, and a value over the limit is refused.
 */
@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
    ResourceRepresentation account = addResource("Bank Account", "withdraw");

    // Policy: grant when the pushed claim parses to a value <= 100 (a missing claim never grants).
    // SECURITY: the claim is set by the requesting party itself in the permission request below,
    // so a policy keyed solely on it is trusting caller-controlled input. A real deployment must
    // derive such a value from a trusted source, not from what the requester asserts.
    JSPolicyRepresentation limitPolicy = new JSPolicyRepresentation();
    limitPolicy.setName("Withdraw Limit Policy");
    limitPolicy.setCode(
            "var context = $evaluation.getContext();"
            + "var attributes = context.getAttributes();"
            + "var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');"
            + "if (withdrawValue && withdrawValue.asDouble(0) <= 100) {"
            + " $evaluation.grant();"
            + "}");
    AuthorizationResource authorization = getClient(getRealm()).authorization();
    authorization.policies().js().create(limitPolicy).close();

    ScopePermissionRepresentation withdrawPermission = new ScopePermissionRepresentation();
    withdrawPermission.setName("Withdraw Permission");
    withdrawPermission.addScope("withdraw");
    withdrawPermission.addPolicy(limitPolicy.getName());
    authorization.permissions().scope().create(withdrawPermission).close();

    AuthzClient authzClient = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest(account.getId());
    permissionRequest.addScope("withdraw");

    // 50.5 is within the limit: exactly one permission, carrying the pushed claim, is expected.
    permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
    AuthorizationResponse granted = authzClient.authorization().authorize(ticketRequestFor(authzClient, permissionRequest));
    assertNotNull(granted);
    assertNotNull(granted.getToken());
    AccessToken rpt = toAccessToken(granted.getToken());
    Collection<Permission> permissions = rpt.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    Map<String, Set<String>> claims = permissions.iterator().next().getClaims();
    assertNotNull(claims);
    assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));

    // 100.5 exceeds the limit: the same ticket flow must be refused.
    permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
    AuthorizationRequest overLimit = ticketRequestFor(authzClient, permissionRequest);
    try {
        authzClient.authorization().authorize(overLimit);
        fail("Access should be denied");
    } catch (Exception expectedDenial) {
        // NOTE(review): catching Exception also swallows unrelated failures (transport errors,
        // NPEs) and would pass the test for the wrong reason; narrow this to the denial
        // exception type the authz client throws once it is imported here.
    }
}

/**
 * Obtains a permission ticket for {@code permissionRequest} as marta and wraps it, together
 * with marta's access token as claim token, into an {@link AuthorizationRequest}.
 */
private AuthorizationRequest ticketRequestFor(AuthzClient authzClient, PermissionRequest permissionRequest) {
    PermissionResponse ticketResponse = authzClient.protection("marta", "password").permission().create(permissionRequest);
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(ticketResponse.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    return request;
}