use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class EntitlementAPITest method testServerDecisionStrategy.
@Test
public void testServerDecisionStrategy() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("read", "write", "delete");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
grantPolicy.setName(KeycloakModelUtils.generateId());
grantPolicy.setCode("$evaluation.grant();");
authorization.policies().js().create(grantPolicy).close();
JSPolicyRepresentation denyPolicy = new JSPolicyRepresentation();
denyPolicy.setName(KeycloakModelUtils.generateId());
denyPolicy.setCode("$evaluation.deny();");
authorization.policies().js().create(denyPolicy).close();
ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
resourcePermission.setName(KeycloakModelUtils.generateId());
resourcePermission.addResource(resource.getId());
resourcePermission.addPolicy(denyPolicy.getName());
authorization.permissions().resource().create(resourcePermission).close();
ScopePermissionRepresentation scopePermission1 = new ScopePermissionRepresentation();
scopePermission1.setName(KeycloakModelUtils.generateId());
scopePermission1.addScope("read");
scopePermission1.addPolicy(grantPolicy.getName());
ScopePermissionsResource scopePermissions = authorization.permissions().scope();
scopePermissions.create(scopePermission1).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(resource.getName());
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access the resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
ResourceServerRepresentation settings = authorization.getSettings();
settings.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
authorization.update(settings);
assertPermissions(authzClient, accessToken, request, resource, "read");
scopePermission1 = scopePermissions.findByName(scopePermission1.getName());
scopePermission1.addScope("read", "delete");
scopePermissions.findById(scopePermission1.getId()).update(scopePermission1);
assertPermissions(authzClient, accessToken, request, resource, "read", "delete");
ScopePermissionRepresentation scopePermission2 = new ScopePermissionRepresentation();
scopePermission2.setName(KeycloakModelUtils.generateId());
scopePermission2.addScope("write");
scopePermission2.addPolicy(grantPolicy.getName());
scopePermissions.create(scopePermission2).close();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
ScopePermissionRepresentation scopePermission3 = new ScopePermissionRepresentation();
scopePermission3.setName(KeycloakModelUtils.generateId());
scopePermission3.addResource(resource.getId());
scopePermission3.addScope("write", "read", "delete");
scopePermission3.addPolicy(grantPolicy.getName());
scopePermissions.create(scopePermission3).close();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
scopePermission2 = scopePermissions.findByName(scopePermission2.getName());
scopePermissions.findById(scopePermission2.getId()).remove();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
scopePermission1 = scopePermissions.findByName(scopePermission1.getName());
scopePermissions.findById(scopePermission1.getId()).remove();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
scopePermission3 = scopePermissions.findByName(scopePermission3.getName());
scopePermission3.addScope("write", "delete");
scopePermissions.findById(scopePermission3.getId()).update(scopePermission3);
assertPermissions(authzClient, accessToken, request, resource, "delete", "write");
scopePermissions.findById(scopePermission3.getId()).remove();
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access the resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
ResourcePermissionRepresentation grantResourcePermission = new ResourcePermissionRepresentation();
grantResourcePermission.setName(KeycloakModelUtils.generateId());
grantResourcePermission.addResource(resource.getId());
grantResourcePermission.addPolicy(grantPolicy.getName());
authorization.permissions().resource().create(grantResourcePermission).close();
assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
authorization.update(settings);
try {
authzClient.authorization(accessToken).authorize(request);
fail("kolo can not access the resource");
} catch (RuntimeException expected) {
assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
}
}
use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class EntitlementAPITest method testOfflineRequestingPartyToken.
@Test
public void testOfflineRequestingPartyToken() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Sensors");
resource.addScope("sensors:view", "sensors:update", "sensors:delete");
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
permission.setName("View Sensor");
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).scope("offline_access").doGrantAccessTokenRequest("secret", "offlineuser", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AccessTokenResponse response = authzClient.authorization(accessToken).authorize();
assertNotNull(response.getToken());
controller.stop(suiteContext.getAuthServerInfo().getQualifier());
controller.start(suiteContext.getAuthServerInfo().getQualifier());
reconnectAdminClient();
configureSectorIdentifierRedirectUris();
TokenIntrospectionResponse introspectionResponse = authzClient.protection().introspectRequestingPartyToken(response.getToken());
assertTrue(introspectionResponse.getActive());
assertFalse(introspectionResponse.getPermissions().isEmpty());
response = authzClient.authorization(accessToken).authorize();
assertNotNull(response.getToken());
}
use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class PermissionClaimTest method testClaimsFromDifferentScopePermissions.
@Test
public void testClaimsFromDifferentScopePermissions() throws Exception {
ClientResource client = getClient(getRealm());
AuthorizationResource authorization = client.authorization();
ResourceRepresentation resourceA = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
authorization.resources().create(resourceA).close();
ResourceRepresentation resourceB = new ResourceRepresentation(KeycloakModelUtils.generateId(), "create", "update");
authorization.resources().create(resourceB).close();
ScopePermissionRepresentation allScopesPermission = new ScopePermissionRepresentation();
allScopesPermission.setName(KeycloakModelUtils.generateId());
allScopesPermission.addScope("create", "update");
allScopesPermission.addPolicy(claimAPolicy.getName(), claimBPolicy.getName());
authorization.permissions().scope().create(allScopesPermission).close();
ScopePermissionRepresentation updatePermission = new ScopePermissionRepresentation();
updatePermission.setName(KeycloakModelUtils.generateId());
updatePermission.addScope("update");
updatePermission.addPolicy(claimCPolicy.getName());
try (Response response = authorization.permissions().scope().create(updatePermission)) {
updatePermission = response.readEntity(ScopePermissionRepresentation.class);
}
AuthzClient authzClient = getAuthzClient();
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "create", "update");
AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
AccessToken rpt = toAccessToken(response.getToken());
Authorization authorizationClaim = rpt.getAuthorization();
List<Permission> permissions = new ArrayList<>(authorizationClaim.getPermissions());
assertEquals(2, permissions.size());
for (Permission permission : permissions) {
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
}
updatePermission.addPolicy(denyPolicy.getName());
authorization.permissions().scope().findById(updatePermission.getId()).update(updatePermission);
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
rpt = toAccessToken(response.getToken());
authorizationClaim = rpt.getAuthorization();
permissions = new ArrayList<>(authorizationClaim.getPermissions());
assertEquals(2, permissions.size());
for (Permission permission : permissions) {
Map<String, Set<String>> claims = permission.getClaims();
assertNotNull(claims);
assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
}
}
use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class ScopePermissionManagementTest method testUpdateResourceScope.
@Test
public void testUpdateResourceScope() {
authorizationPage.navigateTo();
ScopePermissionRepresentation expected = new ScopePermissionRepresentation();
expected.setName("testUpdateResourceScope Permission");
expected.setDescription("description");
expected.addResource("Resource A");
expected.addScope("Scope A");
expected.addPolicy("Policy C", "Policy A", "Policy B");
expected = createPermission(expected);
String previousName = expected.getName();
expected.setName(previousName + "Changed");
expected.setDescription("changed");
expected.setDecisionStrategy(DecisionStrategy.CONSENSUS);
expected.getResources().clear();
expected.addResource("Resource B");
expected.getScopes().clear();
expected.addScope("Scope B", "Scope C");
expected.getPolicies().clear();
expected.addPolicy("Policy C");
authorizationPage.navigateTo();
authorizationPage.authorizationTabs().permissions().update(previousName, expected);
assertAlertSuccess();
authorizationPage.navigateTo();
ScopePermission actual = authorizationPage.authorizationTabs().permissions().name(expected.getName());
assertPolicy(expected, actual);
expected.getPolicies().clear();
authorizationPage.navigateTo();
authorizationPage.authorizationTabs().permissions().update(expected.getName(), expected);
assertAlertSuccess();
authorizationPage.navigateTo();
actual = authorizationPage.authorizationTabs().permissions().name(expected.getName());
assertPolicy(expected, actual);
}
use of org.keycloak.representations.idm.authorization.ScopePermissionRepresentation in project keycloak by keycloak.
the class ScopePermissionManagementTest method assertPolicy.
private ScopePermissionRepresentation assertPolicy(ScopePermissionRepresentation expected, ScopePermission policy) {
ScopePermissionRepresentation actual = policy.toRepresentation();
assertEquals(expected.getName(), actual.getName());
assertEquals(expected.getDescription(), actual.getDescription());
assertEquals(expected.getDecisionStrategy(), actual.getDecisionStrategy());
if (expected.getPolicies() == null) {
assertTrue(actual.getPolicies() == null || actual.getPolicies().isEmpty());
} else {
assertEquals(expected.getPolicies().size(), actual.getPolicies().size());
}
assertEquals(0, actual.getPolicies().stream().filter(actualPolicy -> !expected.getPolicies().stream().filter(expectedPolicy -> actualPolicy.equals(expectedPolicy)).findFirst().isPresent()).count());
if (expected.getResources() != null) {
assertEquals(expected.getResources().size(), actual.getResources().size());
assertEquals(0, actual.getResources().stream().filter(actualResource -> !expected.getResources().stream().filter(expectedResource -> actualResource.equals(expectedResource)).findFirst().isPresent()).count());
}
assertEquals(expected.getScopes().size(), actual.getScopes().size());
assertEquals(0, actual.getScopes().stream().filter(actualScope -> !expected.getScopes().stream().filter(expectedScope -> actualScope.equals(expectedScope)).findFirst().isPresent()).count());
return actual;
}
Aggregations