Example 1 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

In class UserManagedPermissionService, method checkRequest:

private void checkRequest(String resourceId, UmaPermissionRepresentation representation) {
    ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
    Resource resource = resourceStore.findById(resourceId, resourceServer.getId());
    if (resource == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Resource [" + resourceId + "] cannot be found", Status.BAD_REQUEST);
    }
    // Only the resource owner (the authenticated identity) may read or manage its UMA policies.
    if (!resource.getOwner().equals(identity.getId())) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Only resource owner can access policies for resource [" + resourceId + "]", Status.BAD_REQUEST);
    }
    // User-managed policies are only allowed on resources flagged as owner-managed.
    if (!resource.isOwnerManagedAccess()) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Only resources with owner managed accessed can have policies", Status.BAD_REQUEST);
    }
    // The resource server must have opted in to remote resource management.
    if (!resourceServer.isAllowRemoteResourceManagement()) {
        throw new ErrorResponseException(OAuthErrorException.REQUEST_NOT_SUPPORTED, "Remote Resource Management not enabled on resource server [" + resourceServer.getId() + "]", Status.FORBIDDEN);
    }
    if (representation != null) {
        // A policy may only grant scopes the resource itself defines; an empty scope set defaults to all of them.
        Set<String> resourceScopes = resource.getScopes().stream().map(scope -> scope.getName()).collect(Collectors.toSet());
        Set<String> scopes = representation.getScopes();
        if (scopes == null || scopes.isEmpty()) {
            scopes = resourceScopes;
            representation.setScopes(scopes);
        }
        if (!resourceScopes.containsAll(scopes)) {
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Some of the scopes [" + scopes + "] are not valid for resource [" + resourceId + "]", Status.BAD_REQUEST);
        }
        // A policy condition is a script; accept one only when script upload is enabled for this deployment.
        if (representation.getCondition() != null) {
            if (!Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
                throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Script upload not supported", Status.BAD_REQUEST);
            }
        }
    }
}
Also used: PathParam (javax.ws.rs.PathParam), Produces (javax.ws.rs.Produces), Profile (org.keycloak.common.Profile), GET (javax.ws.rs.GET), Path (javax.ws.rs.Path), ResteasyProviderFactory (org.jboss.resteasy.spi.ResteasyProviderFactory), OAuthErrorException (org.keycloak.OAuthErrorException), QueryParam (javax.ws.rs.QueryParam), Consumes (javax.ws.rs.Consumes), ErrorResponseException (org.keycloak.services.ErrorResponseException), AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider), Status (javax.ws.rs.core.Response.Status), Identity (org.keycloak.authorization.identity.Identity), DELETE (javax.ws.rs.DELETE), PolicyTypeResourceService (org.keycloak.authorization.admin.PolicyTypeResourceService), ResourceServer (org.keycloak.authorization.model.ResourceServer), POST (javax.ws.rs.POST), Set (java.util.Set), IOException (java.io.IOException), ResourceStore (org.keycloak.authorization.store.ResourceStore), Collectors (java.util.stream.Collectors), KeycloakIdentity (org.keycloak.authorization.common.KeycloakIdentity), PermissionService (org.keycloak.authorization.admin.PermissionService), JsonSerialization (org.keycloak.util.JsonSerialization), Policy (org.keycloak.authorization.model.Policy), Response (javax.ws.rs.core.Response), NoCache (org.jboss.resteasy.annotations.cache.NoCache), UmaPermissionRepresentation (org.keycloak.representations.idm.authorization.UmaPermissionRepresentation), PUT (javax.ws.rs.PUT), Resource (org.keycloak.authorization.model.Resource), AdminEventBuilder (org.keycloak.services.resources.admin.AdminEventBuilder)

Example 2 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

In class UserManagedPermissionServiceTest, method testRemovePoliciesOnClientDelete:

@Test
public void testRemovePoliciesOnClientDelete() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);
    UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
    newPermission.setName("Custom User-Managed Permission");
    newPermission.addClient("client-remove");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    protection.policy(resource.getId()).create(newPermission);
    getTestingClient().server().run((RunOnServer) UserManagedPermissionServiceTest::testRemovePoliciesOnClientDelete);
}
Also used: ProtectionResource (org.keycloak.authorization.client.resource.ProtectionResource), UmaPermissionRepresentation (org.keycloak.representations.idm.authorization.UmaPermissionRepresentation), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), Test (org.junit.Test)

Example 3 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

In class UserManagedPermissionServiceTest, method testOnlyResourceOwnerCanManagePolicies:

@Test
public void testOnlyResourceOwnerCanManagePolicies() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(UUID.randomUUID().toString());
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    ProtectionResource protection = getAuthzClient().protection();
    resource = protection.resource().create(resource);
    try {
        // "alice" is not the owner of the resource, so the server must reject the policy creation
        getAuthzClient().protection("alice", "password").policy(resource.getId()).create(new UmaPermissionRepresentation());
        fail("Error expected");
    } catch (Exception e) {
        assertTrue(HttpResponseException.class.cast(e.getCause()).toString().contains("Only resource owner can access policies for resource"));
    }
}
Also used: ProtectionResource (org.keycloak.authorization.client.resource.ProtectionResource), UmaPermissionRepresentation (org.keycloak.representations.idm.authorization.UmaPermissionRepresentation), HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException), AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException), NotFoundException (javax.ws.rs.NotFoundException), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), Test (org.junit.Test)

Example 4 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

In class UserManagedPermissionServiceTest, method testPermissionWithoutScopes:

@Test
public void testPermissionWithoutScopes() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(UUID.randomUUID().toString());
    resource.setOwner("marta");
    resource.setOwnerManagedAccess(true);
    resource.addScope("Scope A", "Scope B", "Scope C");
    ProtectionResource protection = getAuthzClient().protection();
    resource = protection.resource().create(resource);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Policy");
    permission.addRole("role_a");
    PolicyResource policy = getAuthzClient().protection("marta", "password").policy(resource.getId());
    permission = policy.create(permission);
    // no scopes were set on the policy, so the server defaults it to all scopes of the resource
    assertEquals(3, permission.getScopes().size());
    assertTrue(Arrays.asList("Scope A", "Scope B", "Scope C").containsAll(permission.getScopes()));
    permission = policy.findById(permission.getId());
    assertTrue(Arrays.asList("Scope A", "Scope B", "Scope C").containsAll(permission.getScopes()));
    assertEquals(3, permission.getScopes().size());
    permission.removeScope("Scope B");
    policy.update(permission);
    permission = policy.findById(permission.getId());
    assertEquals(2, permission.getScopes().size());
    assertTrue(Arrays.asList("Scope A", "Scope C").containsAll(permission.getScopes()));
}
Also used: ProtectionResource (org.keycloak.authorization.client.resource.ProtectionResource), PolicyResource (org.keycloak.authorization.client.resource.PolicyResource), UmaPermissionRepresentation (org.keycloak.representations.idm.authorization.UmaPermissionRepresentation), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), Test (org.junit.Test)

Example 5 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

In class UserManagedPermissionServiceTest, method testDoNotGrantPermissionWhenObtainAllEntitlements:

@Test
public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Permission");
    permission.addScope("Scope A", "Scope B");
    permission.addUser("kolo");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    protection.policy(resource.getId()).create(permission);
    AuthorizationResource authorization = getAuthzClient().authorization("kolo", "password");
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "Scope A", "Scope B");
    AuthorizationResponse authzResponse = authorization.authorize(request);
    assertNotNull(authzResponse);
    AccessToken token = toAccessToken(authzResponse.getToken());
    assertNotNull(token.getAuthorization());
    Collection<Permission> permissions = token.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    assertTrue(permissions.iterator().next().getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));
    try {
        // policy engine does not evaluate custom policies when obtaining all entitlements
        getAuthzClient().authorization("kolo", "password").authorize();
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
}
Also used: ProtectionResource (org.keycloak.authorization.client.resource.ProtectionResource), AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest), AccessToken (org.keycloak.representations.AccessToken), Permission (org.keycloak.representations.idm.authorization.Permission), UmaPermissionRepresentation (org.keycloak.representations.idm.authorization.UmaPermissionRepresentation), AuthorizationResource (org.keycloak.authorization.client.resource.AuthorizationResource), HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException), AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException), NotFoundException (javax.ws.rs.NotFoundException), ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation), AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse), Test (org.junit.Test)
