Example 11 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

Class UMAPolicyProviderFactory, method toRepresentation. Converts a stored UMA policy, together with the role, JS, group, client and user policies associated with it, back into the representation returned by the UMA policy API. Internal IDs are resolved to names (role name, group path, client ID, username) so the response never leaks database identifiers, and client roles are reported together with their client ID.

@Override
public UmaPermissionRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
    UmaPermissionRepresentation representation = new UmaPermissionRepresentation();
    // Scopes and owner are copied straight from the UMA policy itself.
    representation.setScopes(policy.getScopes().stream().map(Scope::getName).collect(Collectors.toSet()));
    representation.setOwner(policy.getOwner());
    // Each associated policy is flattened into the representation according to its type.
    for (Policy associatedPolicy : policy.getAssociatedPolicies()) {
        AbstractPolicyRepresentation associatedRep = ModelToRepresentation.toRepresentation(associatedPolicy, authorization, false, false);
        RealmModel realm = authorization.getRealm();
        if ("role".equals(associatedRep.getType())) {
            RolePolicyRepresentation rep = RolePolicyRepresentation.class.cast(associatedRep);
            for (RoleDefinition definition : rep.getRoles()) {
                RoleModel role = realm.getRoleById(definition.getId());
                // Client roles are reported with their client ID, realm roles by name only.
                if (role.isClientRole()) {
                    representation.addClientRole(ClientModel.class.cast(role.getContainer()).getClientId(), role.getName());
                } else {
                    representation.addRole(role.getName());
                }
            }
        } else if ("js".equals(associatedRep.getType())) {
            // The JavaScript policy body is exposed as the free-form condition.
            JSPolicyRepresentation rep = JSPolicyRepresentation.class.cast(associatedRep);
            representation.setCondition(rep.getCode());
        } else if ("group".equals(associatedRep.getType())) {
            // Groups are reported by their full path rather than by ID.
            GroupPolicyRepresentation rep = GroupPolicyRepresentation.class.cast(associatedRep);
            for (GroupDefinition definition : rep.getGroups()) {
                representation.addGroup(ModelToRepresentation.buildGroupPath(realm.getGroupById(definition.getId())));
            }
        } else if ("client".equals(associatedRep.getType())) {
            // Clients are reported by client ID rather than by internal ID.
            ClientPolicyRepresentation rep = ClientPolicyRepresentation.class.cast(associatedRep);
            for (String client : rep.getClients()) {
                representation.addClient(realm.getClientById(client).getClientId());
            }
        } else if ("user".equals(associatedPolicy.getType())) {
            // Users are reported by username rather than by internal ID.
            UserPolicyRepresentation rep = UserPolicyRepresentation.class.cast(associatedRep);
            for (String user : rep.getUsers()) {
                representation.addUser(authorization.getKeycloakSession().users().getUserById(realm, user).getUsername());
            }
        }
    }
    return representation;
}
Also used : Policy(org.keycloak.authorization.model.Policy) RolePolicyRepresentation(org.keycloak.representations.idm.authorization.RolePolicyRepresentation) ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) RoleDefinition(org.keycloak.representations.idm.authorization.RolePolicyRepresentation.RoleDefinition) RoleModel(org.keycloak.models.RoleModel) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) GroupPolicyRepresentation(org.keycloak.representations.idm.authorization.GroupPolicyRepresentation) AbstractPolicyRepresentation(org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation) RealmModel(org.keycloak.models.RealmModel) Scope(org.keycloak.authorization.model.Scope) GroupDefinition(org.keycloak.representations.idm.authorization.GroupPolicyRepresentation.GroupDefinition) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation)

Example 12 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

Class UserManagedPermissionService, method update. The PUT handler of the UMA policy endpoint: it parses the JSON body into an UmaPermissionRepresentation, validates the request against the resource the policy belongs to (checkRequest), and only then hands the update to the admin-side PolicyTypeResourceService.

@Path("{policyId}")
@PUT
@Consumes("application/json")
@Produces("application/json")
public Response update(@PathParam("policyId") String policyId, String payload) {
    UmaPermissionRepresentation representation;
    try {
        // Parse the body before touching any state; a malformed body is an OAuth invalid_request.
        representation = JsonSerialization.readValue(payload, UmaPermissionRepresentation.class);
    } catch (IOException e) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Failed to parse representation", Status.BAD_REQUEST);
    }
    // Validate the request against the resource this policy is attached to before any write happens.
    checkRequest(getAssociatedResourceId(policyId), representation);
    // The original payload is then passed unchanged to the admin policy resource that performs the update.
    return PolicyTypeResourceService.class.cast(delegate.getResource(policyId)).update(payload);
}
Also used : PolicyTypeResourceService(org.keycloak.authorization.admin.PolicyTypeResourceService) ErrorResponseException(org.keycloak.services.ErrorResponseException) IOException(java.io.IOException) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) PUT(javax.ws.rs.PUT)

Example 13 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

Class UserManagedPermissionServiceTest, method testUserManagedPermission. Authorization decisions follow the current state of the user-managed permission: kolo is granted Scope A through role_a, loses access when the permission is switched to role_b, regains it when role_a is added back, and is denied once the permission is deleted; a user-based permission created afterwards admits alice only.

@Test
public void testUserManagedPermission() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Permission");
    permission.setDescription("Users from specific roles are allowed to access");
    permission.addScope("Scope A");
    permission.addRole("role_a");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    permission = protection.policy(resource.getId()).create(permission);
    AuthorizationResource authorization = getAuthzClient().authorization("kolo", "password");
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "Scope A");
    AuthorizationResponse authzResponse = authorization.authorize(request);
    assertNotNull(authzResponse);
    permission.removeRole("role_a");
    permission.addRole("role_b");
    protection.policy(resource.getId()).update(permission);
    try {
        authorization.authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
    try {
        getAuthzClient().authorization("alice", "password").authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
    permission.addRole("role_a");
    protection.policy(resource.getId()).update(permission);
    authzResponse = authorization.authorize(request);
    assertNotNull(authzResponse);
    protection.policy(resource.getId()).delete(permission.getId());
    try {
        authorization.authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
    try {
        getAuthzClient().protection("marta", "password").policy(resource.getId()).findById(permission.getId());
        fail("Permission must not exist");
    } catch (Exception e) {
        assertEquals(404, HttpResponseException.class.cast(e.getCause()).getStatusCode());
    }
    // create a user based permission, where only selected users are allowed access to the resource.
    permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Permission");
    permission.setDescription("Specific users are allowed access to the resource");
    permission.addScope("Scope A");
    permission.addUser("alice");
    protection.policy(resource.getId()).create(permission);
    // alice should be able to access the resource with the updated permission.
    authzResponse = getAuthzClient().authorization("alice", "password").authorize(request);
    assertNotNull(authzResponse);
    // kolo shouldn't be able to access the resource with the updated permission.
    try {
        authorization.authorize(request);
        fail("User should not have permission to access the protected resource");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) AuthorizationResource(org.keycloak.authorization.client.resource.AuthorizationResource) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 14 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

Class UserManagedPermissionServiceTest, method testOnlyResourcesWithOwnerManagedAccess. A resource registered without ownerManagedAccess cannot carry user-managed policies; the UMA policy endpoint rejects the request even when it comes from the resource owner.

@Test
public void testOnlyResourcesWithOwnerManagedAccess() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(UUID.randomUUID().toString());
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    ProtectionResource protection = getAuthzClient().protection();
    resource = protection.resource().create(resource);
    try {
        getAuthzClient().protection("marta", "password").policy(resource.getId()).create(new UmaPermissionRepresentation());
        fail("Error expected");
    } catch (Exception e) {
        assertTrue(HttpResponseException.class.cast(e.getCause()).toString().contains("Only resources with owner managed accessed can have policies"));
    }
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Test(org.junit.Test)

Example 15 with UmaPermissionRepresentation

Use of org.keycloak.representations.idm.authorization.UmaPermissionRepresentation in project keycloak by keycloak.

Class UserManagedPermissionServiceTest, method testGrantRequestedScopesOnly. The RPT carries only the scopes that were both requested and granted: kolo, who is granted only view, receives view, is denied when asking for delete, and receives only view when asking for the resource without naming a scope.

@Test
public void testGrantRequestedScopesOnly() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName(UUID.randomUUID().toString());
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("view", "delete");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    resource = protection.resource().create(resource);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Permission");
    permission.addScope("view");
    permission.addUser("kolo");
    permission = protection.policy(resource.getId()).create(permission);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "view");
    AuthorizationResponse response = getAuthzClient().authorization("kolo", "password").authorize(request);
    AccessToken rpt = toAccessToken(response.getToken());
    Collection<Permission> permissions = rpt.getAuthorization().getPermissions();
    // The test helper assertPermissions removes the entries it matches, so an empty
    // collection afterwards shows the RPT carried nothing beyond this resource and "view".
    assertPermissions(permissions, resource.getId(), "view");
    assertTrue(permissions.isEmpty());
    request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "delete");
    try {
        getAuthzClient().authorization("kolo", "password").authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
    request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "delete");
    try {
        getAuthzClient().authorization("kolo", "password").authorize(request);
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
    // No scope named in the request: the RPT still carries only the scope kolo actually holds.
    request = new AuthorizationRequest();
    request.addPermission(resource.getId());
    response = getAuthzClient().authorization("kolo", "password").authorize(request);
    rpt = toAccessToken(response.getToken());
    permissions = rpt.getAuthorization().getPermissions();
    assertPermissions(permissions, resource.getId(), "view");
    assertTrue(permissions.isEmpty());
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)
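The flow exercised by Examples 13 to 15, condensed into a stand-alone program with the checks a requesting party should make. This is an added example, not Keycloak project code: it uses the same public authz-client API as the tests (AuthzClient, ProtectionResource, PolicyResource, AuthorizationRequest) plus org.keycloak.TokenVerifier to parse the RPT, and assumes a keycloak.json for a resource-server client on the classpath and a realm with users "marta" and "kolo" (password "password") as in the tests. The class name, resource name and the "share ..." policy name are this example's own.

```java
import java.util.HashSet;
import java.util.Set;

import org.keycloak.TokenVerifier;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.resource.ProtectionResource;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;
import org.keycloak.util.JsonSerialization;

/**
 * Added example (not Keycloak code): an owner shares one scope of an
 * owner-managed resource with another user, and the requesting party verifies
 * that the RPT grants no more than it asked for.
 * Assumes keycloak.json on the classpath and users marta/kolo with password "password".
 */
public class UmaShareExample {

    /** Register a resource that is allowed to carry user-managed policies. */
    static ResourceRepresentation createOwnerManagedResource(ProtectionResource protection, String owner,
                                                            String... scopes) {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName("document-" + System.nanoTime()); // example name, unique per run
        resource.setOwner(owner);
        // Without this flag the UMA policy endpoint rejects every policy for the resource
        // ("Only resources with owner managed accessed can have policies", Example 14).
        resource.setOwnerManagedAccess(true);
        resource.addScope(scopes);
        return protection.resource().create(resource);
    }

    /** The owner grants exactly one scope to one user; returns the stored policy with its id. */
    static UmaPermissionRepresentation shareScopeWithUser(ProtectionResource ownerProtection, String resourceId,
                                                          String scope, String user) throws Exception {
        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("share " + scope + " with " + user);
        permission.addScope(scope); // only this scope, not the resource's whole scope set
        permission.addUser(user);   // user-based policy; roles, groups, clients and condition stay empty
        // Wire shape of the request body, for comparison with toRepresentation in Example 11.
        System.out.println(JsonSerialization.writeValueAsString(permission));
        return ownerProtection.policy(resourceId).create(permission);
    }

    /**
     * Ask for an RPT covering one scope and return the scopes actually granted.
     * Fails hard if the RPT names any other resource: the token endpoint must never
     * hand back more than was requested.
     */
    static Set<String> grantedScopes(AuthzClient authz, String user, String password,
                                     String resourceId, String scope) throws Exception {
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceId, scope);
        AuthorizationResponse response = authz.authorization(user, password).authorize(request);
        // Parsed only, not signature-verified: this token came straight from the token endpoint
        // over TLS. An RPT presented by a third party must be verified before it is trusted.
        AccessToken rpt = TokenVerifier.create(response.getToken(), AccessToken.class).getToken();
        Set<String> granted = new HashSet<>();
        for (Permission p : rpt.getAuthorization().getPermissions()) {
            if (!resourceId.equals(p.getResourceId())) {
                throw new IllegalStateException("RPT grants an unrequested resource: " + p.getResourceId());
            }
            granted.addAll(p.getScopes());
        }
        return granted;
    }

    public static void main(String[] args) throws Exception {
        AuthzClient authz = AuthzClient.create();
        ProtectionResource marta = authz.protection("marta", "password");

        ResourceRepresentation resource = createOwnerManagedResource(marta, "marta", "view", "delete");
        UmaPermissionRepresentation policy = shareScopeWithUser(marta, resource.getId(), "view", "kolo");

        Set<String> granted = grantedScopes(authz, "kolo", "password", resource.getId(), "view");
        if (!granted.equals(Set.of("view"))) {
            throw new IllegalStateException("expected only [view], got " + granted);
        }

        try {
            grantedScopes(authz, "kolo", "password", resource.getId(), "delete");
            throw new IllegalStateException("delete must be denied: no policy grants it");
        } catch (AuthorizationDeniedException expected) {
            System.out.println("delete denied as expected");
        }

        // Revocation is just deleting the policy; the next request is denied outright.
        marta.policy(resource.getId()).delete(policy.getId());
        try {
            grantedScopes(authz, "kolo", "password", resource.getId(), "view");
            throw new IllegalStateException("view must be denied after revocation");
        } catch (AuthorizationDeniedException expected) {
            System.out.println("view denied after revocation");
        }
    }
}
```

The owner's password is used here only because the tests do the same (direct grant); in a real deployment the owner would manage policies through the account console or a browser flow, and the resource server would never hold end-user credentials.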

Aggregations

UmaPermissionRepresentation (org.keycloak.representations.idm.authorization.UmaPermissionRepresentation)18 ProtectionResource (org.keycloak.authorization.client.resource.ProtectionResource)15 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)15 Test (org.junit.Test)13 NotFoundException (javax.ws.rs.NotFoundException)9 AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException)9 HttpResponseException (org.keycloak.authorization.client.util.HttpResponseException)9 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)5 AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)5 AuthorizationResource (org.keycloak.authorization.client.resource.AuthorizationResource)3 IOException (java.io.IOException)2 Consumes (javax.ws.rs.Consumes)2 PUT (javax.ws.rs.PUT)2 Path (javax.ws.rs.Path)2 Produces (javax.ws.rs.Produces)2 PolicyTypeResourceService (org.keycloak.authorization.admin.PolicyTypeResourceService)2 PolicyResource (org.keycloak.authorization.client.resource.PolicyResource)2 Policy (org.keycloak.authorization.model.Policy)2 AccessToken (org.keycloak.representations.AccessToken)2 Permission (org.keycloak.representations.idm.authorization.Permission)2