Examples with UserPolicyRepresentation org.keycloak.representations.idm.authorization.UserPolicyRepresentation used on opensource projects

Search in sources :

Example 11 with UserPolicyRepresentation

use of org.keycloak.representations.idm.authorization.UserPolicyRepresentation in project keycloak by keycloak.

the class AggregatePolicyManagementTest method testCreateWithChildAndSelectedPolicy.

@Test
public void testCreateWithChildAndSelectedPolicy() {
    refreshPageAndWaitForLoad();
    AggregatePolicyRepresentation expected = new AggregatePolicyRepresentation();
    expected.setName("Test Child Create And Select Aggregate Policy");
    expected.setDescription("description");
    expected.addPolicy("Policy C");
    AggregatePolicy policy = authorizationPage.authorizationTabs().policies().create(expected, false);
    RolePolicyRepresentation childRolePolicy = new RolePolicyRepresentation();
    childRolePolicy.setName(UUID.randomUUID().toString());
    childRolePolicy.addRole("Role A");
    policy.createPolicy(childRolePolicy);
    expected.addPolicy(childRolePolicy.getName());
    UserPolicyRepresentation childUserPolicy = new UserPolicyRepresentation();
    childUserPolicy.setName(UUID.randomUUID().toString());
    childUserPolicy.setDescription("description");
    childUserPolicy.addUser("user a");
    policy.createPolicy(childUserPolicy);
    expected.addPolicy(childUserPolicy.getName());
    ClientPolicyRepresentation childClientPolicy = new ClientPolicyRepresentation();
    childClientPolicy.setName(UUID.randomUUID().toString());
    childClientPolicy.setDescription("description");
    childClientPolicy.addClient("client a");
    policy.createPolicy(childClientPolicy);
    expected.addPolicy(childClientPolicy.getName());
    JSPolicyRepresentation childJSPolicy = new JSPolicyRepresentation();
    childJSPolicy.setName(UUID.randomUUID().toString());
    childJSPolicy.setDescription("description");
    childJSPolicy.setCode("$evaluation.grant();");
    policy.createPolicy(childJSPolicy);
    expected.addPolicy(childJSPolicy.getName());
    TimePolicyRepresentation childTimePolicy = new TimePolicyRepresentation();
    childTimePolicy.setName(UUID.randomUUID().toString());
    childTimePolicy.setDescription("description");
    childTimePolicy.setNotBefore("2017-01-01 00:00:00");
    childTimePolicy.setNotBefore("2018-01-01 00:00:00");
    policy.createPolicy(childTimePolicy);
    expected.addPolicy(childTimePolicy.getName());
    GroupPolicyRepresentation childGroupPolicy = new GroupPolicyRepresentation();
    childGroupPolicy.setName(UUID.randomUUID().toString());
    childGroupPolicy.setDescription("description");
    childGroupPolicy.setGroupsClaim("groups");
    childGroupPolicy.addGroupPath("/Group A", true);
    policy.createPolicy(childGroupPolicy);
    expected.addPolicy(childGroupPolicy.getName());
    policy.form().save();
    assertAlertSuccess();
    authorizationPage.navigateTo();
    AggregatePolicy actual = authorizationPage.authorizationTabs().policies().name(expected.getName());
    assertPolicy(expected, actual);
}
Also used : RolePolicyRepresentation(org.keycloak.representations.idm.authorization.RolePolicyRepresentation) ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) TimePolicyRepresentation(org.keycloak.representations.idm.authorization.TimePolicyRepresentation) AggregatePolicy(org.keycloak.testsuite.console.page.clients.authorization.policy.AggregatePolicy) GroupPolicyRepresentation(org.keycloak.representations.idm.authorization.GroupPolicyRepresentation) AggregatePolicyRepresentation(org.keycloak.representations.idm.authorization.AggregatePolicyRepresentation) Test(org.junit.Test)

Example 12 with UserPolicyRepresentation

use of org.keycloak.representations.idm.authorization.UserPolicyRepresentation in project keycloak by keycloak.

the class ScopePermissionManagementTest method configureTest.

@Before
public void configureTest() {
    super.configureTest();
    RolesResource realmRoles = testRealmResource().roles();
    realmRoles.create(new RoleRepresentation("Role A", "", false));
    realmRoles.create(new RoleRepresentation("Role B", "", false));
    RolePolicyRepresentation policyA = new RolePolicyRepresentation();
    policyA.setName("Policy A");
    policyA.addRole("Role A");
    AuthorizationResource authorization = testRealmResource().clients().get(newClient.getId()).authorization();
    PoliciesResource policies = authorization.policies();
    RolePoliciesResource roles = policies.role();
    roles.create(policyA);
    RolePolicyRepresentation policyB = new RolePolicyRepresentation();
    policyB.setName("Policy B");
    policyB.addRole("Role B");
    roles.create(policyB);
    UserPolicyRepresentation policyC = new UserPolicyRepresentation();
    policyC.setName("Policy C");
    policyC.addUser("test");
    policies.user().create(policyC).close();
    authorization.scopes().create(new ScopeRepresentation("Scope A"));
    authorization.scopes().create(new ScopeRepresentation("Scope B"));
    authorization.scopes().create(new ScopeRepresentation("Scope C"));
    ResourcesResource resources = authorization.resources();
    resources.create(new ResourceRepresentation("Resource A", "Scope A"));
    resources.create(new ResourceRepresentation("Resource B", "Scope B", "Scope C"));
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) RolePolicyRepresentation(org.keycloak.representations.idm.authorization.RolePolicyRepresentation) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) RolePoliciesResource(org.keycloak.admin.client.resource.RolePoliciesResource) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) PoliciesResource(org.keycloak.admin.client.resource.PoliciesResource) RolePoliciesResource(org.keycloak.admin.client.resource.RolePoliciesResource) RolesResource(org.keycloak.admin.client.resource.RolesResource) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourcesResource(org.keycloak.admin.client.resource.ResourcesResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Before(org.junit.Before)

Example 13 with UserPolicyRepresentation

use of org.keycloak.representations.idm.authorization.UserPolicyRepresentation in project keycloak by keycloak.

the class UserPolicyManagementTest method testDelete.

@Test
public void testDelete() throws InterruptedException {
    authorizationPage.navigateTo();
    UserPolicyRepresentation expected = new UserPolicyRepresentation();
    expected.setName("Test User Policy");
    expected.setDescription("description");
    expected.addUser("user c");
    expected = createPolicy(expected);
    authorizationPage.navigateTo();
    authorizationPage.authorizationTabs().policies().delete(expected.getName());
    assertAlertSuccess();
    authorizationPage.navigateTo();
    assertNull(authorizationPage.authorizationTabs().policies().policies().findByName(expected.getName()));
}
Also used : UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) Test(org.junit.Test)

Example 14 with UserPolicyRepresentation

use of org.keycloak.representations.idm.authorization.UserPolicyRepresentation in project keycloak by keycloak.

the class UserManagedPermissionUtil method createUserManagedPermission.

private static Policy createUserManagedPermission(PermissionTicket ticket, StoreFactory storeFactory) {
    PolicyStore policyStore = storeFactory.getPolicyStore();
    UserPolicyRepresentation userPolicyRep = new UserPolicyRepresentation();
    userPolicyRep.setName(KeycloakModelUtils.generateId());
    userPolicyRep.addUser(ticket.getRequester());
    Policy userPolicy = policyStore.create(userPolicyRep, ticket.getResourceServer());
    userPolicy.setOwner(ticket.getOwner());
    PolicyRepresentation policyRep = new PolicyRepresentation();
    policyRep.setName(KeycloakModelUtils.generateId());
    policyRep.setType("uma");
    policyRep.addPolicy(userPolicy.getId());
    Policy policy = policyStore.create(policyRep, ticket.getResourceServer());
    policy.setOwner(ticket.getOwner());
    policy.addResource(ticket.getResource());
    Scope scope = ticket.getScope();
    if (scope != null) {
        policy.addScope(scope);
    }
    return policy;
}
Also used : Policy(org.keycloak.authorization.model.Policy) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) Scope(org.keycloak.authorization.model.Scope) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) PolicyStore(org.keycloak.authorization.store.PolicyStore)

Example 15 with UserPolicyRepresentation

use of org.keycloak.representations.idm.authorization.UserPolicyRepresentation in project keycloak by keycloak.

the class EntitlementAPITest method testOverridePermission.

@Test
public void testOverridePermission() throws Exception {
    ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
    AuthorizationResource authorization = client.authorization();
    JSPolicyRepresentation onlyOwnerPolicy = createOnlyOwnerPolicy();
    authorization.policies().js().create(onlyOwnerPolicy).close();
    ResourceRepresentation typedResource = new ResourceRepresentation();
    typedResource.setType("resource");
    typedResource.setName(KeycloakModelUtils.generateId());
    typedResource.addScope("read", "update");
    try (Response response = authorization.resources().create(typedResource)) {
        typedResource = response.readEntity(ResourceRepresentation.class);
    }
    ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
    typedResourcePermission.setName(KeycloakModelUtils.generateId());
    typedResourcePermission.setResourceType("resource");
    typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
    try (Response response = authorization.permissions().resource().create(typedResourcePermission)) {
        typedResourcePermission = response.readEntity(ResourcePermissionRepresentation.class);
    }
    ResourceRepresentation martaResource = new ResourceRepresentation();
    martaResource.setType("resource");
    martaResource.setName(KeycloakModelUtils.generateId());
    martaResource.addScope("read", "update");
    martaResource.setOwner("marta");
    try (Response response = authorization.resources().create(martaResource)) {
        martaResource = response.readEntity(ResourceRepresentation.class);
    }
    String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(martaResource.getName());
    // marta can access her resource
    AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(martaResource.getName(), grantedPermission.getResourceName());
        Set<String> scopes = grantedPermission.getScopes();
        assertEquals(2, scopes.size());
        assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
    }
    accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
    authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    request = new AuthorizationRequest();
    request.addPermission(martaResource.getId());
    try {
        authzClient.authorization(accessToken).authorize(request);
        fail("kolo can not access marta resource");
    } catch (RuntimeException expected) {
        assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
        assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
    }
    UserPolicyRepresentation onlyKoloPolicy = new UserPolicyRepresentation();
    onlyKoloPolicy.setName(KeycloakModelUtils.generateId());
    onlyKoloPolicy.addUser("kolo");
    authorization.policies().user().create(onlyKoloPolicy).close();
    ResourcePermissionRepresentation martaResourcePermission = new ResourcePermissionRepresentation();
    martaResourcePermission.setName(KeycloakModelUtils.generateId());
    martaResourcePermission.addResource(martaResource.getId());
    martaResourcePermission.addPolicy(onlyKoloPolicy.getName());
    try (Response response1 = authorization.permissions().resource().create(martaResourcePermission)) {
        martaResourcePermission = response1.readEntity(ResourcePermissionRepresentation.class);
    }
    response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(martaResource.getName(), grantedPermission.getResourceName());
        Set<String> scopes = grantedPermission.getScopes();
        assertEquals(2, scopes.size());
        assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
    }
    typedResourcePermission.setResourceType(null);
    typedResourcePermission.addResource(typedResource.getName());
    authorization.permissions().resource().findById(typedResourcePermission.getId()).update(typedResourcePermission);
    // now kolo can access marta's resources, last permission is overriding policies from typed resource
    response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(martaResource.getName(), grantedPermission.getResourceName());
        Set<String> scopes = grantedPermission.getScopes();
        assertEquals(2, scopes.size());
        assertThat(scopes, Matchers.containsInAnyOrder("read", "update"));
    }
    ScopePermissionRepresentation martaResourceUpdatePermission = new ScopePermissionRepresentation();
    martaResourceUpdatePermission.setName(KeycloakModelUtils.generateId());
    martaResourceUpdatePermission.addResource(martaResource.getId());
    martaResourceUpdatePermission.addScope("update");
    martaResourceUpdatePermission.addPolicy(onlyOwnerPolicy.getName());
    try (Response response1 = authorization.permissions().scope().create(martaResourceUpdatePermission)) {
        martaResourceUpdatePermission = response1.readEntity(ScopePermissionRepresentation.class);
    }
    // now kolo can only read, but not update
    response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(martaResource.getName(), grantedPermission.getResourceName());
        Set<String> scopes = grantedPermission.getScopes();
        assertEquals(1, scopes.size());
        assertThat(scopes, Matchers.containsInAnyOrder("read"));
    }
    authorization.permissions().resource().findById(martaResourcePermission.getId()).remove();
    try {
        // after removing permission to marta resource, kolo can not access any scope in the resource
        authzClient.authorization(accessToken).authorize(request);
        fail("kolo can not access marta resource");
    } catch (RuntimeException expected) {
        assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
        assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
    }
    martaResourceUpdatePermission.addPolicy(onlyKoloPolicy.getName());
    martaResourceUpdatePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).update(martaResourceUpdatePermission);
    // now kolo can access because update permission changed to allow him to access the resource using an affirmative strategy
    response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(martaResource.getName(), grantedPermission.getResourceName());
        Set<String> scopes = grantedPermission.getScopes();
        assertEquals(1, scopes.size());
        assertThat(scopes, Matchers.containsInAnyOrder("update"));
    }
    accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
    // marta can still access her resource
    response = authzClient.authorization(accessToken).authorize(request);
    assertNotNull(response.getToken());
    permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission grantedPermission : permissions) {
        assertEquals(martaResource.getName(), grantedPermission.getResourceName());
        Set<String> scopes = grantedPermission.getScopes();
        assertEquals(2, scopes.size());
        assertThat(scopes, Matchers.containsInAnyOrder("update", "read"));
    }
    authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).remove();
    accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
    try {
        // back to original setup, permissions not granted by the type resource
        authzClient.authorization(accessToken).authorize(request);
        fail("kolo can not access marta resource");
    } catch (RuntimeException expected) {
        assertEquals(403, HttpResponseException.class.cast(expected.getCause()).getStatusCode());
        assertTrue(HttpResponseException.class.cast(expected.getCause()).toString().contains("access_denied"));
    }
}
Also used : AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) OAuthClient(org.keycloak.testsuite.util.OAuthClient) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Response(javax.ws.rs.core.Response) TokenIntrospectionResponse(org.keycloak.authorization.client.representation.TokenIntrospectionResponse) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) AuthzClient(org.keycloak.authorization.client.AuthzClient) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) Permission(org.keycloak.representations.idm.authorization.Permission) ClientResource(org.keycloak.admin.client.resource.ClientResource) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation) Test(org.junit.Test)

Aggregations

UserPolicyRepresentation (org.keycloak.representations.idm.authorization.UserPolicyRepresentation)33 Test (org.junit.Test)15 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)11 Policy (org.keycloak.authorization.model.Policy)10 Response (javax.ws.rs.core.Response)7 RolePolicyRepresentation (org.keycloak.representations.idm.authorization.RolePolicyRepresentation)7 RealmModel (org.keycloak.models.RealmModel)6 UserModel (org.keycloak.models.UserModel)6 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)6 Before (org.junit.Before)4 Keycloak (org.keycloak.admin.client.Keycloak)4 UserPoliciesResource (org.keycloak.admin.client.resource.UserPoliciesResource)4 UserPolicyResource (org.keycloak.admin.client.resource.UserPolicyResource)4 ClientModel (org.keycloak.models.ClientModel)4 RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)4 ClientPolicyRepresentation (org.keycloak.representations.idm.authorization.ClientPolicyRepresentation)4 GroupPolicyRepresentation (org.keycloak.representations.idm.authorization.GroupPolicyRepresentation)4 PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation)4 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)4 AdminPermissionManagement (org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)4
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial