Use of org.keycloak.testsuite.util.OAuthClient in project keycloak (by keycloak):
class EntitlementAPITest, method testOverrideParentScopePermission.
/**
 * Verifies that permissions attached directly to a resource instance override the permissions
 * it inherits from its type, and that removing the overriding permissions restores the inherited
 * (type-level) decision.
 *
 * Setup: a "typed" resource with scopes read/update guarded by an only-owner policy, and an
 * instance of that type owned by marta. The test then walks kolo (not the owner) through the
 * grant/deny transitions as resource- and scope-level permissions are added, updated and removed.
 *
 * @throws Exception propagated from the admin and authorization clients
 */
@Test
public void testOverrideParentScopePermission() throws Exception {
    AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

    // Policy satisfied only by the resource owner; the type-level permission below is built on it.
    JSPolicyRepresentation onlyOwnerPolicy = createOnlyOwnerPolicy();
    authorization.policies().js().create(onlyOwnerPolicy).close();

    // Resource standing for the type "resource", declaring the scopes read and update.
    ResourceRepresentation typedResource = new ResourceRepresentation();
    typedResource.setType("resource");
    typedResource.setName(KeycloakModelUtils.generateId());
    typedResource.addScope("read", "update");
    try (Response created = authorization.resources().create(typedResource)) {
        typedResource = created.readEntity(ResourceRepresentation.class);
    }

    // Type-level scope permission: read/update on the typed resource, granted to the owner only.
    ScopePermissionRepresentation typedResourcePermission = new ScopePermissionRepresentation();
    typedResourcePermission.setName(KeycloakModelUtils.generateId());
    typedResourcePermission.addResource(typedResource.getName());
    typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
    typedResourcePermission.addScope("read", "update");
    authorization.permissions().scope().create(typedResourcePermission).close();

    // Instance of that type owned by marta; only "read" is declared on the instance itself.
    ResourceRepresentation martaResource = new ResourceRepresentation();
    martaResource.setType("resource");
    martaResource.setName(KeycloakModelUtils.generateId());
    martaResource.addScope("read");
    martaResource.setOwner("marta");
    try (Response created = authorization.resources().create(martaResource)) {
        martaResource = created.readEntity(ResourceRepresentation.class);
    }

    String accessToken = obtainResourceServerAccessToken("marta");
    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(martaResource.getName());

    // The owner gets both scopes through the type-level permission.
    assertSingleGrantedPermission(authzClient.authorization(accessToken).authorize(request),
            martaResource.getName(), "read", "update");

    accessToken = obtainResourceServerAccessToken("kolo");
    authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
    request = new AuthorizationRequest();
    request.addPermission(martaResource.getId());
    // kolo is not the owner, so the only-owner policy denies him.
    assertAuthorizationDenied(authzClient, accessToken, request);

    UserPolicyRepresentation onlyKoloPolicy = new UserPolicyRepresentation();
    onlyKoloPolicy.setName(KeycloakModelUtils.generateId());
    onlyKoloPolicy.addUser("kolo");
    authorization.policies().user().create(onlyKoloPolicy).close();

    // Resource-level permission on marta's instance that grants kolo.
    ResourcePermissionRepresentation martaResourcePermission = new ResourcePermissionRepresentation();
    martaResourcePermission.setName(KeycloakModelUtils.generateId());
    martaResourcePermission.addResource(martaResource.getId());
    martaResourcePermission.addPolicy(onlyKoloPolicy.getName());
    try (Response created = authorization.permissions().resource().create(martaResourcePermission)) {
        martaResourcePermission = created.readEntity(ResourcePermissionRepresentation.class);
    }

    // The instance permission takes precedence over the type-level one: kolo now gets every scope.
    assertSingleGrantedPermission(authzClient.authorization(accessToken).authorize(request),
            martaResource.getName(), "read", "update");

    // Scope-level permission for "update" on the instance, satisfiable only by the owner.
    ScopePermissionRepresentation martaResourceUpdatePermission = new ScopePermissionRepresentation();
    martaResourceUpdatePermission.setName(KeycloakModelUtils.generateId());
    martaResourceUpdatePermission.addResource(martaResource.getId());
    martaResourceUpdatePermission.addScope("update");
    martaResourceUpdatePermission.addPolicy(onlyOwnerPolicy.getName());
    try (Response created = authorization.permissions().scope().create(martaResourceUpdatePermission)) {
        martaResourceUpdatePermission = created.readEntity(ScopePermissionRepresentation.class);
    }

    // kolo keeps read but no longer gets update.
    assertSingleGrantedPermission(authzClient.authorization(accessToken).authorize(request),
            martaResource.getName(), "read");

    authorization.permissions().resource().findById(martaResourcePermission.getId()).remove();
    // With the resource-level permission gone, kolo is denied every scope on the instance again.
    assertAuthorizationDenied(authzClient, accessToken, request);

    // Let the update permission also accept kolo; AFFIRMATIVE means a single satisfied policy grants.
    martaResourceUpdatePermission.addPolicy(onlyKoloPolicy.getName());
    martaResourceUpdatePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).update(martaResourceUpdatePermission);

    // kolo is now granted, but only the scope that permission covers.
    assertSingleGrantedPermission(authzClient.authorization(accessToken).authorize(request),
            martaResource.getName(), "update");

    accessToken = obtainResourceServerAccessToken("marta");
    // The owner is unaffected by the changes made for kolo.
    assertSingleGrantedPermission(authzClient.authorization(accessToken).authorize(request),
            martaResource.getName(), "update", "read");

    authorization.permissions().scope().findById(martaResourceUpdatePermission.getId()).remove();
    accessToken = obtainResourceServerAccessToken("kolo");
    // Back to the initial setup: only the type-level permission remains, and it denies kolo.
    assertAuthorizationDenied(authzClient, accessToken, request);
}

/**
 * Obtains an access token for {@code username} from the "authz-test" realm through the
 * resource-server client, using the resource-owner password grant.
 */
private String obtainResourceServerAccessToken(String username) {
    return new OAuthClient()
            .realm("authz-test")
            .clientId(RESOURCE_SERVER_TEST)
            .doGrantAccessTokenRequest("secret", username, "password")
            .getAccessToken();
}

/**
 * Asserts that the RPT in {@code response} carries exactly one permission, for
 * {@code resourceName}, with exactly the given scopes (in any order).
 */
private void assertSingleGrantedPermission(AuthorizationResponse response, String resourceName, String... expectedScopes) {
    assertNotNull(response.getToken());
    Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    for (Permission granted : permissions) {
        assertEquals(resourceName, granted.getResourceName());
        Set<String> scopes = granted.getScopes();
        assertEquals(expectedScopes.length, scopes.size());
        assertThat(scopes, Matchers.containsInAnyOrder(expectedScopes));
    }
}

/**
 * Asserts that the authorization request is refused with HTTP 403 and an "access_denied" error.
 */
private void assertAuthorizationDenied(AuthzClient authzClient, String accessToken, AuthorizationRequest request) {
    try {
        authzClient.authorization(accessToken).authorize(request);
        fail("kolo can not access marta resource");
    } catch (RuntimeException expected) {
        HttpResponseException cause = HttpResponseException.class.cast(expected.getCause());
        assertEquals(403, cause.getStatusCode());
        assertTrue(cause.toString().contains("access_denied"));
    }
}
Use of org.keycloak.testsuite.util.OAuthClient in project keycloak (by keycloak):
class AuthorizationAPITest, method testResourceServerAsAudience.
/**
 * Checks the audience handling of the UMA flow: the permission ticket must not be addressed to
 * the requesting client nor to the resource server, while the RPT obtained with that ticket must
 * be addressed to the resource server.
 *
 * @param clientId               client used to obtain marta's access token
 * @param resourceServerClientId client id of the resource server expected in the RPT audience
 * @param authzConfigFile        keycloak authz configuration used to build the {@link AuthzClient}
 * @throws Exception propagated from token parsing and the HTTP clients
 */
public void testResourceServerAsAudience(String clientId, String resourceServerClientId, String authzConfigFile) throws Exception {
    AuthzClient authzClient = getAuthzClient(authzConfigFile);

    PermissionRequest permissionRequest = new PermissionRequest();
    permissionRequest.setResourceId("Resource A");

    String accessToken = new OAuthClient()
            .realm("authz-test")
            .clientId(clientId)
            .doGrantAccessTokenRequest("secret", "marta", "password")
            .getAccessToken();
    String ticket = authzClient.protection().permission().create(permissionRequest).getTicket();

    // The ticket is opaque to the client and the resource server, so neither may be in its audience;
    // it is meant for the authorization server alone.
    JsonWebToken decodedTicket = JsonSerialization.readValue(new JWSInput(ticket).getContent(), JsonWebToken.class);
    Assert.assertFalse(decodedTicket.hasAudience(clientId));
    Assert.assertFalse(decodedTicket.hasAudience(resourceServerClientId));

    // Exchanging the ticket yields an RPT whose first audience entry is the resource server.
    AuthorizationResponse response = authzClient.authorization(accessToken).authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    AccessToken rpt = toAccessToken(response.getToken());
    assertEquals(resourceServerClientId, rpt.getAudience()[0]);
}
Use of org.keycloak.testsuite.util.OAuthClient in project keycloak (by keycloak):
class AuthServerTestEnricher, method initializeOAuthClient.
/**
 * Before each test class runs, points the static {@link OAuthClient} URL templates at the auth
 * server under test and hands a fresh client instance to the producer.
 *
 * @param event the before-class event this observer reacts to
 */
public void initializeOAuthClient(@Observes(precedence = 4) BeforeClass event) {
    // TODO workaround. Check if can be removed
    String authServerRoot = suiteContext.getAuthServerInfo().getContextRoot().toString();
    OAuthClient.updateURLs(authServerRoot);
    oAuthClientProducer.set(new OAuthClient());
}
Use of org.keycloak.testsuite.util.OAuthClient in project keycloak (by keycloak):
class MultiVersionClusterTest, method loginSuccessToLegacy.
/*
* Tests that the legacy node remains usable (login) after the current node joins the cluster
*/
@Test
public void loginSuccessToLegacy() throws Exception {
    // OAuthClient's URLs are static, so the legacy node's root is swapped in for this test only
    // and the previous root is restored in the finally block whatever happens.
    String savedServerRoot = OAuthClient.SERVER_ROOT;
    String legacyRoot = legacyNode.getContextRoot().toString();
    try {
        OAuthClient.updateURLs(legacyRoot);
        OAuthClient legacyOauth = new OAuthClient();
        legacyOauth.init(DroneUtils.getCurrentDriver());
        legacyOauth.realm(MASTER)
                .clientId("account")
                .redirectUri(legacyRoot + "/auth/realms/master/account/");
        legacyOauth.openLoginForm();
        assertThat(DroneUtils.getCurrentDriver().getTitle(), containsString("Sign in to "));
        loginPage.login("admin", "admin");
        // A successful login redirects back with an authorization code in the query string.
        assertThat("Login was not successful.", legacyOauth.getCurrentQuery().get(OAuth2Constants.CODE), notNullValue());
    } finally {
        OAuthClient.updateURLs(savedServerRoot);
    }
}
Use of org.keycloak.testsuite.util.OAuthClient in project keycloak (by keycloak):
class RequiredActionResetPasswordTest, method logoutSessionsCheckboxNotPresent.
/**
 * Verifies that the update-password required action does not offer the "log out other sessions"
 * option, and that consequently a session opened from another browser survives the password change.
 */
@Test
public void logoutSessionsCheckboxNotPresent() {
    // First session: log in from the second browser so one session already exists.
    OAuthClient secondBrowserOauth = new OAuthClient();
    secondBrowserOauth.init(driver2);
    UserResource testUser = testRealm().users().get(findUser("test-user@localhost").getId());
    secondBrowserOauth.doLogin("test-user@localhost", "password");
    events.expectLogin().assertEvent();
    assertEquals(1, testUser.getUserSessions().size());

    requireUpdatePassword();

    // Second session (default driver): the login is intercepted by the required action.
    loginPage.open();
    loginPage.login("test-user@localhost", "password");
    changePasswordPage.assertCurrent();
    // The option to sign out other sessions must not be displayed on this page.
    assertFalse(changePasswordPage.isLogoutSessionDisplayed());
    changePasswordPage.changePassword("All Right Then, Keep Your Secrets", "All Right Then, Keep Your Secrets");
    events.expectRequiredAction(EventType.UPDATE_PASSWORD).assertEvent();
    events.expectLogin().assertEvent();
    // Without the checkbox the first session is not terminated, so both sessions remain.
    assertEquals("All sessions are still active", 2, testUser.getUserSessions().size());
}