keycloak-scim/testsuite/integration-arquillian/test-apps/photoz/photoz-restful-api-authz-service.json

{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "User Profile Resource",
      "uri": "/profile",
      "type": "http://photoz.com/profile",
      "scopes": [
        {
          "name": "urn:photoz.com:scopes:profile:view"
        }
      ]
    },
    {
      "name": "Album Resource",
      "uri": "/album/*",
      "type": "http://photoz.com/album",
      "scopes": [
        {
          "name": "urn:photoz.com:scopes:album:view"
        },
        {
          "name": "urn:photoz.com:scopes:album:delete"
        },
        {
          "name": "urn:photoz.com:scopes:album:create"
        }
      ]
    },
    {
      "name": "Admin Resources",
      "uri": "/admin/*",
      "type": "http://photoz.com/admin",
      "scopes": [
        {
          "name": "urn:photoz.com:scopes:album:admin:manage"
        }
      ]
    }
  ],
  "policies": [
    {
      "name": "Only Owner Policy",
      "description": "Defines that only the resource owner is allowed to do something",
      "type": "drools",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "mavenArtifactVersion": "2.1.0-SNAPSHOT",
        "mavenArtifactId": "photoz-authz-policy",
        "sessionName": "MainOwnerSession",
        "mavenArtifactGroupId": "org.keycloak",
        "moduleName": "PhotozAuthzOwnerPolicy",
        "applyPolicies": "[]",
        "scannerPeriod": "1",
        "scannerPeriodUnit": "Hours"
      }
    },
    {
      "name": "Any Admin Policy",
      "description": "Defines that adminsitrators can do something",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "applyPolicies": "[]",
        "roles": "[{\"id\":\"admin\",\"required\":true}]"
      }
    },
    {
      "name": "Any User Policy",
      "description": "Defines that only users from well known clients are allowed to access",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "applyPolicies": "[]",
        "roles": "[{\"id\":\"user\"},{\"id\":\"manage-albums\",\"required\":true}]"
      }
    },
    {
      "name": "Only From a Specific Client Address",
      "description": "Defines that only clients from a specific address can do something",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "applyPolicies": "[]",
        "code": "var contextAttributes = $evaluation.getContext().getAttributes();\n\nif (contextAttributes.containsValue('kc.client.network.ip_address', '127.0.0.1')) {\n    $evaluation.grant();\n}"
      }
    },
    {
      "name": "Administration Policy",
      "description": "Defines that only administrators from a specific network address can do something.",
      "type": "aggregate",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "applyPolicies": "[\"Only From a Specific Client Address\",\"Any Admin Policy\"]"
      }
    },
    {
      "name": "Only Owner and Administrators Policy",
      "description": "Defines that only the resource owner and administrators can do something",
      "type": "aggregate",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "applyPolicies": "[\"Administration Policy\",\"Only Owner Policy\"]"
      }
    },
    {
      "name": "Only From @keycloak.org or Admin",
      "description": "Defines that only users from @keycloak.org",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "applyPolicies": "[]",
        "code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRole('admin') || email.endsWith('@keycloak.org')) {\n    $evaluation.grant();\n}"
      }
    },
    {
      "name": "Album Resource Permission",
      "description": "General policies that apply to all album resources.",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "defaultResourceType": "http://photoz.com/album",
        "default": "true",
        "applyPolicies": "[\"Any User Policy\",\"Administration Policy\"]"
      }
    },
    {
      "name": "Admin Resource Permission",
      "description": "General policy for any administrative resource.",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "http://photoz.com/admin",
        "default": "true",
        "applyPolicies": "[\"Administration Policy\"]"
      }
    },
    {
      "name": "View User Permission",
      "description": "Defines who is allowed to view an user profile",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "applyPolicies": "[\"Only From @keycloak.org or Admin\"]",
        "scopes": "[\"urn:photoz.com:scopes:profile:view\"]"
      }
    },
    {
      "name": "Delete Album Permission",
      "description": "A policy that only allows the owner to delete his albums.",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "applyPolicies": "[\"Only Owner and Administrators Policy\"]",
        "scopes": "[\"urn:photoz.com:scopes:album:delete\"]"
      }
    }
  ],
  "scopes": [
    {
      "name": "urn:photoz.com:scopes:profile:view"
    },
    {
      "name": "urn:photoz.com:scopes:album:view"
    },
    {
      "name": "urn:photoz.com:scopes:album:create"
    },
    {
      "name": "urn:photoz.com:scopes:album:delete"
    },
    {
      "name": "urn:photoz.com:scopes:album:admin:manage"
    }
  ]
}
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`{`
			`"allowRemoteResourceManagement": true,`
			`"policyEnforcementMode": "ENFORCING",`
			`"resources": [`
			`{`
			`"name": "User Profile Resource",`
			`"uri": "/profile",`
			`"type": "http://photoz.com/profile",`
			`"scopes": [`
			`{`
			`"name": "urn:photoz.com:scopes:profile:view"`
			`}`
			`]`
			`},`
			`{`
			`"name": "Album Resource",`
			`"uri": "/album/*",`
			`"type": "http://photoz.com/album",`
			`"scopes": [`
			`{`
			`"name": "urn:photoz.com:scopes:album:view"`
			`},`
			`{`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"name": "urn:photoz.com:scopes:album:delete"`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`},`
			`{`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"name": "urn:photoz.com:scopes:album:create"`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`}`
			`]`
			`},`
			`{`
			`"name": "Admin Resources",`
			`"uri": "/admin/*",`
			`"type": "http://photoz.com/admin",`
			`"scopes": [`
			`{`
			`"name": "urn:photoz.com:scopes:album:admin:manage"`
			`}`
			`]`
			`}`
			`],`
			`"policies": [`
			`{`
			`"name": "Only Owner Policy",`
			`"description": "Defines that only the resource owner is allowed to do something",`
			`"type": "drools",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"config": {`
[KEYCLOAK-3305] - Cache is not properly handling failures when importing configuration 2016-07-12 16:55:58 +00:00			`"mavenArtifactVersion": "2.1.0-SNAPSHOT",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"mavenArtifactId": "photoz-authz-policy",`
			`"sessionName": "MainOwnerSession",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"mavenArtifactGroupId": "org.keycloak",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"moduleName": "PhotozAuthzOwnerPolicy",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"applyPolicies": "[]",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"scannerPeriod": "1",`
			`"scannerPeriodUnit": "Hours"`
			`}`
			`},`
			`{`
			`"name": "Any Admin Policy",`
			`"description": "Defines that adminsitrators can do something",`
			`"type": "role",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"config": {`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"applyPolicies": "[]",`
			`"roles": "[{\"id\":\"admin\",\"required\":true}]"`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`}`
			`},`
			`{`
			`"name": "Any User Policy",`
[KEYCLOAK-3338] More testing and improvements when importing role policies 2016-07-28 15:31:46 +00:00			`"description": "Defines that only users from well known clients are allowed to access",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"type": "role",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"config": {`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"applyPolicies": "[]",`
[KEYCLOAK-3338] More testing and improvements when importing role policies 2016-07-28 15:31:46 +00:00			`"roles": "[{\"id\":\"user\"},{\"id\":\"manage-albums\",\"required\":true}]"`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`}`
			`},`
			`{`
			`"name": "Only From a Specific Client Address",`
			`"description": "Defines that only clients from a specific address can do something",`
			`"type": "js",`
			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
			`"config": {`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"applyPolicies": "[]",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"code": "var contextAttributes = $evaluation.getContext().getAttributes();\n\nif (contextAttributes.containsValue('kc.client.network.ip_address', '127.0.0.1')) {\n $evaluation.grant();\n}"`
			`}`
			`},`
			`{`
			`"name": "Administration Policy",`
			`"description": "Defines that only administrators from a specific network address can do something.",`
			`"type": "aggregate",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"config": {`
[KEYCLOAK-3338] More testing and improvements when importing role policies 2016-07-28 15:31:46 +00:00			`"applyPolicies": "[\"Only From a Specific Client Address\",\"Any Admin Policy\"]"`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`}`
			`},`
			`{`
			`"name": "Only Owner and Administrators Policy",`
			`"description": "Defines that only the resource owner and administrators can do something",`
			`"type": "aggregate",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"logic": "POSITIVE",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"decisionStrategy": "AFFIRMATIVE",`
			`"config": {`
[KEYCLOAK-3338] More testing and improvements when importing role policies 2016-07-28 15:31:46 +00:00			`"applyPolicies": "[\"Administration Policy\",\"Only Owner Policy\"]"`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`}`
			`},`
			`{`
			`"name": "Only From @keycloak.org or Admin",`
			`"description": "Defines that only users from @keycloak.org",`
			`"type": "js",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"config": {`
			`"applyPolicies": "[]",`
			`"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRole('admin') \|\| email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"`
			`}`
			`},`
			`{`
			`"name": "Album Resource Permission",`
			`"description": "General policies that apply to all album resources.",`
			`"type": "resource",`
[KEYCLOAK-3338] - Adding client roles to role policy and UX improvements 2016-07-27 18:15:14 +00:00			`"logic": "POSITIVE",`
[KEYCLOAK-2999] - Authorization arquillian tests 2016-06-30 12:46:34 +00:00			`"decisionStrategy": "AFFIRMATIVE",`
			`"config": {`
			`"defaultResourceType": "http://photoz.com/album",`
			`"default": "true",`
			`"applyPolicies": "[\"Any User Policy\",\"Administration Policy\"]"`
			`}`
			`},`
			`{`
			`"name": "Admin Resource Permission",`
			`"description": "General policy for any administrative resource.",`
			`"type": "resource",`
			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
			`"config": {`
			`"defaultResourceType": "http://photoz.com/admin",`
			`"default": "true",`
			`"applyPolicies": "[\"Administration Policy\"]"`
			`}`
			`},`
			`{`
			`"name": "View User Permission",`
			`"description": "Defines who is allowed to view an user profile",`
			`"type": "scope",`
			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
			`"config": {`
			`"applyPolicies": "[\"Only From @keycloak.org or Admin\"]",`
			`"scopes": "[\"urn:photoz.com:scopes:profile:view\"]"`
			`}`
			`},`
			`{`
			`"name": "Delete Album Permission",`
			`"description": "A policy that only allows the owner to delete his albums.",`
			`"type": "scope",`
			`"logic": "POSITIVE",`
			`"decisionStrategy": "UNANIMOUS",`
			`"config": {`
			`"applyPolicies": "[\"Only Owner and Administrators Policy\"]",`
			`"scopes": "[\"urn:photoz.com:scopes:album:delete\"]"`
			`}`
			`}`
			`],`
			`"scopes": [`
			`{`
			`"name": "urn:photoz.com:scopes:profile:view"`
			`},`
			`{`
			`"name": "urn:photoz.com:scopes:album:view"`
			`},`
			`{`
			`"name": "urn:photoz.com:scopes:album:create"`
			`},`
			`{`
			`"name": "urn:photoz.com:scopes:album:delete"`
			`},`
			`{`
			`"name": "urn:photoz.com:scopes:album:admin:manage"`
			`}`
			`]`
			`}`