[KEYCLOAK-3129] - Add authorization services endpoints to PermissionsTest
This commit is contained in:
parent
eebd496c2f
commit
517413d38e
7 changed files with 158 additions and 4 deletions
|
@ -25,6 +25,7 @@ import javax.ws.rs.POST;
|
||||||
import javax.ws.rs.Path;
|
import javax.ws.rs.Path;
|
||||||
import javax.ws.rs.PathParam;
|
import javax.ws.rs.PathParam;
|
||||||
import javax.ws.rs.Produces;
|
import javax.ws.rs.Produces;
|
||||||
|
import javax.ws.rs.QueryParam;
|
||||||
import javax.ws.rs.core.MediaType;
|
import javax.ws.rs.core.MediaType;
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -42,6 +43,17 @@ public interface ResourcesResource {
|
||||||
@Path("{id}")
|
@Path("{id}")
|
||||||
ResourceResource resource(@PathParam("id") String id);
|
ResourceResource resource(@PathParam("id") String id);
|
||||||
|
|
||||||
|
@GET
|
||||||
|
@NoCache
|
||||||
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
|
List<ResourceRepresentation> find(@QueryParam("name") String name,
|
||||||
|
@QueryParam("uri") String uri,
|
||||||
|
@QueryParam("owner") String owner,
|
||||||
|
@QueryParam("type") String type,
|
||||||
|
@QueryParam("scope") String scope,
|
||||||
|
@QueryParam("first") Integer firstResult,
|
||||||
|
@QueryParam("max") Integer maxResult);
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@NoCache
|
@NoCache
|
||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
|
|
|
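Review bot: The new `find` method on `ResourcesResource` has no Javadoc, so the six filter parameters and the `first`/`max` paging pair are undocumented, including whether a `null` filter means "unconstrained" and what `-1` means for paging; the only caller visible in this commit (`ResourceService.findAll`) passes `-1` for both, which suggests it means unbounded but nothing states it. Add a Javadoc that names each filter, states that a null filter is ignored if that is the server behaviour, and documents the `first`/`max` semantics with `@param`/`@return`. The `ResourcesResource` interface continues outside the hunk.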
@ -47,6 +47,7 @@ import org.keycloak.protocol.ProtocolMapper;
|
||||||
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
|
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
|
||||||
import org.keycloak.representations.AccessToken;
|
import org.keycloak.representations.AccessToken;
|
||||||
import org.keycloak.services.Urls;
|
import org.keycloak.services.Urls;
|
||||||
|
import org.keycloak.services.resources.admin.RealmAuth;
|
||||||
|
|
||||||
import javax.ws.rs.Consumes;
|
import javax.ws.rs.Consumes;
|
||||||
import javax.ws.rs.POST;
|
import javax.ws.rs.POST;
|
||||||
|
@ -74,20 +75,23 @@ import static java.util.Arrays.asList;
|
||||||
public class PolicyEvaluationService {
|
public class PolicyEvaluationService {
|
||||||
|
|
||||||
private final AuthorizationProvider authorization;
|
private final AuthorizationProvider authorization;
|
||||||
|
private final RealmAuth auth;
|
||||||
@Context
|
@Context
|
||||||
private HttpRequest httpRequest;
|
private HttpRequest httpRequest;
|
||||||
|
|
||||||
private final ResourceServer resourceServer;
|
private final ResourceServer resourceServer;
|
||||||
|
|
||||||
PolicyEvaluationService(ResourceServer resourceServer, AuthorizationProvider authorization) {
|
PolicyEvaluationService(ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
|
||||||
this.resourceServer = resourceServer;
|
this.resourceServer = resourceServer;
|
||||||
this.authorization = authorization;
|
this.authorization = authorization;
|
||||||
|
this.auth = auth;
|
||||||
}
|
}
|
||||||
|
|
||||||
@POST
|
@POST
|
||||||
@Consumes("application/json")
|
@Consumes("application/json")
|
||||||
@Produces("application/json")
|
@Produces("application/json")
|
||||||
public void evaluate(PolicyEvaluationRequest evaluationRequest, @Suspended AsyncResponse asyncResponse) {
|
public void evaluate(PolicyEvaluationRequest evaluationRequest, @Suspended AsyncResponse asyncResponse) {
|
||||||
|
this.auth.requireView();
|
||||||
KeycloakIdentity identity = createIdentity(evaluationRequest);
|
KeycloakIdentity identity = createIdentity(evaluationRequest);
|
||||||
EvaluationContext evaluationContext = createEvaluationContext(evaluationRequest, identity);
|
EvaluationContext evaluationContext = createEvaluationContext(evaluationRequest, identity);
|
||||||
authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization), evaluationContext).evaluate(createDecisionCollector(authorization, identity, asyncResponse));
|
authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization), evaluationContext).evaluate(createDecisionCollector(authorization, identity, asyncResponse));
|
||||||
|
|
|
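Review bot: The new three-argument constructor stores `auth` without validating it, so a null passed by any caller surfaces as a NullPointerException inside `evaluate` (a 500) rather than as a 403; `this.auth = Objects.requireNonNull(auth, "auth");` (with `java.util.Objects` imported) fails fast at construction instead. The added `this.auth.requireView()` duplicates the check the sub-resource locator in `PolicyService#getPolicyEvaluateResource` already makes before constructing this service; a one-line comment such as `// defence in depth: PolicyService already requires view before handing out this resource` would record that the repeat is intentional rather than an oversight. Note that the check runs only after JAX-RS has deserialised the request body into `evaluationRequest`, which is acceptable here precisely because the locator check precedes it. `evaluate` continues past the end of the hunk.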
@ -273,7 +273,7 @@ public class PolicyService {
|
||||||
@Path("evaluate")
|
@Path("evaluate")
|
||||||
public PolicyEvaluationService getPolicyEvaluateResource() {
|
public PolicyEvaluationService getPolicyEvaluateResource() {
|
||||||
this.auth.requireView();
|
this.auth.requireView();
|
||||||
PolicyEvaluationService resource = new PolicyEvaluationService(this.resourceServer, this.authorization);
|
PolicyEvaluationService resource = new PolicyEvaluationService(this.resourceServer, this.authorization, this.auth);
|
||||||
|
|
||||||
ResteasyProviderFactory.getInstance().injectProperties(resource);
|
ResteasyProviderFactory.getInstance().injectProperties(resource);
|
||||||
|
|
||||||
|
|
|
@ -177,7 +177,7 @@ public class ResourceSetService {
|
||||||
@GET
|
@GET
|
||||||
@NoCache
|
@NoCache
|
||||||
@Produces("application/json")
|
@Produces("application/json")
|
||||||
public Response findAll(@QueryParam("name") String name,
|
public Response find(@QueryParam("name") String name,
|
||||||
@QueryParam("uri") String uri,
|
@QueryParam("uri") String uri,
|
||||||
@QueryParam("owner") String owner,
|
@QueryParam("owner") String owner,
|
||||||
@QueryParam("type") String type,
|
@QueryParam("type") String type,
|
||||||
|
|
|
@ -107,6 +107,11 @@ public class ScopeService {
|
||||||
}
|
}
|
||||||
|
|
||||||
Scope scope = storeFactory.getScopeStore().findById(id);
|
Scope scope = storeFactory.getScopeStore().findById(id);
|
||||||
|
|
||||||
|
if (scope == null) {
|
||||||
|
return Response.status(Status.NOT_FOUND).build();
|
||||||
|
}
|
||||||
|
|
||||||
PolicyStore policyStore = storeFactory.getPolicyStore();
|
PolicyStore policyStore = storeFactory.getPolicyStore();
|
||||||
List<Policy> policies = policyStore.findByScopeIds(Arrays.asList(scope.getId()), resourceServer.getId());
|
List<Policy> policies = policyStore.findByScopeIds(Arrays.asList(scope.getId()), resourceServer.getId());
|
||||||
|
|
||||||
|
|
|
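Review bot: The new 404 guard after `storeFactory.getScopeStore().findById(id)` checks only for absence; nothing visible ties the returned scope to `resourceServer`, so if the store lookup is not already scoped per resource server, a scope id that belongs to another client's resource server passes the guard. The subsequent `findByScopeIds(..., resourceServer.getId())` is filtered by resource server, so the exposure is presumably limited to confirming that a foreign scope id exists, but returning `Status.NOT_FOUND` when the scope is not owned by `resourceServer` would close even that; please confirm against the store implementation. The enclosing method starts and ends outside the hunk.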
@ -109,7 +109,7 @@ public class ResourceService {
|
||||||
}
|
}
|
||||||
|
|
||||||
private Set<String> findAll() {
|
private Set<String> findAll() {
|
||||||
Response response = this.resourceManager.findAll(null, null, null, null, null, -1, -1);
|
Response response = this.resourceManager.find(null, null, null, null, null, -1, -1);
|
||||||
List<ResourceRepresentation> resources = (List<ResourceRepresentation>) response.getEntity();
|
List<ResourceRepresentation> resources = (List<ResourceRepresentation>) response.getEntity();
|
||||||
return resources.stream().map(ResourceRepresentation::getId).collect(Collectors.toSet());
|
return resources.stream().map(ResourceRepresentation::getId).collect(Collectors.toSet());
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,10 +17,12 @@
|
||||||
|
|
||||||
package org.keycloak.testsuite.admin;
|
package org.keycloak.testsuite.admin;
|
||||||
|
|
||||||
|
import org.apache.bcel.generic.RETURN;
|
||||||
import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataOutput;
|
import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataOutput;
|
||||||
import org.junit.Rule;
|
import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.keycloak.admin.client.Keycloak;
|
import org.keycloak.admin.client.Keycloak;
|
||||||
|
import org.keycloak.admin.client.resource.AuthorizationResource;
|
||||||
import org.keycloak.admin.client.resource.RealmResource;
|
import org.keycloak.admin.client.resource.RealmResource;
|
||||||
import org.keycloak.models.AdminRoles;
|
import org.keycloak.models.AdminRoles;
|
||||||
import org.keycloak.models.Constants;
|
import org.keycloak.models.Constants;
|
||||||
|
@ -45,6 +47,10 @@ import org.keycloak.representations.idm.RoleRepresentation;
|
||||||
import org.keycloak.representations.idm.UserFederationMapperRepresentation;
|
import org.keycloak.representations.idm.UserFederationMapperRepresentation;
|
||||||
import org.keycloak.representations.idm.UserFederationProviderRepresentation;
|
import org.keycloak.representations.idm.UserFederationProviderRepresentation;
|
||||||
import org.keycloak.representations.idm.UserRepresentation;
|
import org.keycloak.representations.idm.UserRepresentation;
|
||||||
|
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||||
|
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||||
|
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
|
||||||
|
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
|
||||||
import org.keycloak.services.resources.admin.RealmAuth.Resource;
|
import org.keycloak.services.resources.admin.RealmAuth.Resource;
|
||||||
import org.keycloak.testsuite.AbstractKeycloakTest;
|
import org.keycloak.testsuite.AbstractKeycloakTest;
|
||||||
import org.keycloak.testsuite.Assert;
|
import org.keycloak.testsuite.Assert;
|
||||||
|
@ -68,6 +74,8 @@ import java.util.Map;
|
||||||
import java.util.concurrent.atomic.AtomicReference;
|
import java.util.concurrent.atomic.AtomicReference;
|
||||||
|
|
||||||
import static org.junit.Assert.*;
|
import static org.junit.Assert.*;
|
||||||
|
import static org.keycloak.services.resources.admin.RealmAuth.Resource.AUTHORIZATION;
|
||||||
|
import static org.keycloak.services.resources.admin.RealmAuth.Resource.CLIENT;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
|
@ -770,6 +778,123 @@ public class PermissionsTest extends AbstractKeycloakTest {
|
||||||
}, Resource.CLIENT, true);
|
}, Resource.CLIENT, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void clientAuthorization() {
|
||||||
|
invoke(new InvocationWithResponse() {
|
||||||
|
public void invoke(RealmResource realm, AtomicReference<Response> response) {
|
||||||
|
realm.clients().create(ClientBuilder.create().clientId("foo-authz").build());
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
foo.setServiceAccountsEnabled(true);
|
||||||
|
foo.setAuthorizationServicesEnabled(true);
|
||||||
|
realm.clients().get(foo.getId()).update(foo);
|
||||||
|
}
|
||||||
|
}, CLIENT, true);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
realm.clients().get(foo.getId()).authorization().getSettings();
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, false);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
ResourceServerRepresentation settings = authorization.getSettings();
|
||||||
|
authorization.update(settings);
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.resources().resources();
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, false);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.scopes().scopes();
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, false);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.policies().policies();
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, false);
|
||||||
|
invoke(new InvocationWithResponse() {
|
||||||
|
public void invoke(RealmResource realm, AtomicReference<Response> response) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
response.set(authorization.resources().create(new ResourceRepresentation("Test", Collections.emptySet())));
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new InvocationWithResponse() {
|
||||||
|
public void invoke(RealmResource realm, AtomicReference<Response> response) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
response.set(authorization.scopes().create(new ScopeRepresentation("Test")));
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new InvocationWithResponse() {
|
||||||
|
public void invoke(RealmResource realm, AtomicReference<Response> response) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
PolicyRepresentation representation = new PolicyRepresentation();
|
||||||
|
representation.setName("Test PermissionsTest");
|
||||||
|
representation.setType("js");
|
||||||
|
HashMap<String, String> config = new HashMap<>();
|
||||||
|
config.put("code", "");
|
||||||
|
representation.setConfig(config);
|
||||||
|
response.set(authorization.policies().create(representation));
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.resources().resource("nosuch").update(new ResourceRepresentation());
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.scopes().scope("nosuch").update(new ScopeRepresentation());
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.policies().policy("nosuch").update(new PolicyRepresentation());
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.resources().resource("nosuch").remove();
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.scopes().scope("nosuch").remove();
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
invoke(new Invocation() {
|
||||||
|
public void invoke(RealmResource realm) {
|
||||||
|
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
|
||||||
|
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
|
||||||
|
authorization.policies().policy("nosuch").remove();
|
||||||
|
}
|
||||||
|
}, AUTHORIZATION, true);
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void roles() {
|
public void roles() {
|
||||||
invoke(new Invocation() {
|
invoke(new Invocation() {
|
||||||
|
@ -1543,6 +1668,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
|
||||||
return AdminRoles.VIEW_EVENTS;
|
return AdminRoles.VIEW_EVENTS;
|
||||||
case IDENTITY_PROVIDER:
|
case IDENTITY_PROVIDER:
|
||||||
return AdminRoles.VIEW_IDENTITY_PROVIDERS;
|
return AdminRoles.VIEW_IDENTITY_PROVIDERS;
|
||||||
|
case AUTHORIZATION:
|
||||||
|
return AdminRoles.VIEW_AUTHORIZATION;
|
||||||
default:
|
default:
|
||||||
throw new RuntimeException("Unexpected resouce");
|
throw new RuntimeException("Unexpected resouce");
|
||||||
}
|
}
|
||||||
|
@ -1560,6 +1687,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
|
||||||
return AdminRoles.MANAGE_EVENTS;
|
return AdminRoles.MANAGE_EVENTS;
|
||||||
case IDENTITY_PROVIDER:
|
case IDENTITY_PROVIDER:
|
||||||
return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
|
return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
|
||||||
|
case AUTHORIZATION:
|
||||||
|
return AdminRoles.MANAGE_AUTHORIZATION;
|
||||||
default:
|
default:
|
||||||
throw new RuntimeException("Unexpected resouce");
|
throw new RuntimeException("Unexpected resouce");
|
||||||
}
|
}
|
||||||
|
@ -1577,6 +1706,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
|
||||||
return AdminRoles.VIEW_IDENTITY_PROVIDERS;
|
return AdminRoles.VIEW_IDENTITY_PROVIDERS;
|
||||||
case IDENTITY_PROVIDER:
|
case IDENTITY_PROVIDER:
|
||||||
return AdminRoles.VIEW_REALM;
|
return AdminRoles.VIEW_REALM;
|
||||||
|
case AUTHORIZATION:
|
||||||
|
return AdminRoles.VIEW_IDENTITY_PROVIDERS;
|
||||||
default:
|
default:
|
||||||
throw new RuntimeException("Unexpected resouce");
|
throw new RuntimeException("Unexpected resouce");
|
||||||
}
|
}
|
||||||
|
@ -1594,6 +1725,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
|
||||||
return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
|
return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
|
||||||
case IDENTITY_PROVIDER:
|
case IDENTITY_PROVIDER:
|
||||||
return AdminRoles.MANAGE_REALM;
|
return AdminRoles.MANAGE_REALM;
|
||||||
|
case AUTHORIZATION:
|
||||||
|
return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
|
||||||
default:
|
default:
|
||||||
throw new RuntimeException("Unexpected resouce");
|
throw new RuntimeException("Unexpected resouce");
|
||||||
}
|
}
|
||||||
|
|
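Review bot: `import org.apache.bcel.generic.RETURN;` (the first addition in the imports hunk) is not used by any of the added code and pulls a BCEL class onto the test classpath, which looks like an IDE auto-import accident; drop the line. Separately, `clientAuthorization` exercises settings, resources, scopes and policies, but nothing in it calls the policy evaluation endpoint, so the `requireView()` this commit adds to `PolicyEvaluationService` has no coverage here; an invocation against it, presumably with `AUTHORIZATION, false` since evaluation only requires view, would pin that behaviour. The lookup `realm.clients().findByClientId("foo-authz").get(0)` is repeated in every invocation and would read better as a private helper that also fails with a clear message when the client is missing instead of an IndexOutOfBoundsException.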