KEYCLOAK-4018 Added test for Client-Based Policy
This commit is contained in:
Jonas Pettersson
parent
5e660977aa
commit
5d070cbf22
2 changed files with 112 additions and 0 deletions
|
|
@ -25,6 +25,10 @@ import org.keycloak.authorization.model.Policy;
|
|||
import org.keycloak.authorization.model.Resource;
|
||||
import org.keycloak.authorization.permission.ResourcePermission;
|
||||
import org.keycloak.authorization.policy.evaluation.DefaultEvaluation;
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.representations.AccessToken;
|
||||
import org.keycloak.representations.idm.authorization.DecisionStrategy;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||
|
|
@ -34,6 +38,7 @@ import javax.ws.rs.client.Entity;
|
|||
import javax.ws.rs.core.MediaType;
|
||||
import javax.ws.rs.core.Response;
|
||||
import javax.ws.rs.core.Response.Status;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
|
|
@ -327,6 +332,93 @@ public class ResourcePermissionManagementTest extends AbstractPhotozAdminTest {
|
|||
assertEquals(0, evaluationsUserRole.size());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testResourceAccessWithClientBasedPolicy() throws Exception {
|
||||
ClientModel testClient1 = getClientByClientId("test-client-1");
|
||||
ClientModel testClient2 = getClientByClientId("test-client-2");
|
||||
Policy clientPolicy = createClientPolicy(Collections.singletonList(testClient1));
|
||||
|
||||
PolicyRepresentation newPermission = new PolicyRepresentation();
|
||||
|
||||
newPermission.setName("Client Permission");
|
||||
newPermission.setType("resource");
|
||||
|
||||
HashedMap config = new HashedMap();
|
||||
|
||||
config.put("defaultResourceType", "http://photoz.com/admin");
|
||||
config.put("applyPolicies", JsonSerialization.writeValueAsString(new String[] {clientPolicy.getId()}));
|
||||
|
||||
newPermission.setConfig(config);
|
||||
|
||||
Response response = newPermissionRequest().post(Entity.entity(newPermission, MediaType.APPLICATION_JSON_TYPE));
|
||||
|
||||
assertEquals(Status.CREATED.getStatusCode(), response.getStatus());
|
||||
|
||||
PolicyRepresentation permission = response.readEntity(PolicyRepresentation.class);
|
||||
|
||||
onAuthorizationSession(authorizationProvider -> {
|
||||
Policy policyModel = authorizationProvider.getStoreFactory().getPolicyStore().findById(permission.getId());
|
||||
|
||||
assertNotNull(policyModel);
|
||||
assertEquals(permission.getId(), policyModel.getId());
|
||||
assertEquals(newPermission.getName(), policyModel.getName());
|
||||
assertEquals(resourceServer.getId(), policyModel.getResourceServer().getId());
|
||||
});
|
||||
|
||||
Map<String, DefaultEvaluation> evaluations = performEvaluation(
|
||||
Collections.singletonList(new ResourcePermission(adminResource, Collections.emptyList(), resourceServer)),
|
||||
createAccessTokenForClient(testClient1),
|
||||
createClientConnection("127.0.0.1"));
|
||||
|
||||
assertEquals(1, evaluations.size());
|
||||
assertTrue(evaluations.containsKey(clientPolicy.getId()));
|
||||
assertEquals(Effect.PERMIT, evaluations.get(clientPolicy.getId()).getEffect());
|
||||
|
||||
Map<String, DefaultEvaluation> evaluations2 = performEvaluation(
|
||||
Collections.singletonList(new ResourcePermission(adminResource, Collections.emptyList(), resourceServer)),
|
||||
createAccessTokenForClient(testClient2),
|
||||
createClientConnection("127.0.0.1"));
|
||||
|
||||
assertEquals(1, evaluations2.size());
|
||||
assertTrue(evaluations2.containsKey(clientPolicy.getId()));
|
||||
assertEquals(Effect.DENY, evaluations2.get(clientPolicy.getId()).getEffect());
|
||||
}
|
||||
|
||||
private Policy createClientPolicy(List<ClientModel> allowedClients) {
|
||||
return onAuthorizationSession(authorizationProvider -> {
|
||||
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
|
||||
PolicyStore policyStore = storeFactory.getPolicyStore();
|
||||
Policy policy = policyStore.create("Client-Based Policy", "client", resourceServer);
|
||||
|
||||
List<String> clientIds = new ArrayList<>();
|
||||
for (ClientModel client : allowedClients) {
|
||||
clientIds.add(client.getClientId());
|
||||
}
|
||||
|
||||
String[] clients = clientIds.toArray(new String[clientIds.size()]);
|
||||
HashedMap config = new HashedMap();
|
||||
|
||||
try {
|
||||
config.put("clients", JsonSerialization.writeValueAsString(clients));
|
||||
} catch (IOException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
|
||||
policy.setConfig(config);
|
||||
|
||||
return policy;
|
||||
});
|
||||
}
|
||||
|
||||
private AccessToken createAccessTokenForClient(ClientModel client) {
|
||||
AccessToken accessToken = new AccessToken();
|
||||
|
||||
accessToken.setRealmAccess(new AccessToken.Access());
|
||||
accessToken.issuedFor = client.getClientId();
|
||||
|
||||
return accessToken;
|
||||
}
|
||||
|
||||
private PolicyRepresentation createAlbumResourceTypePermission() throws Exception {
|
||||
PolicyRepresentation newPermission = new PolicyRepresentation();
|
||||
|
||||
|
|
|
|||
|
|
@ -153,6 +153,26 @@
|
|||
"/confidential-no-service-account/*"
|
||||
],
|
||||
"secret": "secret"
|
||||
},
|
||||
{
|
||||
"clientId": "test-client-1",
|
||||
"secret": "secret",
|
||||
"enabled": true,
|
||||
"baseUrl": "test-client-1",
|
||||
"redirectUris": [
|
||||
"/test-client-1/*"
|
||||
],
|
||||
"webOrigins" : ["*"]
|
||||
},
|
||||
{
|
||||
"clientId": "test-client-2",
|
||||
"secret": "secret",
|
||||
"enabled": true,
|
||||
"baseUrl": "test-client-2",
|
||||
"redirectUris": [
|
||||
"/test-client-2/*"
|
||||
],
|
||||
"webOrigins" : ["*"]
|
||||
}
|
||||
]
|
||||
}
|
||||
Loading…
Reference in a new issue