[KEYCLOAK-9451] - Policy evaluation fails when not evaluated against a particual resource

Pedro Igor 2019-02-27 11:27:25 -03:00 committed by Bruno Oliveira da Silva
parent fab52ebc51
commit 6aa9096361
26 changed files with 379 additions and 281 deletions


@ -78,7 +78,7 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
grantedScopes.add(scope);
// we need to grant any scope granted by a permission in case it is not explicitly
// associated with the resource. For instance, resources inheriting scopes from parent resources.
if (!resource.getScopes().contains(scope)) {
if (resource != null && !resource.getScopes().contains(scope)) {
deniedScopes.remove(scope);
}
}
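Review bot: When `resource` is null the new guard skips `deniedScopes.remove(scope)`, so a scope that was just added to `grantedScopes` may also stay in `deniedScopes`, and nothing in the hunk says which set wins for an evaluation without a resource. Leaving the scope denied fails closed, which is the safer direction for an authorization decision, but it should be stated rather than implied. Extend the comment above the condition with something like `// resource is null when the evaluation is not bound to a resource; a scope denied earlier then stays denied`. A regression test that evaluates a scope-only request against one granting and one denying permission would pin the intended outcome. The enclosing method starts and ends outside the hunk, so how the two sets are reconciled afterwards is not visible here.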


@ -107,13 +107,13 @@ public abstract class AbstractAuthorizationTest extends AbstractClientTest {
ResourceScopesResource resources = getClientResource().authorization().scopes();
Response response = resources.create(newScope);
try (Response response = resources.create(newScope)) {
assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
ScopeRepresentation stored = response.readEntity(ScopeRepresentation.class);
ScopeRepresentation stored = response.readEntity(ScopeRepresentation.class);
return resources.scope(stored.getId());
return resources.scope(stored.getId());
}
}
private RealmBuilder createTestRealm() {


@ -86,27 +86,30 @@ public class AggregatePolicyManagementTest extends AbstractPolicyManagementTest
representation.addPolicy("Only Marta Policy");
AggregatePoliciesResource policies = authorization.policies().aggregate();
Response response = policies.create(representation);
AggregatePolicyRepresentation created = response.readEntity(AggregatePolicyRepresentation.class);
policies.findById(created.getId()).remove();
try (Response response = policies.create(representation)) {
AggregatePolicyRepresentation created = response.readEntity(AggregatePolicyRepresentation.class);
AggregatePolicyResource removed = policies.findById(created.getId());
policies.findById(created.getId()).remove();
try {
removed.toRepresentation();
fail("Policy not removed");
} catch (NotFoundException ignore) {
AggregatePolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Policy not removed");
} catch (NotFoundException ignore) {
}
}
}
private void assertCreated(AuthorizationResource authorization, AggregatePolicyRepresentation representation) {
AggregatePoliciesResource permissions = authorization.policies().aggregate();
Response response = permissions.create(representation);
AggregatePolicyRepresentation created = response.readEntity(AggregatePolicyRepresentation.class);
AggregatePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
AggregatePolicyRepresentation created = response.readEntity(AggregatePolicyRepresentation.class);
AggregatePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(AggregatePolicyRepresentation representation, AggregatePolicyResource policy) {
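Review bot: Neither the delete test nor `assertCreated` checks the response status before calling `response.readEntity(...)`, so a rejected create would probably surface only later, as a confusing failure around `findById(created.getId())`. Making `assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());` the first statement inside each `try` would match what `createScope` in AbstractAuthorizationTest already does. The same gap appears in the Client, Group, JS, Role, Rules, Time and User policy management tests and in `assertCreated` of the resource and scope permission tests. The delete test method starts outside the hunk.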


@ -115,19 +115,20 @@ public class ClientPolicyManagementTest extends AbstractPolicyManagementTest {
representation.addClient("Client A");
ClientPoliciesResource policies = authorization.policies().client();
Response response = policies.create(representation);
ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class);
response.close();
policies.findById(created.getId()).remove();
try (Response response = policies.create(representation)) {
ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class);
ClientPolicyResource removed = policies.findById(created.getId());
policies.findById(created.getId()).remove();
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
ClientPolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
}
}
}
@ -185,28 +186,30 @@ public class ClientPolicyManagementTest extends AbstractPolicyManagementTest {
representation.addClient("Client A");
ClientPoliciesResource policies = authorization.policies().client();
Response response = policies.create(representation);
ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class);
response.close();
PolicyResource policy = authorization.policies().policy(created.getId());
PolicyRepresentation genericConfig = policy.toRepresentation();
try (Response response = policies.create(representation)) {
ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class);
assertNotNull(genericConfig.getConfig());
assertNotNull(genericConfig.getConfig().get("clients"));
PolicyResource policy = authorization.policies().policy(created.getId());
PolicyRepresentation genericConfig = policy.toRepresentation();
ClientRepresentation user = getRealm().clients().findByClientId("Client A").get(0);
assertNotNull(genericConfig.getConfig());
assertNotNull(genericConfig.getConfig().get("clients"));
assertTrue(genericConfig.getConfig().get("clients").contains(user.getId()));
ClientRepresentation user = getRealm().clients().findByClientId("Client A").get(0);
assertTrue(genericConfig.getConfig().get("clients").contains(user.getId()));
}
}
private void assertCreated(AuthorizationResource authorization, ClientPolicyRepresentation representation) {
ClientPoliciesResource permissions = authorization.policies().client();
Response response = permissions.create(representation);
ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class);
response.close();
ClientPolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
ClientPolicyRepresentation created = response.readEntity(ClientPolicyRepresentation.class);
ClientPolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(ClientPolicyRepresentation representation, ClientPolicyResource permission) {
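Review bot: The `try` blocks now keep the `Response` open across the follow-up `findById`, `remove` and `toRepresentation` calls, whereas the earlier form in this file called `response.close()` directly after `readEntity`. Only the entity read needs the open response, so the resource scope can stay as narrow as before: declare `ClientPolicyRepresentation created;` ahead of the block and use `try (Response response = policies.create(representation)) { created = response.readEntity(ClientPolicyRepresentation.class); }`, with the remaining assertions after it. That also avoids the extra indentation level this commit adds throughout the policy management tests. The first two test methods start outside their hunks.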


@ -189,13 +189,14 @@ public class GenericPolicyManagementTest extends AbstractAuthorizationTest {
newPolicy.setConfig(config);
PoliciesResource policies = getClientResource().authorization().policies();
Response response = policies.create(newPolicy);
assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
try (Response response = policies.create(newPolicy)) {
assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
PolicyRepresentation stored = response.readEntity(PolicyRepresentation.class);
PolicyRepresentation stored = response.readEntity(PolicyRepresentation.class);
return policies.policy(stored.getId());
return policies.policy(stored.getId());
}
}
private ResourceResource createResource(String name) {
@ -205,13 +206,13 @@ public class GenericPolicyManagementTest extends AbstractAuthorizationTest {
ResourcesResource resources = getClientResource().authorization().resources();
Response response = resources.create(newResource);
try (Response response = resources.create(newResource)) {
assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
ResourceRepresentation stored = response.readEntity(ResourceRepresentation.class);
ResourceRepresentation stored = response.readEntity(ResourceRepresentation.class);
return resources.resource(stored.getId());
return resources.resource(stored.getId());
}
}
private ResourceScopeResource createScope(String name) {
@ -221,13 +222,14 @@ public class GenericPolicyManagementTest extends AbstractAuthorizationTest {
ResourceScopesResource scopes = getClientResource().authorization().scopes();
Response response = scopes.create(newScope);
try (Response response = scopes.create(newScope)) {
assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
ScopeRepresentation stored = response.readEntity(ScopeRepresentation.class);
ScopeRepresentation stored = response.readEntity(ScopeRepresentation.class);
return scopes.scope(stored.getId());
return scopes.scope(stored.getId());
}
}
private String buildConfigOption(String... values) {


@ -145,18 +145,20 @@ public class GroupPolicyManagementTest extends AbstractPolicyManagementTest {
representation.addGroupPath("Group F");
GroupPoliciesResource policies = authorization.policies().group();
Response response = policies.create(representation);
GroupPolicyRepresentation created = response.readEntity(GroupPolicyRepresentation.class);
policies.findById(created.getId()).remove();
try (Response response = policies.create(representation)) {
GroupPolicyRepresentation created = response.readEntity(GroupPolicyRepresentation.class);
GroupPolicyResource removed = policies.findById(created.getId());
policies.findById(created.getId()).remove();
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
GroupPolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
}
}
}
@ -183,18 +185,20 @@ public class GroupPolicyManagementTest extends AbstractPolicyManagementTest {
representation.addGroupPath("/Group A");
GroupPoliciesResource policies = authorization.policies().group();
Response response = policies.create(representation);
GroupPolicyRepresentation created = response.readEntity(GroupPolicyRepresentation.class);
PolicyResource policy = authorization.policies().policy(created.getId());
PolicyRepresentation genericConfig = policy.toRepresentation();
try (Response response = policies.create(representation)) {
GroupPolicyRepresentation created = response.readEntity(GroupPolicyRepresentation.class);
assertNotNull(genericConfig.getConfig());
assertNotNull(genericConfig.getConfig().get("groups"));
PolicyResource policy = authorization.policies().policy(created.getId());
PolicyRepresentation genericConfig = policy.toRepresentation();
GroupRepresentation group = getRealm().groups().groups().stream().filter(groupRepresentation -> groupRepresentation.getName().equals("Group A")).findFirst().get();
assertNotNull(genericConfig.getConfig());
assertNotNull(genericConfig.getConfig().get("groups"));
assertTrue(genericConfig.getConfig().get("groups").contains(group.getId()));
GroupRepresentation group = getRealm().groups().groups().stream().filter(groupRepresentation -> groupRepresentation.getName().equals("Group A")).findFirst().get();
assertTrue(genericConfig.getConfig().get("groups").contains(group.getId()));
}
}
private void assertCreated(AuthorizationResource authorization, GroupPolicyRepresentation representation) {


@ -86,27 +86,30 @@ public class JSPolicyManagementTest extends AbstractPolicyManagementTest {
representation.setCode("$evaluation.grant()");
JSPoliciesResource policies = authorization.policies().js();
Response response = policies.create(representation);
JSPolicyRepresentation created = response.readEntity(JSPolicyRepresentation.class);
try (Response response = policies.create(representation)) {
JSPolicyRepresentation created = response.readEntity(JSPolicyRepresentation.class);
policies.findById(created.getId()).remove();
policies.findById(created.getId()).remove();
JSPolicyResource removed = policies.findById(created.getId());
JSPolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
}
}
}
private void assertCreated(AuthorizationResource authorization, JSPolicyRepresentation representation) {
JSPoliciesResource permissions = authorization.policies().js();
Response response = permissions.create(representation);
JSPolicyRepresentation created = response.readEntity(JSPolicyRepresentation.class);
JSPolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
JSPolicyRepresentation created = response.readEntity(JSPolicyRepresentation.class);
JSPolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(JSPolicyRepresentation representation, JSPolicyResource permission) {


@ -333,7 +333,7 @@ public class PolicyEnforcerClaimsTest extends AbstractKeycloakTest {
policy.setCode(code.toString());
clientResource.authorization().policies().js().create(policy);
clientResource.authorization().policies().js().create(policy).close();
createResource(clientResource, "Bank Account", "/api/bank/account/{id}/withdrawal", "withdrawal");
@ -343,7 +343,7 @@ public class PolicyEnforcerClaimsTest extends AbstractKeycloakTest {
permission.addScope("withdrawal");
permission.addPolicy(policy.getName());
clientResource.authorization().permissions().scope().create(permission);
clientResource.authorization().permissions().scope().create(permission).close();
}
}
@ -362,11 +362,12 @@ public class PolicyEnforcerClaimsTest extends AbstractKeycloakTest {
representation.setUri(uri);
representation.setScopes(Arrays.asList(scopes).stream().map(ScopeRepresentation::new).collect(Collectors.toSet()));
javax.ws.rs.core.Response response = clientResource.authorization().resources().create(representation);
try (javax.ws.rs.core.Response response = clientResource.authorization().resources().create(representation)) {
representation.setId(response.readEntity(ResourceRepresentation.class).getId());
representation.setId(response.readEntity(ResourceRepresentation.class).getId());
return representation;
return representation;
}
}
private ClientResource getClientResource(String name) {
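Review bot: `create(policy).close()` and `create(permission).close()` release the response but discard its status, so a rejected policy or permission would leave the enforcer test running against an incomplete authorization setup with no hint as to why. Checking the status before closing keeps the fixture honest, for example `try (javax.ws.rs.core.Response r = clientResource.authorization().policies().js().create(policy)) { assertEquals(201, r.getStatus()); }`. `createResource` likewise reads the entity without checking the status. The same discard pattern is in the three create helpers of ConflictingScopePermissionTest and in the `permissions.create(permission1).close()` lines of the resource and scope permission tests. The first two hunks cut through a method whose start is not visible.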


@ -250,17 +250,18 @@ public class ResourceManagementTest extends AbstractAuthorizationTest {
protected ResourceRepresentation doCreateResource(ResourceRepresentation newResource) {
ResourcesResource resources = getClientResource().authorization().resources();
Response response = resources.create(newResource);
try (Response response = resources.create(newResource)) {
int status = response.getStatus();
int status = response.getStatus();
if (status != Response.Status.CREATED.getStatusCode()) {
throw new RuntimeException(new HttpResponseException("Error", status, "", null));
if (status != Response.Status.CREATED.getStatusCode()) {
throw new RuntimeException(new HttpResponseException("Error", status, "", null));
}
ResourceRepresentation stored = response.readEntity(ResourceRepresentation.class);
return resources.resource(stored.getId()).toRepresentation();
}
ResourceRepresentation stored = response.readEntity(ResourceRepresentation.class);
return resources.resource(stored.getId()).toRepresentation();
}
protected ResourceRepresentation doUpdateResource(ResourceRepresentation resource) {


@ -114,18 +114,20 @@ public class ResourcePermissionManagementTest extends AbstractPolicyManagementTe
representation.addPolicy("Only Marta Policy");
ResourcePermissionsResource permissions = authorization.permissions().resource();
Response response = permissions.create(representation);
ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
permissions.findById(created.getId()).remove();
try (Response response = permissions.create(representation)) {
ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
ResourcePermissionResource removed = permissions.findById(created.getId());
permissions.findById(created.getId()).remove();
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
ResourcePermissionResource removed = permissions.findById(created.getId());
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
}
}
}
@ -140,23 +142,24 @@ public class ResourcePermissionManagementTest extends AbstractPolicyManagementTe
ResourcePermissionsResource permissions = authorization.permissions().resource();
permissions.create(permission1);
permissions.create(permission1).close();
ResourcePermissionRepresentation permission2 = new ResourcePermissionRepresentation();
permission2.setName(permission1.getName());
Response response = permissions.create(permission2);
assertEquals(Response.Status.CONFLICT.getStatusCode(), response.getStatus());
try (Response response = permissions.create(permission2)) {
assertEquals(Response.Status.CONFLICT.getStatusCode(), response.getStatus());
}
}
private void assertCreated(AuthorizationResource authorization, ResourcePermissionRepresentation representation) {
ResourcePermissionsResource permissions = authorization.permissions().resource();
Response response = permissions.create(representation);
ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
ResourcePermissionResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
ResourcePermissionResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(ResourcePermissionRepresentation representation, ResourcePermissionResource permission) {


@ -147,18 +147,20 @@ public class RolePolicyManagementTest extends AbstractPolicyManagementTest {
representation.addRole("Role A", false);
RolePoliciesResource policies = authorization.policies().role();
Response response = policies.create(representation);
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
policies.findById(created.getId()).remove();
try (Response response = policies.create(representation)) {
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
RolePolicyResource removed = policies.findById(created.getId());
policies.findById(created.getId()).remove();
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
RolePolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
}
}
}
@ -171,26 +173,30 @@ public class RolePolicyManagementTest extends AbstractPolicyManagementTest {
representation.addRole("Role A", false);
RolePoliciesResource policies = authorization.policies().role();
Response response = policies.create(representation);
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
PolicyResource policy = authorization.policies().policy(created.getId());
PolicyRepresentation genericConfig = policy.toRepresentation();
try (Response response = policies.create(representation)) {
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
assertNotNull(genericConfig.getConfig());
assertNotNull(genericConfig.getConfig().get("roles"));
PolicyResource policy = authorization.policies().policy(created.getId());
PolicyRepresentation genericConfig = policy.toRepresentation();
RoleRepresentation role = getRealm().roles().get("Role A").toRepresentation();
assertNotNull(genericConfig.getConfig());
assertNotNull(genericConfig.getConfig().get("roles"));
assertTrue(genericConfig.getConfig().get("roles").contains(role.getId()));
RoleRepresentation role = getRealm().roles().get("Role A").toRepresentation();
assertTrue(genericConfig.getConfig().get("roles").contains(role.getId()));
}
}
private void assertCreated(AuthorizationResource authorization, RolePolicyRepresentation representation) {
RolePoliciesResource permissions = authorization.policies().role();
Response response = permissions.create(representation);
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
RolePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
RolePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(RolePolicyRepresentation representation, RolePolicyResource permission) {


@ -77,18 +77,20 @@ public class RulesPolicyManagementTest extends AbstractPolicyManagementTest {
RulePolicyRepresentation representation = createDefaultRepresentation("Delete Rule Policy");
RulePoliciesResource policies = authorization.policies().rule();
Response response = policies.create(representation);
RulePolicyRepresentation created = response.readEntity(RulePolicyRepresentation.class);
policies.findById(created.getId()).remove();
try (Response response = policies.create(representation)) {
RulePolicyRepresentation created = response.readEntity(RulePolicyRepresentation.class);
RulePolicyResource removed = policies.findById(created.getId());
policies.findById(created.getId()).remove();
try {
removed.toRepresentation();
fail("Policy not removed");
} catch (NotFoundException ignore) {
RulePolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Policy not removed");
} catch (NotFoundException ignore) {
}
}
}
@ -112,10 +114,12 @@ public class RulesPolicyManagementTest extends AbstractPolicyManagementTest {
private void assertCreated(AuthorizationResource authorization, RulePolicyRepresentation representation) {
RulePoliciesResource permissions = authorization.policies().rule();
Response response = permissions.create(representation);
RulePolicyRepresentation created = response.readEntity(RulePolicyRepresentation.class);
RulePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
RulePolicyRepresentation created = response.readEntity(RulePolicyRepresentation.class);
RulePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(RulePolicyRepresentation expected, RulePolicyResource policy) {


@ -134,23 +134,25 @@ public class ScopePermissionManagementTest extends AbstractPolicyManagementTest
ScopePermissionsResource permissions = authorization.permissions().scope();
permissions.create(permission1);
permissions.create(permission1).close();
ScopePermissionRepresentation permission2 = new ScopePermissionRepresentation();
permission2.setName(permission1.getName());
Response response = permissions.create(permission2);
assertEquals(Response.Status.CONFLICT.getStatusCode(), response.getStatus());
try (Response response = permissions.create(permission2)) {
assertEquals(Response.Status.CONFLICT.getStatusCode(), response.getStatus());
}
}
private void assertCreated(AuthorizationResource authorization, ScopePermissionRepresentation representation) {
ScopePermissionsResource permissions = authorization.permissions().scope();
Response response = permissions.create(representation);
ScopePermissionRepresentation created = response.readEntity(ScopePermissionRepresentation.class);
ScopePermissionResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
ScopePermissionRepresentation created = response.readEntity(ScopePermissionRepresentation.class);
ScopePermissionResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(ScopePermissionRepresentation representation, ScopePermissionResource permission) {


@ -101,18 +101,20 @@ public class TimePolicyManagementTest extends AbstractPolicyManagementTest {
AuthorizationResource authorization = getClient().authorization();
TimePolicyRepresentation representation = createRepresentation("Test Delete Policy");
TimePoliciesResource policies = authorization.policies().time();
Response response = policies.create(representation);
TimePolicyRepresentation created = response.readEntity(TimePolicyRepresentation.class);
policies.findById(created.getId()).remove();
try (Response response = policies.create(representation)) {
TimePolicyRepresentation created = response.readEntity(TimePolicyRepresentation.class);
TimePolicyResource removed = policies.findById(created.getId());
policies.findById(created.getId()).remove();
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
TimePolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
}
}
}
@ -140,10 +142,12 @@ public class TimePolicyManagementTest extends AbstractPolicyManagementTest {
private void assertCreated(AuthorizationResource authorization, TimePolicyRepresentation representation) {
TimePoliciesResource permissions = authorization.policies().time();
Response response = permissions.create(representation);
TimePolicyRepresentation created = response.readEntity(TimePolicyRepresentation.class);
TimePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
TimePolicyRepresentation created = response.readEntity(TimePolicyRepresentation.class);
TimePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(TimePolicyRepresentation representation, TimePolicyResource permission) {


@ -118,18 +118,20 @@ public class UserPolicyManagementTest extends AbstractPolicyManagementTest {
representation.addUser("User A");
UserPoliciesResource policies = authorization.policies().user();
Response response = policies.create(representation);
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
policies.findById(created.getId()).remove();
try (Response response = policies.create(representation)) {
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
UserPolicyResource removed = policies.findById(created.getId());
policies.findById(created.getId()).remove();
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
UserPolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
}
}
}
@ -186,18 +188,20 @@ public class UserPolicyManagementTest extends AbstractPolicyManagementTest {
representation.addUser("User A");
UserPoliciesResource policies = authorization.policies().user();
Response response = policies.create(representation);
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
PolicyResource policy = authorization.policies().policy(created.getId());
PolicyRepresentation genericConfig = policy.toRepresentation();
try (Response response = policies.create(representation)) {
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
assertNotNull(genericConfig.getConfig());
assertNotNull(genericConfig.getConfig().get("users"));
PolicyResource policy = authorization.policies().policy(created.getId());
PolicyRepresentation genericConfig = policy.toRepresentation();
UserRepresentation user = getRealm().users().search("User A").get(0);
assertNotNull(genericConfig.getConfig());
assertNotNull(genericConfig.getConfig().get("users"));
assertTrue(genericConfig.getConfig().get("users").contains(user.getId()));
UserRepresentation user = getRealm().users().search("User A").get(0);
assertTrue(genericConfig.getConfig().get("users").contains(user.getId()));
}
}
@Test
@ -219,33 +223,35 @@ public class UserPolicyManagementTest extends AbstractPolicyManagementTest {
policy.setConfig(config);
Response response = authorization.policies().create(policy);
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
response.close();
try (Response response = authorization.policies().create(policy)) {
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
}
config.put("users", "");
policy.setConfig(config);
response = authorization.policies().create(policy);
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
response.close();
try (Response response = authorization.policies().create(policy)) {
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
}
config.clear();
policy.setConfig(config);
response = authorization.policies().create(policy);
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
response.close();
try (Response response = authorization.policies().create(policy)) {
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
}
}
private void assertCreated(AuthorizationResource authorization, UserPolicyRepresentation representation) {
UserPoliciesResource permissions = authorization.policies().user();
Response response = permissions.create(representation);
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
UserPolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
try (Response response = permissions.create(representation)) {
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
UserPolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
}
private void assertRepresentation(UserPolicyRepresentation representation, UserPolicyResource permission) {
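Review bot: The three `try` blocks in the last test pin `Response.Status.INTERNAL_SERVER_ERROR` for a policy whose `users` config is empty or absent, which records an unhandled server error as the expected answer to malformed client input. If the endpoint is meant to validate the config, the expected status would be a 4xx such as `Response.Status.BAD_REQUEST`. If 500 is simply the current behaviour, a comment such as `// server currently answers 500 for an invalid user policy config` would keep the assertion from reading as the contract. The test method starts outside the hunk, so the first config value is not visible here.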


@ -183,9 +183,9 @@ public class AuthorizationTest extends AbstractAuthzTest {
permission.addResource(resource.getId());
permission.addPolicy(policies);
Response response = getClient().authorization().permissions().resource().create(permission);
assertEquals(201, response.getStatus());
try (Response response = getClient().authorization().permissions().resource().create(permission)) {
assertEquals(201, response.getStatus());
}
}
@NotNull
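Review bot: The literal `201` in `assertEquals(201, response.getStatus())` is out of step with the other tests in this commit, which spell the expectation as `Response.Status.CREATED.getStatusCode()`. Using `assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());` here keeps the status checks uniform and searchable. The enclosing method starts outside the hunk.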


@ -274,7 +274,7 @@ public class ConflictingScopePermissionTest extends AbstractAuthzTest {
representation.setConfig(config);
client.authorization().policies().create(representation);
client.authorization().policies().create(representation).close();
}
private void createResourcePermission(String name, String resourceName, List<String> policies, ClientResource client) throws IOException {
@ -284,7 +284,7 @@ public class ConflictingScopePermissionTest extends AbstractAuthzTest {
representation.addResource(resourceName);
representation.addPolicy(policies.toArray(new String[policies.size()]));
client.authorization().permissions().resource().create(representation);
client.authorization().permissions().resource().create(representation).close();
}
private void createScopePermission(String name, String resourceName, List<String> scopes, List<String> policies, ClientResource client) throws IOException {
@ -300,7 +300,7 @@ public class ConflictingScopePermissionTest extends AbstractAuthzTest {
representation.addScope(scopes.toArray(new String[scopes.size()]));
representation.addPolicy(policies.toArray(new String[policies.size()]));
authorization.permissions().scope().create(representation);
authorization.permissions().scope().create(representation).close();
}
private AuthzClient getAuthzClient() {
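Review bot: The status of each `create(...)` call is discarded in the three helpers of this section, because `.close()` is chained straight onto the returned Response. A rejected request (for example a name conflict) would leave the test running against a realm that lacks the policy or permission it believes it installed. A later authorization assertion could then pass or fail for a reason unrelated to the rule under test. The AuthorizationTest section on this page shows the safer shape: `try (Response response = ...create(representation)) { assertEquals(201, response.getStatus()); }`. The same unchecked `create(...).close()` appears in the EntitlementAPITest, GroupNamePolicyTest, GroupPathPolicyTest, RolePolicyTest, UmaGrantTypeTest and UmaPermissionTicketPushedClaimsTest sections; the helper bodies start outside the hunks.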


@ -24,6 +24,7 @@ import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
@ -36,8 +37,6 @@ import java.util.Set;
import java.util.function.Supplier;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.hamcrest.Matchers;
@ -80,9 +79,9 @@ import org.keycloak.representations.idm.authorization.PermissionTicketRepresenta
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ContainerAssume;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
@ -407,7 +406,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
resource.setOwner("marta");
resource.setOwnerManagedAccess(true);
resource = authorization.resources().create(resource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
@ -415,7 +416,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
permission.addResource(resource.getId());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission);
authorization.permissions().resource().create(permission).close();
assertTrue(hasPermission("marta", "password", resource.getId()));
assertFalse(hasPermission("kolo", "password", resource.getId()));
@ -543,7 +544,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
resource.setName("Sensors");
resource.addScope("sensors:view", "sensors:update", "sensors:delete");
resource = authorization.resources().create(resource).readEntity(ResourceRepresentation.class);
authorization.resources().create(resource).close();
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
@ -551,7 +552,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission);
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
@ -585,7 +586,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("sensors:view", "sensors:update", "sensors:delete");
resource = authorization.resources().create(resource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
@ -593,7 +596,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission);
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
@ -640,14 +643,18 @@ public class EntitlementAPITest extends AbstractAuthzTest {
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("sensors:view", "sensors:update", "sensors:delete");
resourceIds.add(authorization.resources().create(resource).readEntity(ResourceRepresentation.class).getId());
try (Response response = authorization.resources().create(resource)) {
resourceIds.add(response.readEntity(ResourceRepresentation.class).getId());
}
resource = new ResourceRepresentation();
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("sensors:view", "sensors:update");
resourceIds.add(authorization.resources().create(resource).readEntity(ResourceRepresentation.class).getId());
try (Response response = authorization.resources().create(resource)) {
resourceIds.add(response.readEntity(ResourceRepresentation.class).getId());
}
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
@ -655,7 +662,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
permission.addScope("sensors:view", "sensors:update");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission);
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
@ -717,6 +724,46 @@ public class EntitlementAPITest extends AbstractAuthzTest {
}
}
@Test
public void testObtainAllEntitlementsForScopeWithDeny() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
authorization.scopes().create(new ScopeRepresentation("sensors:view")).close();
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
permission.setName(KeycloakModelUtils.generateId());
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(null, "sensors:view");
AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
assertEquals(1, permissions.size());
for (Permission grantedPermission : permissions) {
assertNull(grantedPermission.getResourceId());
assertEquals(1, grantedPermission.getScopes().size());
assertTrue(grantedPermission.getScopes().containsAll(Arrays.asList("sensors:view")));
}
}
@Test
public void testObtainAllEntitlementsForResource() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
@ -734,7 +781,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
resource.setName(KeycloakModelUtils.generateId());
resource.addScope("scope:view", "scope:update", "scope:delete");
resource = authorization.resources().create(resource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
@ -742,7 +791,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
permission.addResource(resource.getId());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission);
authorization.permissions().resource().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
@ -806,7 +855,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
typedResource.setName(KeycloakModelUtils.generateId());
typedResource.addScope("read", "update");
typedResource = authorization.resources().create(typedResource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(typedResource)) {
typedResource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
@ -814,7 +865,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
typedResourcePermission.setResourceType("resource");
typedResourcePermission.addPolicy(onlyOwnerPolicy.getName());
typedResourcePermission = authorization.permissions().resource().create(typedResourcePermission).readEntity(ResourcePermissionRepresentation.class);
try (Response response = authorization.permissions().resource().create(typedResourcePermission)) {
typedResourcePermission = response.readEntity(ResourcePermissionRepresentation.class);
}
ResourceRepresentation martaResource = new ResourceRepresentation();
@ -823,7 +876,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
martaResource.addScope("read", "update");
martaResource.setOwner("marta");
martaResource = authorization.resources().create(martaResource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(martaResource)) {
martaResource = response.readEntity(ResourceRepresentation.class);
}
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
@ -864,7 +919,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
onlyKoloPolicy.setName(KeycloakModelUtils.generateId());
onlyKoloPolicy.addUser("kolo");
authorization.policies().user().create(onlyKoloPolicy);
authorization.policies().user().create(onlyKoloPolicy).close();
ResourcePermissionRepresentation martaResourcePermission = new ResourcePermissionRepresentation();
@ -872,7 +927,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
martaResourcePermission.addResource(martaResource.getId());
martaResourcePermission.addPolicy(onlyKoloPolicy.getName());
martaResourcePermission = authorization.permissions().resource().create(martaResourcePermission).readEntity(ResourcePermissionRepresentation.class);
try (Response response1 = authorization.permissions().resource().create(martaResourcePermission)) {
martaResourcePermission = response1.readEntity(ResourcePermissionRepresentation.class);
}
response = authzClient.authorization(accessToken).authorize(request);
assertNotNull(response.getToken());
@ -911,7 +968,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
martaResourceUpdatePermission.addScope("update");
martaResourceUpdatePermission.addPolicy(onlyOwnerPolicy.getName());
martaResourceUpdatePermission = authorization.permissions().scope().create(martaResourceUpdatePermission).readEntity(ScopePermissionRepresentation.class);
try (Response response1 = authorization.permissions().scope().create(martaResourceUpdatePermission)) {
martaResourceUpdatePermission = response1.readEntity(ScopePermissionRepresentation.class);
}
// now kolo can only read, but not update
response = authzClient.authorization(accessToken).authorize(request);
@ -1034,7 +1093,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
typedResource.setType("resource");
typedResource.setName(KeycloakModelUtils.generateId());
typedResource = authorization.resources().create(typedResource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(typedResource)) {
typedResource = response.readEntity(ResourceRepresentation.class);
}
ResourceRepresentation userResource = new ResourceRepresentation();
@ -1045,7 +1106,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
attributes.put("visibility", Arrays.asList("private"));
userResource.setAttributes(attributes);
userResource = authorization.resources().create(userResource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(userResource)) {
userResource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation typedResourcePermission = new ResourcePermissionRepresentation();
@ -1053,7 +1116,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
typedResourcePermission.setResourceType("resource");
typedResourcePermission.addPolicy(onlyPublicResourcesPolicy.getName());
typedResourcePermission = authorization.permissions().resource().create(typedResourcePermission).readEntity(ResourcePermissionRepresentation.class);
try (Response response = authorization.permissions().resource().create(typedResourcePermission)) {
typedResourcePermission = response.readEntity(ResourcePermissionRepresentation.class);
}
// marta can access any public resource
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
@ -1110,7 +1175,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
createPermission.addScope("create");
createPermission.addPolicy(onlyPublicResourcesPolicy.getName());
authorization.permissions().scope().create(createPermission);
authorization.permissions().scope().create(createPermission).close();
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
@ -1190,7 +1255,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
resource.setName("Sensors");
resource.addScope("sensors:view", "sensors:update", "sensors:delete");
resource = authorization.resources().create(resource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
@ -1198,7 +1265,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
permission.addScope("sensors:view");
permission.addPolicy(policy.getName());
authorization.permissions().scope().create(permission);
authorization.permissions().scope().create(permission).close();
String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).scope("offline_access").doGrantAccessTokenRequest("secret", "offlineuser", "password").getAccessToken();
AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
@ -1254,7 +1321,9 @@ public class EntitlementAPITest extends AbstractAuthzTest {
resource.setName("Sensors");
resource = authorization.resources().create(resource).readEntity(ResourceRepresentation.class);
try (Response response = authorization.resources().create(resource)) {
resource = response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
@ -1262,7 +1331,7 @@ public class EntitlementAPITest extends AbstractAuthzTest {
permission.addResource(resource.getName());
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission);
authorization.permissions().resource().create(permission).close();
oauth.realm("authz-test");
oauth.clientId(PUBLIC_TEST_CLIENT);
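Review bot: `testObtainAllEntitlementsForScopeWithDeny` never exercises a deny: its only policy is `$evaluation.grant();`, and every assertion checks that `sensors:view` is granted with a null resource id. As written it pins the grant path for a scope request with no resource, but not that a denied scope stays out of the token, which is the direction in which an authorization regression does harm. Either rename the test to say what it covers, or add a second scope permission backed by a `$evaluation.deny();` policy and assert that the scope is absent from the result or that the request is refused.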


@ -28,8 +28,6 @@ import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
@ -38,7 +36,6 @@ import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.mappers.GroupMembershipMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
@ -52,14 +49,12 @@ import org.keycloak.representations.idm.authorization.GroupPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.GroupBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -197,8 +192,7 @@ public class GroupNamePolicyTest extends AbstractAuthzTest {
policy.setGroupsClaim("groups");
policy.addGroupPath(groupPath, extendChildren);
Response response = getClient().authorization().policies().group().create(policy);
response.close();
getClient().authorization().policies().group().create(policy).close();
}
private void createResourcePermission(String name, String resource, String... policies) {
@ -208,16 +202,14 @@ public class GroupNamePolicyTest extends AbstractAuthzTest {
permission.addResource(resource);
permission.addPolicy(policies);
Response response = getClient().authorization().permissions().resource().create(permission);
response.close();
getClient().authorization().permissions().resource().create(permission).close();
}
private void createResource(String name) {
AuthorizationResource authorization = getClient().authorization();
ResourceRepresentation resource = new ResourceRepresentation(name);
Response response = authorization.resources().create(resource);
response.close();
authorization.resources().create(resource).close();
}
private RealmResource getRealm() {


@ -28,8 +28,6 @@ import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
@ -181,8 +179,7 @@ public class GroupPathPolicyTest extends AbstractAuthzTest {
policy.setGroupsClaim("groups");
policy.addGroupPath(groupPath, extendChildren);
Response response = getClient().authorization().policies().group().create(policy);
response.close();
getClient().authorization().policies().group().create(policy).close();
}
private void createResourcePermission(String name, String resource, String... policies) {
@ -192,16 +189,14 @@ public class GroupPathPolicyTest extends AbstractAuthzTest {
permission.addResource(resource);
permission.addPolicy(policies);
Response response = getClient().authorization().permissions().resource().create(permission);
response.close();
getClient().authorization().permissions().resource().create(permission).close();
}
private void createResource(String name) {
AuthorizationResource authorization = getClient().authorization();
ResourceRepresentation resource = new ResourceRepresentation(name);
Response response = authorization.resources().create(resource);
response.close();
authorization.resources().create(resource).close();
}
private RealmResource getRealm() {


@ -22,6 +22,7 @@ import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
@ -247,7 +248,9 @@ public class PermissionClaimTest extends AbstractAuthzTest {
updatePermission.addScope("update");
updatePermission.addPolicy(claimCPolicy.getName());
updatePermission = authorization.permissions().scope().create(updatePermission).readEntity(ScopePermissionRepresentation.class);
try (Response response = authorization.permissions().scope().create(updatePermission)) {
updatePermission = response.readEntity(ScopePermissionRepresentation.class);
}
AuthzClient authzClient = getAuthzClient();
AuthorizationRequest request = new AuthorizationRequest();
@ -320,7 +323,9 @@ public class PermissionClaimTest extends AbstractAuthzTest {
updatePermission.addResource(resourceA.getName());
updatePermission.addPolicy(claimCPolicy.getName());
updatePermission = authorization.permissions().resource().create(updatePermission).readEntity(ResourcePermissionRepresentation.class);
try (Response response = authorization.permissions().resource().create(updatePermission)) {
updatePermission = response.readEntity(ResourcePermissionRepresentation.class);
}
AuthzClient authzClient = getAuthzClient();
AuthorizationResponse response = authzClient.authorization("marta", "password").authorize();
@ -357,7 +362,9 @@ public class PermissionClaimTest extends AbstractAuthzTest {
resourceInstance.setType(resourceA.getType());
resourceInstance.setOwner("marta");
resourceInstance = authorization.resources().create(resourceInstance).readEntity(ResourceRepresentation.class);
try (Response response1 = authorization.resources().create(resourceInstance)) {
resourceInstance = response1.readEntity(ResourceRepresentation.class);
}
AuthorizationRequest request = new AuthorizationRequest();
@ -377,7 +384,9 @@ public class PermissionClaimTest extends AbstractAuthzTest {
resourceInstancePermission.addResource(resourceInstance.getId());
resourceInstancePermission.addPolicy(claimCPolicy.getName());
resourceInstancePermission = authorization.permissions().resource().create(resourceInstancePermission).readEntity(ResourcePermissionRepresentation.class);
try (Response response1 = authorization.permissions().resource().create(resourceInstancePermission)) {
resourceInstancePermission = response1.readEntity(ResourcePermissionRepresentation.class);
}
response = authzClient.authorization("marta", "password").authorize(request);
assertNotNull(response.getToken());
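Review bot: The try-with-resources variable is named `response` in the first two hunks and `response1` in the last two, and in the second hunk `Response response` is followed a few lines later by `AuthorizationResponse response`. Reusing one name for two unrelated types, and falling back to a numeric suffix where they collide, makes these tests harder to read. A name tied to the call would work in all four places, e.g. `try (Response createResponse = authorization.permissions().resource().create(updatePermission))`. The enclosing test methods start and end outside these hunks.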


@ -23,8 +23,6 @@ import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.ws.rs.core.Response;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
@ -33,7 +31,6 @@ import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
@ -51,7 +48,6 @@ import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -179,8 +175,7 @@ public class RolePolicyTest extends AbstractAuthzTest {
policy.addRole(role);
}
Response response = getClient().authorization().policies().role().create(policy);
response.close();
getClient().authorization().policies().role().create(policy).close();
}
private void createResourcePermission(String name, String resource, String... policies) {
@ -190,16 +185,14 @@ public class RolePolicyTest extends AbstractAuthzTest {
permission.addResource(resource);
permission.addPolicy(policies);
Response response = getClient().authorization().permissions().resource().create(permission);
response.close();
getClient().authorization().permissions().resource().create(permission).close();
}
private void createResource(String name) {
AuthorizationResource authorization = getClient().authorization();
ResourceRepresentation resource = new ResourceRepresentation(name);
Response response = authorization.resources().create(resource);
response.close();
authorization.resources().create(resource).close();
}
private RealmResource getRealm() {


@ -56,22 +56,24 @@ public class UmaDiscoveryDocumentTest extends AbstractKeycloakTest {
URI oidcDiscoveryUri = RealmsResource.wellKnownProviderUrl(builder).build("test", UmaWellKnownProviderFactory.PROVIDER_ID);
WebTarget oidcDiscoveryTarget = client.target(oidcDiscoveryUri);
Response response = oidcDiscoveryTarget.request().get();
try (Response response = oidcDiscoveryTarget.request().get()) {
assertEquals("no-cache, must-revalidate, no-transform, no-store", response.getHeaders().getFirst("Cache-Control"));
assertEquals("no-cache, must-revalidate, no-transform, no-store", response.getHeaders().getFirst("Cache-Control"));
UmaConfiguration configuration = response.readEntity(UmaConfiguration.class);
UmaConfiguration configuration = response.readEntity(UmaConfiguration.class);
assertEquals(configuration.getAuthorizationEndpoint(), OIDCLoginProtocolService.authUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build("test").toString());
assertEquals(configuration.getTokenEndpoint(), oauth.getAccessTokenUrl());
assertEquals(configuration.getJwksUri(), oauth.getCertsUrl("test"));
assertEquals(configuration.getTokenIntrospectionEndpoint(), oauth.getTokenIntrospectionUrl());
String registrationUri = UriBuilder
.fromUri(OAuthClient.AUTH_SERVER_ROOT)
.path(RealmsResource.class).path(RealmsResource.class, "getRealmResource").build(realmsResouce().realm("test").toRepresentation().getRealm()).toString();
assertEquals(configuration.getAuthorizationEndpoint(), OIDCLoginProtocolService.authUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build("test").toString());
assertEquals(configuration.getTokenEndpoint(), oauth.getAccessTokenUrl());
assertEquals(configuration.getJwksUri(), oauth.getCertsUrl("test"));
assertEquals(configuration.getTokenIntrospectionEndpoint(), oauth.getTokenIntrospectionUrl());
assertEquals(registrationUri + "/authz/protection/permission", configuration.getPermissionEndpoint().toString());
assertEquals(registrationUri + "/authz/protection/resource_set", configuration.getResourceRegistrationEndpoint().toString());
String registrationUri = UriBuilder
.fromUri(OAuthClient.AUTH_SERVER_ROOT)
.path(RealmsResource.class).path(RealmsResource.class, "getRealmResource").build(realmsResouce().realm("test").toRepresentation().getRealm()).toString();
assertEquals(registrationUri + "/authz/protection/permission", configuration.getPermissionEndpoint().toString());
assertEquals(registrationUri + "/authz/protection/resource_set", configuration.getResourceRegistrationEndpoint().toString());
}
}
}
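Review bot: Four `assertEquals` calls inside the new try block pass the value under test first and the expected value second, e.g. `assertEquals(configuration.getTokenEndpoint(), oauth.getAccessTokenUrl())`. The Cache-Control and registration-endpoint assertions use the usual expected-then-actual order. A failure in one of the four would report expected and actual swapped, which is misleading when diagnosing a wrong discovery document. Swapping the arguments, `assertEquals(oauth.getAccessTokenUrl(), configuration.getTokenEndpoint());` and likewise for the other three, keeps the messages right. The test method starts outside the hunk.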


@ -79,8 +79,7 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
policy.setName("Default Policy");
policy.setCode("$evaluation.grant();");
Response response = authorization.policies().js().create(policy);
response.close();
authorization.policies().js().create(policy).close();
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
resourceA = addResource("Resource A", "ScopeA", "ScopeB", "ScopeC");
@ -89,16 +88,14 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
permission.addResource(resourceA.getName());
permission.addPolicy(policy.getName());
response = authorization.permissions().resource().create(permission);
response.close();
authorization.permissions().resource().create(permission).close();
policy = new JSPolicyRepresentation();
policy.setName("Deny Policy");
policy.setCode("$evaluation.deny();");
response = authorization.policies().js().create(policy);
response.close();
authorization.policies().js().create(policy).close();
}
@Test


@ -64,7 +64,7 @@ public class UmaPermissionTicketPushedClaimsTest extends AbstractResourceServerT
AuthorizationResource authorization = getClient(getRealm()).authorization();
authorization.policies().js().create(policy);
authorization.policies().js().create(policy).close();
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
@ -72,7 +72,7 @@ public class UmaPermissionTicketPushedClaimsTest extends AbstractResourceServerT
representation.addScope("withdraw");
representation.addPolicy(policy.getName());
authorization.permissions().scope().create(representation);
authorization.permissions().scope().create(representation).close();
AuthzClient authzClient = getAuthzClient();
PermissionRequest permissionRequest = new PermissionRequest(resource.getId());


@ -62,8 +62,7 @@ public class UserManagedAccessTest extends AbstractResourceServerTest {
policy.setName("Only Owner Policy");
policy.setCode("if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) {$evaluation.grant();}");
Response response = authorization.policies().js().create(policy);
response.close();
authorization.policies().js().create(policy).close();
}
@Test