[KEYCLOAK-3135] - More tests
This commit is contained in:
parent
eec712a259
commit
8e877a7f6c
22 changed files with 498 additions and 339 deletions
|
@ -39,6 +39,7 @@ import org.keycloak.models.KeycloakSessionFactory;
|
|||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.UserModel.UserRemovedEvent;
|
||||
import org.keycloak.models.UserProvider;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
|
@ -112,30 +113,36 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory<UserPoli
|
|||
try {
|
||||
KeycloakSession session = authorization.getKeycloakSession();
|
||||
RealmModel realm = authorization.getRealm();
|
||||
Set<String> updatedRoles = new HashSet<>();
|
||||
UserProvider userProvider = session.users();
|
||||
Set<String> updatedUsers = new HashSet<>();
|
||||
|
||||
if (users != null) {
|
||||
for (String userId : users) {
|
||||
UserModel user = session.users().getUserByUsername(userId, realm);
|
||||
|
||||
if (user == null) {
|
||||
user = session.users().getUserById(userId, realm);
|
||||
}
|
||||
|
||||
if (user == null) {
|
||||
throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
|
||||
}
|
||||
|
||||
updatedRoles.add(user.getId());
|
||||
}
|
||||
try {
|
||||
for (String userId : users) {
|
||||
UserModel user = null;
|
||||
|
||||
try {
|
||||
user = userProvider.getUserByUsername(userId, realm);
|
||||
} catch (Exception ignore) {
|
||||
}
|
||||
|
||||
if (user == null) {
|
||||
user = userProvider.getUserById(userId, realm);
|
||||
}
|
||||
|
||||
if (user == null) {
|
||||
throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
|
||||
}
|
||||
|
||||
updatedUsers.add(user.getId());
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
|
||||
}
|
||||
}
|
||||
|
||||
Map<String, String> config = policy.getConfig();
|
||||
config.put("users", JsonSerialization.writeValueAsString(updatedRoles));
|
||||
config.put("users", JsonSerialization.writeValueAsString(updatedUsers));
|
||||
policy.setConfig(config);
|
||||
} catch (IOException cause) {
|
||||
throw new RuntimeException("Failed to deserialize roles", cause);
|
||||
|
|
|
@ -41,6 +41,18 @@ public class RolePolicyRepresentation extends AbstractPolicyRepresentation {
|
|||
roles.add(new RoleDefinition(name, required));
|
||||
}
|
||||
|
||||
public void addRole(String name) {
|
||||
addRole(name, false);
|
||||
}
|
||||
|
||||
public void addClientRole(String clientId, String name) {
|
||||
addRole(clientId + "/" +name, false);
|
||||
}
|
||||
|
||||
public void addClientRole(String clientId, String name, boolean required) {
|
||||
addRole(clientId + "/" + name, required);
|
||||
}
|
||||
|
||||
public static class RoleDefinition {
|
||||
|
||||
private String id;
|
||||
|
|
|
@ -49,16 +49,14 @@ public class CachedResourceStore implements ResourceStore {
|
|||
private static final String RESOURCE_ID_CACHE_PREFIX = "rsc-id-";
|
||||
private static final String RESOURCE_NAME_CACHE_PREFIX = "rsc-name-";
|
||||
|
||||
private final KeycloakSession session;
|
||||
private final CachedStoreFactoryProvider cacheStoreFactory;
|
||||
private final CacheTransaction transaction;
|
||||
private final List<String> cacheKeys;
|
||||
private StoreFactory storeFactory;
|
||||
private StoreFactory delegateStoreFactory;
|
||||
private ResourceStore delegate;
|
||||
private final Cache<String, Map<String, List<CachedResource>>> cache;
|
||||
|
||||
public CachedResourceStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
|
||||
this.session = session;
|
||||
this.cacheStoreFactory = cacheStoreFactory;
|
||||
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
|
||||
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
|
||||
|
@ -67,12 +65,12 @@ public class CachedResourceStore implements ResourceStore {
|
|||
cacheKeys.add("findByOwner");
|
||||
cacheKeys.add("findByUri");
|
||||
cacheKeys.add("findByName");
|
||||
this.storeFactory = delegate;
|
||||
this.delegateStoreFactory = delegate;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Resource create(String name, ResourceServer resourceServer, String owner) {
|
||||
Resource resource = getDelegate().create(name, getStoreFactory().getResourceServerStore().findById(resourceServer.getId()), owner);
|
||||
Resource resource = getDelegate().create(name, getDelegateStoreFactory().getResourceServerStore().findById(resourceServer.getId()), owner);
|
||||
|
||||
this.transaction.whenRollback(() -> {
|
||||
resolveResourceServerCache(resourceServer.getId()).remove(getCacheKeyForResource(resource.getId()));
|
||||
|
@ -178,14 +176,14 @@ public class CachedResourceStore implements ResourceStore {
|
|||
|
||||
private ResourceStore getDelegate() {
|
||||
if (this.delegate == null) {
|
||||
this.delegate = getStoreFactory().getResourceStore();
|
||||
this.delegate = getDelegateStoreFactory().getResourceStore();
|
||||
}
|
||||
|
||||
return this.delegate;
|
||||
}
|
||||
|
||||
private StoreFactory getStoreFactory() {
|
||||
return this.storeFactory;
|
||||
private StoreFactory getDelegateStoreFactory() {
|
||||
return this.delegateStoreFactory;
|
||||
}
|
||||
|
||||
private Resource createAdapter(CachedResource cached) {
|
||||
|
@ -272,7 +270,7 @@ public class CachedResourceStore implements ResourceStore {
|
|||
|
||||
@Override
|
||||
public void updateScopes(Set<Scope> scopes) {
|
||||
getDelegateForUpdate().updateScopes(scopes.stream().map(scope -> getStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId())).collect(Collectors.toSet()));
|
||||
getDelegateForUpdate().updateScopes(scopes.stream().map(scope -> getDelegateStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId())).collect(Collectors.toSet()));
|
||||
cached.updateScopes(scopes);
|
||||
}
|
||||
|
||||
|
|
|
@ -21,8 +21,6 @@ package org.keycloak.models.authorization.infinispan;
|
|||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.store.AuthorizationStoreFactory;
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
import org.keycloak.authorization.store.ResourceServerStore;
|
||||
import org.keycloak.authorization.store.ResourceStore;
|
||||
|
@ -37,24 +35,20 @@ import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
|
|||
*/
|
||||
public class InfinispanStoreFactoryProvider implements CachedStoreFactoryProvider {
|
||||
|
||||
private final KeycloakSession session;
|
||||
private final CacheTransaction transaction;
|
||||
private final StoreFactory delegate;
|
||||
private final CachedResourceStore resourceStore;
|
||||
private final CachedScopeStore scopeStore;
|
||||
private final CachedPolicyStore policyStore;
|
||||
private ResourceServerStore resourceServerStore;
|
||||
|
||||
public InfinispanStoreFactoryProvider(AuthorizationProvider authorizationProvider) {
|
||||
this.session = authorizationProvider.getKeycloakSession();
|
||||
public InfinispanStoreFactoryProvider(KeycloakSession session) {
|
||||
this.transaction = new CacheTransaction();
|
||||
this.session.getTransactionManager().enlistAfterCompletion(transaction);
|
||||
AuthorizationStoreFactory providerFactory = (AuthorizationStoreFactory) this.session.getKeycloakSessionFactory().getProviderFactory(StoreFactory.class);
|
||||
delegate = providerFactory.create(authorizationProvider);
|
||||
resourceStore = new CachedResourceStore(this.session, this, this.transaction, delegate);
|
||||
resourceServerStore = new CachedResourceServerStore(this.session, this.transaction, delegate);
|
||||
scopeStore = new CachedScopeStore(this.session, this, this.transaction, delegate);
|
||||
policyStore = new CachedPolicyStore(this.session, this, this.transaction, delegate);
|
||||
session.getTransactionManager().enlistAfterCompletion(transaction);
|
||||
StoreFactory delegate = session.getProvider(StoreFactory.class);
|
||||
resourceStore = new CachedResourceStore(session, this, this.transaction, delegate);
|
||||
resourceServerStore = new CachedResourceServerStore(session, this.transaction, delegate);
|
||||
scopeStore = new CachedScopeStore(session, this, this.transaction, delegate);
|
||||
policyStore = new CachedPolicyStore(session, this, this.transaction, delegate);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -33,7 +33,7 @@ import org.keycloak.provider.EnvironmentDependentProviderFactory;
|
|||
public class InfinispanStoreProviderFactory implements CachedStoreProviderFactory, EnvironmentDependentProviderFactory {
|
||||
@Override
|
||||
public CachedStoreFactoryProvider create(KeycloakSession session) {
|
||||
return null;
|
||||
return new InfinispanStoreFactoryProvider(session);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -60,9 +60,4 @@ public class InfinispanStoreProviderFactory implements CachedStoreProviderFactor
|
|||
public boolean isSupported() {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public StoreFactory create(AuthorizationProvider authorizationProvider) {
|
||||
return new InfinispanStoreFactoryProvider(authorizationProvider);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -33,7 +33,7 @@ import org.keycloak.models.KeycloakSession;
|
|||
public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
|
||||
@Override
|
||||
public StoreFactory create(KeycloakSession session) {
|
||||
return null;
|
||||
return new JPAStoreFactory(getEntityManager(session));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -54,9 +54,4 @@ public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
|
|||
private EntityManager getEntityManager(KeycloakSession session) {
|
||||
return session.getProvider(JpaConnectionProvider.class).getEntityManager();
|
||||
}
|
||||
|
||||
@Override
|
||||
public StoreFactory create(AuthorizationProvider authorizationProvider) {
|
||||
return new JPAStoreFactory(getEntityManager(authorizationProvider.getKeycloakSession()), authorizationProvider);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,18 +17,10 @@
|
|||
*/
|
||||
package org.keycloak.authorization.jpa.store;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.jpa.entities.PolicyEntity;
|
||||
import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
|
||||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||
import org.keycloak.models.utils.RepresentationToModel;
|
||||
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.persistence.EntityManager;
|
||||
import javax.persistence.NoResultException;
|
||||
|
@ -37,10 +29,14 @@ import javax.persistence.criteria.CriteriaBuilder;
|
|||
import javax.persistence.criteria.CriteriaQuery;
|
||||
import javax.persistence.criteria.Predicate;
|
||||
import javax.persistence.criteria.Root;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.keycloak.authorization.jpa.entities.PolicyEntity;
|
||||
import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
|
||||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
|
@ -48,13 +44,9 @@ import java.util.Map;
|
|||
public class JPAPolicyStore implements PolicyStore {
|
||||
|
||||
private final EntityManager entityManager;
|
||||
private final StoreFactory storeFactory;
|
||||
private final AuthorizationProvider authorization;
|
||||
|
||||
public JPAPolicyStore(EntityManager entityManager, JPAStoreFactory jpaStoreFactory, AuthorizationProvider authorization) {
|
||||
public JPAPolicyStore(EntityManager entityManager) {
|
||||
this.entityManager = entityManager;
|
||||
this.storeFactory = jpaStoreFactory;
|
||||
this.authorization = authorization;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -62,30 +54,15 @@ public class JPAPolicyStore implements PolicyStore {
|
|||
PolicyEntity entity = new PolicyEntity();
|
||||
|
||||
entity.setId(KeycloakModelUtils.generateId());
|
||||
entity.setResourceServer((ResourceServerEntity) resourceServer);
|
||||
entity.setType(representation.getType());
|
||||
entity.setName(representation.getName());
|
||||
entity.setResourceServer((ResourceServerEntity) resourceServer);
|
||||
|
||||
this.entityManager.persist(entity);
|
||||
|
||||
entity = (PolicyEntity) RepresentationToModel.toModel(representation, storeFactory, entity);
|
||||
|
||||
PolicyProviderFactory provider = authorization.getProviderFactory(entity.getType());
|
||||
|
||||
if (representation instanceof PolicyRepresentation) {
|
||||
provider.onImport(entity, PolicyRepresentation.class.cast(representation), authorization);
|
||||
} else {
|
||||
provider.onCreate(entity, representation, authorization);
|
||||
}
|
||||
|
||||
|
||||
this.entityManager.flush();
|
||||
return entity;
|
||||
}
|
||||
|
||||
public EntityManager getEntityManager() {
|
||||
return this.entityManager;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void delete(String id) {
|
||||
Policy policy = entityManager.find(PolicyEntity.class, id);
|
||||
|
@ -117,7 +94,7 @@ public class JPAPolicyStore implements PolicyStore {
|
|||
@Override
|
||||
public Policy findByName(String name, String resourceServerId) {
|
||||
try {
|
||||
Query query = getEntityManager().createQuery("from PolicyEntity where name = :name and resourceServer.id = :serverId");
|
||||
Query query = entityManager.createQuery("from PolicyEntity where name = :name and resourceServer.id = :serverId");
|
||||
|
||||
query.setParameter("name", name);
|
||||
query.setParameter("serverId", resourceServerId);
|
||||
|
@ -130,7 +107,7 @@ public class JPAPolicyStore implements PolicyStore {
|
|||
|
||||
@Override
|
||||
public List<Policy> findByResourceServer(final String resourceServerId) {
|
||||
Query query = getEntityManager().createQuery("from PolicyEntity where resourceServer.id = :serverId");
|
||||
Query query = entityManager.createQuery("from PolicyEntity where resourceServer.id = :serverId");
|
||||
|
||||
query.setParameter("serverId", resourceServerId);
|
||||
|
||||
|
@ -176,7 +153,7 @@ public class JPAPolicyStore implements PolicyStore {
|
|||
|
||||
@Override
|
||||
public List<Policy> findByResource(final String resourceId, String resourceServerId) {
|
||||
Query query = getEntityManager().createQuery("select p from PolicyEntity p inner join p.resources r where p.resourceServer.id = :serverId and (r.resourceServer.id = :serverId and r.id = :resourceId)");
|
||||
Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.resources r where p.resourceServer.id = :serverId and (r.resourceServer.id = :serverId and r.id = :resourceId)");
|
||||
|
||||
query.setParameter("resourceId", resourceId);
|
||||
query.setParameter("serverId", resourceServerId);
|
||||
|
@ -186,7 +163,7 @@ public class JPAPolicyStore implements PolicyStore {
|
|||
|
||||
@Override
|
||||
public List<Policy> findByResourceType(final String resourceType, String resourceServerId) {
|
||||
Query query = getEntityManager().createQuery("select p from PolicyEntity p inner join p.config c where p.resourceServer.id = :serverId and KEY(c) = 'defaultResourceType' and c like :type");
|
||||
Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.config c where p.resourceServer.id = :serverId and KEY(c) = 'defaultResourceType' and c like :type");
|
||||
|
||||
query.setParameter("serverId", resourceServerId);
|
||||
query.setParameter("type", resourceType);
|
||||
|
@ -201,7 +178,7 @@ public class JPAPolicyStore implements PolicyStore {
|
|||
}
|
||||
|
||||
// Use separate subquery to handle DB2 and MSSSQL
|
||||
Query query = getEntityManager().createQuery("select pe from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds)))");
|
||||
Query query = entityManager.createQuery("select pe from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds)))");
|
||||
|
||||
query.setParameter("serverId", resourceServerId);
|
||||
query.setParameter("scopeIds", scopeIds);
|
||||
|
@ -211,7 +188,7 @@ public class JPAPolicyStore implements PolicyStore {
|
|||
|
||||
@Override
|
||||
public List<Policy> findByType(String type, String resourceServerId) {
|
||||
Query query = getEntityManager().createQuery("select p from PolicyEntity p where p.resourceServer.id = :serverId and p.type = :type");
|
||||
Query query = entityManager.createQuery("select p from PolicyEntity p where p.resourceServer.id = :serverId and p.type = :type");
|
||||
|
||||
query.setParameter("serverId", resourceServerId);
|
||||
query.setParameter("type", type);
|
||||
|
@ -221,7 +198,7 @@ public class JPAPolicyStore implements PolicyStore {
|
|||
|
||||
@Override
|
||||
public List<Policy> findDependentPolicies(String policyId, String resourceServerId) {
|
||||
Query query = getEntityManager().createQuery("select p from PolicyEntity p inner join p.associatedPolicies ap where p.resourceServer.id = :serverId and (ap.resourceServer.id = :serverId and ap.id = :policyId)");
|
||||
Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.associatedPolicies ap where p.resourceServer.id = :serverId and (ap.resourceServer.id = :serverId and ap.id = :policyId)");
|
||||
|
||||
query.setParameter("serverId", resourceServerId);
|
||||
query.setParameter("policyId", policyId);
|
||||
|
|
|
@ -18,46 +18,49 @@
|
|||
|
||||
package org.keycloak.authorization.jpa.store;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import javax.persistence.EntityManager;
|
||||
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
import org.keycloak.authorization.store.ResourceServerStore;
|
||||
import org.keycloak.authorization.store.ResourceStore;
|
||||
import org.keycloak.authorization.store.ScopeStore;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
|
||||
import javax.persistence.EntityManager;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
public class JPAStoreFactory implements StoreFactory {
|
||||
|
||||
private final EntityManager entityManager;
|
||||
private final AuthorizationProvider authorization;
|
||||
private final PolicyStore policyStore;
|
||||
private final ResourceServerStore resourceServerStore;
|
||||
private final ResourceStore resourceStore;
|
||||
private final ScopeStore scopeStore;
|
||||
|
||||
public JPAStoreFactory(EntityManager entityManager, AuthorizationProvider authorizationProvider) {
|
||||
this.entityManager = entityManager;
|
||||
this.authorization = authorizationProvider;
|
||||
public JPAStoreFactory(EntityManager entityManager) {
|
||||
policyStore = new JPAPolicyStore(entityManager);
|
||||
resourceServerStore = new JPAResourceServerStore(entityManager);
|
||||
resourceStore = new JPAResourceStore(entityManager);
|
||||
scopeStore = new JPAScopeStore(entityManager);
|
||||
}
|
||||
|
||||
@Override
|
||||
public PolicyStore getPolicyStore() {
|
||||
return new JPAPolicyStore(entityManager, this, authorization);
|
||||
return policyStore;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ResourceServerStore getResourceServerStore() {
|
||||
return new JPAResourceServerStore(this.entityManager);
|
||||
return resourceServerStore;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ResourceStore getResourceStore() {
|
||||
return new JPAResourceStore(this.entityManager);
|
||||
return resourceStore;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ScopeStore getScopeStore() {
|
||||
return new JPAScopeStore(this.entityManager);
|
||||
return scopeStore;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -22,16 +22,22 @@ import java.util.Collection;
|
|||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.permission.evaluator.Evaluators;
|
||||
import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProvider;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
import org.keycloak.authorization.store.ResourceServerStore;
|
||||
import org.keycloak.authorization.store.ResourceStore;
|
||||
import org.keycloak.authorization.store.ScopeStore;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
|
||||
import org.keycloak.models.cache.authorization.CachedStoreProviderFactory;
|
||||
import org.keycloak.models.utils.RepresentationToModel;
|
||||
import org.keycloak.provider.Provider;
|
||||
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
|
||||
|
||||
/**
|
||||
* <p>The main contract here is the creation of {@link org.keycloak.authorization.permission.evaluator.PermissionEvaluator} instances. Usually
|
||||
|
@ -67,11 +73,10 @@ public final class AuthorizationProvider implements Provider {
|
|||
private final KeycloakSession keycloakSession;
|
||||
private final RealmModel realm;
|
||||
|
||||
public AuthorizationProvider(KeycloakSession session, RealmModel realm, Map<String, PolicyProviderFactory> policyProviderFactories) {
|
||||
public AuthorizationProvider(KeycloakSession session, RealmModel realm, StoreFactory storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories) {
|
||||
this.keycloakSession = session;
|
||||
this.realm = realm;
|
||||
CachedStoreProviderFactory providerFactory = (CachedStoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CachedStoreFactoryProvider.class);
|
||||
storeFactory = providerFactory.create(this);
|
||||
this.storeFactory = storeFactory;
|
||||
this.policyProviderFactories = policyProviderFactories;
|
||||
this.policyEvaluator = new DefaultPolicyEvaluator(this);
|
||||
}
|
||||
|
@ -92,7 +97,92 @@ public final class AuthorizationProvider implements Provider {
|
|||
* @return the {@link StoreFactory}
|
||||
*/
|
||||
public StoreFactory getStoreFactory() {
|
||||
return this.storeFactory;
|
||||
return createStoreFactory();
|
||||
}
|
||||
|
||||
private StoreFactory createStoreFactory() {
|
||||
return new StoreFactory() {
|
||||
@Override
|
||||
public ResourceStore getResourceStore() {
|
||||
return storeFactory.getResourceStore();
|
||||
}
|
||||
|
||||
@Override
|
||||
public ResourceServerStore getResourceServerStore() {
|
||||
return storeFactory.getResourceServerStore();
|
||||
}
|
||||
|
||||
@Override
|
||||
public ScopeStore getScopeStore() {
|
||||
return storeFactory.getScopeStore();
|
||||
}
|
||||
|
||||
@Override
|
||||
public PolicyStore getPolicyStore() {
|
||||
PolicyStore policyStore = storeFactory.getPolicyStore();
|
||||
return new PolicyStore() {
|
||||
@Override
|
||||
public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) {
|
||||
return RepresentationToModel.toModel(representation, AuthorizationProvider.this, policyStore.create(representation, resourceServer));
|
||||
}
|
||||
|
||||
@Override
|
||||
public void delete(String id) {
|
||||
policyStore.delete(id);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Policy findById(String id, String resourceServerId) {
|
||||
return policyStore.findById(id, resourceServerId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Policy findByName(String name, String resourceServerId) {
|
||||
return policyStore.findByName(name, resourceServerId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Policy> findByResourceServer(String resourceServerId) {
|
||||
return policyStore.findByResourceServer(resourceServerId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Policy> findByResourceServer(Map<String, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
|
||||
return policyStore.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Policy> findByResource(String resourceId, String resourceServerId) {
|
||||
return policyStore.findByResource(resourceId, resourceServerId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Policy> findByResourceType(String resourceType, String resourceServerId) {
|
||||
return policyStore.findByResourceType(resourceType, resourceServerId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Policy> findByScopeIds(List<String> scopeIds, String resourceServerId) {
|
||||
return policyStore.findByScopeIds(scopeIds, resourceServerId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Policy> findByType(String type, String resourceServerId) {
|
||||
return policyStore.findByType(type, resourceServerId);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<Policy> findDependentPolicies(String id, String resourceServerId) {
|
||||
return policyStore.findDependentPolicies(id, resourceServerId);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
@Override
|
||||
public void close() {
|
||||
storeFactory.close();
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -35,6 +35,7 @@ import org.keycloak.authorization.model.Scope;
|
|||
import org.keycloak.authorization.permission.ResourcePermission;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProvider;
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
import org.keycloak.authorization.store.ResourceStore;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
|
||||
|
||||
|
@ -46,11 +47,13 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
|
|||
private final AuthorizationProvider authorization;
|
||||
private final StoreFactory storeFactory;
|
||||
private final PolicyStore policyStore;
|
||||
private final ResourceStore resourceStore;
|
||||
|
||||
public DefaultPolicyEvaluator(AuthorizationProvider authorization) {
|
||||
this.authorization = authorization;
|
||||
storeFactory = this.authorization.getStoreFactory();
|
||||
policyStore = storeFactory.getPolicyStore();
|
||||
resourceStore = storeFactory.getResourceStore();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -159,7 +162,7 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
|
|||
String type = resource.getType();
|
||||
|
||||
if (type != null) {
|
||||
List<Resource> resourcesByType = authorization.getStoreFactory().getResourceStore().findByType(type, resource.getResourceServer().getId());
|
||||
List<Resource> resourcesByType = resourceStore.findByType(type, resource.getResourceServer().getId());
|
||||
|
||||
for (Resource resourceType : resourcesByType) {
|
||||
if (resourceType.getOwner().equals(resource.getResourceServer().getClientId())) {
|
||||
|
|
|
@ -18,7 +18,9 @@
|
|||
|
||||
package org.keycloak.authorization.store;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.keycloak.authorization.store.syncronization.ClientApplicationSynchronizer;
|
||||
import org.keycloak.authorization.store.syncronization.RealmSynchronizer;
|
||||
import org.keycloak.authorization.store.syncronization.Synchronizer;
|
||||
|
@ -30,9 +32,6 @@ import org.keycloak.models.UserModel.UserRemovedEvent;
|
|||
import org.keycloak.provider.ProviderEvent;
|
||||
import org.keycloak.provider.ProviderFactory;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
|
@ -62,6 +61,4 @@ public interface AuthorizationStoreFactory extends ProviderFactory<StoreFactory>
|
|||
}
|
||||
});
|
||||
}
|
||||
|
||||
StoreFactory create(AuthorizationProvider authorizationProvider);
|
||||
}
|
||||
|
|
|
@ -18,13 +18,10 @@
|
|||
|
||||
package org.keycloak.models.cache.authorization;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.provider.ProviderFactory;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
public interface CachedStoreProviderFactory extends ProviderFactory<CachedStoreFactoryProvider> {
|
||||
StoreFactory create(AuthorizationProvider authorizationProvider);
|
||||
}
|
||||
|
|
|
@ -1933,90 +1933,11 @@ public class RepresentationToModel {
|
|||
|
||||
private static Policy importPolicies(AuthorizationProvider authorization, ResourceServer resourceServer, List<PolicyRepresentation> policiesToImport, String parentPolicyName) {
|
||||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
KeycloakSession session = authorization.getKeycloakSession();
|
||||
RealmModel realm = authorization.getRealm();
|
||||
for (PolicyRepresentation policyRepresentation : policiesToImport) {
|
||||
if (parentPolicyName != null && !parentPolicyName.equals(policyRepresentation.getName())) {
|
||||
continue;
|
||||
}
|
||||
|
||||
Map<String, String> config = policyRepresentation.getConfig();
|
||||
|
||||
String scopes = config.get("scopes");
|
||||
|
||||
if (scopes != null && !scopes.isEmpty()) {
|
||||
try {
|
||||
ScopeStore scopeStore = storeFactory.getScopeStore();
|
||||
List<String> scopesMap = (List<String>) JsonSerialization.readValue(scopes, List.class);
|
||||
config.put("scopes", JsonSerialization.writeValueAsString(scopesMap.stream().map(scopeName -> {
|
||||
Scope newScope = scopeStore.findByName(scopeName, resourceServer.getId());
|
||||
|
||||
if (newScope == null) {
|
||||
newScope = scopeStore.findById(scopeName, resourceServer.getId());
|
||||
}
|
||||
|
||||
if (newScope == null) {
|
||||
throw new RuntimeException("Scope with name [" + scopeName + "] not defined.");
|
||||
}
|
||||
|
||||
return newScope.getId();
|
||||
}).collect(Collectors.toList())));
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Error while importing policy [" + policyRepresentation.getName() + "].", e);
|
||||
}
|
||||
}
|
||||
|
||||
String policyResources = config.get("resources");
|
||||
|
||||
if (policyResources != null && !policyResources.isEmpty()) {
|
||||
ResourceStore resourceStore = storeFactory.getResourceStore();
|
||||
try {
|
||||
List<String> resources = JsonSerialization.readValue(policyResources, List.class);
|
||||
config.put("resources", JsonSerialization.writeValueAsString(resources.stream().map(resourceName -> {
|
||||
Resource resource = resourceStore.findByName(resourceName, resourceServer.getId());
|
||||
|
||||
if (resource == null) {
|
||||
resource = resourceStore.findById(resourceName, resourceServer.getId());
|
||||
}
|
||||
|
||||
if (resource == null) {
|
||||
throw new RuntimeException("Resource with name [" + resourceName + "] not defined.");
|
||||
}
|
||||
|
||||
return resource.getId();
|
||||
}).collect(Collectors.toList())));
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Error while importing policy [" + policyRepresentation.getName() + "].", e);
|
||||
}
|
||||
}
|
||||
|
||||
String applyPolicies = config.get("applyPolicies");
|
||||
|
||||
if (applyPolicies != null && !applyPolicies.isEmpty()) {
|
||||
PolicyStore policyStore = storeFactory.getPolicyStore();
|
||||
try {
|
||||
List<String> policies = (List<String>) JsonSerialization.readValue(applyPolicies, List.class);
|
||||
config.put("applyPolicies", JsonSerialization.writeValueAsString(policies.stream().map(policyName -> {
|
||||
Policy policy = policyStore.findByName(policyName, resourceServer.getId());
|
||||
|
||||
if (policy == null) {
|
||||
policy = policyStore.findById(policyName, resourceServer.getId());
|
||||
}
|
||||
|
||||
if (policy == null) {
|
||||
policy = importPolicies(authorization, resourceServer, policiesToImport, policyName);
|
||||
if (policy == null) {
|
||||
throw new RuntimeException("Policy with name [" + policyName + "] not defined.");
|
||||
}
|
||||
}
|
||||
|
||||
return policy.getId();
|
||||
}).collect(Collectors.toList())));
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Error while importing policy [" + policyRepresentation.getName() + "].", e);
|
||||
}
|
||||
}
|
||||
|
||||
PolicyStore policyStore = storeFactory.getPolicyStore();
|
||||
Policy policy = policyStore.findById(policyRepresentation.getId(), resourceServer.getId());
|
||||
|
||||
|
@ -2024,16 +1945,12 @@ public class RepresentationToModel {
|
|||
policy = policyStore.findByName(policyRepresentation.getName(), resourceServer.getId());
|
||||
}
|
||||
|
||||
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyRepresentation.getType());
|
||||
|
||||
if (policy == null) {
|
||||
policy = policyStore.create(policyRepresentation, resourceServer);
|
||||
} else {
|
||||
toModel(policyRepresentation, storeFactory, policy);
|
||||
policy = toModel(policyRepresentation, authorization, policy);
|
||||
}
|
||||
|
||||
providerFactory.onImport(policy, policyRepresentation, authorization);
|
||||
|
||||
if (parentPolicyName != null && parentPolicyName.equals(policyRepresentation.getName())) {
|
||||
return policy;
|
||||
}
|
||||
|
@ -2042,7 +1959,7 @@ public class RepresentationToModel {
|
|||
return null;
|
||||
}
|
||||
|
||||
public static Policy toModel(AbstractPolicyRepresentation representation, StoreFactory storeFactory, Policy model) {
|
||||
public static Policy toModel(AbstractPolicyRepresentation representation, AuthorizationProvider authorization, Policy model) {
|
||||
model.setName(representation.getName());
|
||||
model.setDescription(representation.getDescription());
|
||||
model.setDecisionStrategy(representation.getDecisionStrategy());
|
||||
|
@ -2087,10 +2004,23 @@ public class RepresentationToModel {
|
|||
model.setConfig(policy.getConfig());
|
||||
}
|
||||
|
||||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
|
||||
updateResources(resources, model, storeFactory);
|
||||
updateScopes(scopes, model, storeFactory);
|
||||
updateAssociatedPolicies(policies, model, storeFactory);
|
||||
|
||||
PolicyProviderFactory provider = authorization.getProviderFactory(model.getType());
|
||||
|
||||
if (representation instanceof PolicyRepresentation) {
|
||||
provider.onImport(model, PolicyRepresentation.class.cast(representation), authorization);
|
||||
} else if (representation.getId() == null) {
|
||||
provider.onCreate(model, representation, authorization);
|
||||
} else {
|
||||
provider.onUpdate(model, representation, authorization);
|
||||
}
|
||||
|
||||
|
||||
representation.setId(model.getId());
|
||||
|
||||
return model;
|
||||
|
@ -2238,10 +2168,6 @@ public class RepresentationToModel {
|
|||
policy.removeResource(resourceModel);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for (Resource resourceModel : new HashSet<Resource>(policy.getResources())) {
|
||||
policy.removeResource(resourceModel);
|
||||
}
|
||||
}
|
||||
|
||||
policy.getConfig().remove("resources");
|
||||
|
|
|
@ -21,14 +21,15 @@ package org.keycloak.authorization;
|
|||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.Executor;
|
||||
|
||||
import org.keycloak.Config;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProvider;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
|
||||
import org.keycloak.provider.ProviderFactory;
|
||||
|
||||
/**
|
||||
|
@ -36,7 +37,6 @@ import org.keycloak.provider.ProviderFactory;
|
|||
*/
|
||||
public class DefaultAuthorizationProviderFactory implements AuthorizationProviderFactory {
|
||||
|
||||
private Executor scheduler;
|
||||
private Map<String, PolicyProviderFactory> policyProviderFactories;
|
||||
|
||||
@Override
|
||||
|
@ -46,15 +46,6 @@ public class DefaultAuthorizationProviderFactory implements AuthorizationProvide
|
|||
|
||||
@Override
|
||||
public void init(Config.Scope config) {
|
||||
//TODO: user-defined configuration
|
||||
// Executor executor = Executors.newWorkStealingPool();
|
||||
// this.scheduler = command -> {
|
||||
// Map<Class<?>, Object> contextDataMap = ResteasyProviderFactory.getContextDataMap();
|
||||
// executor.execute(() -> {
|
||||
// ResteasyProviderFactory.pushContextDataMap(contextDataMap);
|
||||
// command.run();
|
||||
// });
|
||||
// };
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -74,7 +65,11 @@ public class DefaultAuthorizationProviderFactory implements AuthorizationProvide
|
|||
|
||||
@Override
|
||||
public AuthorizationProvider create(KeycloakSession session, RealmModel realm) {
|
||||
return new AuthorizationProvider(session, realm, policyProviderFactories);
|
||||
StoreFactory storeFactory = session.getProvider(CachedStoreFactoryProvider.class);
|
||||
if (storeFactory == null) {
|
||||
storeFactory = session.getProvider(StoreFactory.class);
|
||||
}
|
||||
return new AuthorizationProvider(session, realm, storeFactory, policyProviderFactories);
|
||||
}
|
||||
|
||||
private Map<String, PolicyProviderFactory> configurePolicyProviderFactories(KeycloakSessionFactory keycloakSessionFactory) {
|
||||
|
|
|
@ -33,7 +33,6 @@ import org.jboss.resteasy.annotations.cache.NoCache;
|
|||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
|
@ -78,15 +77,7 @@ public class PolicyResourceService {
|
|||
|
||||
representation.setId(policy.getId());
|
||||
|
||||
Policy updated = RepresentationToModel.toModel(representation, authorization.getStoreFactory(), policy);
|
||||
|
||||
PolicyProviderFactory resource = getProviderFactory(updated.getType());
|
||||
|
||||
if (representation instanceof PolicyRepresentation) {
|
||||
resource.onImport(updated, PolicyRepresentation.class.cast(representation), authorization);
|
||||
} else {
|
||||
resource.onUpdate(updated, representation, authorization);
|
||||
}
|
||||
RepresentationToModel.toModel(representation, authorization, policy);
|
||||
|
||||
return Response.status(Status.CREATED).build();
|
||||
}
|
||||
|
|
|
@ -122,16 +122,7 @@ public class PolicyService {
|
|||
throw new ErrorResponseException("Policy with name [" + representation.getName() + "] already exists", "Conflicting policy", Status.CONFLICT);
|
||||
}
|
||||
|
||||
Policy policy = policyStore.create(representation, resourceServer);
|
||||
PolicyProviderFactory provider = getPolicyProviderFactory(policy.getType());
|
||||
|
||||
if (representation instanceof PolicyRepresentation) {
|
||||
provider.onImport(policy, PolicyRepresentation.class.cast(representation), authorization);
|
||||
} else {
|
||||
provider.onCreate(policy, representation, authorization);
|
||||
}
|
||||
|
||||
return policy;
|
||||
return policyStore.create(representation, resourceServer);
|
||||
}
|
||||
|
||||
@Path("/search")
|
||||
|
|
|
@ -96,6 +96,7 @@
|
|||
<filtering>true</filtering>
|
||||
<includes>
|
||||
<include>migration-test/*</include>
|
||||
<include>authorization-test/*</include>
|
||||
</includes>
|
||||
</testResource>
|
||||
<testResource>
|
||||
|
|
|
@ -16,6 +16,22 @@
|
|||
*/
|
||||
package org.keycloak.testsuite.adapter.example.authorization;
|
||||
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.keycloak.testsuite.util.IOUtil.loadJson;
|
||||
import static org.keycloak.testsuite.util.IOUtil.loadRealm;
|
||||
import static org.keycloak.testsuite.util.WaitUtils.pause;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.MalformedURLException;
|
||||
import java.net.URL;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
|
||||
import org.jboss.arquillian.container.test.api.Deployer;
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.arquillian.test.api.ArquillianResource;
|
||||
|
@ -41,22 +57,6 @@ import org.keycloak.util.JsonSerialization;
|
|||
import org.openqa.selenium.By;
|
||||
import org.openqa.selenium.WebElement;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.MalformedURLException;
|
||||
import java.net.URL;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.keycloak.testsuite.util.IOUtil.loadJson;
|
||||
import static org.keycloak.testsuite.util.IOUtil.loadRealm;
|
||||
import static org.keycloak.testsuite.util.WaitUtils.pause;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
|
@ -82,17 +82,9 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
return exampleDeployment(RESOURCE_SERVER_ID);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void beforeAbstractKeycloakTest() throws Exception {
|
||||
super.beforeAbstractKeycloakTest();
|
||||
importResourceServerSettings();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testRegularUserPermissions() throws Exception {
|
||||
try {
|
||||
this.deployer.deploy(RESOURCE_SERVER_ID);
|
||||
|
||||
performTests(() -> {
|
||||
login("alice", "alice");
|
||||
assertFalse(wasDenied());
|
||||
assertTrue(hasLink("User Premium"));
|
||||
|
@ -111,16 +103,12 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
|
||||
navigateToAdminPage();
|
||||
assertTrue(wasDenied());
|
||||
} finally {
|
||||
this.deployer.undeploy(RESOURCE_SERVER_ID);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUserPremiumPermissions() throws Exception {
|
||||
try {
|
||||
this.deployer.deploy(RESOURCE_SERVER_ID);
|
||||
|
||||
performTests(() -> {
|
||||
login("jdoe", "jdoe");
|
||||
assertFalse(wasDenied());
|
||||
assertTrue(hasLink("User Premium"));
|
||||
|
@ -139,16 +127,12 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
|
||||
navigateToAdminPage();
|
||||
assertTrue(wasDenied());
|
||||
} finally {
|
||||
this.deployer.undeploy(RESOURCE_SERVER_ID);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAdminPermissions() throws Exception {
|
||||
try {
|
||||
this.deployer.deploy(RESOURCE_SERVER_ID);
|
||||
|
||||
performTests(() -> {
|
||||
login("admin", "admin");
|
||||
assertFalse(wasDenied());
|
||||
assertTrue(hasLink("User Premium"));
|
||||
|
@ -167,16 +151,12 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
|
||||
navigateToAdminPage();
|
||||
assertFalse(wasDenied());
|
||||
} finally {
|
||||
this.deployer.undeploy(RESOURCE_SERVER_ID);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGrantPremiumAccessToUser() throws Exception {
|
||||
try {
|
||||
this.deployer.deploy(RESOURCE_SERVER_ID);
|
||||
|
||||
performTests(() -> {
|
||||
login("alice", "alice");
|
||||
assertFalse(wasDenied());
|
||||
|
||||
|
@ -233,16 +213,12 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
|
||||
navigateToUserPremiumPage();
|
||||
assertFalse(wasDenied());
|
||||
} finally {
|
||||
this.deployer.undeploy(RESOURCE_SERVER_ID);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGrantAdministrativePermissions() throws Exception {
|
||||
try {
|
||||
this.deployer.deploy(RESOURCE_SERVER_ID);
|
||||
|
||||
performTests(() -> {
|
||||
login("jdoe", "jdoe");
|
||||
|
||||
navigateToAdminPage();
|
||||
|
@ -263,23 +239,30 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
|
||||
navigateToAdminPage();
|
||||
assertFalse(wasDenied());
|
||||
} finally {
|
||||
this.deployer.undeploy(RESOURCE_SERVER_ID);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
//KEYCLOAK-3830
|
||||
@Test
|
||||
public void testAccessPublicResource() throws Exception {
|
||||
try {
|
||||
this.deployer.deploy(RESOURCE_SERVER_ID);
|
||||
|
||||
performTests(() -> {
|
||||
driver.navigate().to(getResourceServerUrl() + "/public-html.html");
|
||||
WaitUtils.waitForPageToLoad(driver);
|
||||
assertTrue(hasText("This is public resource that should be accessible without login."));
|
||||
});
|
||||
}
|
||||
|
||||
private void performTests(TestRunnable assertion) {
|
||||
try {
|
||||
importResourceServerSettings();
|
||||
deployer.deploy(RESOURCE_SERVER_ID);
|
||||
assertion.run();
|
||||
} catch (FileNotFoundException cause) {
|
||||
throw new RuntimeException("Failed to import authorization settings", cause);
|
||||
} catch (Exception cause) {
|
||||
throw new RuntimeException("Error while executing tests", cause);
|
||||
} finally {
|
||||
this.deployer.undeploy(RESOURCE_SERVER_ID);
|
||||
deployer.undeploy(RESOURCE_SERVER_ID);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -299,7 +282,7 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
getAuthorizationResource().importSettings(loadJson(new FileInputStream(new File(TEST_APPS_HOME_DIR + "/servlet-authz-app/servlet-authz-app-authz-service.json")), ResourceServerRepresentation.class));
|
||||
}
|
||||
|
||||
private AuthorizationResource getAuthorizationResource() throws FileNotFoundException {
|
||||
private AuthorizationResource getAuthorizationResource() {
|
||||
return getClientResource(RESOURCE_SERVER_ID).authorization();
|
||||
}
|
||||
|
||||
|
@ -317,18 +300,22 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
pause(500);
|
||||
}
|
||||
|
||||
private void login(String username, String password) throws InterruptedException {
|
||||
navigateTo();
|
||||
Thread.sleep(2000);
|
||||
if (this.driver.getCurrentUrl().startsWith(getResourceServerUrl().toString())) {
|
||||
Thread.sleep(2000);
|
||||
logOut();
|
||||
private void login(String username, String password) {
|
||||
try {
|
||||
navigateTo();
|
||||
Thread.sleep(2000);
|
||||
if (this.driver.getCurrentUrl().startsWith(getResourceServerUrl().toString())) {
|
||||
Thread.sleep(2000);
|
||||
logOut();
|
||||
navigateTo();
|
||||
}
|
||||
|
||||
Thread.sleep(2000);
|
||||
|
||||
this.loginPage.form().login(username, password);
|
||||
} catch (Exception cause) {
|
||||
throw new RuntimeException("Login failed", cause);
|
||||
}
|
||||
|
||||
Thread.sleep(2000);
|
||||
|
||||
this.loginPage.form().login(username, password);
|
||||
}
|
||||
|
||||
private void navigateTo() {
|
||||
|
@ -362,4 +349,8 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
|
|||
navigateTo();
|
||||
getLink("Administration").click();
|
||||
}
|
||||
|
||||
private interface TestRunnable {
|
||||
void run() throws Exception;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -16,9 +16,12 @@
|
|||
*/
|
||||
package org.keycloak.testsuite.admin;
|
||||
|
||||
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
import org.junit.Ignore;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.model.Policy;
|
||||
|
@ -26,23 +29,19 @@ import org.keycloak.authorization.model.ResourceServer;
|
|||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.RoleModel;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.DecisionStrategy;
|
||||
import org.keycloak.representations.idm.authorization.Logic;
|
||||
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
|
||||
import org.keycloak.testsuite.AbstractKeycloakTest;
|
||||
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
|
||||
import org.keycloak.testsuite.util.ClientBuilder;
|
||||
import org.keycloak.testsuite.util.RealmBuilder;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||
* @version $Revision: 1 $
|
||||
*/
|
||||
@Ignore
|
||||
public class AuthzCleanupTest extends AbstractKeycloakTest {
|
||||
|
||||
@Deployment
|
||||
|
@ -52,35 +51,32 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
|
|||
|
||||
@Override
|
||||
public void addTestRealms(List<RealmRepresentation> testRealms) {
|
||||
RealmRepresentation testRealmRep = new RealmRepresentation();
|
||||
testRealmRep.setId(TEST);
|
||||
testRealmRep.setRealm(TEST);
|
||||
testRealmRep.setEnabled(true);
|
||||
testRealms.add(testRealmRep);
|
||||
testRealms.add(RealmBuilder.create().name(TEST)
|
||||
.client(ClientBuilder.create().clientId("myclient")
|
||||
.secret("secret")
|
||||
.authorizationServicesEnabled(true)
|
||||
.redirectUris("http://localhost/myclient")
|
||||
.defaultRoles("client-role-1", "client-role-2").build()).build());
|
||||
}
|
||||
|
||||
public static void setup(KeycloakSession session) {
|
||||
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
|
||||
RealmModel realm = session.realms().getRealmByName(TEST);
|
||||
ClientModel client = session.realms().addClient(realm, "myclient");
|
||||
RoleModel role1 = client.addRole("client-role1");
|
||||
RoleModel role2 = client.addRole("client-role2");
|
||||
|
||||
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
|
||||
createRolePolicy(authz, resourceServer, role1);
|
||||
createRolePolicy(authz, resourceServer, role2);
|
||||
|
||||
|
||||
session.getContext().setRealm(realm);
|
||||
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
|
||||
ClientModel myclient = realm.getClientByClientId("myclient");
|
||||
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(myclient.getId());
|
||||
createRolePolicy(authz, resourceServer, "client-role-1");
|
||||
createRolePolicy(authz, resourceServer, "client-role-2");
|
||||
}
|
||||
|
||||
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
|
||||
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, String roleName) {
|
||||
RolePolicyRepresentation representation = new RolePolicyRepresentation();
|
||||
|
||||
representation.setName(role.getName());
|
||||
representation.setName(roleName);
|
||||
representation.setType("role");
|
||||
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
|
||||
representation.setLogic(Logic.POSITIVE);
|
||||
representation.addRole(role.getName(), true);
|
||||
representation.addRole(roleName, true);
|
||||
|
||||
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
|
||||
}
|
||||
|
|
|
@ -110,7 +110,7 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
|
|||
|
||||
if (expected.getScopes() != null) {
|
||||
assertEquals(expected.getScopes().size(), associatedScopes.size());
|
||||
assertEquals(expected.getScopes().size(), associatedScopes.stream().map(representation1 -> representation1.getName()).filter(scopeName -> !expected.getScopes().contains(scopeName)).count());
|
||||
assertEquals(0, associatedScopes.stream().map(representation1 -> representation1.getName()).filter(scopeName -> !expected.getScopes().contains(scopeName)).count());
|
||||
} else {
|
||||
assertTrue(associatedScopes.isEmpty());
|
||||
}
|
||||
|
|
|
@ -17,17 +17,21 @@
|
|||
package org.keycloak.testsuite.admin.client.authorization;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.fail;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import javax.management.relation.Role;
|
||||
import javax.ws.rs.NotFoundException;
|
||||
import javax.ws.rs.core.Response;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.resource.AuthorizationResource;
|
||||
import org.keycloak.admin.client.resource.ClientResource;
|
||||
import org.keycloak.admin.client.resource.PolicyResource;
|
||||
import org.keycloak.admin.client.resource.RolePoliciesResource;
|
||||
import org.keycloak.admin.client.resource.RolePolicyResource;
|
||||
import org.keycloak.admin.client.resource.RolesResource;
|
||||
|
@ -35,6 +39,7 @@ import org.keycloak.representations.idm.ClientRepresentation;
|
|||
import org.keycloak.representations.idm.RoleRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.DecisionStrategy;
|
||||
import org.keycloak.representations.idm.authorization.Logic;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
|
||||
import org.keycloak.testsuite.util.RealmBuilder;
|
||||
import org.keycloak.testsuite.util.RolesBuilder;
|
||||
|
@ -88,8 +93,8 @@ public class RolePolicyManagementTest extends AbstractPermissionManagementTest {
|
|||
|
||||
roles.create(new RoleRepresentation("Client Role B", "desc", false));
|
||||
|
||||
representation.addRole("Client Role A", true);
|
||||
representation.addRole(clientRep.getClientId() + "/Client Role B", true);
|
||||
representation.addRole("Client Role A");
|
||||
representation.addClientRole(clientRep.getClientId(), "Client Role B", true);
|
||||
|
||||
assertCreated(authorization, representation);
|
||||
}
|
||||
|
@ -158,6 +163,29 @@ public class RolePolicyManagementTest extends AbstractPermissionManagementTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGenericConfig() {
|
||||
AuthorizationResource authorization = getClient().authorization();
|
||||
RolePolicyRepresentation representation = new RolePolicyRepresentation();
|
||||
|
||||
representation.setName("Test Generic Config Permission");
|
||||
representation.addRole("Role A", false);
|
||||
|
||||
RolePoliciesResource policies = authorization.policies().roles();
|
||||
Response response = policies.create(representation);
|
||||
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
|
||||
|
||||
PolicyResource policy = authorization.policies().policy(created.getId());
|
||||
PolicyRepresentation genericConfig = policy.toRepresentation();
|
||||
|
||||
assertNotNull(genericConfig.getConfig());
|
||||
assertNotNull(genericConfig.getConfig().get("roles"));
|
||||
|
||||
RoleRepresentation role = getRealm().roles().get("Role A").toRepresentation();
|
||||
|
||||
assertTrue(genericConfig.getConfig().get("roles").contains(role.getId()));
|
||||
}
|
||||
|
||||
private void assertCreated(AuthorizationResource authorization, RolePolicyRepresentation representation) {
|
||||
RolePoliciesResource permissions = authorization.policies().roles();
|
||||
Response response = permissions.create(representation);
|
||||
|
|
|
@ -0,0 +1,172 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.testsuite.admin.client.authorization;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.fail;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import javax.ws.rs.NotFoundException;
|
||||
import javax.ws.rs.core.Response;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.resource.AuthorizationResource;
|
||||
import org.keycloak.admin.client.resource.PolicyResource;
|
||||
import org.keycloak.admin.client.resource.UserPoliciesResource;
|
||||
import org.keycloak.admin.client.resource.UserPolicyResource;
|
||||
import org.keycloak.representations.idm.UserRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.DecisionStrategy;
|
||||
import org.keycloak.representations.idm.authorization.Logic;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
|
||||
import org.keycloak.testsuite.util.RealmBuilder;
|
||||
import org.keycloak.testsuite.util.UserBuilder;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
public class UserPolicyManagementTest extends AbstractPermissionManagementTest {
|
||||
|
||||
@Override
|
||||
protected RealmBuilder createTestRealm() {
|
||||
return super.createTestRealm()
|
||||
.user(UserBuilder.create().username("User A"))
|
||||
.user(UserBuilder.create().username("User B"))
|
||||
.user(UserBuilder.create().username("User C"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCreateUserPolicy() {
|
||||
AuthorizationResource authorization = getClient().authorization();
|
||||
UserPolicyRepresentation representation = new UserPolicyRepresentation();
|
||||
|
||||
representation.setName("Realm User Policy");
|
||||
representation.setDescription("description");
|
||||
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
|
||||
representation.setLogic(Logic.NEGATIVE);
|
||||
representation.addUser("User A");
|
||||
representation.addUser("User B");
|
||||
|
||||
assertCreated(authorization, representation);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUpdate() {
|
||||
AuthorizationResource authorization = getClient().authorization();
|
||||
UserPolicyRepresentation representation = new UserPolicyRepresentation();
|
||||
|
||||
representation.setName("Update Test User Policy");
|
||||
representation.setDescription("description");
|
||||
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
|
||||
representation.setLogic(Logic.NEGATIVE);
|
||||
representation.addUser("User A");
|
||||
representation.addUser("User B");
|
||||
representation.addUser("User C");
|
||||
|
||||
assertCreated(authorization, representation);
|
||||
|
||||
representation.setName("changed");
|
||||
representation.setDescription("changed");
|
||||
representation.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
|
||||
representation.setLogic(Logic.POSITIVE);
|
||||
representation.setUsers(representation.getUsers().stream().filter(userName -> !userName.equals("User A")).collect(Collectors.toSet()));
|
||||
|
||||
UserPoliciesResource policies = authorization.policies().users();
|
||||
UserPolicyResource permission = policies.findById(representation.getId());
|
||||
|
||||
permission.update(representation);
|
||||
assertRepresentation(representation, permission);
|
||||
|
||||
representation.setUsers(representation.getUsers().stream().filter(userName -> !userName.equals("User C")).collect(Collectors.toSet()));
|
||||
|
||||
permission.update(representation);
|
||||
assertRepresentation(representation, permission);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDelete() {
|
||||
AuthorizationResource authorization = getClient().authorization();
|
||||
UserPolicyRepresentation representation = new UserPolicyRepresentation();
|
||||
|
||||
representation.setName("Test Delete Permission");
|
||||
representation.addUser("User A");
|
||||
|
||||
UserPoliciesResource policies = authorization.policies().users();
|
||||
Response response = policies.create(representation);
|
||||
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
|
||||
|
||||
policies.findById(created.getId()).remove();
|
||||
|
||||
UserPolicyResource removed = policies.findById(created.getId());
|
||||
|
||||
try {
|
||||
removed.toRepresentation();
|
||||
fail("Permission not removed");
|
||||
} catch (NotFoundException ignore) {
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGenericConfig() {
|
||||
AuthorizationResource authorization = getClient().authorization();
|
||||
UserPolicyRepresentation representation = new UserPolicyRepresentation();
|
||||
|
||||
representation.setName("Test Generic Config Permission");
|
||||
representation.addUser("User A");
|
||||
|
||||
UserPoliciesResource policies = authorization.policies().users();
|
||||
Response response = policies.create(representation);
|
||||
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
|
||||
|
||||
PolicyResource policy = authorization.policies().policy(created.getId());
|
||||
PolicyRepresentation genericConfig = policy.toRepresentation();
|
||||
|
||||
assertNotNull(genericConfig.getConfig());
|
||||
assertNotNull(genericConfig.getConfig().get("users"));
|
||||
|
||||
UserRepresentation user = getRealm().users().search("User A").get(0);
|
||||
|
||||
assertTrue(genericConfig.getConfig().get("users").contains(user.getId()));
|
||||
}
|
||||
|
||||
private void assertCreated(AuthorizationResource authorization, UserPolicyRepresentation representation) {
|
||||
UserPoliciesResource permissions = authorization.policies().users();
|
||||
Response response = permissions.create(representation);
|
||||
UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
|
||||
UserPolicyResource permission = permissions.findById(created.getId());
|
||||
assertRepresentation(representation, permission);
|
||||
}
|
||||
|
||||
private void assertRepresentation(UserPolicyRepresentation representation, UserPolicyResource permission) {
|
||||
UserPolicyRepresentation actual = permission.toRepresentation();
|
||||
assertRepresentation(representation, actual, () -> permission.resources(), () -> Collections.emptyList(), () -> permission.associatedPolicies());
|
||||
assertEquals(representation.getUsers().size(), actual.getUsers().size());
|
||||
assertEquals(0, actual.getUsers().stream().filter(userId -> !representation.getUsers().stream()
|
||||
.filter(userName -> getUserName(userId).equalsIgnoreCase(userName))
|
||||
.findFirst().isPresent())
|
||||
.count());
|
||||
}
|
||||
|
||||
private String getUserName(String id) {
|
||||
return getRealm().users().get(id).toRepresentation().getUsername();
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue