[KEYCLOAK-10870] - Deprecate support for JavaScript policy support from UMA policy endpoint
Conflicts: testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java (cherry picked from commit 13923a7683cb666d2842bc61429c23409c1493b6)
This commit is contained in:
parent
0e0177136c
commit
bad9e29c15
5 changed files with 118 additions and 25 deletions
|
@ -17,6 +17,8 @@
|
||||||
|
|
||||||
package org.keycloak.common;
|
package org.keycloak.common;
|
||||||
|
|
||||||
|
import static org.keycloak.common.Profile.Type.DEPRECATED;
|
||||||
|
|
||||||
import org.jboss.logging.Logger;
|
import org.jboss.logging.Logger;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
|
@ -38,9 +40,9 @@ public class Profile {
|
||||||
DEFAULT,
|
DEFAULT,
|
||||||
DISABLED_BY_DEFAULT,
|
DISABLED_BY_DEFAULT,
|
||||||
PREVIEW,
|
PREVIEW,
|
||||||
EXPERIMENTAL
|
EXPERIMENTAL,
|
||||||
|
DEPRECATED;
|
||||||
}
|
}
|
||||||
|
|
||||||
public enum Feature {
|
public enum Feature {
|
||||||
ACCOUNT2(Type.EXPERIMENTAL),
|
ACCOUNT2(Type.EXPERIMENTAL),
|
||||||
ACCOUNT_API(Type.PREVIEW),
|
ACCOUNT_API(Type.PREVIEW),
|
||||||
|
@ -50,7 +52,8 @@ public class Profile {
|
||||||
OPENSHIFT_INTEGRATION(Type.PREVIEW),
|
OPENSHIFT_INTEGRATION(Type.PREVIEW),
|
||||||
SCRIPTS(Type.PREVIEW),
|
SCRIPTS(Type.PREVIEW),
|
||||||
TOKEN_EXCHANGE(Type.PREVIEW),
|
TOKEN_EXCHANGE(Type.PREVIEW),
|
||||||
AUTHZ_DROOLS_POLICY(Type.PREVIEW);
|
AUTHZ_DROOLS_POLICY(Type.PREVIEW),
|
||||||
|
UPLOAD_SCRIPTS(DEPRECATED);
|
||||||
|
|
||||||
private Type type;
|
private Type type;
|
||||||
|
|
||||||
|
@ -83,6 +86,7 @@ public class Profile {
|
||||||
private final Set<Feature> disabledFeatures = new HashSet<>();
|
private final Set<Feature> disabledFeatures = new HashSet<>();
|
||||||
private final Set<Feature> previewFeatures = new HashSet<>();
|
private final Set<Feature> previewFeatures = new HashSet<>();
|
||||||
private final Set<Feature> experimentalFeatures = new HashSet<>();
|
private final Set<Feature> experimentalFeatures = new HashSet<>();
|
||||||
|
private final Set<Feature> deprecatedFeatures = new HashSet<>();
|
||||||
|
|
||||||
private Profile() {
|
private Profile() {
|
||||||
Config config = new Config();
|
Config config = new Config();
|
||||||
|
@ -99,9 +103,13 @@ public class Profile {
|
||||||
disabledFeatures.add(f);
|
disabledFeatures.add(f);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case DEPRECATED:
|
||||||
|
deprecatedFeatures.add(f);
|
||||||
case DISABLED_BY_DEFAULT:
|
case DISABLED_BY_DEFAULT:
|
||||||
if (enabled == null || !enabled) {
|
if (enabled == null || !enabled) {
|
||||||
disabledFeatures.add(f);
|
disabledFeatures.add(f);
|
||||||
|
} else if (DEPRECATED.equals(f.getType())) {
|
||||||
|
logger.warnf("Deprecated feature enabled: " + f.name().toLowerCase());
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case PREVIEW:
|
case PREVIEW:
|
||||||
|
@ -144,6 +152,10 @@ public class Profile {
|
||||||
return CURRENT.experimentalFeatures;
|
return CURRENT.experimentalFeatures;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static Set<Feature> getDeprecatedFeatures() {
|
||||||
|
return CURRENT.deprecatedFeatures;
|
||||||
|
}
|
||||||
|
|
||||||
public static boolean isFeatureEnabled(Feature feature) {
|
public static boolean isFeatureEnabled(Feature feature) {
|
||||||
return !CURRENT.disabledFeatures.contains(feature);
|
return !CURRENT.disabledFeatures.contains(feature);
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,7 +6,6 @@ import org.junit.Test;
|
||||||
import org.junit.rules.TemporaryFolder;
|
import org.junit.rules.TemporaryFolder;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.FileWriter;
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.PrintWriter;
|
import java.io.PrintWriter;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
@ -22,9 +21,10 @@ public class ProfileTest {
|
||||||
@Test
|
@Test
|
||||||
public void checkDefaults() {
|
public void checkDefaults() {
|
||||||
Assert.assertEquals("community", Profile.getName());
|
Assert.assertEquals("community", Profile.getName());
|
||||||
assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.AUTHZ_DROOLS_POLICY, Profile.Feature.OPENSHIFT_INTEGRATION);
|
assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.AUTHZ_DROOLS_POLICY, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS);
|
||||||
assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.AUTHZ_DROOLS_POLICY, Profile.Feature.OPENSHIFT_INTEGRATION);
|
assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.AUTHZ_DROOLS_POLICY, Profile.Feature.OPENSHIFT_INTEGRATION);
|
||||||
assertEquals(Profile.getExperimentalFeatures(), Profile.Feature.ACCOUNT2);
|
assertEquals(Profile.getExperimentalFeatures(), Profile.Feature.ACCOUNT2);
|
||||||
|
assertEquals(Profile.getDeprecatedFeatures(), Profile.Feature.UPLOAD_SCRIPTS);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -33,10 +33,12 @@ public class ProfileTest {
|
||||||
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.DOCKER));
|
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.DOCKER));
|
||||||
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.OPENSHIFT_INTEGRATION));
|
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.OPENSHIFT_INTEGRATION));
|
||||||
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.IMPERSONATION));
|
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.IMPERSONATION));
|
||||||
|
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS));
|
||||||
|
|
||||||
System.setProperty("keycloak.profile", "preview");
|
System.setProperty("keycloak.profile", "preview");
|
||||||
System.setProperty("keycloak.profile.feature.docker", "enabled");
|
System.setProperty("keycloak.profile.feature.docker", "enabled");
|
||||||
System.setProperty("keycloak.profile.feature.impersonation", "disabled");
|
System.setProperty("keycloak.profile.feature.impersonation", "disabled");
|
||||||
|
System.setProperty("keycloak.profile.feature.upload_scripts", "enabled");
|
||||||
|
|
||||||
Profile.init();
|
Profile.init();
|
||||||
|
|
||||||
|
@ -44,10 +46,12 @@ public class ProfileTest {
|
||||||
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.DOCKER));
|
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.DOCKER));
|
||||||
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.OPENSHIFT_INTEGRATION));
|
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.OPENSHIFT_INTEGRATION));
|
||||||
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.IMPERSONATION));
|
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.IMPERSONATION));
|
||||||
|
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS));
|
||||||
|
|
||||||
System.getProperties().remove("keycloak.profile");
|
System.getProperties().remove("keycloak.profile");
|
||||||
System.getProperties().remove("keycloak.profile.feature.docker");
|
System.getProperties().remove("keycloak.profile.feature.docker");
|
||||||
System.getProperties().remove("keycloak.profile.feature.impersonation");
|
System.getProperties().remove("keycloak.profile.feature.impersonation");
|
||||||
|
System.getProperties().remove("keycloak.profile.feature.upload_scripts");
|
||||||
|
|
||||||
Profile.init();
|
Profile.init();
|
||||||
}
|
}
|
||||||
|
@ -57,6 +61,7 @@ public class ProfileTest {
|
||||||
Assert.assertEquals("community", Profile.getName());
|
Assert.assertEquals("community", Profile.getName());
|
||||||
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.DOCKER));
|
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.DOCKER));
|
||||||
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.IMPERSONATION));
|
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.IMPERSONATION));
|
||||||
|
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS));
|
||||||
|
|
||||||
File d = temporaryFolder.newFolder();
|
File d = temporaryFolder.newFolder();
|
||||||
File f = new File(d, "profile.properties");
|
File f = new File(d, "profile.properties");
|
||||||
|
@ -65,6 +70,7 @@ public class ProfileTest {
|
||||||
p.setProperty("profile", "preview");
|
p.setProperty("profile", "preview");
|
||||||
p.setProperty("feature.docker", "enabled");
|
p.setProperty("feature.docker", "enabled");
|
||||||
p.setProperty("feature.impersonation", "disabled");
|
p.setProperty("feature.impersonation", "disabled");
|
||||||
|
p.setProperty("feature.upload_scripts", "enabled");
|
||||||
PrintWriter pw = new PrintWriter(f);
|
PrintWriter pw = new PrintWriter(f);
|
||||||
p.list(pw);
|
p.list(pw);
|
||||||
pw.close();
|
pw.close();
|
||||||
|
@ -77,6 +83,7 @@ public class ProfileTest {
|
||||||
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.DOCKER));
|
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.DOCKER));
|
||||||
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.OPENSHIFT_INTEGRATION));
|
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.OPENSHIFT_INTEGRATION));
|
||||||
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.IMPERSONATION));
|
Assert.assertFalse(Profile.isFeatureEnabled(Profile.Feature.IMPERSONATION));
|
||||||
|
Assert.assertTrue(Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS));
|
||||||
|
|
||||||
System.getProperties().remove("jboss.server.config.dir");
|
System.getProperties().remove("jboss.server.config.dir");
|
||||||
|
|
||||||
|
|
|
@ -30,10 +30,8 @@ import javax.ws.rs.Path;
|
||||||
import javax.ws.rs.PathParam;
|
import javax.ws.rs.PathParam;
|
||||||
import javax.ws.rs.Produces;
|
import javax.ws.rs.Produces;
|
||||||
import javax.ws.rs.QueryParam;
|
import javax.ws.rs.QueryParam;
|
||||||
import javax.ws.rs.core.Context;
|
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
import javax.ws.rs.core.Response.Status;
|
import javax.ws.rs.core.Response.Status;
|
||||||
import javax.ws.rs.core.UriInfo;
|
|
||||||
|
|
||||||
import org.jboss.resteasy.annotations.cache.NoCache;
|
import org.jboss.resteasy.annotations.cache.NoCache;
|
||||||
import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
||||||
|
@ -47,6 +45,7 @@ import org.keycloak.authorization.model.Policy;
|
||||||
import org.keycloak.authorization.model.Resource;
|
import org.keycloak.authorization.model.Resource;
|
||||||
import org.keycloak.authorization.model.ResourceServer;
|
import org.keycloak.authorization.model.ResourceServer;
|
||||||
import org.keycloak.authorization.store.ResourceStore;
|
import org.keycloak.authorization.store.ResourceStore;
|
||||||
|
import org.keycloak.common.Profile;
|
||||||
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;
|
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;
|
||||||
import org.keycloak.services.ErrorResponseException;
|
import org.keycloak.services.ErrorResponseException;
|
||||||
import org.keycloak.services.resources.admin.AdminEventBuilder;
|
import org.keycloak.services.resources.admin.AdminEventBuilder;
|
||||||
|
@ -174,6 +173,12 @@ public class UserManagedPermissionService {
|
||||||
if (!resourceScopes.containsAll(scopes)) {
|
if (!resourceScopes.containsAll(scopes)) {
|
||||||
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Some of the scopes [" + scopes + "] are not valid for resource [" + resourceId + "]", Response.Status.BAD_REQUEST);
|
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Some of the scopes [" + scopes + "] are not valid for resource [" + resourceId + "]", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (representation.getCondition() != null) {
|
||||||
|
if (!Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
|
||||||
|
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Script upload not supported", Status.BAD_REQUEST);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -57,6 +57,10 @@ public class ProfileAssume {
|
||||||
Assume.assumeTrue("Ignoring test as feature " + feature.name() + " is not enabled", isFeatureEnabled(feature));
|
Assume.assumeTrue("Ignoring test as feature " + feature.name() + " is not enabled", isFeatureEnabled(feature));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static void assumeFeatureDisabled(Profile.Feature feature) {
|
||||||
|
Assume.assumeTrue("Ignoring test as feature " + feature.name() + " is disabled", !isFeatureEnabled(feature));
|
||||||
|
}
|
||||||
|
|
||||||
public static void assumePreview() {
|
public static void assumePreview() {
|
||||||
updateProfile();
|
updateProfile();
|
||||||
Assume.assumeTrue("Ignoring test as community/preview profile is not enabled", !profile.equals("product"));
|
Assume.assumeTrue("Ignoring test as community/preview profile is not enabled", !profile.equals("product"));
|
||||||
|
|
|
@ -18,7 +18,6 @@ package org.keycloak.testsuite.authz;
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.assertNotNull;
|
import static org.junit.Assert.assertNotNull;
|
||||||
import static org.junit.Assert.assertThat;
|
|
||||||
import static org.junit.Assert.assertTrue;
|
import static org.junit.Assert.assertTrue;
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
|
|
||||||
|
@ -35,6 +34,7 @@ import org.keycloak.authorization.client.resource.AuthorizationResource;
|
||||||
import org.keycloak.authorization.client.resource.PolicyResource;
|
import org.keycloak.authorization.client.resource.PolicyResource;
|
||||||
import org.keycloak.authorization.client.resource.ProtectionResource;
|
import org.keycloak.authorization.client.resource.ProtectionResource;
|
||||||
import org.keycloak.authorization.client.util.HttpResponseException;
|
import org.keycloak.authorization.client.util.HttpResponseException;
|
||||||
|
import org.keycloak.common.Profile;
|
||||||
import org.keycloak.representations.AccessToken;
|
import org.keycloak.representations.AccessToken;
|
||||||
import org.keycloak.representations.idm.RealmRepresentation;
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
|
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
|
||||||
|
@ -46,6 +46,7 @@ import org.keycloak.representations.idm.authorization.PermissionTicketRepresenta
|
||||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||||
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||||
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;
|
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;
|
||||||
|
import org.keycloak.testsuite.ProfileAssume;
|
||||||
import org.keycloak.testsuite.util.ClientBuilder;
|
import org.keycloak.testsuite.util.ClientBuilder;
|
||||||
import org.keycloak.testsuite.util.GroupBuilder;
|
import org.keycloak.testsuite.util.GroupBuilder;
|
||||||
import org.keycloak.testsuite.util.RealmBuilder;
|
import org.keycloak.testsuite.util.RealmBuilder;
|
||||||
|
@ -114,7 +115,11 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
||||||
newPermission.addRole("role_a", "role_b", "role_c", "role_d");
|
newPermission.addRole("role_a", "role_b", "role_c", "role_d");
|
||||||
newPermission.addGroup("/group_a", "/group_a/group_b", "/group_c");
|
newPermission.addGroup("/group_a", "/group_a/group_b", "/group_c");
|
||||||
newPermission.addClient("client-a", "resource-server-test");
|
newPermission.addClient("client-a", "resource-server-test");
|
||||||
newPermission.setCondition("$evaluation.grant()");
|
|
||||||
|
if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
|
||||||
|
newPermission.setCondition("$evaluation.grant()");
|
||||||
|
}
|
||||||
|
|
||||||
newPermission.addUser("kolo");
|
newPermission.addUser("kolo");
|
||||||
|
|
||||||
ProtectionResource protection = getAuthzClient().protection("marta", "password");
|
ProtectionResource protection = getAuthzClient().protection("marta", "password");
|
||||||
|
@ -136,6 +141,12 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
||||||
assertTrue(permission.getUsers().containsAll(newPermission.getUsers()));
|
assertTrue(permission.getUsers().containsAll(newPermission.getUsers()));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCreateDeprecatedFeaturesEnabled() {
|
||||||
|
ProfileAssume.assumeFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS);
|
||||||
|
testCreate();
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUpdate() {
|
public void testUpdate() {
|
||||||
ResourceRepresentation resource = new ResourceRepresentation();
|
ResourceRepresentation resource = new ResourceRepresentation();
|
||||||
|
@ -236,18 +247,23 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
||||||
|
|
||||||
assertTrue(permission.getClients().containsAll(updated.getClients()));
|
assertTrue(permission.getClients().containsAll(updated.getClients()));
|
||||||
|
|
||||||
permission.setCondition("$evaluation.grant()");
|
if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
|
||||||
|
permission.setCondition("$evaluation.grant()");
|
||||||
|
|
||||||
protection.policy(resource.getId()).update(permission);
|
protection.policy(resource.getId()).update(permission);
|
||||||
assertEquals(4, getAssociatedPolicies(permission).size());
|
assertEquals(4, getAssociatedPolicies(permission).size());
|
||||||
updated = protection.policy(resource.getId()).findById(permission.getId());
|
updated = protection.policy(resource.getId()).findById(permission.getId());
|
||||||
|
|
||||||
assertEquals(permission.getCondition(), updated.getCondition());
|
assertEquals(permission.getCondition(), updated.getCondition());
|
||||||
|
}
|
||||||
|
|
||||||
permission.addUser("alice");
|
permission.addUser("alice");
|
||||||
|
|
||||||
protection.policy(resource.getId()).update(permission);
|
protection.policy(resource.getId()).update(permission);
|
||||||
assertEquals(5, getAssociatedPolicies(permission).size());
|
|
||||||
|
int expectedPolicies = Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS) ? 5 : 4;
|
||||||
|
|
||||||
|
assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
|
||||||
updated = protection.policy(resource.getId()).findById(permission.getId());
|
updated = protection.policy(resource.getId()).findById(permission.getId());
|
||||||
assertEquals(1, updated.getUsers().size());
|
assertEquals(1, updated.getUsers().size());
|
||||||
assertEquals(permission.getUsers(), updated.getUsers());
|
assertEquals(permission.getUsers(), updated.getUsers());
|
||||||
|
@ -255,7 +271,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
||||||
permission.addUser("kolo");
|
permission.addUser("kolo");
|
||||||
|
|
||||||
protection.policy(resource.getId()).update(permission);
|
protection.policy(resource.getId()).update(permission);
|
||||||
assertEquals(5, getAssociatedPolicies(permission).size());
|
assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
|
||||||
updated = protection.policy(resource.getId()).findById(permission.getId());
|
updated = protection.policy(resource.getId()).findById(permission.getId());
|
||||||
assertEquals(2, updated.getUsers().size());
|
assertEquals(2, updated.getUsers().size());
|
||||||
assertEquals(permission.getUsers(), updated.getUsers());
|
assertEquals(permission.getUsers(), updated.getUsers());
|
||||||
|
@ -263,7 +279,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
||||||
permission.removeUser("alice");
|
permission.removeUser("alice");
|
||||||
|
|
||||||
protection.policy(resource.getId()).update(permission);
|
protection.policy(resource.getId()).update(permission);
|
||||||
assertEquals(5, getAssociatedPolicies(permission).size());
|
assertEquals(expectedPolicies, getAssociatedPolicies(permission).size());
|
||||||
updated = protection.policy(resource.getId()).findById(permission.getId());
|
updated = protection.policy(resource.getId()).findById(permission.getId());
|
||||||
assertEquals(1, updated.getUsers().size());
|
assertEquals(1, updated.getUsers().size());
|
||||||
assertEquals(permission.getUsers(), updated.getUsers());
|
assertEquals(permission.getUsers(), updated.getUsers());
|
||||||
|
@ -271,23 +287,25 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
||||||
permission.setUsers(null);
|
permission.setUsers(null);
|
||||||
|
|
||||||
protection.policy(resource.getId()).update(permission);
|
protection.policy(resource.getId()).update(permission);
|
||||||
assertEquals(4, getAssociatedPolicies(permission).size());
|
assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
|
||||||
updated = protection.policy(resource.getId()).findById(permission.getId());
|
updated = protection.policy(resource.getId()).findById(permission.getId());
|
||||||
|
|
||||||
assertEquals(permission.getUsers(), updated.getUsers());
|
assertEquals(permission.getUsers(), updated.getUsers());
|
||||||
|
|
||||||
permission.setCondition(null);
|
if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
|
||||||
|
permission.setCondition(null);
|
||||||
|
|
||||||
protection.policy(resource.getId()).update(permission);
|
protection.policy(resource.getId()).update(permission);
|
||||||
assertEquals(3, getAssociatedPolicies(permission).size());
|
assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
|
||||||
updated = protection.policy(resource.getId()).findById(permission.getId());
|
updated = protection.policy(resource.getId()).findById(permission.getId());
|
||||||
|
|
||||||
assertEquals(permission.getCondition(), updated.getCondition());
|
assertEquals(permission.getCondition(), updated.getCondition());
|
||||||
|
};
|
||||||
|
|
||||||
permission.setRoles(null);
|
permission.setRoles(null);
|
||||||
|
|
||||||
protection.policy(resource.getId()).update(permission);
|
protection.policy(resource.getId()).update(permission);
|
||||||
assertEquals(2, getAssociatedPolicies(permission).size());
|
assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
|
||||||
updated = protection.policy(resource.getId()).findById(permission.getId());
|
updated = protection.policy(resource.getId()).findById(permission.getId());
|
||||||
|
|
||||||
assertEquals(permission.getRoles(), updated.getRoles());
|
assertEquals(permission.getRoles(), updated.getRoles());
|
||||||
|
@ -295,7 +313,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
||||||
permission.setClients(null);
|
permission.setClients(null);
|
||||||
|
|
||||||
protection.policy(resource.getId()).update(permission);
|
protection.policy(resource.getId()).update(permission);
|
||||||
assertEquals(1, getAssociatedPolicies(permission).size());
|
assertEquals(--expectedPolicies, getAssociatedPolicies(permission).size());
|
||||||
updated = protection.policy(resource.getId()).findById(permission.getId());
|
updated = protection.policy(resource.getId()).findById(permission.getId());
|
||||||
|
|
||||||
assertEquals(permission.getClients(), updated.getClients());
|
assertEquals(permission.getClients(), updated.getClients());
|
||||||
|
@ -312,6 +330,53 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
|
||||||
fail("Expected not found");
|
fail("Expected not found");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testUpdateDeprecatedFeaturesEnabled() {
|
||||||
|
ProfileAssume.assumeFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS);
|
||||||
|
testUpdate();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testUploadScriptDisabled() {
|
||||||
|
ProfileAssume.assumeFeatureDisabled(Profile.Feature.UPLOAD_SCRIPTS);
|
||||||
|
ResourceRepresentation resource = new ResourceRepresentation();
|
||||||
|
|
||||||
|
resource.setName("Resource A");
|
||||||
|
resource.setOwnerManagedAccess(true);
|
||||||
|
resource.setOwner("marta");
|
||||||
|
resource.addScope("Scope A", "Scope B", "Scope C");
|
||||||
|
|
||||||
|
resource = getAuthzClient().protection().resource().create(resource);
|
||||||
|
|
||||||
|
UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
|
||||||
|
|
||||||
|
newPermission.setName("Custom User-Managed Permission");
|
||||||
|
newPermission.setDescription("Users from specific roles are allowed to access");
|
||||||
|
newPermission.setCondition("$evaluation.grant()");
|
||||||
|
|
||||||
|
ProtectionResource protection = getAuthzClient().protection("marta", "password");
|
||||||
|
|
||||||
|
try {
|
||||||
|
protection.policy(resource.getId()).create(newPermission);
|
||||||
|
fail("Should fail because upload scripts is disabled");
|
||||||
|
} catch (Exception ignore) {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
newPermission.setCondition(null);
|
||||||
|
|
||||||
|
UmaPermissionRepresentation representation = protection.policy(resource.getId()).create(newPermission);
|
||||||
|
|
||||||
|
representation.setCondition("$evaluation.grant();");
|
||||||
|
|
||||||
|
try {
|
||||||
|
protection.policy(resource.getId()).update(newPermission);
|
||||||
|
fail("Should fail because upload scripts is disabled");
|
||||||
|
} catch (Exception ignore) {
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUserManagedPermission() {
|
public void testUserManagedPermission() {
|
||||||
|
|
Loading…
Reference in a new issue