Merge pull request #3201 from pedroigor/KEYCLOAK-3129

[KEYCLOAK-3129] - Add authorization services endpoints to PermissionsTest
Stian Thorgersen 2016-09-08 08:03:40 +02:00 committed by GitHub
commit d2c546bdc2
7 changed files with 158 additions and 4 deletions


@ -25,6 +25,7 @@ import javax.ws.rs.POST;
import javax.ws.rs.Path; import javax.ws.rs.Path;
import javax.ws.rs.PathParam; import javax.ws.rs.PathParam;
import javax.ws.rs.Produces; import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import java.util.List; import java.util.List;
@ -42,6 +43,17 @@ public interface ResourcesResource {
@Path("{id}") @Path("{id}")
ResourceResource resource(@PathParam("id") String id); ResourceResource resource(@PathParam("id") String id);
@GET
@NoCache
@Produces(MediaType.APPLICATION_JSON)
List<ResourceRepresentation> find(@QueryParam("name") String name,
@QueryParam("uri") String uri,
@QueryParam("owner") String owner,
@QueryParam("type") String type,
@QueryParam("scope") String scope,
@QueryParam("first") Integer firstResult,
@QueryParam("max") Integer maxResult);
@GET @GET
@NoCache @NoCache
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
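Review bot: The new `find` method carries no Javadoc although it is part of the public admin-client interface, and its five consecutive `String` parameters make positional mix-ups at call sites easy; the `@QueryParam` names are currently the only description of what each argument filters on. I would add a Javadoc stating that every argument is sent as the query parameter of the same name (`name`, `uri`, `owner`, `type`, `scope`, `first`, `max`) and that `first`/`max` are boxed `Integer`, so a null presumably leaves that parameter out of the request — confirm that against the proxy's handling of null query parameters before documenting it as guaranteed. The `@GET` method that follows `find` at the end of the hunk has its signature outside the hunk.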


@ -47,6 +47,7 @@ import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper; import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.services.Urls; import org.keycloak.services.Urls;
import org.keycloak.services.resources.admin.RealmAuth;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
import javax.ws.rs.POST; import javax.ws.rs.POST;
@ -74,20 +75,23 @@ import static java.util.Arrays.asList;
public class PolicyEvaluationService { public class PolicyEvaluationService {
private final AuthorizationProvider authorization; private final AuthorizationProvider authorization;
private final RealmAuth auth;
@Context @Context
private HttpRequest httpRequest; private HttpRequest httpRequest;
private final ResourceServer resourceServer; private final ResourceServer resourceServer;
PolicyEvaluationService(ResourceServer resourceServer, AuthorizationProvider authorization) { PolicyEvaluationService(ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
this.resourceServer = resourceServer; this.resourceServer = resourceServer;
this.authorization = authorization; this.authorization = authorization;
this.auth = auth;
} }
@POST @POST
@Consumes("application/json") @Consumes("application/json")
@Produces("application/json") @Produces("application/json")
public void evaluate(PolicyEvaluationRequest evaluationRequest, @Suspended AsyncResponse asyncResponse) { public void evaluate(PolicyEvaluationRequest evaluationRequest, @Suspended AsyncResponse asyncResponse) {
this.auth.requireView();
KeycloakIdentity identity = createIdentity(evaluationRequest); KeycloakIdentity identity = createIdentity(evaluationRequest);
EvaluationContext evaluationContext = createEvaluationContext(evaluationRequest, identity); EvaluationContext evaluationContext = createEvaluationContext(evaluationRequest, identity);
authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization), evaluationContext).evaluate(createDecisionCollector(authorization, identity, asyncResponse)); authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization), evaluationContext).evaluate(createDecisionCollector(authorization, identity, asyncResponse));
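Review bot: `this.auth.requireView();` at the top of `evaluate` duplicates the `requireView()` that the sub-resource locator in `PolicyService.getPolicyEvaluateResource()` already performs before constructing this object, and nothing in the hunk records that the second check is intentional defense in depth rather than an oversight. I would keep it but annotate the line, e.g. `// re-checked here so the POST is gated even if the service is constructed from another locator`, and fail fast on a missing injection with `this.auth = Objects.requireNonNull(auth, "auth");` in the constructor (needs `java.util.Objects`), since otherwise a caller that passes null only discovers it as an NPE at request time. The only constructor call visible in this commit is the one in `PolicyService`; `evaluate` continues past the end of the hunk.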


@ -273,7 +273,7 @@ public class PolicyService {
@Path("evaluate") @Path("evaluate")
public PolicyEvaluationService getPolicyEvaluateResource() { public PolicyEvaluationService getPolicyEvaluateResource() {
this.auth.requireView(); this.auth.requireView();
PolicyEvaluationService resource = new PolicyEvaluationService(this.resourceServer, this.authorization); PolicyEvaluationService resource = new PolicyEvaluationService(this.resourceServer, this.authorization, this.auth);
ResteasyProviderFactory.getInstance().injectProperties(resource); ResteasyProviderFactory.getInstance().injectProperties(resource);


@ -177,7 +177,7 @@ public class ResourceSetService {
@GET @GET
@NoCache @NoCache
@Produces("application/json") @Produces("application/json")
public Response findAll(@QueryParam("name") String name, public Response find(@QueryParam("name") String name,
@QueryParam("uri") String uri, @QueryParam("uri") String uri,
@QueryParam("owner") String owner, @QueryParam("owner") String owner,
@QueryParam("type") String type, @QueryParam("type") String type,


@ -107,6 +107,11 @@ public class ScopeService {
} }
Scope scope = storeFactory.getScopeStore().findById(id); Scope scope = storeFactory.getScopeStore().findById(id);
if (scope == null) {
return Response.status(Status.NOT_FOUND).build();
}
PolicyStore policyStore = storeFactory.getPolicyStore(); PolicyStore policyStore = storeFactory.getPolicyStore();
List<Policy> policies = policyStore.findByScopeIds(Arrays.asList(scope.getId()), resourceServer.getId()); List<Policy> policies = policyStore.findByScopeIds(Arrays.asList(scope.getId()), resourceServer.getId());
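Review bot: The new null check returns 404 for an unknown id, but `findById(id)` on the line above it is not scoped to `resourceServer`, whereas the `findByScopeIds(..., resourceServer.getId())` call just below is; if the scope store resolves ids globally, an id belonging to another client's resource server would pass this guard and be processed as if it were owned by this one. Assuming the scope model exposes its owning resource server, tighten the guard to `if (scope == null || !resourceServer.getId().equals(scope.getResourceServer().getId())) {` so a foreign id gets the same 404 as an unknown one. The enclosing method starts before the hunk and continues after it, so sibling lookups outside the hunk may need the same ownership check.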


@ -109,7 +109,7 @@ public class ResourceService {
} }
private Set<String> findAll() { private Set<String> findAll() {
Response response = this.resourceManager.findAll(null, null, null, null, null, -1, -1); Response response = this.resourceManager.find(null, null, null, null, null, -1, -1);
List<ResourceRepresentation> resources = (List<ResourceRepresentation>) response.getEntity(); List<ResourceRepresentation> resources = (List<ResourceRepresentation>) response.getEntity();
return resources.stream().map(ResourceRepresentation::getId).collect(Collectors.toSet()); return resources.stream().map(ResourceRepresentation::getId).collect(Collectors.toSet());
} }


@ -17,10 +17,12 @@
package org.keycloak.testsuite.admin; package org.keycloak.testsuite.admin;
import org.apache.bcel.generic.RETURN;
import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataOutput; import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataOutput;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.admin.client.Keycloak; import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.RealmResource; import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.models.AdminRoles; import org.keycloak.models.AdminRoles;
import org.keycloak.models.Constants; import org.keycloak.models.Constants;
@ -45,6 +47,10 @@ import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserFederationMapperRepresentation; import org.keycloak.representations.idm.UserFederationMapperRepresentation;
import org.keycloak.representations.idm.UserFederationProviderRepresentation; import org.keycloak.representations.idm.UserFederationProviderRepresentation;
import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.resources.admin.RealmAuth.Resource; import org.keycloak.services.resources.admin.RealmAuth.Resource;
import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.Assert; import org.keycloak.testsuite.Assert;
@ -68,6 +74,8 @@ import java.util.Map;
import java.util.concurrent.atomic.AtomicReference; import java.util.concurrent.atomic.AtomicReference;
import static org.junit.Assert.*; import static org.junit.Assert.*;
import static org.keycloak.services.resources.admin.RealmAuth.Resource.AUTHORIZATION;
import static org.keycloak.services.resources.admin.RealmAuth.Resource.CLIENT;
/** /**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a> * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -770,6 +778,123 @@ public class PermissionsTest extends AbstractKeycloakTest {
}, Resource.CLIENT, true); }, Resource.CLIENT, true);
} }
@Test
public void clientAuthorization() {
invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) {
realm.clients().create(ClientBuilder.create().clientId("foo-authz").build());
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
foo.setServiceAccountsEnabled(true);
foo.setAuthorizationServicesEnabled(true);
realm.clients().get(foo.getId()).update(foo);
}
}, CLIENT, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
realm.clients().get(foo.getId()).authorization().getSettings();
}
}, AUTHORIZATION, false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
ResourceServerRepresentation settings = authorization.getSettings();
authorization.update(settings);
}
}, AUTHORIZATION, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.resources().resources();
}
}, AUTHORIZATION, false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.scopes().scopes();
}
}, AUTHORIZATION, false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.policies().policies();
}
}, AUTHORIZATION, false);
invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
response.set(authorization.resources().create(new ResourceRepresentation("Test", Collections.emptySet())));
}
}, AUTHORIZATION, true);
invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
response.set(authorization.scopes().create(new ScopeRepresentation("Test")));
}
}, AUTHORIZATION, true);
invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName("Test PermissionsTest");
representation.setType("js");
HashMap<String, String> config = new HashMap<>();
config.put("code", "");
representation.setConfig(config);
response.set(authorization.policies().create(representation));
}
}, AUTHORIZATION, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.resources().resource("nosuch").update(new ResourceRepresentation());
}
}, AUTHORIZATION, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.scopes().scope("nosuch").update(new ScopeRepresentation());
}
}, AUTHORIZATION, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.policies().policy("nosuch").update(new PolicyRepresentation());
}
}, AUTHORIZATION, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.resources().resource("nosuch").remove();
}
}, AUTHORIZATION, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.scopes().scope("nosuch").remove();
}
}, AUTHORIZATION, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
org.keycloak.representations.idm.ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.policies().policy("nosuch").remove();
}
}, AUTHORIZATION, true);
}
@Test @Test
public void roles() { public void roles() {
invoke(new Invocation() { invoke(new Invocation() {
@ -1543,6 +1668,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
return AdminRoles.VIEW_EVENTS; return AdminRoles.VIEW_EVENTS;
case IDENTITY_PROVIDER: case IDENTITY_PROVIDER:
return AdminRoles.VIEW_IDENTITY_PROVIDERS; return AdminRoles.VIEW_IDENTITY_PROVIDERS;
case AUTHORIZATION:
return AdminRoles.VIEW_AUTHORIZATION;
default: default:
throw new RuntimeException("Unexpected resouce"); throw new RuntimeException("Unexpected resouce");
} }
@ -1560,6 +1687,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
return AdminRoles.MANAGE_EVENTS; return AdminRoles.MANAGE_EVENTS;
case IDENTITY_PROVIDER: case IDENTITY_PROVIDER:
return AdminRoles.MANAGE_IDENTITY_PROVIDERS; return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
case AUTHORIZATION:
return AdminRoles.MANAGE_AUTHORIZATION;
default: default:
throw new RuntimeException("Unexpected resouce"); throw new RuntimeException("Unexpected resouce");
} }
@ -1577,6 +1706,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
return AdminRoles.VIEW_IDENTITY_PROVIDERS; return AdminRoles.VIEW_IDENTITY_PROVIDERS;
case IDENTITY_PROVIDER: case IDENTITY_PROVIDER:
return AdminRoles.VIEW_REALM; return AdminRoles.VIEW_REALM;
case AUTHORIZATION:
return AdminRoles.VIEW_IDENTITY_PROVIDERS;
default: default:
throw new RuntimeException("Unexpected resouce"); throw new RuntimeException("Unexpected resouce");
} }
@ -1594,6 +1725,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
return AdminRoles.MANAGE_IDENTITY_PROVIDERS; return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
case IDENTITY_PROVIDER: case IDENTITY_PROVIDER:
return AdminRoles.MANAGE_REALM; return AdminRoles.MANAGE_REALM;
case AUTHORIZATION:
return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
default: default:
throw new RuntimeException("Unexpected resouce"); throw new RuntimeException("Unexpected resouce");
} }
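Review bot: `import org.apache.bcel.generic.RETURN;` in the first hunk of this file is not referenced by any line in the section and looks like an IDE auto-import picked up from the classpath; it should be dropped before merge so the testsuite does not acquire an accidental compile-time dependency on BCEL. In `clientAuthorization` the lookup pair `realm.clients().findByClientId("foo-authz").get(0)` / `realm.clients().get(foo.getId()).authorization()` is repeated in every invocation; a private helper `private AuthorizationResource authorization(RealmResource realm) { return realm.clients().get(realm.clients().findByClientId("foo-authz").get(0).getId()).authorization(); }` would remove most of that duplication and keep the per-case bodies to the call under test. A one-line comment above the method explaining that the first `invoke` creates `foo-authz` with authorization services enabled and the later ones only exercise it would also help, since the test depends on that ordering.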