91bdc4bde2
* [KEYCLOAK-3169] - UMA 2.0 Support * [KEYCLOAK-3169] - Changes to account service and more tests * [KEYCLOAK-3169] - Code cleanup and tests * [KEYCLOAK-3169] - Changes to account service and tests * [KEYCLOAK-3169] - Changes to account service and tests * [KEYCLOAK-3169] - More tests * [KEYCLOAK-3169] - Changes to adapter configuration * [KEYCLOAK-3169] - Reviewing UMA specs and more tests * [KEYCLOAK-3169] - Reviewing UMA specs and more tests * [KEYCLOAK-3169] - Changes to UMA Grant Type and refactoring * [KEYCLOAK-3169] - Refresh tokens for RPT responses and tests * [KEYCLOAK-3169] - Changes to account my resources and policy enforcers * [KEYCLOAK-3169] - Realm settings flag to enable/disable user-managed access in account mgmt console * [KEYCLOAK-3169] - More changes to my resource pages in account mgmt console * [KEYCLOAK-3169] - Need to enable user-managed on realm to run tests * [KEYCLOAK-3169] - Removing more UMA 1.0 related code * [KEYCLOAK-3169] - Only submit requests if ticket exists * [KEYCLOAK-3169] - Returning UMA 401 response when not authenticated * [KEYCLOAK-3169] - Removing unused code * [KEYCLOAK-3169] - Removing unused code * [KEYCLOAK-3169] - 403 response in case ticket is not created * [KEYCLOAK-3169] - Fixing AbstractPhotozExampleAdapterTest#testClientRoleRepresentingUserConsent * [KEYCLOAK-3169] - 403 status code only returned for non-bearer clients
{
|
|
"allowRemoteResourceManagement": true,
|
|
"policyEnforcementMode": "ENFORCING",
|
|
"resources": [
|
|
{
|
|
"name": "User Profile Resource",
|
|
"uri": "/profile",
|
|
"type": "http://photoz.com/profile",
|
|
"scopes": [
|
|
{
|
|
"name": "profile:view"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"name": "Album Resource",
|
|
"uri": "/album/*",
|
|
"type": "http://photoz.com/album",
|
|
"scopes": [
|
|
{
|
|
"name": "album:view"
|
|
},
|
|
{
|
|
"name": "album:delete"
|
|
},
|
|
{
|
|
"name": "album:create"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"name": "Admin Resources",
|
|
"uri": "/admin/*",
|
|
"type": "http://photoz.com/admin",
|
|
"scopes": [
|
|
{
|
|
"name": "admin:manage"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"name": "Scope Protected Resource",
|
|
"uri": "/scope-any",
|
|
"scopes": [
|
|
{
|
|
"name": "scope-a"
|
|
},
|
|
{
|
|
"name": "scope-b"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"policies": [
|
|
{
|
|
"name": "Only Owner Policy",
|
|
"description": "Defines that only the resource owner is allowed to do something",
|
|
"type": "rules",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"mavenArtifactVersion": "2.5.0.Final-SNAPSHOT",
|
|
"mavenArtifactId": "photoz-authz-policy",
|
|
"sessionName": "MainOwnerSession",
|
|
"mavenArtifactGroupId": "org.keycloak.testsuite",
|
|
"moduleName": "PhotozAuthzOwnerPolicy",
|
|
"applyPolicies": "[]",
|
|
"scannerPeriod": "1",
|
|
"scannerPeriodUnit": "Hours"
|
|
}
|
|
},
|
|
{
|
|
"name": "Any Admin Policy",
|
|
"description": "Defines that administrators can do something",
|
|
"type": "role",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"applyPolicies": "[]",
|
|
"roles": "[{\"id\":\"admin\",\"required\":true}]"
|
|
}
|
|
},
|
|
{
|
|
"name": "Any User Policy",
|
|
"description": "Defines that only users from well known clients are allowed to access",
|
|
"type": "role",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"applyPolicies": "[]",
|
|
"roles": "[{\"id\":\"user\"},{\"id\":\"manage-albums\",\"required\":true}]"
|
|
}
|
|
},
|
|
{
|
|
"name": "Only From a Specific Client Address",
|
|
"description": "Defines that only clients from a specific address can do something",
|
|
"type": "js",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"applyPolicies": "[]",
|
|
"code": "var contextAttributes = $evaluation.getContext().getAttributes();\n\nif (contextAttributes.containsValue('kc.client.network.ip_address', '127.0.0.1')) {\n $evaluation.grant();\n}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Administration Policy",
|
|
"description": "Defines that only administrators from a specific network address can do something.",
|
|
"type": "aggregate",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"applyPolicies": "[\"Only From a Specific Client Address\",\"Any Admin Policy\"]"
|
|
}
|
|
},
|
|
{
|
|
"name": "Only Owner and Administrators Policy",
|
|
"description": "Defines that only the resource owner and administrators can do something",
|
|
"type": "aggregate",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "AFFIRMATIVE",
|
|
"config": {
|
|
"applyPolicies": "[\"Administration Policy\",\"Only Owner Policy\"]"
|
|
}
|
|
},
|
|
{
|
|
"name": "Only From @keycloak.org or Admin",
|
|
"description": "Defines that only users from @keycloak.org or administrators can do something",
|
|
"type": "js",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"applyPolicies": "[]",
|
|
"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRealmRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"
|
|
}
|
|
},
|
|
{
|
|
"name": "Album Resource Permission",
|
|
"description": "General policies that apply to all album resources.",
|
|
"type": "resource",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "AFFIRMATIVE",
|
|
"config": {
|
|
"defaultResourceType": "http://photoz.com/album",
|
|
"default": "true",
|
|
"applyPolicies": "[\"Any User Policy\",\"Administration Policy\"]"
|
|
}
|
|
},
|
|
{
|
|
"name": "Admin Resource Permission",
|
|
"description": "General policy for any administrative resource.",
|
|
"type": "resource",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"defaultResourceType": "http://photoz.com/admin",
|
|
"default": "true",
|
|
"applyPolicies": "[\"Administration Policy\"]"
|
|
}
|
|
},
|
|
{
|
|
"name": "View User Permission",
|
|
"description": "Defines who is allowed to view a user profile",
|
|
"type": "scope",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"applyPolicies": "[\"Only From @keycloak.org or Admin\"]",
|
|
"scopes": "[\"profile:view\"]"
|
|
}
|
|
},
|
|
{
|
|
"name": "Delete Album Permission",
|
|
"description": "A policy that only allows the owner to delete his albums.",
|
|
"type": "scope",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"applyPolicies": "[\"Only Owner and Administrators Policy\"]",
|
|
"scopes": "[\"album:delete\"]"
|
|
}
|
|
},
|
|
{
|
|
"name": "View Album Permission",
|
|
"description": "A policy that only allows the owner to view his albums.",
|
|
"type": "scope",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"applyPolicies": "[\"Only Owner and Administrators Policy\"]",
|
|
"scopes": "[\"album:view\"]"
|
|
}
|
|
},
|
|
{
|
|
"name": "Deny Policy",
|
|
"type": "js",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"code": "// by default, grants any permission associated with this policy\n$evaluation.deny();"
|
|
}
|
|
},
|
|
{
|
|
"name": "Protected Scope A Permission",
|
|
"type": "scope",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"resources": "[\"Scope Protected Resource\"]",
|
|
"scopes": "[\"scope-a\"]",
|
|
"applyPolicies": "[\"Any User Policy\"]"
|
|
}
|
|
},
|
|
{
|
|
"name": "Protected Scope B Permission",
|
|
"type": "scope",
|
|
"logic": "POSITIVE",
|
|
"decisionStrategy": "UNANIMOUS",
|
|
"config": {
|
|
"resources": "[\"Scope Protected Resource\"]",
|
|
"scopes": "[\"scope-b\"]",
|
|
"applyPolicies": "[\"Deny Policy\"]"
|
|
}
|
|
}
|
|
],
|
|
"scopes": [
|
|
{
|
|
"name": "profile:view"
|
|
},
|
|
{
|
|
"name": "album:view"
|
|
},
|
|
{
|
|
"name": "album:create"
|
|
},
|
|
{
|
|
"name": "album:delete"
|
|
},
|
|
{
|
|
"name": "admin:manage"
|
|
}
|
|
]
|
|
} |