Java Code Examples for org.keycloak.adapters.KeycloakDeployment#getPolicyEnforcer()

The following examples show how to use org.keycloak.adapters.KeycloakDeployment#getPolicyEnforcer(). Each example names the source file it was taken from; the original project is linked above each example.
Example 1
Source File: EnforcerConfigTest.java — from keycloak, Apache License 2.0
@Test
public void testPathConfigClaimInformationPoint() {
    // Deployment built from a config that declares one path carrying a "claims" claim-information-point.
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(
            getClass().getResourceAsStream("/authorization-test/enforcer-config-path-cip.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    Map<String, PolicyEnforcerConfig.PathConfig> configuredPaths = enforcer.getPaths();
    assertEquals(1, configuredPaths.size());

    PathConfig onlyPath = configuredPaths.values().iterator().next();
    Map<String, Map<String, Object>> cipByProvider = onlyPath.getClaimInformationPointConfig();
    assertEquals(1, cipByProvider.size());

    Map<String, Object> claimMappings = cipByProvider.get("claims");
    assertNotNull(claimMappings);
    assertEquals(3, claimMappings.size());

    // Each claim is sourced from a different part of the incoming request (query parameter,
    // header, cookie). All three are caller-controlled inputs, so a policy keyed on them must
    // treat their values as untrusted.
    assertEquals("{request.parameter['a']}", claimMappings.get("claim-a"));
    assertEquals("{request.header['b']}", claimMappings.get("claim-b"));
    assertEquals("{request.cookie['c']}", claimMappings.get("claim-c"));
}
 
Example 2
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testCustomClaimProvider() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    // Obtain a user access token through the authorization-code flow of the public client.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    OIDCHttpFacade facade = createHttpFacade("/api/resourcea", accessToken);
    AuthorizationContext context = enforcer.enforce(facade);

    // The custom claim-information-point provider configured for this deployment is expected
    // to have attached "resolved-claim" to the granted permission.
    Permission grantedPermission = context.getPermissions().get(0);
    Map<String, Set<String>> resolvedClaims = grantedPermission.getClaims();

    assertTrue(context.isGranted());
    assertEquals("test", resolvedClaims.get("resolved-claim").iterator().next());
}
 
Example 3
Source File: EnforcerConfigTest.java — from keycloak, Apache License 2.0
@Test
public void testMultiplePathsWithSameName() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(
            getClass().getResourceAsStream("/authorization-test/enforcer-config-paths-same-name.json"));
    Map<String, PolicyEnforcerConfig.PathConfig> paths = deployment.getPolicyEnforcer().getPaths();

    // Several path entries that share one name end up as a single PathConfig; the assertion on
    // the method count shows the methods of the individual entries were combined into it.
    assertEquals(1, paths.size());
    PolicyEnforcerConfig.PathConfig combined = paths.values().iterator().next();
    assertEquals(4, combined.getMethods().size());
}
 
Example 4
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testBearerOnlyClientResponse() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    // Anonymous request to a protected path: the bearer-only configuration answers with 403.
    OIDCHttpFacade anonymousFacade = createHttpFacade("/api/resourcea");
    AuthorizationContext context = enforcer.enforce(anonymousFacade);
    assertFalse(context.isGranted());
    assertEquals(403, ((TestResponse) anonymousFacade.getResponse()).getStatus());

    // Log in as a regular user and exchange the authorization code for an access token.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    // Same path, now with a valid token: granted.
    OIDCHttpFacade authenticatedFacade = createHttpFacade("/api/resourcea", accessToken);
    context = enforcer.enforce(authenticatedFacade);
    assertTrue(context.isGranted());

    // A second protected path without a token is denied again with 403.
    OIDCHttpFacade otherAnonymousFacade = createHttpFacade("/api/resourceb");
    context = enforcer.enforce(otherAnonymousFacade);
    assertFalse(context.isGranted());
    assertEquals(403, ((TestResponse) otherAnonymousFacade.getResponse()).getStatus());
}
 
Example 5
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testPathConfigurationPrecendenceWhenLazyLoadingPaths() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-paths.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    // Without a token the protected API path is denied with 403.
    OIDCHttpFacade anonymousApiFacade = createHttpFacade("/api/resourcea");
    AuthorizationContext context = enforcer.enforce(anonymousApiFacade);
    assertFalse(context.isGranted());
    assertEquals(403, ((TestResponse) anonymousApiFacade.getResponse()).getStatus());

    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    // With a valid token the same path is granted.
    context = enforcer.enforce(createHttpFacade("/api/resourcea", accessToken));
    assertTrue(context.isGranted());

    // The root path is granted even without a token. Per the test name this is the explicitly
    // configured path entry taking precedence over lazily loaded ones — confirm against enforcer-paths.json.
    OIDCHttpFacade rootFacade = createHttpFacade("/");
    context = enforcer.enforce(rootFacade);
    assertTrue(context.isGranted());
}
 
Example 6
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testResolvingClaimsOnce() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    // The resolver passed to the facade must be invoked exactly once per request; a second
    // invocation flips compareAndSet to false and fails the test from inside the callback.
    AtomicBoolean alreadyResolved = new AtomicBoolean();
    OIDCHttpFacade facade = createHttpFacade("/api/resourcea", accessToken, (Function<String, String>) claimName -> {
        Assert.assertTrue(alreadyResolved.compareAndSet(false, true));
        return "value-" + claimName;
    });

    AuthorizationContext context = enforcer.enforce(facade);
    Permission grantedPermission = context.getPermissions().get(0);
    Map<String, Set<String>> resolvedClaims = grantedPermission.getClaims();

    assertTrue(context.isGranted());
    // "claim-a" went through the resolver above; "claim-b" kept its configured literal value.
    assertEquals("value-claim-a", resolvedClaims.get("claim-a").iterator().next());
    assertEquals("claim-b", resolvedClaims.get("claim-b").iterator().next());
}
 
Example 7
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testOnDenyRedirectTo() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-on-deny-redirect.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    OIDCHttpFacade facade = createHttpFacade("/api/resourcea");
    AuthorizationContext context = enforcer.enforce(facade);
    assertFalse(context.isGranted());

    // On denial the enforcer redirects instead of answering 403. The Location target is fixed
    // by the adapter configuration (enforcer-on-deny-redirect.json), not derived from the request.
    TestResponse deniedResponse = (TestResponse) facade.getResponse();
    assertEquals(302, deniedResponse.getStatus());
    List<String> locationHeader = deniedResponse.getHeaders().getOrDefault("Location", Collections.emptyList());
    assertFalse(locationHeader.isEmpty());
    assertEquals("/accessDenied", locationHeader.get(0));
}
 
Example 8
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testNotAuthenticatedDenyUnmapedPath() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    // A path that is not mapped in the enforcer configuration, requested anonymously, is
    // denied with 403 — i.e. unknown paths are not open by default.
    OIDCHttpFacade facade = createHttpFacade("/api/unmmaped");
    AuthorizationContext context = enforcer.enforce(facade);
    assertFalse(context.isGranted());

    TestResponse deniedResponse = (TestResponse) facade.getResponse();
    assertEquals(403, deniedResponse.getStatus());
}
 
Example 9
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testMappedPathEnforcementModeDisabled() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    // The public path has enforcement disabled in the config: granted without any token.
    AuthorizationContext context = enforcer.enforce(createHttpFacade("/api/resource/public"));
    assertTrue(context.isGranted());

    // Other mapped paths are still enforced: anonymous access is denied with 403.
    OIDCHttpFacade anonymousFacade = createHttpFacade("/api/resourceb");
    context = enforcer.enforce(anonymousFacade);
    assertFalse(context.isGranted());
    assertEquals(403, ((TestResponse) anonymousFacade.getResponse()).getStatus());

    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    String accessToken = oauth.doAccessTokenRequest(authorizationCode, null).getAccessToken();

    // With a token: resourcea is granted, resourceb stays denied (the user has no permission there).
    context = enforcer.enforce(createHttpFacade("/api/resourcea", accessToken));
    assertTrue(context.isGranted());

    OIDCHttpFacade authenticatedFacade = createHttpFacade("/api/resourceb", accessToken);
    context = enforcer.enforce(authenticatedFacade);
    assertFalse(context.isGranted());
    assertEquals(403, ((TestResponse) authenticatedFacade.getResponse()).getStatus());

    // The public path remains granted when a token is present as well.
    context = enforcer.enforce(createHttpFacade("/api/resource/public", accessToken));
    assertTrue(context.isGranted());
}
 
Example 10
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testEnforcementModeDisabled() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    // With enforcement mode disabled for the whole deployment, an anonymous request is still
    // challenged with 401 rather than being waved through without credentials.
    OIDCHttpFacade facade = createHttpFacade("/api/resource/public");
    enforcer.enforce(facade);

    TestResponse challenge = (TestResponse) facade.getResponse();
    assertEquals(401, challenge.getStatus());
}
 
Example 11
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
@Test
public void testUsingSubjectToken() {
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation subjectTokenResource = createResource(clientResource, "Resource Subject Token", "/api/check-subject-token");

    // Protect the new resource with the "Only User Policy" so that a logged-in user is granted.
    ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
    resourcePermission.setName(subjectTokenResource.getName() + " Permission");
    resourcePermission.addResource(subjectTokenResource.getName());
    resourcePermission.addPolicy("Only User Policy");
    PermissionsResource permissionsResource = clientResource.authorization().permissions();
    permissionsResource.resource().create(resourcePermission).close();

    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    // Anonymous request is denied with 403.
    OIDCHttpFacade anonymousFacade = createHttpFacade("/api/check-subject-token");
    AuthorizationContext context = enforcer.enforce(anonymousFacade);
    assertFalse(context.isGranted());
    assertEquals(403, ((TestResponse) anonymousFacade.getResponse()).getStatus());

    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    // The user's own access token (the subject token) is enough to be granted.
    OIDCHttpFacade authenticatedFacade = createHttpFacade("/api/check-subject-token", accessToken);
    context = enforcer.enforce(authenticatedFacade);
    assertTrue(context.isGranted());
}
 
Example 12
Source File: PolicyEnforcerTest.java — from keycloak, Apache License 2.0
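@Test
public void testUsingInvalidToken() {
    ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation resource = createResource(clientResource, "Resource Subject Invalid Token", "/api/check-subject-token");

    // Protect the resource with the "Only User Policy" so that a valid user token is granted.
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getName());
    permission.addPolicy("Only User Policy");
    PermissionsResource permissions = clientResource.authorization().permissions();
    permissions.resource().create(permission).close();

    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();

    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();

    // The original built an extra, token-less facade here that was immediately overwritten;
    // only the authenticated facade is needed.
    OIDCHttpFacade httpFacade = createHttpFacade("/api/check-subject-token", token);

    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    assertTrue(context.isGranted());

    // Logging out ends the user's session on the server. Re-enforcing the very same access
    // token afterwards is denied, so the enforcer evidently checks more than the token's
    // signature — presumably server-side session/token state; confirm against the adapter's
    // token validation before relying on this for revocation.
    oauth.doLogout(response.getRefreshToken(), null);

    context = policyEnforcer.enforce(httpFacade);
    assertFalse(context.isGranted());
}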
 
Example 13
Source File: ClaimInformationPointProviderTest.java — from keycloak, Apache License 2.0
/**
 * Builds the claim-information-point provider registered under {@code providerName} for the
 * path {@code path} of the enforcer-config-claims-provider.json deployment.
 *
 * @param path         path key as it appears in the enforcer configuration
 * @param providerName key of the claim-information-point provider factory to use
 * @return the provider created by that factory from the path's configuration for it
 */
private ClaimInformationPointProvider getClaimInformationProviderForPath(String path, String providerName) {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(
            getClass().getResourceAsStream("/authorization-test/enforcer-config-claims-provider.json"));
    // NOTE(review): the HTTP client handed to the deployment is never closed here; the returned
    // provider may still use it, so closing it in this helper is not an option — verify it is
    // released elsewhere in the test lifecycle.
    deployment.setClient(HttpClients.createDefault());
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    PathConfig pathConfig = enforcer.getPaths().get(path);
    assertNotNull(pathConfig);

    Map<String, Map<String, Object>> cipConfig = pathConfig.getClaimInformationPointConfig();
    assertNotNull(cipConfig);

    Map<String, ClaimInformationPointProviderFactory> factories = enforcer.getClaimInformationPointProviderFactories();
    ClaimInformationPointProviderFactory factory = factories.get(providerName);
    assertNotNull(factory);

    // The per-provider config may be absent for this path; the factory is handed whatever is there.
    Map<String, Object> providerConfig = cipConfig.get(providerName);
    return factory.create(providerConfig);
}
 
Example 14
Source File: PolicyEnforcerClaimsTest.java — from keycloak, Apache License 2.0
@Test
public void testEnforceEntitlementAccessWithClaimsWithoutBearerToken() {
    initAuthorizationSettings(getClientResource("resource-server-test"));

    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-entitlement-claims-test.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();
    HashMap<String, List<String>> headers = new HashMap<>();
    HashMap<String, List<String>> parameters = new HashMap<>();

    AuthzClient authzClient = getAuthzClient("enforcer-entitlement-claims-test.json");
    String token = authzClient.obtainAccessToken("marta", "password").getToken();

    final String withdrawalPath = "/api/bank/account/1/withdrawal";

    // The "withdrawal.amount" claim is pushed from a request parameter — a caller-supplied
    // value. The decision itself is made by the server-side policy; the test only checks that
    // the value is forwarded and that the policy's outcome is honoured.
    AuthorizationContext context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
    assertFalse(context.isGranted());

    // 50: granted, and the claim echoed back on the single permission matches the parameter.
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
    assertTrue(context.isGranted());
    assertEquals(1, context.getPermissions().size());
    Permission firstGrant = context.getPermissions().get(0);
    assertEquals(parameters.get("withdrawal.amount").get(0), firstGrant.getClaims().get("withdrawal.amount").iterator().next());

    // 200: denied by the policy (presumably an amount limit — see initAuthorizationSettings).
    parameters.put("withdrawal.amount", Arrays.asList("200"));
    context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
    assertFalse(context.isGranted());

    // 50 again: granted — the earlier denial did not stick to the token.
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
    assertTrue(context.isGranted());

    // 10: granted, and the claim on the permission again reflects the current parameter value.
    parameters.put("withdrawal.amount", Arrays.asList("10"));
    context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
    assertTrue(context.isGranted());
    assertEquals(1, context.getPermissions().size());
    Permission lastGrant = context.getPermissions().get(0);
    assertEquals(parameters.get("withdrawal.amount").get(0), lastGrant.getClaims().get("withdrawal.amount").iterator().next());
}
 
Example 15
Source File: PolicyEnforcerClaimsTest.java — from keycloak, Apache License 2.0
@Test
public void testEnforceEntitlementAccessWithClaimsWithBearerToken() {
    initAuthorizationSettings(getClientResource("resource-server-test"));

    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-entitlement-claims-test.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();
    HashMap<String, List<String>> headers = new HashMap<>();
    HashMap<String, List<String>> parameters = new HashMap<>();

    AuthzClient authzClient = getAuthzClient("enforcer-entitlement-claims-test.json");
    String token = authzClient.obtainAccessToken("marta", "password").getToken();

    // Same as the no-bearer variant, but the token also travels in the Authorization header.
    headers.put("Authorization", Arrays.asList("Bearer " + token));

    final String withdrawalPath = "/api/bank/account/1/withdrawal";

    // No "withdrawal.amount" parameter at all: denied.
    AuthorizationContext context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
    assertFalse(context.isGranted());

    // The amount is a caller-supplied request parameter; the grant/deny outcome per value is
    // decided by the server-side policy (presumably an amount limit — see initAuthorizationSettings).
    String[] amounts = {"50", "200", "50", "10"};
    boolean[] expectedGranted = {true, false, true, true};
    for (int i = 0; i < amounts.length; i++) {
        parameters.put("withdrawal.amount", Arrays.asList(amounts[i]));
        context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
        if (expectedGranted[i]) {
            assertTrue(context.isGranted());
        } else {
            assertFalse(context.isGranted());
        }
    }
}
 
Example 16
Source File: PolicyEnforcerClaimsTest.java — from keycloak, Apache License 2.0
@Test
public void testEnforceEntitlementAccessWithClaimsWithBearerTokenFromPublicClient() {
    initAuthorizationSettings(getClientResource("resource-server-test"));

    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-entitlement-claims-test.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();
    HashMap<String, List<String>> headers = new HashMap<>();
    HashMap<String, List<String>> parameters = new HashMap<>();

    // Unlike the AuthzClient variants, the token here comes from a public client's
    // authorization-code flow.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String token = tokenResponse.getAccessToken();

    headers.put("Authorization", Arrays.asList("Bearer " + token));

    final String withdrawalPath = "/api/bank/account/1/withdrawal";

    // No "withdrawal.amount" parameter at all: denied.
    AuthorizationContext context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
    assertFalse(context.isGranted());

    // The amount is a caller-supplied request parameter; the grant/deny outcome per value is
    // decided by the server-side policy (presumably an amount limit — see initAuthorizationSettings).
    String[] amounts = {"50", "200", "50", "10"};
    boolean[] expectedGranted = {true, false, true, true};
    for (int i = 0; i < amounts.length; i++) {
        parameters.put("withdrawal.amount", Arrays.asList(amounts[i]));
        context = enforcer.enforce(createHttpFacade(withdrawalPath, token, headers, parameters));
        if (expectedGranted[i]) {
            assertTrue(context.isGranted());
        } else {
            assertFalse(context.isGranted());
        }
    }
}