Java Code Examples for org.keycloak.adapters.KeycloakDeployment#getPolicyEnforcer()
The following examples show how to use
org.keycloak.adapters.KeycloakDeployment#getPolicyEnforcer() .
Example 1
Source File: EnforcerConfigTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Loads {@code enforcer-config-path-cip.json} from the classpath and checks that the single
 * configured path carries one claim information point, {@code claims}, with three claim templates.
 *
 * <p>The templates read a request parameter, a request header and a cookie. All three are
 * supplied by the HTTP client, so any policy that consumes these claims is evaluating
 * caller-controlled input.
 */
@Test
public void testPathConfigClaimInformationPoint() {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getClass().getResourceAsStream("/authorization-test/enforcer-config-path-cip.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    // Exactly one path is expected in this configuration file.
    Map<String, PolicyEnforcerConfig.PathConfig> configuredPaths = enforcer.getPaths();
    assertEquals(1, configuredPaths.size());

    PathConfig onlyPath = configuredPaths.values().iterator().next();
    Map<String, Map<String, Object>> claimInformationPoints = onlyPath.getClaimInformationPointConfig();
    assertEquals(1, claimInformationPoints.size());

    // The templates are compared as raw strings; nothing is resolved against a request here.
    Map<String, Object> claimTemplates = claimInformationPoints.get("claims");
    assertNotNull(claimTemplates);
    assertEquals(3, claimTemplates.size());
    assertEquals("{request.parameter['a']}", claimTemplates.get("claim-a"));
    assertEquals("{request.header['b']}", claimTemplates.get("claim-b"));
    assertEquals("{request.cookie['c']}", claimTemplates.get("claim-c"));
}
Example 2
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 6 votes |
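/**
 * Enforces {@code /api/resourcea} with a bearer token under the
 * {@code enforcer-bearer-only-with-cip.json} configuration and checks that the granted
 * permission carries the claim {@code resolved-claim} with the value {@code test}.
 */
@Test
public void testCustomClaimProvider() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();

    // Obtain an access token through the authorization-code flow of the public test client.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();

    OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea", token);
    AuthorizationContext context = policyEnforcer.enforce(httpFacade);

    // Check the decision before indexing into the permission list: a denied request should
    // fail on this assertion rather than on get(0) below.
    assertTrue(context.isGranted());

    Permission permission = context.getPermissions().get(0);
    Map<String, Set<String>> claims = permission.getClaims();
    assertEquals("test", claims.get("resolved-claim").iterator().next());
}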
Example 3
Source File: EnforcerConfigTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Loads {@code enforcer-config-paths-same-name.json} and checks that the enforcer exposes a
 * single path entry holding four method configurations.
 */
@Test
public void testMultiplePathsWithSameName() {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getClass().getResourceAsStream("/authorization-test/enforcer-config-paths-same-name.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    Map<String, PolicyEnforcerConfig.PathConfig> configuredPaths = enforcer.getPaths();

    // One entry for the shared path name, four methods attached to it.
    assertEquals(1, configuredPaths.size());
    assertEquals(4, configuredPaths.values().iterator().next().getMethods().size());
}
Example 4
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Exercises the {@code enforcer-bearer-only.json} configuration: a request without a token is
 * denied with 403, the same path is granted once a token is presented, and a second path
 * requested without a token is again denied with 403.
 */
@Test
public void testBearerOnlyClientResponse() {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    // 1. No token on /api/resourcea: denied, status 403.
    OIDCHttpFacade anonymousRequestA = createHttpFacade("/api/resourcea");
    AuthorizationContext anonymousDecisionA = enforcer.enforce(anonymousRequestA);
    assertFalse(anonymousDecisionA.isGranted());
    assertEquals(403, TestResponse.class.cast(anonymousRequestA.getResponse()).getStatus());

    // 2. Log in through the public test client and retry the same path with the access token.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    OIDCHttpFacade authenticatedRequestA = createHttpFacade("/api/resourcea", accessToken);
    assertTrue(enforcer.enforce(authenticatedRequestA).isGranted());

    // 3. No token on /api/resourceb: denied, status 403.
    OIDCHttpFacade anonymousRequestB = createHttpFacade("/api/resourceb");
    AuthorizationContext anonymousDecisionB = enforcer.enforce(anonymousRequestB);
    assertFalse(anonymousDecisionB.isGranted());
    assertEquals(403, TestResponse.class.cast(anonymousRequestB.getResponse()).getStatus());
}
Example 5
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Exercises the {@code enforcer-paths.json} configuration: {@code /api/resourcea} is denied
 * with 403 without a token and granted with one, while {@code /} is granted without a token.
 */
@Test
public void testPathConfigurationPrecendenceWhenLazyLoadingPaths() {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-paths.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    // Without a token the protected path is denied with 403.
    OIDCHttpFacade anonymousProtected = createHttpFacade("/api/resourcea");
    AuthorizationContext anonymousDecision = enforcer.enforce(anonymousProtected);
    assertFalse(anonymousDecision.isGranted());
    assertEquals(403, TestResponse.class.cast(anonymousProtected.getResponse()).getStatus());

    // Same path with an access token from the public test client: granted.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    OIDCHttpFacade authenticatedProtected = createHttpFacade("/api/resourcea", accessToken);
    assertTrue(enforcer.enforce(authenticatedProtected).isGranted());

    // The root path is requested without a token and is expected to be granted.
    OIDCHttpFacade anonymousRoot = createHttpFacade("/");
    assertTrue(enforcer.enforce(anonymousRoot).isGranted());
}
Example 6
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
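/**
 * Enforces {@code /api/resourcea} with a bearer token and a value function that fails the test
 * if it is invoked more than once, then checks the claims attached to the granted permission:
 * {@code claim-a} must be {@code value-claim-a} and {@code claim-b} must be {@code claim-b}.
 */
@Test
public void testResolvingClaimsOnce() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();

    // Obtain an access token through the authorization-code flow of the public test client.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();

    OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea", token, new Function<String, String>() {
        // Flips to true on the first call; a second call fails the compareAndSet assertion.
        private final AtomicBoolean resolved = new AtomicBoolean();

        @Override
        public String apply(String s) {
            Assert.assertTrue(resolved.compareAndSet(false, true));
            return "value-" + s;
        }
    });

    AuthorizationContext context = policyEnforcer.enforce(httpFacade);

    // Check the decision before indexing into the permission list: a denied request should
    // fail on this assertion rather than on get(0) below.
    assertTrue(context.isGranted());

    Permission permission = context.getPermissions().get(0);
    Map<String, Set<String>> claims = permission.getClaims();
    assertEquals("value-claim-a", claims.get("claim-a").iterator().next());
    assertEquals("claim-b", claims.get("claim-b").iterator().next());
}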
Example 7
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Under {@code enforcer-on-deny-redirect.json}, a request without a token to
 * {@code /api/resourcea} must be denied with a 302 whose first {@code Location} value is
 * {@code /accessDenied}.
 */
@Test
public void testOnDenyRedirectTo() {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-on-deny-redirect.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    OIDCHttpFacade anonymousRequest = createHttpFacade("/api/resourcea");
    AuthorizationContext decision = enforcer.enforce(anonymousRequest);
    assertFalse(decision.isGranted());

    TestResponse denied = TestResponse.class.cast(anonymousRequest.getResponse());
    assertEquals(302, denied.getStatus());

    // A missing header yields an empty list, so the check fails on isEmpty() instead of on get(0).
    List<String> redirectTargets = denied.getHeaders().getOrDefault("Location", Collections.emptyList());
    assertFalse(redirectTargets.isEmpty());
    assertEquals("/accessDenied", redirectTargets.get(0));
}
Example 8
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Under {@code enforcer-bearer-only.json}, a request without a token to the path
 * {@code /api/unmmaped} must be denied with status 403.
 */
@Test
public void testNotAuthenticatedDenyUnmapedPath() {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    OIDCHttpFacade anonymousRequest = createHttpFacade("/api/unmmaped");
    AuthorizationContext decision = enforcer.enforce(anonymousRequest);

    assertFalse(decision.isGranted());
    assertEquals(403, TestResponse.class.cast(anonymousRequest.getResponse()).getStatus());
}
Example 9
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Exercises {@code enforcer-disabled-enforce-mode-path.json}: {@code /api/resource/public} is
 * granted with and without a token, {@code /api/resourceb} is denied with 403 in both cases,
 * and {@code /api/resourcea} is granted with a token.
 */
@Test
public void testMappedPathEnforcementModeDisabled() {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    // Without a token: the public path is granted.
    OIDCHttpFacade anonymousPublic = createHttpFacade("/api/resource/public");
    assertTrue(enforcer.enforce(anonymousPublic).isGranted());

    // Without a token: /api/resourceb is denied with 403.
    OIDCHttpFacade anonymousB = createHttpFacade("/api/resourceb");
    assertFalse(enforcer.enforce(anonymousB).isGranted());
    TestResponse anonymousBResponse = TestResponse.class.cast(anonymousB.getResponse());
    assertEquals(403, anonymousBResponse.getStatus());

    // Obtain an access token through the public test client.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    String accessToken = oauth.doAccessTokenRequest(authorizationCode, null).getAccessToken();

    // With the token: /api/resourcea is granted.
    OIDCHttpFacade authenticatedA = createHttpFacade("/api/resourcea", accessToken);
    assertTrue(enforcer.enforce(authenticatedA).isGranted());

    // With the token: /api/resourceb is still denied with 403.
    OIDCHttpFacade authenticatedB = createHttpFacade("/api/resourceb", accessToken);
    assertFalse(enforcer.enforce(authenticatedB).isGranted());
    TestResponse authenticatedBResponse = TestResponse.class.cast(authenticatedB.getResponse());
    assertEquals(403, authenticatedBResponse.getStatus());

    // With the token: the public path stays granted.
    OIDCHttpFacade authenticatedPublic = createHttpFacade("/api/resource/public", accessToken);
    assertTrue(enforcer.enforce(authenticatedPublic).isGranted());
}
Example 10
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Under {@code enforcer-disabled-enforce-mode.json}, enforcing a request without a token to
 * {@code /api/resource/public} must leave status 401 on the response.
 *
 * <p>Only the response status is asserted; the context returned by {@code enforce} is not
 * inspected.
 */
@Test
public void testEnforcementModeDisabled() {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-disabled-enforce-mode.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    OIDCHttpFacade anonymousRequest = createHttpFacade("/api/resource/public");
    enforcer.enforce(anonymousRequest);

    TestResponse unauthenticated = TestResponse.class.cast(anonymousRequest.getResponse());
    assertEquals(401, unauthenticated.getStatus());
}
Example 11
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Registers a resource for {@code /api/check-subject-token} guarded by "Only User Policy",
 * then checks that the path is denied with 403 without a token and granted with the access
 * token obtained through the public test client.
 */
@Test
public void testUsingSubjectToken() {
    // Create the protected resource and its permission on the resource server client.
    ClientResource resourceServer = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation protectedResource =
            createResource(resourceServer, "Resource Subject Token", "/api/check-subject-token");

    ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
    resourcePermission.setName(protectedResource.getName() + " Permission");
    resourcePermission.addResource(protectedResource.getName());
    resourcePermission.addPolicy("Only User Policy");

    PermissionsResource permissionsApi = resourceServer.authorization().permissions();
    permissionsApi.resource().create(resourcePermission).close();

    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    // Without a token the new resource is denied with 403.
    OIDCHttpFacade anonymousRequest = createHttpFacade("/api/check-subject-token");
    AuthorizationContext anonymousDecision = enforcer.enforce(anonymousRequest);
    assertFalse(anonymousDecision.isGranted());
    assertEquals(403, TestResponse.class.cast(anonymousRequest.getResponse()).getStatus());

    // With the access token the same path is granted.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    OIDCHttpFacade authenticatedRequest = createHttpFacade("/api/check-subject-token", accessToken);
    assertTrue(enforcer.enforce(authenticatedRequest).isGranted());
}
Example 12
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Registers a resource for {@code /api/check-subject-token}, confirms that a request carrying
 * a fresh access token is granted, logs the session out with the refresh token, and then
 * confirms that enforcing the very same request is no longer granted.
 */
@Test
public void testUsingInvalidToken() {
    // Create the protected resource and its permission on the resource server client.
    ClientResource resourceServer = getClientResource(RESOURCE_SERVER_CLIENT_ID);
    ResourceRepresentation protectedResource =
            createResource(resourceServer, "Resource Subject Invalid Token", "/api/check-subject-token");

    ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
    resourcePermission.setName(protectedResource.getName() + " Permission");
    resourcePermission.addResource(protectedResource.getName());
    resourcePermission.addPolicy("Only User Policy");

    PermissionsResource permissionsApi = resourceServer.authorization().permissions();
    permissionsApi.resource().create(resourcePermission).close();

    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-bearer-only.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();

    // NOTE(review): this token-less facade is replaced below before it is ever enforced.
    OIDCHttpFacade request = createHttpFacade("/api/check-subject-token");

    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String accessToken = tokenResponse.getAccessToken();

    // While the session is live, the token is accepted.
    request = createHttpFacade("/api/check-subject-token", accessToken);
    AuthorizationContext decision = enforcer.enforce(request);
    assertTrue(decision.isGranted());

    // After logout the same facade, still carrying the old access token, must be rejected.
    oauth.doLogout(tokenResponse.getRefreshToken(), null);
    decision = enforcer.enforce(request);
    assertFalse(decision.isGranted());
}
Example 13
Source File: ClaimInformationPointProviderTest.java From keycloak with Apache License 2.0 | 4 votes |
/**
 * Builds a deployment from {@code enforcer-config-claims-provider.json} and creates the claim
 * information point provider registered under {@code providerName}, configured with the
 * settings that {@code path} declares for that provider.
 *
 * @param path key of the path configuration to read the provider settings from
 * @param providerName name of the provider factory and of its entry in the path's
 *     claim information point configuration
 * @return the provider created by the matching factory
 */
private ClaimInformationPointProvider getClaimInformationProviderForPath(String path, String providerName) {
    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getClass().getResourceAsStream("/authorization-test/enforcer-config-claims-provider.json"));
    // NOTE(review): the HTTP client created here is not closed anywhere in this helper.
    keycloakDeployment.setClient(HttpClients.createDefault());

    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();
    Map<String, ClaimInformationPointProviderFactory> factoriesByName =
            enforcer.getClaimInformationPointProviderFactories();

    // Fail fast, with an assertion, when the path, its configuration or the factory is absent.
    PathConfig requestedPath = enforcer.getPaths().get(path);
    assertNotNull(requestedPath);

    Map<String, Map<String, Object>> claimInformationPoints = requestedPath.getClaimInformationPointConfig();
    assertNotNull(claimInformationPoints);

    ClaimInformationPointProviderFactory providerFactory = factoriesByName.get(providerName);
    assertNotNull(providerFactory);

    return providerFactory.create(claimInformationPoints.get(providerName));
}
Example 14
Source File: PolicyEnforcerClaimsTest.java From keycloak with Apache License 2.0 | 4 votes |
/**
 * Enforces {@code /api/bank/account/1/withdrawal} with an empty header map while varying the
 * {@code withdrawal.amount} request parameter: absent and 200 are denied, 50 and 10 are
 * granted, and a granted decision carries the submitted amount as a permission claim.
 *
 * <p>The amount comes from the request parameters, so it is chosen by the caller; the decision
 * only covers the value that was submitted with the enforced request.
 */
@Test
public void testEnforceEntitlementAccessWithClaimsWithoutBearerToken() {
    initAuthorizationSettings(getClientResource("resource-server-test"));

    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-entitlement-claims-test.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();
    HashMap<String, List<String>> headers = new HashMap<>();
    HashMap<String, List<String>> parameters = new HashMap<>();

    AuthzClient authzClient = getAuthzClient("enforcer-entitlement-claims-test.json");
    String token = authzClient.obtainAccessToken("marta", "password").getToken();

    // No amount supplied: denied.
    AuthorizationContext decision =
            enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertFalse(decision.isGranted());

    // Amount 50: granted, with exactly one permission echoing the submitted amount.
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());
    assertEquals(1, decision.getPermissions().size());
    Permission firstGrant = decision.getPermissions().get(0);
    assertEquals(parameters.get("withdrawal.amount").get(0),
            firstGrant.getClaims().get("withdrawal.amount").iterator().next());

    // Amount 200: denied.
    parameters.put("withdrawal.amount", Arrays.asList("200"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertFalse(decision.isGranted());

    // Back to 50: granted again.
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());

    // Amount 10: granted, and the claim reflects the new amount.
    parameters.put("withdrawal.amount", Arrays.asList("10"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());
    assertEquals(1, decision.getPermissions().size());
    Permission lastGrant = decision.getPermissions().get(0);
    assertEquals(parameters.get("withdrawal.amount").get(0),
            lastGrant.getClaims().get("withdrawal.amount").iterator().next());
}
Example 15
Source File: PolicyEnforcerClaimsTest.java From keycloak with Apache License 2.0 | 3 votes |
/**
 * Enforces {@code /api/bank/account/1/withdrawal} with an {@code Authorization: Bearer} header
 * built from a token obtained through the authorization client, while varying the
 * {@code withdrawal.amount} request parameter: absent and 200 are denied, 50 and 10 are granted.
 *
 * <p>The amount comes from the request parameters, so it is chosen by the caller.
 */
@Test
public void testEnforceEntitlementAccessWithClaimsWithBearerToken() {
    initAuthorizationSettings(getClientResource("resource-server-test"));

    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-entitlement-claims-test.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();
    HashMap<String, List<String>> headers = new HashMap<>();
    HashMap<String, List<String>> parameters = new HashMap<>();

    AuthzClient authzClient = getAuthzClient("enforcer-entitlement-claims-test.json");
    String token = authzClient.obtainAccessToken("marta", "password").getToken();
    headers.put("Authorization", Arrays.asList("Bearer " + token));

    // No amount supplied: denied.
    AuthorizationContext decision =
            enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertFalse(decision.isGranted());

    // Amount 50: granted.
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());

    // Amount 200: denied.
    parameters.put("withdrawal.amount", Arrays.asList("200"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertFalse(decision.isGranted());

    // Back to 50: granted again.
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());

    // Amount 10: granted.
    parameters.put("withdrawal.amount", Arrays.asList("10"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());
}
Example 16
Source File: PolicyEnforcerClaimsTest.java From keycloak with Apache License 2.0 | 2 votes |
/**
 * Enforces {@code /api/bank/account/1/withdrawal} with an {@code Authorization: Bearer} header
 * built from a token issued to {@code public-client-test}, while varying the
 * {@code withdrawal.amount} request parameter: absent and 200 are denied, 50 and 10 are granted.
 *
 * <p>The amount comes from the request parameters, so it is chosen by the caller.
 */
@Test
public void testEnforceEntitlementAccessWithClaimsWithBearerTokenFromPublicClient() {
    initAuthorizationSettings(getClientResource("resource-server-test"));

    KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(
            getAdapterConfiguration("enforcer-entitlement-claims-test.json"));
    PolicyEnforcer enforcer = keycloakDeployment.getPolicyEnforcer();
    HashMap<String, List<String>> headers = new HashMap<>();
    HashMap<String, List<String>> parameters = new HashMap<>();

    // Obtain the access token through the authorization-code flow of the public test client.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authorizationCode, null);
    String token = tokenResponse.getAccessToken();
    headers.put("Authorization", Arrays.asList("Bearer " + token));

    // No amount supplied: denied.
    AuthorizationContext decision =
            enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertFalse(decision.isGranted());

    // Amount 50: granted.
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());

    // Amount 200: denied.
    parameters.put("withdrawal.amount", Arrays.asList("200"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertFalse(decision.isGranted());

    // Back to 50: granted again.
    parameters.put("withdrawal.amount", Arrays.asList("50"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());

    // Amount 10: granted.
    parameters.put("withdrawal.amount", Arrays.asList("10"));
    decision = enforcer.enforce(createHttpFacade("/api/bank/account/1/withdrawal", token, headers, parameters));
    assertTrue(decision.isGranted());
}