keycloak-admin 1.1.1 → 1.1.3

data/spec/client/group_client_spec.rb

@@ -22,6 +22,35 @@ RSpec.describe KeycloakAdmin::GroupClient do
     end
   end
 
+  describe "#get" do
+    let(:realm_name) { "valid-realm" }
+
+    before(:each) do
+      @group_client = KeycloakAdmin.realm(realm_name).groups
+
+      stub_token_client
+      allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '{"id":"test_group_id","name":"test_group_name"}'
+    end
+
+    it "get a group" do
+      group = @group_client.get("test_group_id")
+      expect(group.id).to eq "test_group_id"
+      expect(group.name).to eq "test_group_name"
+    end
+
+    it "passes rest client options" do
+      rest_client_options = {timeout: 10}
+      allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
+
+      expect(RestClient::Resource).to receive(:new).with(
+        "http://auth.service.io/auth/admin/realms/valid-realm/groups/test_group_id", rest_client_options).and_call_original
+
+      group = @group_client.get("test_group_id")
+      expect(group.id).to eq "test_group_id"
+      expect(group.name).to eq "test_group_name"
+    end
+  end
+
   describe "#list" do
     let(:realm_name) { "valid-realm" }
 
@@ -39,7 +68,7 @@ RSpec.describe KeycloakAdmin::GroupClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -51,35 +80,102 @@ RSpec.describe KeycloakAdmin::GroupClient do
     end
   end
 
-  describe "#save" do
+
+  describe "#children" do
     let(:realm_name) { "valid-realm" }
-    let(:group) { KeycloakAdmin::GroupRepresentation.from_hash(
-      "name" => "test_group_name"
-    )}
 
     before(:each) do
       @group_client = KeycloakAdmin.realm(realm_name).groups
 
       stub_token_client
-      response = double
-      allow(response).to receive(:headers).and_return(
-        { location: 'http://auth.service.io/auth/admin/realms/valid-realm/groups/be061c48-6edd-4783-a726-1a57d4bfa22b' }
-      )
-      expect_any_instance_of(RestClient::Resource).to receive(:post).with(group.to_json, anything).and_return response
+      allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"id":"test_group_id","name":"test_group_name"}]'
     end
 
-    it "saves a group" do
-      @group_client.save(group)
+    it "lists children groups" do
+      groups = @group_client.children("parent_group_id")
+      expect(groups.length).to eq 1
+      expect(groups[0].name).to eq "test_group_name"
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
-        "http://auth.service.io/auth/admin/realms/valid-realm/groups", rest_client_options).and_call_original
+        "http://auth.service.io/auth/admin/realms/valid-realm/groups/parent_group_id/children", rest_client_options).and_call_original
 
-      @group_client.save(group)
+      groups = @group_client.children("parent_group_id")
+      expect(groups.length).to eq 1
+      expect(groups[0].name).to eq "test_group_name"
+    end
+  end
+
+  describe "#save" do
+    let(:realm_name) { "valid-realm" }
+
+    before(:each) do
+      @group_client = KeycloakAdmin.realm(realm_name).groups
+
+      stub_token_client
+    end
+
+    context "when the group does not exist" do
+      let(:group) { KeycloakAdmin::GroupRepresentation.from_hash(
+        "name" => "test_group_name"
+      )}
+
+      before do
+        response = double
+        allow(response).to receive(:headers).and_return(
+          { location: 'http://auth.service.io/auth/admin/realms/valid-realm/groups/be061c48-6edd-4783-a726-1a57d4bfa22b' }
+        )
+
+        expect_any_instance_of(RestClient::Resource).to receive(:post).with(group.to_json, anything).and_return response
+      end
+
+      it "saves a group" do
+        @group_client.save(group)
+      end
+
+      it "passes rest client options" do
+        rest_client_options = {timeout: 10}
+        allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
+
+        expect(RestClient::Resource).to receive(:new).with(
+          "http://auth.service.io/auth/admin/realms/valid-realm/groups", rest_client_options).and_call_original
+
+        @group_client.save(group)
+      end
+    end
+
+    context "when the group already exists" do
+      let(:group) { KeycloakAdmin::GroupRepresentation.from_hash(
+        "id" => "test_group_id",
+        "name" => "test_group_name"
+      )}
+
+      before do
+        response = double
+        allow(response).to receive(:headers).and_return(
+          { location: 'http://auth.service.io/auth/admin/realms/valid-realm/groups/be061c48-6edd-4783-a726-1a57d4bfa22b' }
+        )
+
+        expect_any_instance_of(RestClient::Resource).to receive(:put).with(group.to_json, anything).and_return response
+      end
+
+      it "saves a group" do
+        @group_client.save(group)
+      end
+
+      it "passes rest client options" do
+        rest_client_options = {timeout: 10}
+        allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
+
+        expect(RestClient::Resource).to receive(:new).with(
+          "http://auth.service.io/auth/admin/realms/valid-realm/groups/test_group_id", rest_client_options).and_call_original
+
+        @group_client.save(group)
+      end
     end
   end
 
@@ -133,4 +229,30 @@ RSpec.describe KeycloakAdmin::GroupClient do
       expect(group_id).to eq '7686af34-204c-4515-8122-78d19febbf6e'
     end
   end
+
+  describe "#delete" do
+    let(:realm_name) { "valid-realm" }
+
+    before(:each) do
+      @group_client = KeycloakAdmin.realm(realm_name).groups
+
+      stub_token_client
+      allow_any_instance_of(RestClient::Resource).to receive(:delete).and_return ''
+    end
+
+    it "deletes a group" do
+      result = @group_client.delete("test_group_id")
+      expect(result).to be(true)
+    end
+
+    it "raises a delete error" do
+      rest_client_options = {timeout: 10}
+      allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
+
+      expect(RestClient::Resource).to receive(:new).with(
+        "http://auth.service.io/auth/admin/realms/valid-realm/groups/test_group_id", rest_client_options).and_raise("error")
+
+      expect { @group_client.delete("test_group_id") }.to raise_error("error")
+    end
+  end
 end

data/spec/client/identity_provider_client_spec.rb

@@ -78,7 +78,7 @@ RSpec.describe KeycloakAdmin::IdentityProviderClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(

data/spec/client/realm_client_spec.rb

@@ -60,7 +60,7 @@ RSpec.describe KeycloakAdmin::RealmClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -87,7 +87,7 @@ RSpec.describe KeycloakAdmin::RealmClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -117,7 +117,7 @@ RSpec.describe KeycloakAdmin::RealmClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -143,7 +143,7 @@ RSpec.describe KeycloakAdmin::RealmClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(

data/spec/client/role_client_spec.rb

@@ -1,24 +1,20 @@
 RSpec.describe KeycloakAdmin::RoleClient do
   describe "#roles_url" do
     let(:realm_name) { "valid-realm" }
-    let(:role_id)    { nil }
 
-    before(:each) do
-      @built_url = KeycloakAdmin.realm(realm_name).roles.roles_url(role_id)
+    it "return a proper url without role id" do
+      @built_url = KeycloakAdmin.realm(realm_name).roles.roles_url
+      expect(@built_url).to eq "http://auth.service.io/auth/admin/realms/valid-realm/roles"
     end
+  end
 
-    context "when role_id is not defined" do
-      let(:role_id) { nil }
-      it "return a proper url without role id" do
-        expect(@built_url).to eq "http://auth.service.io/auth/admin/realms/valid-realm/roles"
-      end
-    end
+  describe "#role_id_url" do
+    let(:realm_name) { "valid-realm" }
+    let(:role_id) { "95985b21-d884-4bbd-b852-cb8cd365afc2" }
 
-    context "when role_id is defined" do
-      let(:role_id) { "95985b21-d884-4bbd-b852-cb8cd365afc2" }
-      it "return a proper url with the role id" do
-        expect(@built_url).to eq "http://auth.service.io/auth/admin/realms/valid-realm/roles/95985b21-d884-4bbd-b852-cb8cd365afc2"
-      end
+    it "return a proper url with the role id" do
+      @built_url = KeycloakAdmin.realm(realm_name).roles.role_id_url(role_id)
+      expect(@built_url).to eq "http://auth.service.io/auth/admin/realms/valid-realm/roles-by-id/95985b21-d884-4bbd-b852-cb8cd365afc2"
     end
   end
 
@@ -39,7 +35,7 @@ RSpec.describe KeycloakAdmin::RoleClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -71,7 +67,7 @@ RSpec.describe KeycloakAdmin::RoleClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(

data/spec/client/role_mapper_client_spec.rb

@@ -56,7 +56,7 @@ RSpec.describe KeycloakAdmin::RoleMapperClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(

data/spec/client/token_client_spec.rb

@@ -49,7 +49,7 @@ RSpec.describe KeycloakAdmin::TokenClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
       stub_post
 

data/spec/client/user_client_spec.rb

@@ -141,7 +141,7 @@ RSpec.describe KeycloakAdmin::TokenClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -167,7 +167,7 @@ RSpec.describe KeycloakAdmin::TokenClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -213,7 +213,7 @@ RSpec.describe KeycloakAdmin::TokenClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -246,7 +246,7 @@ RSpec.describe KeycloakAdmin::TokenClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(
@@ -273,7 +273,7 @@ RSpec.describe KeycloakAdmin::TokenClient do
     end
 
     it "passes rest client options" do
-      rest_client_options = {verify_ssl: OpenSSL::SSL::VERIFY_NONE}
+      rest_client_options = {timeout: 10}
       allow_any_instance_of(KeycloakAdmin::Configuration).to receive(:rest_client_options).and_return rest_client_options
 
       expect(RestClient::Resource).to receive(:new).with(

data/spec/configuration_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe KeycloakAdmin::RealmClient do
   let(:use_service_account) { true }
   let(:username)            { "a" }
   let(:password)            { "b" }
-  let(:rest_client_options) { {verify_ssl: OpenSSL::SSL::VERIFY_NONE} }
+  let(:rest_client_options) { {timeout: 10 } }
 
   before(:each) do
     @configuration                     = KeycloakAdmin::Configuration.new

data/spec/integration/client_authorization_spec.rb

@@ -0,0 +1,95 @@
+RSpec.describe 'ClientAuthorization' do
+
+  before do
+    skip unless ENV["GITHUB_ACTIONS"]
+
+    KeycloakAdmin.configure do |config|
+      config.use_service_account = false
+      config.server_url          = "http://localhost:8080/"
+      config.client_id           = "admin-cli"
+      config.client_realm_name   = "master"
+      config.username            = "admin"
+      config.password            = "admin"
+      config.rest_client_options = { timeout: 5, verify_ssl: false }
+    end
+  end
+
+  after do
+    configure
+  end
+
+  describe "ClientAuthorization Suite" do
+    it do
+      skip unless ENV["GITHUB_ACTIONS"]
+
+      realm_name = "dummy"
+
+      client = KeycloakAdmin.realm(realm_name).clients.find_by_client_id("dummy-client")
+      client.authorization_services_enabled = true
+      KeycloakAdmin.realm(realm_name).clients.update(client)
+
+      expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).list.size).to eql(0)
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).list.size).to eql(1)
+      expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').list.size).to eql(0)
+
+      realm_role =  KeycloakAdmin.realm(realm_name).roles.get("default-roles-dummy")
+
+      scope_1 = KeycloakAdmin.realm(realm_name).authz_scopes(client.id).create!("POST_1", "POST 1 scope", "http://asdas")
+      scope_2 = KeycloakAdmin.realm(realm_name).authz_scopes(client.id).create!("POST_2", "POST 2 scope", "http://asdas")
+      expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).search("POST").first.name).to eql("POST_1")
+      expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).get(scope_1.id).name).to eql("POST_1")
+
+      resource = KeycloakAdmin.realm(realm_name).authz_resources(client.id).create!("Dummy Resource", "type", ["/asdf/*", "/tmp/"], true, "display_name", [], {"a": ["b", "c"]})
+
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).find_by("Dummy Resource", "", "", "", "").first.name).to eql("Dummy Resource")
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).find_by("", "type", "", "", "").first.name).to eql("Dummy Resource")
+
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).scopes.count).to eql(0)
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).uris.count).to eql(2)
+      KeycloakAdmin.realm(realm_name).authz_resources(client.id).update(resource.id,
+                                                                             {
+                                                                               "name": "Dummy Resource",
+                                                                               "type": "type",
+                                                                               "owner_managed_access": true,
+                                                                               "display_name": "display_name",
+                                                                               "attributes": {"a":["b","c"]},
+                                                                               "uris": [ "/asdf/*" , "/tmp/45" ],
+                                                                               "scopes":[
+                                                                                 {name: scope_1.name},{name: scope_2.name}
+                                                                               ],
+                                                                               "icon_uri": "https://icon.ico"
+                                                                             }
+      )
+
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).scopes.count).to eql(2)
+
+      policy = KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').create!("Policy 1", "description", "role", "POSITIVE", "UNANIMOUS", true, [{id: realm_role.id, required: true}])
+      expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').find_by("Policy 1", "role").first.name).to eql("Policy 1")
+      expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').get(policy.id).name).to eql("Policy 1")
+      scope_permission = KeycloakAdmin.realm(realm_name).authz_permissions(client.id, :scope).create!("Dummy Scope Permission", "scope description", "UNANIMOUS", "POSITIVE", [resource.id], [policy.id], [scope_1.id, scope_2.id], "")
+      resource_permission = KeycloakAdmin.realm(realm_name).authz_permissions(client.id, :resource).create!("Dummy Resource Permission", "resource description", "UNANIMOUS", "POSITIVE", [resource.id], [policy.id], nil, "")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "", resource.id).list.size).to eql(2)
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").get(resource_permission.id).name).to eql("Dummy Resource Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id, resource.id).list.size).to eql(2)
+
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'scope').list.size).to eql(3)
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'resource').list.size).to eql(3)
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(resource_permission.name, nil).first.name).to eql("Dummy Resource Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(resource_permission.name, resource.id).first.name).to eql("Dummy Resource Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, resource.id).first.name).to eql("Dummy Scope Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, resource.id, "POST_1").first.name).to eql("Dummy Scope Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(nil, resource.id).first.name).to eql("Dummy Resource Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(nil, resource.id).first.name).to eql("Dummy Scope Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(nil, resource.id, "POST_1").first.name).to eql("Dummy Scope Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, nil).first.name).to eql("Dummy Scope Permission")
+
+      KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'scope').delete(scope_permission.id)
+      KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'resource').delete(resource_permission.id)
+      KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').delete(policy.id)
+      KeycloakAdmin.realm(realm_name).authz_resources(client.id).delete(resource.id)
+      KeycloakAdmin.realm(realm_name).authz_scopes(client.id).delete(scope_1.id)
+      KeycloakAdmin.realm(realm_name).authz_scopes(client.id).delete(scope_2.id)
+
+    end
+  end
+end

data/spec/representation/client_authz_permission_representation_spec.rb

@@ -0,0 +1,52 @@
+RSpec.describe KeycloakAdmin::ClientAuthzPermissionRepresentation do
+  describe '.from_hash, #resource based permission' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash({
+                                        "id" => "e9e3bc49-fe11-4287-b6fc-fa8be4930ffa",
+                                        "resources" => ["4f55e984-d1ec-405c-a25c-1387f88acd5c"],
+                                        "policies" => ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"],
+                                        "name" => "delme policy",
+                                        "description" => "Delme policy description",
+                                        "decisionStrategy" => "UNANIMOUS",
+                                        "resourceType" => ""
+                                      })
+      expect(rep.id).to eq "e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"
+      expect(rep.resources).to eq ["4f55e984-d1ec-405c-a25c-1387f88acd5c"]
+      expect(rep.policies).to eq ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"]
+      expect(rep.name).to eq "delme policy"
+      expect(rep.description).to eq "Delme policy description"
+      expect(rep.decision_strategy).to eq "UNANIMOUS"
+      expect(rep.resource_type).to eq ""
+      expect(rep).to be_a described_class
+    end
+  end
+
+  describe '.from_hash, #scope based permission' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash(
+
+        { "id" => "4d762e5d-bf3d-4641-8f94-97e8a1869d1d",
+          "name" => "permission name",
+          "description" => "permission description",
+          "type" => "scope",
+          "policies" => ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"],
+          "resources" => ["4f55e984-d1ec-405c-a25c-1387f88acd5c"],
+          "scopes" => ["7c4809c5-33b6-4668-a318-19b302214d20"],
+          "logic" => "POSITIVE",
+          "decisionStrategy" => "UNANIMOUS"
+        })
+      expect(rep.id).to eq "4d762e5d-bf3d-4641-8f94-97e8a1869d1d"
+      expect(rep.resources).to eq ["4f55e984-d1ec-405c-a25c-1387f88acd5c"]
+      expect(rep.policies).to eq ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"]
+      expect(rep.scopes).to eq ["7c4809c5-33b6-4668-a318-19b302214d20"]
+      expect(rep.name).to eq "permission name"
+      expect(rep.description).to eq "permission description"
+      expect(rep.decision_strategy).to eq "UNANIMOUS"
+      expect(rep.logic).to eq "POSITIVE"
+      expect(rep.type).to eq "scope"
+      expect(rep.resource_type).to eq nil
+      expect(rep).to be_a described_class
+    end
+  end
+
+end

data/spec/representation/client_authz_policy_representation_spec.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakAdmin::ClientAuthzPolicyRepresentation do
+  let(:realm_name) { "valid-realm" }
+  let(:client_id) { "valid-client-id" }
+  let(:policy_id) { "valid-policy-id" }
+  let(:role_id) { "valid-role-id" }
+  let(:role_name) { "valid-role-name" }
+  let(:policy_name) { "valid-policy-name" }
+  let(:policy_description) { "valid-policy-description" }
+  let(:policy_type) { "role" }
+  let(:policy_logic) { "POSITIVE" }
+  let(:policy_decision_strategy) { "UNANIMOUS" }
+  let(:policy) do
+    {
+      "id": policy_id,
+      "name": policy_name,
+      "description": policy_description,
+      "type": policy_type,
+      "logic": policy_logic,
+      "decisionStrategy": policy_decision_strategy,
+      "roles": [{ "id": role_id, "required": true }]
+    }
+  end
+  let(:client_authz_policy) { KeycloakAdmin.realm(realm_name).authz_policies(client_id, 'role') }
+
+  before(:each) do
+    stub_token_client
+  end
+
+  describe "#create!" do
+    before(:each) do
+      allow_any_instance_of(RestClient::Resource).to receive(:post).and_return policy.to_json
+    end
+
+    it "returns created authz policy" do
+      response = client_authz_policy.create!(policy_name, policy_description, policy_type, policy_logic, policy_decision_strategy, true, [{ id: role_id, required: true }])
+      expect(response.id).to eq policy_id
+      expect(response.name).to eq policy_name
+      expect(response.description).to eq policy_description
+      expect(response.type).to eq policy_type
+      expect(response.logic).to eq policy_logic
+      expect(response.decision_strategy).to eq policy_decision_strategy
+      expect(response.roles).to eq [{ "id" => role_id, "required" => true }]
+    end
+  end
+end

data/spec/representation/client_authz_resource_representation_spec.rb

@@ -0,0 +1,33 @@
+RSpec.describe KeycloakAdmin::ClientAuthzResourceRepresentation do
+  describe '.from_hash' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash({
+                                        "name" => "Default Resource",
+                                        "type" => "urn:delme-client-id:resources:default",
+                                        "owner" => {
+                                          "id" => "d259b451-371b-432a-a526-3508f3a36f3b",
+                                          "name" => "delme-client-id"
+                                        },
+                                        "ownerManagedAccess" => true,
+                                        "displayName" => "Display Name",
+                                        "attributes" => { "a" => ["b"]},
+                                        "_id" => "385966a2-14b9-4cc4-9539-5f2fe1008222",
+                                        "uris" => ["/*"],
+                                        "scopes" => [{"id"=>"c0779ce3-0900-4ea3-b1d6-b23e1f19c662",
+                                                    "name" => "GET",
+                                                    "iconUri" => "http=>//asdfasdf"}],
+                                        "icon_uri" => "http://icon"
+                                      })
+      expect(rep.id).to eq "385966a2-14b9-4cc4-9539-5f2fe1008222"
+      expect(rep.name).to eq "Default Resource"
+      expect(rep.type).to eq "urn:delme-client-id:resources:default"
+      expect(rep.uris).to eq ["/*"]
+      expect(rep.owner_managed_access).to eq true
+      expect(rep.attributes).to eq({ :"a" => ["b"]})
+      expect(rep.display_name).to eq "Display Name"
+      expect(rep.scopes[0].id).to eq "c0779ce3-0900-4ea3-b1d6-b23e1f19c662"
+      expect(rep.scopes[0].name).to eq "GET"
+      expect(rep).to be_a described_class
+    end
+  end
+end

data/spec/representation/client_authz_scope_representation_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakAdmin::ClientAuthzScopeRepresentation do
+  describe '.from_hash' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash({
+                                        "id" =>"c0779ce3-0900-4ea3-b1d6-b23e1f19c662",
+                                        "name" => "GET",
+                                        "iconUri" => "http://asdfasdf/image.png",
+                                        "displayName" => "GET authz scope"
+                                      })
+      expect(rep.id).to eq "c0779ce3-0900-4ea3-b1d6-b23e1f19c662"
+      expect(rep.name).to eq "GET"
+      expect(rep.icon_uri).to eq "http://asdfasdf/image.png"
+      expect(rep.display_name).to eq "GET authz scope"
+      expect(rep).to be_a described_class
+    end
+  end
+end

data/spec/representation/group_representation_spec.rb

@@ -4,10 +4,17 @@ RSpec.describe KeycloakAdmin::GroupRepresentation do
     it "parses the sub groups into group representations" do
       group = described_class.from_hash({
         "name" => "group a",
+        "attributes" => {
+          "key" => ["value"]
+        },
+        "subGroupCount" => 1,
         "subGroups" => [{
           "name" => "subgroup b"
         }]
       })
+
+      expect(group.attributes).to eq(key: ["value"])
+      expect(group.sub_group_count).to eq 1
       expect(group.sub_groups.length).to eq 1
       expect(group.sub_groups.first).to be_a described_class
     end