keycloak-admin 1.1.2 → 1.1.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/Dockerfile +24 -0
- data/.github/workflows/ci.yml +83 -0
- data/CHANGELOG.md +5 -0
- data/Gemfile.lock +3 -3
- data/README.md +267 -1
- data/lib/keycloak-admin/client/client_authz_permission_client.rb +81 -0
- data/lib/keycloak-admin/client/client_authz_policy_client.rb +76 -0
- data/lib/keycloak-admin/client/client_authz_resource_client.rb +93 -0
- data/lib/keycloak-admin/client/client_authz_scope_client.rb +71 -0
- data/lib/keycloak-admin/client/realm_client.rb +16 -0
- data/lib/keycloak-admin/representation/client_authz_permission_representation.rb +34 -0
- data/lib/keycloak-admin/representation/client_authz_policy_config_representation.rb +15 -0
- data/lib/keycloak-admin/representation/client_authz_policy_representation.rb +27 -0
- data/lib/keycloak-admin/representation/client_authz_resource_representation.rb +26 -0
- data/lib/keycloak-admin/representation/client_authz_scope_representation.rb +17 -0
- data/lib/keycloak-admin/version.rb +1 -1
- data/lib/keycloak-admin.rb +9 -0
- data/spec/client/client_authz_permission_client_spec.rb +170 -0
- data/spec/client/client_authz_policy_client_spec.rb +170 -0
- data/spec/client/client_authz_resource_client_spec.rb +150 -0
- data/spec/client/client_authz_scope_client_spec.rb +134 -0
- data/spec/integration/client_authorization_spec.rb +95 -0
- data/spec/representation/client_authz_permission_representation_spec.rb +52 -0
- data/spec/representation/client_authz_policy_representation_spec.rb +47 -0
- data/spec/representation/client_authz_resource_representation_spec.rb +33 -0
- data/spec/representation/client_authz_scope_representation_spec.rb +19 -0
- metadata +23 -3
@@ -0,0 +1,170 @@
|
|
1
|
+
RSpec.describe KeycloakAdmin::ClientAuthzPolicyClient do
|
2
|
+
|
3
|
+
describe '#initialize' do
|
4
|
+
let(:realm_name) { nil }
|
5
|
+
let(:type) { :role }
|
6
|
+
before(:each) do
|
7
|
+
@realm = KeycloakAdmin.realm(realm_name)
|
8
|
+
end
|
9
|
+
|
10
|
+
context "when realm_name is defined" do
|
11
|
+
let(:realm_name) { "master" }
|
12
|
+
it "does not raise any error" do
|
13
|
+
expect {
|
14
|
+
@realm.authz_policies("", type)
|
15
|
+
}.to_not raise_error
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
context "when realm_name is not defined" do
|
20
|
+
let(:realm_name) { nil }
|
21
|
+
it "raises any error" do
|
22
|
+
expect {
|
23
|
+
@realm.authz_policies("", type)
|
24
|
+
}.to raise_error(ArgumentError)
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
context "when type is bad value" do
|
29
|
+
let(:realm_name) { "master" }
|
30
|
+
let(:type) { "bad-type" }
|
31
|
+
it "does not raise any error" do
|
32
|
+
expect {
|
33
|
+
@realm.authz_policies("", type)
|
34
|
+
}.to raise_error
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
describe '#create!' do
|
40
|
+
let(:realm_name) { "valid-realm" }
|
41
|
+
let(:client_id) { "valid-client-id" }
|
42
|
+
let(:type) { :role }
|
43
|
+
let(:name) { "policy name" }
|
44
|
+
let(:description) { "policy description" }
|
45
|
+
let(:logic) { "POSITIVE" }
|
46
|
+
let(:decision_strategy) { "UNANIMOUS" }
|
47
|
+
let(:fetch_roles) { true }
|
48
|
+
let(:config) { { roles: [{ id: "1d305dbe-6379-4900-8e63-96541006160a", required: false }] } }
|
49
|
+
let(:client_authz_policy){ KeycloakAdmin.realm(realm_name).authz_policies(client_id, type) }
|
50
|
+
|
51
|
+
before(:each) do
|
52
|
+
stub_token_client
|
53
|
+
allow_any_instance_of(RestClient::Resource).to receive(:post).and_return '{"id":"234f6f33-ef03-4f3f-a8c0-ad7bca27b720","name":"policy name","description":"policy description","type":"role","logic":"POSITIVE","decisionStrategy":"UNANIMOUS","config":{"roles":"[{\"id\":\"1d305dbe-6379-4900-8e63-96541006160a\",\"required\":false}]"}}'
|
54
|
+
end
|
55
|
+
|
56
|
+
it "creates a new authz policy" do
|
57
|
+
response = client_authz_policy.create!(name, description, type, logic, decision_strategy, fetch_roles, config[:roles])
|
58
|
+
expect(response.id).to eq "234f6f33-ef03-4f3f-a8c0-ad7bca27b720"
|
59
|
+
expect(response.name).to eq "policy name"
|
60
|
+
expect(response.type).to eq "role"
|
61
|
+
expect(response.logic).to eq "POSITIVE"
|
62
|
+
expect(response.decision_strategy).to eq "UNANIMOUS"
|
63
|
+
expect(response.config.roles[0].id).to eq "1d305dbe-6379-4900-8e63-96541006160a"
|
64
|
+
end
|
65
|
+
end
|
66
|
+
|
67
|
+
describe '#get' do
|
68
|
+
let(:realm_name) { "valid-realm" }
|
69
|
+
let(:client_id) { "valid-client-id" }
|
70
|
+
let(:type) { :role }
|
71
|
+
let(:policy_id) { "234f6f33-ef03-4f3f-a8c0-ad7bca27b720" }
|
72
|
+
let(:client_authz_policy){ KeycloakAdmin.realm(realm_name).authz_policies(client_id, type) }
|
73
|
+
before(:each) do
|
74
|
+
stub_token_client
|
75
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '{"id":"234f6f33-ef03-4f3f-a8c0-ad7bca27b720","name":"policy name","description":"policy description","type":"role","logic":"POSITIVE","decisionStrategy":"UNANIMOUS","config":{"roles":"[{\"id\":\"1d305dbe-6379-4900-8e63-96541006160a\",\"required\":false}]"}}'
|
76
|
+
end
|
77
|
+
|
78
|
+
it "returns an authz policy" do
|
79
|
+
response = client_authz_policy.get(policy_id)
|
80
|
+
expect(response.id).to eq "234f6f33-ef03-4f3f-a8c0-ad7bca27b720"
|
81
|
+
expect(response.name).to eq "policy name"
|
82
|
+
expect(response.type).to eq "role"
|
83
|
+
expect(response.logic).to eq "POSITIVE"
|
84
|
+
expect(response.decision_strategy).to eq "UNANIMOUS"
|
85
|
+
expect(response.config.roles[0].id).to eq "1d305dbe-6379-4900-8e63-96541006160a"
|
86
|
+
end
|
87
|
+
end
|
88
|
+
|
89
|
+
describe '#find_by' do
|
90
|
+
let(:realm_name) { "valid-realm" }
|
91
|
+
let(:client_id) { "valid-client-id" }
|
92
|
+
let(:type) { :role }
|
93
|
+
let(:name) { "policy name" }
|
94
|
+
let(:client_authz_policy){ KeycloakAdmin.realm(realm_name).authz_policies(client_id, type) }
|
95
|
+
before(:each) do
|
96
|
+
stub_token_client
|
97
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"id":"234f6f33-ef03-4f3f-a8c0-ad7bca27b720","name":"policy name","description":"policy description","type":"role","logic":"POSITIVE","decisionStrategy":"UNANIMOUS","config":{"roles":"[{\"id\":\"1d305dbe-6379-4900-8e63-96541006160a\",\"required\":false}]"}}]'
|
98
|
+
end
|
99
|
+
|
100
|
+
it "returns list of authz policies" do
|
101
|
+
response = client_authz_policy.find_by(name, type)
|
102
|
+
expect(response.size).to eq 1
|
103
|
+
expect(response[0].id).to eq "234f6f33-ef03-4f3f-a8c0-ad7bca27b720"
|
104
|
+
expect(response[0].name).to eq "policy name"
|
105
|
+
expect(response[0].type).to eq "role"
|
106
|
+
expect(response[0].logic).to eq "POSITIVE"
|
107
|
+
expect(response[0].decision_strategy).to eq "UNANIMOUS"
|
108
|
+
expect(response[0].config.roles[0].id).to eq "1d305dbe-6379-4900-8e63-96541006160a"
|
109
|
+
end
|
110
|
+
end
|
111
|
+
|
112
|
+
describe '#delete' do
|
113
|
+
let(:realm_name) { "valid-realm" }
|
114
|
+
let(:client_id) { "valid-client-id" }
|
115
|
+
let(:type) { :role }
|
116
|
+
let(:policy_id) { "234f6f33-ef03-4f3f-a8c0-ad7bca27b720" }
|
117
|
+
before(:each) do
|
118
|
+
@client_authz_policy = KeycloakAdmin.realm(realm_name).authz_policies(client_id, type)
|
119
|
+
stub_token_client
|
120
|
+
allow_any_instance_of(RestClient::Resource).to receive(:delete).and_return 'true'
|
121
|
+
end
|
122
|
+
|
123
|
+
it "deletes an authz policy" do
|
124
|
+
response = @client_authz_policy.delete(policy_id)
|
125
|
+
expect(response).to eq true
|
126
|
+
end
|
127
|
+
end
|
128
|
+
|
129
|
+
describe '#list' do
|
130
|
+
let(:realm_name) { "valid-realm" }
|
131
|
+
let(:client_id) { "valid-client-id" }
|
132
|
+
let(:type) { :role }
|
133
|
+
before(:each) do
|
134
|
+
@client_authz_policy = KeycloakAdmin.realm(realm_name).authz_policies(client_id, type)
|
135
|
+
stub_token_client
|
136
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"id":"234f6f33-ef03-4f3f-a8c0-ad7bca27b720","name":"policy name","description":"policy description","type":"role","logic":"POSITIVE","decisionStrategy":"UNANIMOUS","config":{"roles":"[{\"id\":\"1d305dbe-6379-4900-8e63-96541006160a\",\"required\":false}]"}}]'
|
137
|
+
end
|
138
|
+
|
139
|
+
it "returns list of authz policies" do
|
140
|
+
response = @client_authz_policy.list
|
141
|
+
expect(response.size).to eq 1
|
142
|
+
expect(response[0].id).to eq "234f6f33-ef03-4f3f-a8c0-ad7bca27b720"
|
143
|
+
expect(response[0].name).to eq "policy name"
|
144
|
+
expect(response[0].type).to eq "role"
|
145
|
+
expect(response[0].logic).to eq "POSITIVE"
|
146
|
+
expect(response[0].decision_strategy).to eq "UNANIMOUS"
|
147
|
+
expect(response[0].config.roles[0].id).to eq "1d305dbe-6379-4900-8e63-96541006160a"
|
148
|
+
end
|
149
|
+
end
|
150
|
+
|
151
|
+
describe '#authz_policy_url' do
|
152
|
+
let(:realm_name) { "valid-realm" }
|
153
|
+
let(:client_id) { "valid-client-id" }
|
154
|
+
let(:type) { :role }
|
155
|
+
let(:client_authz_policy){ KeycloakAdmin.realm(realm_name).authz_policies(client_id, type) }
|
156
|
+
|
157
|
+
context 'when policy_id is nil' do
|
158
|
+
let(:policy_id) { nil }
|
159
|
+
it "return a proper url" do
|
160
|
+
expect(client_authz_policy.authz_policy_url(client_id, type, policy_id)).to eq "http://auth.service.io/auth/admin/realms/valid-realm/clients/valid-client-id/authz/resource-server/policy/role?permission=false"
|
161
|
+
end
|
162
|
+
end
|
163
|
+
context 'when policy_id is not nil' do
|
164
|
+
let(:policy_id) { "234f6f33-ef03-4f3f-a8c0-ad7bca27b720" }
|
165
|
+
it "return a proper url" do
|
166
|
+
expect(client_authz_policy.authz_policy_url(client_id, type, policy_id)).to eq "http://auth.service.io/auth/admin/realms/valid-realm/clients/valid-client-id/authz/resource-server/policy/role/234f6f33-ef03-4f3f-a8c0-ad7bca27b720"
|
167
|
+
end
|
168
|
+
end
|
169
|
+
end
|
170
|
+
end
|
@@ -0,0 +1,150 @@
|
|
1
|
+
RSpec.describe KeycloakAdmin::ClientAuthzResourceClient do
|
2
|
+
describe "#initialize" do
|
3
|
+
let(:realm_name) { nil }
|
4
|
+
before(:each) do
|
5
|
+
@realm = KeycloakAdmin.realm(realm_name)
|
6
|
+
end
|
7
|
+
|
8
|
+
context "when realm_name is defined" do
|
9
|
+
let(:realm_name) { "master" }
|
10
|
+
it "does not raise any error" do
|
11
|
+
expect { @realm.attack_detections }.to_not raise_error
|
12
|
+
end
|
13
|
+
end
|
14
|
+
context "when realm_name is not defined" do
|
15
|
+
it "raise argument error" do
|
16
|
+
expect { @realm.attack_detections }.to raise_error(ArgumentError)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe "#list" do
|
22
|
+
let(:realm_name) { "valid-realm" }
|
23
|
+
let(:client_id) { "valid-client-id" }
|
24
|
+
before(:each) do
|
25
|
+
@client_authz_resource = KeycloakAdmin.realm(realm_name).authz_resources(client_id)
|
26
|
+
stub_token_client
|
27
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"name":"Default Resource","type":"urn:delme-client-id:resources:default","owner":{"id":"d259b451-371b-432a-a526-3508f3a36f3b","name":"delme-client-id"},"ownerManagedAccess":false,"_id":"94643fe2-1973-4a36-8e1f-830ade186398","uris":["/*"]},{"name":"asdfasdf","type":"urn:delme-client-id:resources:default","owner":{"id":"d259b451-371b-432a-a526-3508f3a36f3b","name":"delme-client-id"},"ownerManagedAccess":true,"displayName":"asdfasdfasdfa","_id":"385966a2-14b9-4cc4-9539-5f2fe1008222","uris":["/*"],"icon_uri":"http://icon"}]'
|
28
|
+
end
|
29
|
+
|
30
|
+
it "returns list of authz scopes" do
|
31
|
+
response = @client_authz_resource.list
|
32
|
+
expect(response.size).to eq 2
|
33
|
+
expect(response[1].id).to eq "385966a2-14b9-4cc4-9539-5f2fe1008222"
|
34
|
+
expect(response[1].name).to eq "asdfasdf"
|
35
|
+
expect(response[1].type).to eq "urn:delme-client-id:resources:default"
|
36
|
+
expect(response[1].owner_managed_access).to be_truthy
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
describe '#get' do
|
41
|
+
let(:realm_name) { "valid-realm" }
|
42
|
+
let(:client_id) { "valid-client-id" }
|
43
|
+
let(:resource_id) { "valid-resource-id" }
|
44
|
+
let(:client_authz_resource) { KeycloakAdmin.realm(realm_name).authz_resources(client_id) }
|
45
|
+
before(:each) do
|
46
|
+
stub_token_client
|
47
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '{"name":"Default Resource","type":"urn:delme-client-id:resources:default","owner":{"id":"d259b451-371b-432a-a526-3508f3a36f3b","name":"delme-client-id"},"ownerManagedAccess":false,"_id":"94643fe2-1973-4a36-8e1f-830ade186398","uris":["/*"]}'
|
48
|
+
end
|
49
|
+
|
50
|
+
it "returns authz scope" do
|
51
|
+
response = client_authz_resource.get(resource_id)
|
52
|
+
expect(response.id).to eq "94643fe2-1973-4a36-8e1f-830ade186398"
|
53
|
+
expect(response.name).to eq "Default Resource"
|
54
|
+
expect(response.type).to eq "urn:delme-client-id:resources:default"
|
55
|
+
expect(response.owner_managed_access).to be_falsey
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
59
|
+
describe '#update' do
|
60
|
+
let(:realm_name) { "valid-realm" }
|
61
|
+
let(:client_id) { "valid-client-id" }
|
62
|
+
let(:resource_id) { "valid-resource-id" }
|
63
|
+
let(:client_authz_resource) { KeycloakAdmin.realm(realm_name).authz_resources(client_id) }
|
64
|
+
before(:each) do
|
65
|
+
stub_token_client
|
66
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '{"name":"Default Resource","type":"urn:delme-client-id:resources:default","owner":{"id":"d259b451-371b-432a-a526-3508f3a36f3b","name":"delme-client-id"},"ownerManagedAccess":false,"_id":"94643fe2-1973-4a36-8e1f-830ade186398","uris":["/*"]}'
|
67
|
+
allow_any_instance_of(RestClient::Resource).to receive(:put).and_return '{"name":"Default Resource","type":"urn:delme-client-id:resources:default","owner":{"id":"d259b451-371b-432a-a526-3508f3a36f3b","name":"delme-client-id"},"ownerManagedAccess":false,"_id":"94643fe2-1973-4a36-8e1f-830ade186398","uris":["/*"]}'
|
68
|
+
end
|
69
|
+
|
70
|
+
it "returns updated authz scope" do
|
71
|
+
response = client_authz_resource.update(resource_id, {name: "Default Resource", type: "urn:delme-client-id:resources:default", uris: ["/tmp/*"], owner_managed_access: false, display_name: "Default Resource", scopes: []})
|
72
|
+
expect(response.id).to eq "94643fe2-1973-4a36-8e1f-830ade186398"
|
73
|
+
expect(response.name).to eq "Default Resource"
|
74
|
+
expect(response.type).to eq "urn:delme-client-id:resources:default"
|
75
|
+
expect(response.owner_managed_access).to be_falsey
|
76
|
+
end
|
77
|
+
end
|
78
|
+
|
79
|
+
describe '#create!' do
|
80
|
+
let(:realm_name) { "valid-realm" }
|
81
|
+
let(:client_id) { "valid-client-id" }
|
82
|
+
before(:each) do
|
83
|
+
@client_authz_resource = KeycloakAdmin.realm(realm_name).authz_resources(client_id)
|
84
|
+
stub_token_client
|
85
|
+
allow_any_instance_of(RestClient::Resource).to receive(:post).and_return '{"name":"Default Resource","type":"urn:delme-client-id:resources:default","owner":{"id":"d259b451-371b-432a-a526-3508f3a36f3b","name":"delme-client-id"},"ownerManagedAccess":false,"_id":"94643fe2-1973-4a36-8e1f-830ade186398","uris":["/*"]}'
|
86
|
+
end
|
87
|
+
|
88
|
+
it "returns created authz scope" do
|
89
|
+
response = @client_authz_resource.create!("Default Resource", "urn:delme-client-id:resources:default", ["/tmp/*"], false, "Default Resource", [])
|
90
|
+
expect(response.id).to eq "94643fe2-1973-4a36-8e1f-830ade186398"
|
91
|
+
expect(response.name).to eq "Default Resource"
|
92
|
+
expect(response.type).to eq "urn:delme-client-id:resources:default"
|
93
|
+
expect(response.owner_managed_access).to be_falsey
|
94
|
+
end
|
95
|
+
end
|
96
|
+
|
97
|
+
describe "#find_by" do
|
98
|
+
let(:realm_name) { "valid-realm" }
|
99
|
+
let(:client_id) { "valid-client-id" }
|
100
|
+
let(:resource_id) { "valid-resource-id" }
|
101
|
+
let(:client_authz_resource) { KeycloakAdmin.realm(realm_name).authz_resources(client_id) }
|
102
|
+
before(:each) do
|
103
|
+
stub_token_client
|
104
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"name":"Default Resource","type":"urn:delme-client-id:resources:default","owner":{"id":"d259b451-371b-432a-a526-3508f3a36f3b","name":"delme-client-id"},"ownerManagedAccess":false,"_id":"94643fe2-1973-4a36-8e1f-830ade186398","uris":["/*"]}]'
|
105
|
+
end
|
106
|
+
|
107
|
+
it "returns list of authz scopes" do
|
108
|
+
response = client_authz_resource.find_by("Default Resource", "urn:delme-client-id:resources:default", ["/tmp/*"], false, "")
|
109
|
+
expect(response.size).to eq 1
|
110
|
+
expect(response[0].id).to eq "94643fe2-1973-4a36-8e1f-830ade186398"
|
111
|
+
expect(response[0].name).to eq "Default Resource"
|
112
|
+
expect(response[0].type).to eq "urn:delme-client-id:resources:default"
|
113
|
+
expect(response[0].owner_managed_access).to be_falsey
|
114
|
+
end
|
115
|
+
end
|
116
|
+
|
117
|
+
describe "#authz_scopes_url" do
|
118
|
+
let(:realm_name) { "valid-realm" }
|
119
|
+
let(:client_id) { "valid-client-id" }
|
120
|
+
let(:client_authz_resource){ KeycloakAdmin.realm(realm_name).authz_resources(client_id) }
|
121
|
+
|
122
|
+
context 'when resource_id is nil' do
|
123
|
+
it "return a proper url" do
|
124
|
+
expect(client_authz_resource.authz_resources_url(client_id)).to eq "http://auth.service.io/auth/admin/realms/valid-realm/clients/valid-client-id/authz/resource-server/resource"
|
125
|
+
end
|
126
|
+
end
|
127
|
+
|
128
|
+
context 'when resource_id is not nil' do
|
129
|
+
it "return a proper url" do
|
130
|
+
expect(client_authz_resource.authz_resources_url(client_id, "resource-id")).to eq "http://auth.service.io/auth/admin/realms/valid-realm/clients/valid-client-id/authz/resource-server/resource/resource-id"
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
134
|
+
|
135
|
+
describe "#delete" do
|
136
|
+
let(:realm_name) { "valid-realm" }
|
137
|
+
let(:client_id) { "valid-client-id" }
|
138
|
+
let(:resource_id) { "valid-resource-id" }
|
139
|
+
let(:client_authz_resource) { KeycloakAdmin.realm(realm_name).authz_resources(client_id) }
|
140
|
+
before(:each) do
|
141
|
+
stub_token_client
|
142
|
+
allow_any_instance_of(RestClient::Resource).to receive(:delete).and_return '{}'
|
143
|
+
end
|
144
|
+
|
145
|
+
it "returns true" do
|
146
|
+
response = client_authz_resource.delete(resource_id)
|
147
|
+
expect(response).to be_truthy
|
148
|
+
end
|
149
|
+
end
|
150
|
+
end
|
@@ -0,0 +1,134 @@
|
|
1
|
+
RSpec.describe KeycloakAdmin::ClientAuthzScopeClient do
|
2
|
+
describe "#initialize" do
|
3
|
+
let(:realm_name) { nil }
|
4
|
+
before(:each) do
|
5
|
+
@realm = KeycloakAdmin.realm(realm_name)
|
6
|
+
end
|
7
|
+
|
8
|
+
context "when realm_name is defined" do
|
9
|
+
let(:realm_name) { "master" }
|
10
|
+
it "does not raise any error" do
|
11
|
+
expect { @realm.attack_detections }.to_not raise_error
|
12
|
+
end
|
13
|
+
end
|
14
|
+
context "when realm_name is not defined" do
|
15
|
+
it "raise argument error" do
|
16
|
+
expect { @realm.attack_detections }.to raise_error(ArgumentError)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe "#create" do
|
22
|
+
let(:realm_name) { "valid-realm" }
|
23
|
+
let(:client_id) { "valid-client-id" }
|
24
|
+
before(:each) do
|
25
|
+
@client_authz_scope = KeycloakAdmin.realm(realm_name).authz_scopes(client_id)
|
26
|
+
stub_token_client
|
27
|
+
allow_any_instance_of(RestClient::Resource).to receive(:post).and_return '{"id":"c0779ce3-0900-4ea3-b1d6-b23e1f19c662","name":"GET","iconUri":"http://asdfasd1","displayName":"GET authz scope"}'
|
28
|
+
end
|
29
|
+
|
30
|
+
it "returns created authz scope" do
|
31
|
+
response = @client_authz_scope.create!("GET", "GET authz scope", "http://asdfasd1")
|
32
|
+
expect(response.id).to eq "c0779ce3-0900-4ea3-b1d6-b23e1f19c662"
|
33
|
+
expect(response.name).to eq "GET"
|
34
|
+
expect(response.display_name).to eq "GET authz scope"
|
35
|
+
expect(response.icon_uri).to eq "http://asdfasd1"
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
describe "#list" do
|
40
|
+
let(:realm_name) { "valid-realm" }
|
41
|
+
let(:client_id) { "valid-client-id" }
|
42
|
+
before(:each) do
|
43
|
+
@client_authz_scope = KeycloakAdmin.realm(realm_name).authz_scopes(client_id)
|
44
|
+
stub_token_client
|
45
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"id":"c0779ce3-0900-4ea3-b1d6-b23e1f19c662","name":"GET","iconUri":"http://asdfasd1","displayName":"GET authz scope"},{"id":"d0779ce3-0900-4ea3-b1d6-b23e1f19c662","name":"POST","iconUri":"http://asdfasd2","displayName":"POST authz scope"}]'
|
46
|
+
end
|
47
|
+
|
48
|
+
it "returns list of authz scopes" do
|
49
|
+
response = @client_authz_scope.list
|
50
|
+
expect(response.size).to eq 2
|
51
|
+
expect(response.first.id).to eq "c0779ce3-0900-4ea3-b1d6-b23e1f19c662"
|
52
|
+
expect(response.first.name).to eq "GET"
|
53
|
+
expect(response.first.display_name).to eq "GET authz scope"
|
54
|
+
expect(response.first.icon_uri).to eq "http://asdfasd1"
|
55
|
+
end
|
56
|
+
end
|
57
|
+
|
58
|
+
|
59
|
+
describe "#delete" do
|
60
|
+
let(:realm_name) { "valid-realm" }
|
61
|
+
let(:client_id) { "valid-client-id" }
|
62
|
+
let(:scope_id) { "valid-scope-id" }
|
63
|
+
before(:each) do
|
64
|
+
@client_authz_scope = KeycloakAdmin.realm(realm_name).authz_scopes(client_id)
|
65
|
+
stub_token_client
|
66
|
+
allow_any_instance_of(RestClient::Resource).to receive(:delete).and_return ""
|
67
|
+
end
|
68
|
+
|
69
|
+
it "returns true" do
|
70
|
+
response = @client_authz_scope.delete(scope_id)
|
71
|
+
expect(response).to eq true
|
72
|
+
end
|
73
|
+
end
|
74
|
+
|
75
|
+
describe '#get' do
|
76
|
+
let(:realm_name) { "valid-realm" }
|
77
|
+
let(:client_id) { "valid-client-id" }
|
78
|
+
let(:scope_id) { "valid-scope-id" }
|
79
|
+
before(:each) do
|
80
|
+
@client_authz_scope = KeycloakAdmin.realm(realm_name).authz_scopes(client_id)
|
81
|
+
stub_token_client
|
82
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '{"id":"c0779ce3-0900-4ea3-b1d6-b23e1f19c662","name":"GET","iconUri":"http://asdfasd1","displayName":"GET authz scope"}'
|
83
|
+
end
|
84
|
+
|
85
|
+
it "returns authz scope" do
|
86
|
+
response = @client_authz_scope.get(scope_id)
|
87
|
+
expect(response.id).to eq "c0779ce3-0900-4ea3-b1d6-b23e1f19c662"
|
88
|
+
expect(response.name).to eq "GET"
|
89
|
+
expect(response.display_name).to eq "GET authz scope"
|
90
|
+
expect(response.icon_uri).to eq "http://asdfasd1"
|
91
|
+
end
|
92
|
+
end
|
93
|
+
|
94
|
+
describe '#search' do
|
95
|
+
let(:realm_name) { "valid-realm" }
|
96
|
+
let(:client_id) { "valid-client-id" }
|
97
|
+
let(:name) { "GET" }
|
98
|
+
before(:each) do
|
99
|
+
@client_authz_scope = KeycloakAdmin.realm(realm_name).authz_scopes(client_id)
|
100
|
+
stub_token_client
|
101
|
+
allow_any_instance_of(RestClient::Resource).to receive(:get).and_return '[{"id":"c0779ce3-0900-4ea3-b1d6-b23e1f19c662","name":"GET","iconUri":"http://asdfasd1","displayName":"GET authz scope"}]'
|
102
|
+
end
|
103
|
+
|
104
|
+
it "returns list of authz scopes" do
|
105
|
+
response = @client_authz_scope.search(name)
|
106
|
+
expect(response.size).to eq 1
|
107
|
+
expect(response.first.id).to eq "c0779ce3-0900-4ea3-b1d6-b23e1f19c662"
|
108
|
+
expect(response.first.name).to eq "GET"
|
109
|
+
expect(response.first.display_name).to eq "GET authz scope"
|
110
|
+
expect(response.first.icon_uri).to eq "http://asdfasd1"
|
111
|
+
end
|
112
|
+
end
|
113
|
+
|
114
|
+
describe "#authz_scopes_url" do
|
115
|
+
let(:realm_name) { "valid-realm" }
|
116
|
+
let(:client_id) { "valid-client-id" }
|
117
|
+
let(:client_authz_scope) { KeycloakAdmin.realm(realm_name).authz_scopes(client_id) }
|
118
|
+
context 'resource_id is nil and id is nil' do
|
119
|
+
it "return a proper url" do
|
120
|
+
expect(client_authz_scope.authz_scopes_url(client_id)).to eq "http://auth.service.io/auth/admin/realms/valid-realm/clients/valid-client-id/authz/resource-server/scope"
|
121
|
+
end
|
122
|
+
end
|
123
|
+
context 'resource_id is not nil' do
|
124
|
+
it "return a proper url" do
|
125
|
+
expect(client_authz_scope.authz_scopes_url(client_id, "valid-resource-id")).to eq "http://auth.service.io/auth/admin/realms/valid-realm/clients/valid-client-id/authz/resource-server/resource/valid-resource-id/scopes"
|
126
|
+
end
|
127
|
+
end
|
128
|
+
context 'resource_id is nil and id is not nil' do
|
129
|
+
it "return a proper url" do
|
130
|
+
expect(client_authz_scope.authz_scopes_url(client_id, nil, "valid-id")).to eq "http://auth.service.io/auth/admin/realms/valid-realm/clients/valid-client-id/authz/resource-server/scope/valid-id"
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
134
|
+
end
|
@@ -0,0 +1,95 @@
|
|
1
|
+
RSpec.describe 'ClientAuthorization' do
|
2
|
+
|
3
|
+
before do
|
4
|
+
skip unless ENV["GITHUB_ACTIONS"]
|
5
|
+
|
6
|
+
KeycloakAdmin.configure do |config|
|
7
|
+
config.use_service_account = false
|
8
|
+
config.server_url = "http://localhost:8080/"
|
9
|
+
config.client_id = "admin-cli"
|
10
|
+
config.client_realm_name = "master"
|
11
|
+
config.username = "admin"
|
12
|
+
config.password = "admin"
|
13
|
+
config.rest_client_options = { timeout: 5, verify_ssl: false }
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
after do
|
18
|
+
configure
|
19
|
+
end
|
20
|
+
|
21
|
+
describe "ClientAuthorization Suite" do
|
22
|
+
it do
|
23
|
+
skip unless ENV["GITHUB_ACTIONS"]
|
24
|
+
|
25
|
+
realm_name = "dummy"
|
26
|
+
|
27
|
+
client = KeycloakAdmin.realm(realm_name).clients.find_by_client_id("dummy-client")
|
28
|
+
client.authorization_services_enabled = true
|
29
|
+
KeycloakAdmin.realm(realm_name).clients.update(client)
|
30
|
+
|
31
|
+
expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).list.size).to eql(0)
|
32
|
+
expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).list.size).to eql(1)
|
33
|
+
expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').list.size).to eql(0)
|
34
|
+
|
35
|
+
realm_role = KeycloakAdmin.realm(realm_name).roles.get("default-roles-dummy")
|
36
|
+
|
37
|
+
scope_1 = KeycloakAdmin.realm(realm_name).authz_scopes(client.id).create!("POST_1", "POST 1 scope", "http://asdas")
|
38
|
+
scope_2 = KeycloakAdmin.realm(realm_name).authz_scopes(client.id).create!("POST_2", "POST 2 scope", "http://asdas")
|
39
|
+
expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).search("POST").first.name).to eql("POST_1")
|
40
|
+
expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).get(scope_1.id).name).to eql("POST_1")
|
41
|
+
|
42
|
+
resource = KeycloakAdmin.realm(realm_name).authz_resources(client.id).create!("Dummy Resource", "type", ["/asdf/*", "/tmp/"], true, "display_name", [], {"a": ["b", "c"]})
|
43
|
+
|
44
|
+
expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).find_by("Dummy Resource", "", "", "", "").first.name).to eql("Dummy Resource")
|
45
|
+
expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).find_by("", "type", "", "", "").first.name).to eql("Dummy Resource")
|
46
|
+
|
47
|
+
expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).scopes.count).to eql(0)
|
48
|
+
expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).uris.count).to eql(2)
|
49
|
+
KeycloakAdmin.realm(realm_name).authz_resources(client.id).update(resource.id,
|
50
|
+
{
|
51
|
+
"name": "Dummy Resource",
|
52
|
+
"type": "type",
|
53
|
+
"owner_managed_access": true,
|
54
|
+
"display_name": "display_name",
|
55
|
+
"attributes": {"a":["b","c"]},
|
56
|
+
"uris": [ "/asdf/*" , "/tmp/45" ],
|
57
|
+
"scopes":[
|
58
|
+
{name: scope_1.name},{name: scope_2.name}
|
59
|
+
],
|
60
|
+
"icon_uri": "https://icon.ico"
|
61
|
+
}
|
62
|
+
)
|
63
|
+
|
64
|
+
expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).scopes.count).to eql(2)
|
65
|
+
|
66
|
+
policy = KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').create!("Policy 1", "description", "role", "POSITIVE", "UNANIMOUS", true, [{id: realm_role.id, required: true}])
|
67
|
+
expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').find_by("Policy 1", "role").first.name).to eql("Policy 1")
|
68
|
+
expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').get(policy.id).name).to eql("Policy 1")
|
69
|
+
scope_permission = KeycloakAdmin.realm(realm_name).authz_permissions(client.id, :scope).create!("Dummy Scope Permission", "scope description", "UNANIMOUS", "POSITIVE", [resource.id], [policy.id], [scope_1.id, scope_2.id], "")
|
70
|
+
resource_permission = KeycloakAdmin.realm(realm_name).authz_permissions(client.id, :resource).create!("Dummy Resource Permission", "resource description", "UNANIMOUS", "POSITIVE", [resource.id], [policy.id], nil, "")
|
71
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "", resource.id).list.size).to eql(2)
|
72
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").get(resource_permission.id).name).to eql("Dummy Resource Permission")
|
73
|
+
expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id, resource.id).list.size).to eql(2)
|
74
|
+
|
75
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'scope').list.size).to eql(3)
|
76
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'resource').list.size).to eql(3)
|
77
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(resource_permission.name, nil).first.name).to eql("Dummy Resource Permission")
|
78
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(resource_permission.name, resource.id).first.name).to eql("Dummy Resource Permission")
|
79
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, resource.id).first.name).to eql("Dummy Scope Permission")
|
80
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, resource.id, "POST_1").first.name).to eql("Dummy Scope Permission")
|
81
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(nil, resource.id).first.name).to eql("Dummy Resource Permission")
|
82
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(nil, resource.id).first.name).to eql("Dummy Scope Permission")
|
83
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(nil, resource.id, "POST_1").first.name).to eql("Dummy Scope Permission")
|
84
|
+
expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, nil).first.name).to eql("Dummy Scope Permission")
|
85
|
+
|
86
|
+
KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'scope').delete(scope_permission.id)
|
87
|
+
KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'resource').delete(resource_permission.id)
|
88
|
+
KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').delete(policy.id)
|
89
|
+
KeycloakAdmin.realm(realm_name).authz_resources(client.id).delete(resource.id)
|
90
|
+
KeycloakAdmin.realm(realm_name).authz_scopes(client.id).delete(scope_1.id)
|
91
|
+
KeycloakAdmin.realm(realm_name).authz_scopes(client.id).delete(scope_2.id)
|
92
|
+
|
93
|
+
end
|
94
|
+
end
|
95
|
+
end
|
@@ -0,0 +1,52 @@
|
|
1
|
+
RSpec.describe KeycloakAdmin::ClientAuthzPermissionRepresentation do
|
2
|
+
describe '.from_hash, #resource based permission' do
|
3
|
+
it 'converts json response to class structure' do
|
4
|
+
rep = described_class.from_hash({
|
5
|
+
"id" => "e9e3bc49-fe11-4287-b6fc-fa8be4930ffa",
|
6
|
+
"resources" => ["4f55e984-d1ec-405c-a25c-1387f88acd5c"],
|
7
|
+
"policies" => ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"],
|
8
|
+
"name" => "delme policy",
|
9
|
+
"description" => "Delme policy description",
|
10
|
+
"decisionStrategy" => "UNANIMOUS",
|
11
|
+
"resourceType" => ""
|
12
|
+
})
|
13
|
+
expect(rep.id).to eq "e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"
|
14
|
+
expect(rep.resources).to eq ["4f55e984-d1ec-405c-a25c-1387f88acd5c"]
|
15
|
+
expect(rep.policies).to eq ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"]
|
16
|
+
expect(rep.name).to eq "delme policy"
|
17
|
+
expect(rep.description).to eq "Delme policy description"
|
18
|
+
expect(rep.decision_strategy).to eq "UNANIMOUS"
|
19
|
+
expect(rep.resource_type).to eq ""
|
20
|
+
expect(rep).to be_a described_class
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
describe '.from_hash, #scope based permission' do
|
25
|
+
it 'converts json response to class structure' do
|
26
|
+
rep = described_class.from_hash(
|
27
|
+
|
28
|
+
{ "id" => "4d762e5d-bf3d-4641-8f94-97e8a1869d1d",
|
29
|
+
"name" => "permission name",
|
30
|
+
"description" => "permission description",
|
31
|
+
"type" => "scope",
|
32
|
+
"policies" => ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"],
|
33
|
+
"resources" => ["4f55e984-d1ec-405c-a25c-1387f88acd5c"],
|
34
|
+
"scopes" => ["7c4809c5-33b6-4668-a318-19b302214d20"],
|
35
|
+
"logic" => "POSITIVE",
|
36
|
+
"decisionStrategy" => "UNANIMOUS"
|
37
|
+
})
|
38
|
+
expect(rep.id).to eq "4d762e5d-bf3d-4641-8f94-97e8a1869d1d"
|
39
|
+
expect(rep.resources).to eq ["4f55e984-d1ec-405c-a25c-1387f88acd5c"]
|
40
|
+
expect(rep.policies).to eq ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"]
|
41
|
+
expect(rep.scopes).to eq ["7c4809c5-33b6-4668-a318-19b302214d20"]
|
42
|
+
expect(rep.name).to eq "permission name"
|
43
|
+
expect(rep.description).to eq "permission description"
|
44
|
+
expect(rep.decision_strategy).to eq "UNANIMOUS"
|
45
|
+
expect(rep.logic).to eq "POSITIVE"
|
46
|
+
expect(rep.type).to eq "scope"
|
47
|
+
expect(rep.resource_type).to eq nil
|
48
|
+
expect(rep).to be_a described_class
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
RSpec.describe KeycloakAdmin::ClientAuthzPolicyRepresentation do
|
4
|
+
let(:realm_name) { "valid-realm" }
|
5
|
+
let(:client_id) { "valid-client-id" }
|
6
|
+
let(:policy_id) { "valid-policy-id" }
|
7
|
+
let(:role_id) { "valid-role-id" }
|
8
|
+
let(:role_name) { "valid-role-name" }
|
9
|
+
let(:policy_name) { "valid-policy-name" }
|
10
|
+
let(:policy_description) { "valid-policy-description" }
|
11
|
+
let(:policy_type) { "role" }
|
12
|
+
let(:policy_logic) { "POSITIVE" }
|
13
|
+
let(:policy_decision_strategy) { "UNANIMOUS" }
|
14
|
+
let(:policy) do
|
15
|
+
{
|
16
|
+
"id": policy_id,
|
17
|
+
"name": policy_name,
|
18
|
+
"description": policy_description,
|
19
|
+
"type": policy_type,
|
20
|
+
"logic": policy_logic,
|
21
|
+
"decisionStrategy": policy_decision_strategy,
|
22
|
+
"roles": [{ "id": role_id, "required": true }]
|
23
|
+
}
|
24
|
+
end
|
25
|
+
let(:client_authz_policy) { KeycloakAdmin.realm(realm_name).authz_policies(client_id, 'role') }
|
26
|
+
|
27
|
+
before(:each) do
|
28
|
+
stub_token_client
|
29
|
+
end
|
30
|
+
|
31
|
+
describe "#create!" do
|
32
|
+
before(:each) do
|
33
|
+
allow_any_instance_of(RestClient::Resource).to receive(:post).and_return policy.to_json
|
34
|
+
end
|
35
|
+
|
36
|
+
it "returns created authz policy" do
|
37
|
+
response = client_authz_policy.create!(policy_name, policy_description, policy_type, policy_logic, policy_decision_strategy, true, [{ id: role_id, required: true }])
|
38
|
+
expect(response.id).to eq policy_id
|
39
|
+
expect(response.name).to eq policy_name
|
40
|
+
expect(response.description).to eq policy_description
|
41
|
+
expect(response.type).to eq policy_type
|
42
|
+
expect(response.logic).to eq policy_logic
|
43
|
+
expect(response.decision_strategy).to eq policy_decision_strategy
|
44
|
+
expect(response.roles).to eq [{ "id" => role_id, "required" => true }]
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|