
Example 1 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class PolicyEnforcer method enforce.

/**
 * Runs policy enforcement for the incoming request and returns the resulting decision.
 *
 * <p>The actual evaluation is delegated to a {@link KeycloakAdapterPolicyEnforcer} built around this
 * enforcer. When debug logging is enabled, the request URI, the GRANTED/DENIED outcome and every
 * permission carried by the returned context are written to the log.
 *
 * @param facade HTTP facade giving access to the request being authorized
 * @return the authorization context; {@code isGranted()} tells whether the request was allowed and
 *         {@code getPermissions()} lists the permissions that were granted
 */
public AuthorizationContext enforce(OIDCHttpFacade facade) {
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debugv("Policy enforcement is enabled. Enforcing policy decisions for path [{0}].", facade.getRequest().getURI());
    }
    KeycloakAdapterPolicyEnforcer enforcer = new KeycloakAdapterPolicyEnforcer(this);
    AuthorizationContext decision = enforcer.authorize(facade);
    if (LOGGER.isDebugEnabled()) {
        String outcome;
        if (decision.isGranted()) {
            outcome = "GRANTED";
        } else {
            outcome = "DENIED";
        }
        // Request path and granted permissions only reach the log at debug level.
        LOGGER.debugv("Policy enforcement result for path [{0}] is : {1}", facade.getRequest().getURI(), outcome);
        LOGGER.debugv("Returning authorization context with permissions:");
        for (Permission granted : decision.getPermissions()) {
            LOGGER.debug(granted);
        }
    }
    return decision;
}
Also used : Permission(org.keycloak.representations.idm.authorization.Permission) AuthorizationContext(org.keycloak.AuthorizationContext)

Example 2 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class HttpMethodAuthenticator method uma.

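/**
 * Configures this method as a UMA token request from the given authorization request.
 *
 * <p>Either a permission ticket or an explicit set of permissions must be present. Each requested
 * permission is serialized as {@code <resourceId>#<scope1>,<scope2>,...}: the resource id part is
 * omitted when it is {@code null}, and the {@code #} plus scope list is omitted when there are no
 * scopes. Optional response metadata is forwarded as
 * {@code response_include_resource_name} and {@code response_permissions_limit}.
 *
 * @param request the authorization request to translate into form parameters
 * @return this method, with the UMA parameters applied
 * @throws IllegalArgumentException if the request carries neither a ticket nor permissions
 */
public HttpMethod<R> uma(AuthorizationRequest request) {
    String ticket = request.getTicket();
    PermissionTicketToken permissions = request.getPermissions();
    if (ticket == null && permissions == null) {
        throw new IllegalArgumentException("You must either provide a permission ticket or the permissions you want to request.");
    }
    uma();
    method.param("ticket", ticket);
    method.param("claim_token", request.getClaimToken());
    method.param("claim_token_format", request.getClaimTokenFormat());
    method.param("pct", request.getPct());
    method.param("rpt", request.getRptToken());
    method.param("scope", request.getScope());
    method.param("audience", request.getAudience());
    method.param("subject_token", request.getSubjectToken());
    if (permissions != null) {
        for (Permission permission : permissions.getPermissions()) {
            StringBuilder value = new StringBuilder();
            String resourceId = permission.getResourceId();
            if (resourceId != null) {
                value.append(resourceId);
            }
            Set<String> scopes = permission.getScopes();
            if (scopes != null && !scopes.isEmpty()) {
                // Join the scopes directly instead of deciding on a separator by inspecting the
                // builder's current tail, which re-stringified it on every iteration and dropped the
                // comma whenever a preceding scope name itself ended in '#'.
                value.append("#").append(String.join(",", scopes));
            }
            method.params("permission", value.toString());
        }
    }
    Metadata metadata = request.getMetadata();
    if (metadata != null) {
        // Both metadata fields are boxed and only sent when explicitly set.
        if (metadata.getIncludeResourceName() != null) {
            method.param("response_include_resource_name", metadata.getIncludeResourceName().toString());
        }
        if (metadata.getLimit() != null) {
            method.param("response_permissions_limit", metadata.getLimit().toString());
        }
    }
    return method;
}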
Also used : PermissionTicketToken(org.keycloak.representations.idm.authorization.PermissionTicketToken) Permission(org.keycloak.representations.idm.authorization.Permission) Metadata(org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata)

Example 3 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class UserPermissions method hasPermission.

/**
 * Checks whether at least one of the given scopes is granted on the resource named
 * {@code USERS_RESOURCE} of the realm's resource server.
 *
 * <p>Returns {@code false} when the realm has no resource server. When the users resource does not
 * exist, the result is {@code grantIfNoPermission} restricted to callers asking for both
 * {@code MgmtPermissions.MANAGE_SCOPE} and {@code MgmtPermissions.VIEW_SCOPE}. Otherwise the
 * resource is evaluated through {@code root.evaluatePermission}, with the evaluation context when
 * one is supplied, and any granted scope that appears in {@code scopes} is enough.
 *
 * @param context evaluation context to evaluate against, or {@code null} to evaluate without one
 * @param scopes  scope names of which at least one must be granted
 * @return {@code true} if a matching scope is granted (or the no-resource fallback applies)
 */
private boolean hasPermission(EvaluationContext context, String... scopes) {
    ResourceServer realmServer = root.realmResourceServer();
    if (realmServer == null) {
        return false;
    }
    List<String> wanted = Arrays.asList(scopes);
    Resource usersResource = resourceStore.findByName(USERS_RESOURCE, realmServer.getId());
    if (usersResource == null) {
        // No fine-grained resource defined: fall back to the grantIfNoPermission flag, but only
        // for a request that asks for both manage and view.
        return grantIfNoPermission
                && wanted.contains(MgmtPermissions.MANAGE_SCOPE)
                && wanted.contains(MgmtPermissions.VIEW_SCOPE);
    }
    ResourcePermission toEvaluate = new ResourcePermission(usersResource, usersResource.getScopes(), realmServer);
    Collection<Permission> granted = context == null
            ? root.evaluatePermission(toEvaluate, realmServer)
            : root.evaluatePermission(toEvaluate, realmServer, context);
    return granted.stream()
            .anyMatch(permission -> permission.getScopes().stream().anyMatch(wanted::contains));
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Permission(org.keycloak.representations.idm.authorization.Permission) ResourceServer(org.keycloak.authorization.model.ResourceServer) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)

Example 4 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class DecisionPermissionCollector method createPermission.

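/**
 * Builds the granted {@link Permission} for a resource/scope pair and reports it through
 * {@code onGrant}.
 *
 * <p>The resource id and name are taken from {@code resource} when present; the name is omitted
 * only when the request metadata explicitly sets {@code includeResourceName} to {@code false}.
 * Without a resource, both id and name are {@code null}. Scopes and claims are passed through.
 *
 * @param resource the granted resource, or {@code null} for a resource-less (scope-only) grant
 * @param scopes   granted scope names
 * @param claims   claims attached to the grant
 * @param request  originating authorization request, or {@code null}
 * @return the permission that was created and handed to {@code onGrant}
 */
private Permission createPermission(Resource resource, Set<String> scopes, Map<String, Set<String>> claims, AuthorizationRequest request) {
    AuthorizationRequest.Metadata metadata = request == null ? null : request.getMetadata();
    Permission permission;
    if (resource != null) {
        // getIncludeResourceName() returns a boxed Boolean that may be null; the previous
        // `metadata == null || metadata.getIncludeResourceName()` unboxed it and threw a
        // NullPointerException for metadata without an explicit value. Treat "unset" like "no
        // metadata": include the name.
        Boolean includeResourceName = metadata == null ? null : metadata.getIncludeResourceName();
        String resourceName = Boolean.FALSE.equals(includeResourceName) ? null : resource.getName();
        permission = new Permission(resource.getId(), resourceName, scopes, claims);
    } else {
        permission = new Permission(null, null, scopes, claims);
    }
    onGrant(permission);
    return permission;
}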
Also used : AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Permission(org.keycloak.representations.idm.authorization.Permission)

Example 5 with Permission

use of org.keycloak.representations.idm.authorization.Permission in project keycloak by keycloak.

the class PermissionTicketAwareDecisionResultCollector method onComplete.

/**
 * Completes the decision and, when the request asks for submission, records permission tickets for
 * the requested owner-managed resources.
 *
 * <p>For each permission in the ticket, the resource is looked up by id and then, as a fallback,
 * by name owned by the requesting identity. Resources that are missing, not owner-managed, owned by
 * the requester, or owned by the resource server itself are skipped. For the remaining resources a
 * {@code PermissionTicket} is created per requested scope (or a single scope-less ticket when no
 * scopes can be determined), unless a matching ticket for this requester already exists.
 */
@Override
public void onComplete() {
    super.onComplete();
    if (request.isSubmitRequest()) {
        StoreFactory storeFactory = authorization.getStoreFactory();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        List<Permission> permissions = ticket.getPermissions();
        if (permissions != null) {
            for (Permission permission : permissions) {
                Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId());
                if (resource == null) {
                    // The ticket's resource id may actually be a resource name owned by the requester.
                    resource = resourceStore.findByName(permission.getResourceId(), identity.getId(), resourceServer.getId());
                }
                // Only resources under owner-managed access that belong to someone other than the
                // requester or the resource server need a ticket.
                if (resource == null || !resource.isOwnerManagedAccess() || resource.getOwner().equals(identity.getId()) || resource.getOwner().equals(resourceServer.getId())) {
                    continue;
                }
                // NOTE(review): permission.getScopes() is dereferenced without a null check — confirm
                // the ticket representation guarantees a non-null (possibly empty) set here.
                Set<String> scopes = permission.getScopes();
                if (scopes.isEmpty()) {
                    // No scopes requested: fall back to every scope defined on the resource.
                    scopes = resource.getScopes().stream().map(Scope::getName).collect(Collectors.toSet());
                }
                if (scopes.isEmpty()) {
                    // Resource has no scopes at all: one scope-less ticket, created only if none exists yet.
                    Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
                    filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
                    filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
                    filters.put(PermissionTicket.FilterOption.SCOPE_IS_NULL, Boolean.TRUE.toString());
                    List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer(), -1, -1);
                    if (tickets.isEmpty()) {
                        authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), null, identity.getId(), resourceServer);
                    }
                } else {
                    ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore();
                    for (String scopeId : scopes) {
                        // Entries may be scope names or scope ids; try the name first.
                        Scope scope = scopeStore.findByName(scopeId, resourceServer.getId());
                        if (scope == null) {
                            scope = scopeStore.findById(scopeId, resourceServer.getId());
                        }
                        // NOTE(review): if neither lookup resolves, scope is null and scope.getId()
                        // below throws — confirm the ticket's scopes are validated upstream.
                        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
                        filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
                        filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
                        filters.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
                        List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer(), -1, -1);
                        if (tickets.isEmpty()) {
                            // Create one ticket per (resource, scope, requester) that does not exist yet.
                            authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), scope.getId(), identity.getId(), resourceServer);
                        }
                    }
                }
            }
        }
    }
}
Also used : PermissionTicket(org.keycloak.authorization.model.PermissionTicket) Resource(org.keycloak.authorization.model.Resource) ScopeStore(org.keycloak.authorization.store.ScopeStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) Scope(org.keycloak.authorization.model.Scope) Permission(org.keycloak.representations.idm.authorization.Permission) EnumMap(java.util.EnumMap)
