Examples with AuthorizationProvider org.keycloak.authorization.AuthorizationProvider used on opensource projects

Example 6 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

the class ExportUtils method createPolicyRepresentation.

private static PolicyRepresentation createPolicyRepresentation(AuthorizationProvider authorizationProvider, Policy policy) {
    try {
        PolicyRepresentation rep = toRepresentation(policy, authorizationProvider, true, true);
        Map<String, String> config = new HashMap<>(rep.getConfig());
        rep.setConfig(config);
        Set<Scope> scopes = policy.getScopes();
        if (!scopes.isEmpty()) {
            List<String> scopeNames = scopes.stream().map(Scope::getName).collect(Collectors.toList());
            config.put("scopes", JsonSerialization.writeValueAsString(scopeNames));
        }
        Set<Resource> policyResources = policy.getResources();
        if (!policyResources.isEmpty()) {
            List<String> resourceNames = policyResources.stream().map(Resource::getName).collect(Collectors.toList());
            config.put("resources", JsonSerialization.writeValueAsString(resourceNames));
        }
        Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
        if (!associatedPolicies.isEmpty()) {
            config.put("applyPolicies", JsonSerialization.writeValueAsString(associatedPolicies.stream().map(associated -> associated.getName()).collect(Collectors.toList())));
        }
        return rep;
    } catch (Exception e) {
        throw new RuntimeException("Error while exporting policy [" + policy.getName() + "].", e);
    }
}

Example 7 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

the class RegexPolicyProvider method evaluate.

@Override
public void evaluate(Evaluation evaluation) {
    AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
    RegexPolicyRepresentation policy = representationFunction.apply(evaluation.getPolicy(), authorizationProvider);
    Attributes.Entry targetClaim = evaluation.getContext().getIdentity().getAttributes().getValue(policy.getTargetClaim());
    if (targetClaim == null) {
        return;
    }
    Pattern pattern = Pattern.compile(policy.getPattern());
    Matcher matcher = pattern.matcher(targetClaim.asString(0));
    if (matcher.matches()) {
        evaluation.grant();
    }
}

Example 8 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

the class RepresentationToModel method createResourceServer.

public static ResourceServer createResourceServer(ClientModel client, KeycloakSession session, boolean addDefaultRoles) {
    if ((client.isBearerOnly() || client.isPublicClient()) && !(client.getClientId().equals(Config.getAdminRealm() + "-realm") || client.getClientId().equals(Constants.REALM_MANAGEMENT_CLIENT_ID))) {
        throw new RuntimeException("Only confidential clients are allowed to set authorization settings");
    }
    AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
    UserModel serviceAccount = session.users().getServiceAccount(client);
    if (serviceAccount == null) {
        client.setServiceAccountsEnabled(true);
    }
    if (addDefaultRoles) {
        RoleModel umaProtectionRole = client.getRole(Constants.AUTHZ_UMA_PROTECTION);
        if (umaProtectionRole == null) {
            umaProtectionRole = client.addRole(Constants.AUTHZ_UMA_PROTECTION);
        }
        if (serviceAccount != null) {
            serviceAccount.grantRole(umaProtectionRole);
        }
    }
    ResourceServerRepresentation representation = new ResourceServerRepresentation();
    representation.setAllowRemoteResourceManagement(true);
    representation.setClientId(client.getId());
    return toModel(representation, authorization, client);
}

Example 9 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

the class FineGrainAdminUnitTest method testClientsSearchAfterFirstPage.

@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientsSearchAfterFirstPage() {
    testingClient.server().run(session -> {
        RealmModel realm = session.realms().getRealmByName("test");
        session.getContext().setRealm(realm);
        ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        UserModel regularAdminUser = session.users().addUser(realm, "regular-admin-user");
        session.userCredentialManager().updateCredential(realm, regularAdminUser, UserCredentialModel.password("password"));
        regularAdminUser.grantRole(realmAdminClient.getRole(AdminRoles.QUERY_CLIENTS));
        regularAdminUser.setEnabled(true);
        UserPolicyRepresentation userPolicyRepresentation = new UserPolicyRepresentation();
        userPolicyRepresentation.setName("Only " + regularAdminUser.getUsername());
        userPolicyRepresentation.addUser(regularAdminUser.getId());
        AdminPermissionManagement management = AdminPermissions.management(session, realm);
        ClientPermissionManagement clientPermission = management.clients();
        for (int i = 15; i < 30; i++) {
            ClientModel clientModel = realm.addClient("client-search-" + (i < 10 ? "0" + i : i));
            clientPermission.setPermissionsEnabled(clientModel, true);
            Policy policy = clientPermission.viewPermission(clientModel);
            AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class);
            if (i == 15) {
                provider.getStoreFactory().getPolicyStore().create(userPolicyRepresentation, management.realmResourceServer());
            }
            policy.addAssociatedPolicy(provider.getStoreFactory().getPolicyStore().findByName("Only regular-admin-user", realmAdminClient.getId()));
        }
    });
    try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth", "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {
        List<ClientRepresentation> clients = new ArrayList<>();
        List<ClientRepresentation> result = client.realm("test").clients().findAll("client-search-", true, true, 0, 10);
        clients.addAll(result);
        Assert.assertEquals(10, result.size());
        Assert.assertThat(result.stream().map(rep -> rep.getClientId()).collect(Collectors.toList()), Matchers.is(Arrays.asList("client-search-15", "client-search-16", "client-search-17", "client-search-18", "client-search-19", "client-search-20", "client-search-21", "client-search-22", "client-search-23", "client-search-24")));
        result = client.realm("test").clients().findAll("client-search-", true, true, 10, 10);
        clients.addAll(result);
        Assert.assertEquals(5, result.size());
        Assert.assertThat(result.stream().map(rep -> rep.getClientId()).collect(Collectors.toList()), Matchers.is(Arrays.asList("client-search-25", "client-search-26", "client-search-27", "client-search-28", "client-search-29")));
        result = client.realm("test").clients().findAll("client-search-", true, true, 20, 10);
        clients.addAll(result);
        Assert.assertTrue(result.isEmpty());
    }
}

Example 10 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

the class AuthzCleanupTest method setup.

public static void setup(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    session.getContext().setRealm(realm);
    AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
    ClientModel myclient = realm.getClientByClientId("myclient");
    ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(myclient);
    createRolePolicy(authz, resourceServer, myclient.getClientId() + "/client-role-1");
    createRolePolicy(authz, resourceServer, myclient.getClientId() + "/client-role-2");
}