Example 31 with AuthorizationProvider
use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.
the class GroupPolicyProviderFactory method updatePolicy.
private void updatePolicy(Policy policy, String groupsClaim, Set<GroupPolicyRepresentation.GroupDefinition> groups, AuthorizationProvider authorization) {
if (groups == null || groups.isEmpty()) {
throw new RuntimeException("You must provide at least one group");
}
Map<String, String> config = new HashMap<>(policy.getConfig());
if (groupsClaim != null) {
config.put("groupsClaim", groupsClaim);
}
List<GroupModel> topLevelGroups = authorization.getRealm().getTopLevelGroupsStream().collect(Collectors.toList());
for (GroupPolicyRepresentation.GroupDefinition definition : groups) {
GroupModel group = null;
if (definition.getId() != null) {
group = authorization.getRealm().getGroupById(definition.getId());
}
String path = definition.getPath();
if (group == null && path != null) {
String canonicalPath = path.startsWith("/") ? path.substring(1, path.length()) : path;
if (canonicalPath != null) {
String[] parts = canonicalPath.split("/");
GroupModel parent = null;
for (String part : parts) {
if (parent == null) {
parent = topLevelGroups.stream().filter(groupModel -> groupModel.getName().equals(part)).findFirst().orElseThrow(() -> new RuntimeException("Top level group with name [" + part + "] not found"));
} else {
group = parent.getSubGroupsStream().filter(groupModel -> groupModel.getName().equals(part)).findFirst().orElseThrow(() -> new RuntimeException("Group with name [" + part + "] not found"));
parent = group;
}
}
if (parts.length == 1) {
group = parent;
}
}
}
if (group == null) {
throw new RuntimeException("Group with id [" + definition.getId() + "] not found");
}
definition.setId(group.getId());
definition.setPath(null);
}
try {
config.put("groups", JsonSerialization.writeValueAsString(groups));
} catch (IOException cause) {
throw new RuntimeException("Failed to serialize groups", cause);
}
policy.setConfig(config);
}
Also used :
Arrays(java.util.Arrays)
PolicyProviderFactory(org.keycloak.authorization.policy.provider.PolicyProviderFactory)
GroupPolicyRepresentation(org.keycloak.representations.idm.authorization.GroupPolicyRepresentation)
Set(java.util.Set)
KeycloakSession(org.keycloak.models.KeycloakSession)
IOException(java.io.IOException)
HashMap(java.util.HashMap)
Config(org.keycloak.Config)
Collectors(java.util.stream.Collectors)
PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation)
HashSet(java.util.HashSet)
JsonSerialization(org.keycloak.util.JsonSerialization)
Policy(org.keycloak.authorization.model.Policy)
List(java.util.List)
ModelToRepresentation(org.keycloak.models.utils.ModelToRepresentation)
Map(java.util.Map)
KeycloakSessionFactory(org.keycloak.models.KeycloakSessionFactory)
GroupModel(org.keycloak.models.GroupModel)
AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider)
PolicyProvider(org.keycloak.authorization.policy.provider.PolicyProvider)
HashMap(java.util.HashMap)
GroupModel(org.keycloak.models.GroupModel)
IOException(java.io.IOException)
GroupPolicyRepresentation(org.keycloak.representations.idm.authorization.GroupPolicyRepresentation)
Example 32 with AuthorizationProvider
use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.
the class ClientPolicyProvider method evaluate.
@Override
public void evaluate(Evaluation evaluation) {
ClientPolicyRepresentation representation = representationFunction.apply(evaluation.getPolicy(), evaluation.getAuthorizationProvider());
AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
RealmModel realm = authorizationProvider.getKeycloakSession().getContext().getRealm();
EvaluationContext context = evaluation.getContext();
for (String client : representation.getClients()) {
ClientModel clientModel = realm.getClientById(client);
if (context.getAttributes().containsValue("kc.client.id", clientModel.getClientId())) {
evaluation.grant();
return;
}
}
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation)
ClientModel(org.keycloak.models.ClientModel)
AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider)
EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext)
Example 33 with AuthorizationProvider
use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.
the class ClientScopePolicyProvider method evaluate.
@Override
public void evaluate(Evaluation evaluation) {
Policy policy = evaluation.getPolicy();
Set<ClientScopePolicyRepresentation.ClientScopeDefinition> clientScopeIds = representationFunction.apply(policy, evaluation.getAuthorizationProvider()).getClientScopes();
AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
RealmModel realm = authorizationProvider.getKeycloakSession().getContext().getRealm();
Identity identity = evaluation.getContext().getIdentity();
for (ClientScopePolicyRepresentation.ClientScopeDefinition clientScopeDefinition : clientScopeIds) {
ClientScopeModel clientScope = realm.getClientScopeById(clientScopeDefinition.getId());
if (clientScope != null) {
boolean hasClientScope = hasClientScope(identity, clientScope);
if (!hasClientScope && clientScopeDefinition.isRequired()) {
evaluation.deny();
return;
} else if (hasClientScope) {
evaluation.grant();
}
}
}
}
Also used :
Policy(org.keycloak.authorization.model.Policy)
RealmModel(org.keycloak.models.RealmModel)
ClientScopePolicyRepresentation(org.keycloak.representations.idm.authorization.ClientScopePolicyRepresentation)
AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider)
ClientScopeModel(org.keycloak.models.ClientScopeModel)
Identity(org.keycloak.authorization.identity.Identity)
Example 34 with AuthorizationProvider
use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.
the class GroupPolicyProvider method evaluate.
@Override
public void evaluate(Evaluation evaluation) {
AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
GroupPolicyRepresentation policy = representationFunction.apply(evaluation.getPolicy(), authorizationProvider);
RealmModel realm = authorizationProvider.getRealm();
Attributes.Entry groupsClaim = evaluation.getContext().getIdentity().getAttributes().getValue(policy.getGroupsClaim());
if (groupsClaim == null || groupsClaim.isEmpty()) {
List<String> userGroups = evaluation.getRealm().getUserGroups(evaluation.getContext().getIdentity().getId());
groupsClaim = new Entry(policy.getGroupsClaim(), userGroups);
}
for (GroupPolicyRepresentation.GroupDefinition definition : policy.getGroups()) {
GroupModel allowedGroup = realm.getGroupById(definition.getId());
for (int i = 0; i < groupsClaim.size(); i++) {
String group = groupsClaim.asString(i);
if (group.indexOf('/') != -1) {
String allowedGroupPath = buildGroupPath(allowedGroup);
if (group.equals(allowedGroupPath) || (definition.isExtendChildren() && group.startsWith(allowedGroupPath))) {
evaluation.grant();
return;
}
}
// in case the group from the claim does not represent a path, we just check an exact name match
if (group.equals(allowedGroup.getName())) {
evaluation.grant();
return;
}
}
}
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
Entry(org.keycloak.authorization.attribute.Attributes.Entry)
Entry(org.keycloak.authorization.attribute.Attributes.Entry)
AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider)
Attributes(org.keycloak.authorization.attribute.Attributes)
GroupModel(org.keycloak.models.GroupModel)
GroupPolicyRepresentation(org.keycloak.representations.idm.authorization.GroupPolicyRepresentation)
Example 35 with AuthorizationProvider
use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.
the class UserPolicyProviderFactory method onExport.
@Override
public void onExport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorizationProvider) {
UserPolicyRepresentation userRep = toRepresentation(policy, authorizationProvider);
Map<String, String> config = new HashMap<>();
try {
UserProvider userProvider = authorizationProvider.getKeycloakSession().users();
RealmModel realm = authorizationProvider.getRealm();
config.put("users", JsonSerialization.writeValueAsString(userRep.getUsers().stream().map(id -> userProvider.getUserById(realm, id).getUsername()).collect(Collectors.toList())));
} catch (IOException cause) {
throw new RuntimeException("Failed to export user policy [" + policy.getName() + "]", cause);
}
representation.setConfig(config);
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
PolicyProviderFactory(org.keycloak.authorization.policy.provider.PolicyProviderFactory)
RealmModel(org.keycloak.models.RealmModel)
Set(java.util.Set)
KeycloakSession(org.keycloak.models.KeycloakSession)
IOException(java.io.IOException)
HashMap(java.util.HashMap)
Config(org.keycloak.Config)
Collectors(java.util.stream.Collectors)
PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation)
HashSet(java.util.HashSet)
JsonSerialization(org.keycloak.util.JsonSerialization)
Policy(org.keycloak.authorization.model.Policy)
UserProvider(org.keycloak.models.UserProvider)
UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation)
UserModel(org.keycloak.models.UserModel)
Map(java.util.Map)
KeycloakSessionFactory(org.keycloak.models.KeycloakSessionFactory)
AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider)
PolicyProvider(org.keycloak.authorization.policy.provider.PolicyProvider)
HashMap(java.util.HashMap)
UserProvider(org.keycloak.models.UserProvider)
UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation)
IOException(java.io.IOException)
Aggregations
AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)60
Policy (org.keycloak.authorization.model.Policy)35
ClientModel (org.keycloak.models.ClientModel)35
ResourceServer (org.keycloak.authorization.model.ResourceServer)30
StoreFactory (org.keycloak.authorization.store.StoreFactory)24
RealmModel (org.keycloak.models.RealmModel)23
HashMap (java.util.HashMap)18
UserModel (org.keycloak.models.UserModel)18
Resource (org.keycloak.authorization.model.Resource)16
PolicyProvider (org.keycloak.authorization.policy.provider.PolicyProvider)15
ArrayList (java.util.ArrayList)14
Map (java.util.Map)14
Scope (org.keycloak.authorization.model.Scope)13
List (java.util.List)12
DefaultEvaluation (org.keycloak.authorization.policy.evaluation.DefaultEvaluation)12
KeycloakSession (org.keycloak.models.KeycloakSession)12
JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)11
Set (java.util.Set)10
Collectors (java.util.stream.Collectors)10
HashSet (java.util.HashSet)9
