
Example 31 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

Class GroupPolicyProviderFactory, method updatePolicy.

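/**
 * Resolves the given group definitions to group ids and stores them, together with the
 * optional groups claim, in the policy configuration.
 *
 * <p>Each definition may name its group by id or by path ({@code "/top/sub"} or
 * {@code "top/sub"}); the id is tried first and the path only when the id is absent or
 * does not resolve. Definitions are updated in place: the resolved id is written back and
 * the path is cleared before the set is serialized into the {@code "groups"} config entry.
 *
 * @param policy        the policy whose config is replaced
 * @param groupsClaim   claim name stored under {@code "groupsClaim"}, or {@code null} to keep the existing value
 * @param groups        group definitions; must contain at least one entry
 * @param authorization provider used to reach the realm and its groups
 * @throws RuntimeException if no groups are given, a group cannot be resolved, or serialization fails
 */
private void updatePolicy(Policy policy, String groupsClaim, Set<GroupPolicyRepresentation.GroupDefinition> groups, AuthorizationProvider authorization) {
    if (groups == null || groups.isEmpty()) {
        throw new RuntimeException("You must provide at least one group");
    }
    Map<String, String> config = new HashMap<>(policy.getConfig());
    if (groupsClaim != null) {
        config.put("groupsClaim", groupsClaim);
    }
    // Snapshot the top-level groups once; every path lookup starts from this list.
    List<GroupModel> topLevelGroups = authorization.getRealm().getTopLevelGroupsStream().collect(Collectors.toList());
    for (GroupPolicyRepresentation.GroupDefinition definition : groups) {
        GroupModel group = null;
        if (definition.getId() != null) {
            group = authorization.getRealm().getGroupById(definition.getId());
        }
        if (group == null && definition.getPath() != null) {
            group = resolveGroupByPath(definition.getPath(), topLevelGroups);
        }
        if (group == null) {
            throw new RuntimeException("Group with id [" + definition.getId() + "] not found");
        }
        // Persist only the id; the path is dropped so the stored config does not go stale on renames.
        definition.setId(group.getId());
        definition.setPath(null);
    }
    try {
        config.put("groups", JsonSerialization.writeValueAsString(groups));
    } catch (IOException cause) {
        throw new RuntimeException("Failed to serialize groups", cause);
    }
    policy.setConfig(config);
}

/**
 * Walks {@code path} segment by segment, starting at the realm's top-level groups and
 * descending through sub-groups by exact name match.
 *
 * @param path           group path, with or without a leading {@code '/'}
 * @param topLevelGroups the realm's top-level groups, used to resolve the first segment
 * @return the group at the end of the path; never {@code null}
 * @throws RuntimeException if the path has no segments or any segment does not match a group
 */
private static GroupModel resolveGroupByPath(String path, List<GroupModel> topLevelGroups) {
    String canonicalPath = path.startsWith("/") ? path.substring(1) : path;
    String[] parts = canonicalPath.split("/");
    if (parts.length == 0) {
        // e.g. "//" splits to nothing; fail here instead of reporting a misleading id lookup failure.
        throw new RuntimeException("Invalid group path [" + path + "]");
    }
    GroupModel current = null;
    for (String part : parts) {
        if (current == null) {
            current = topLevelGroups.stream()
                    .filter(candidate -> candidate.getName().equals(part))
                    .findFirst()
                    .orElseThrow(() -> new RuntimeException("Top level group with name [" + part + "] not found"));
        } else {
            current = current.getSubGroupsStream()
                    .filter(candidate -> candidate.getName().equals(part))
                    .findFirst()
                    .orElseThrow(() -> new RuntimeException("Group with name [" + part + "] not found"));
        }
    }
    return current;
}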

Example 32 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

Class ClientPolicyProvider, method evaluate.

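/**
 * Grants access when the client that issued the request is one of the clients referenced
 * by the policy; otherwise leaves the evaluation undecided.
 *
 * <p>The requesting client is taken from the {@code "kc.client.id"} context attribute and
 * compared with the client id of each configured client.
 *
 * @param evaluation the evaluation to decide
 */
@Override
public void evaluate(Evaluation evaluation) {
    AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
    ClientPolicyRepresentation representation = representationFunction.apply(evaluation.getPolicy(), authorizationProvider);
    RealmModel realm = authorizationProvider.getKeycloakSession().getContext().getRealm();
    EvaluationContext context = evaluation.getContext();
    for (String client : representation.getClients()) {
        ClientModel clientModel = realm.getClientById(client);
        if (clientModel == null) {
            // The referenced client no longer exists in this realm; it cannot be the requester,
            // so skip it rather than fail the whole evaluation with an NPE.
            continue;
        }
        if (context.getAttributes().containsValue("kc.client.id", clientModel.getClientId())) {
            evaluation.grant();
            return;
        }
    }
}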

Example 33 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

Class ClientScopePolicyProvider, method evaluate.

/**
 * Decides the evaluation from the client scopes held by the requesting identity.
 *
 * <p>Every configured scope the identity holds grants; a configured scope marked as
 * required that the identity does not hold denies and stops the evaluation. Scope ids
 * that no longer resolve in the realm are skipped.
 *
 * @param evaluation the evaluation to decide
 */
@Override
public void evaluate(Evaluation evaluation) {
    Policy policy = evaluation.getPolicy();
    ClientScopePolicyRepresentation representation = representationFunction.apply(policy, evaluation.getAuthorizationProvider());
    RealmModel realm = evaluation.getAuthorizationProvider().getKeycloakSession().getContext().getRealm();
    Identity identity = evaluation.getContext().getIdentity();
    for (ClientScopePolicyRepresentation.ClientScopeDefinition definition : representation.getClientScopes()) {
        ClientScopeModel scope = realm.getClientScopeById(definition.getId());
        if (scope == null) {
            // NOTE(review): an unresolvable scope is ignored even when marked required — confirm this is intended.
            continue;
        }
        if (hasClientScope(identity, scope)) {
            evaluation.grant();
        } else if (definition.isRequired()) {
            evaluation.deny();
            return;
        }
    }
}

Example 34 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

Class GroupPolicyProvider, method evaluate.

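/**
 * Grants access when the identity belongs to one of the policy's groups.
 *
 * <p>Group membership is read from the claim named by the policy; when that claim is
 * absent or empty the identity's groups are looked up from the realm instead. A claim
 * value containing {@code '/'} is treated as a group path and compared with the allowed
 * group's path (and, with {@code extendChildren}, with its descendants); any value is
 * also compared with the allowed group's bare name.
 *
 * @param evaluation the evaluation to decide
 */
@Override
public void evaluate(Evaluation evaluation) {
    AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
    GroupPolicyRepresentation policy = representationFunction.apply(evaluation.getPolicy(), authorizationProvider);
    RealmModel realm = authorizationProvider.getRealm();
    Attributes.Entry groupsClaim = evaluation.getContext().getIdentity().getAttributes().getValue(policy.getGroupsClaim());
    if (groupsClaim == null || groupsClaim.isEmpty()) {
        // No usable claim in the token: fall back to the realm's view of the user's groups.
        List<String> userGroups = evaluation.getRealm().getUserGroups(evaluation.getContext().getIdentity().getId());
        groupsClaim = new Entry(policy.getGroupsClaim(), userGroups);
    }
    for (GroupPolicyRepresentation.GroupDefinition definition : policy.getGroups()) {
        GroupModel allowedGroup = realm.getGroupById(definition.getId());
        if (allowedGroup == null) {
            // The configured group was deleted; it can never match, so it must not grant (and must not NPE).
            continue;
        }
        // Built lazily, once per allowed group: it does not depend on the claim entry.
        String allowedGroupPath = null;
        for (int i = 0; i < groupsClaim.size(); i++) {
            String group = groupsClaim.asString(i);
            if (group.indexOf('/') != -1) {
                if (allowedGroupPath == null) {
                    allowedGroupPath = buildGroupPath(allowedGroup);
                }
                if (group.equals(allowedGroupPath) || (definition.isExtendChildren() && isDescendantPath(group, allowedGroupPath))) {
                    evaluation.grant();
                    return;
                }
            }
            // in case the group from the claim does not represent a path, we just check an exact name match
            if (group.equals(allowedGroup.getName())) {
                evaluation.grant();
                return;
            }
        }
    }
}

/**
 * Returns whether {@code path} lies below {@code parentPath} in the group tree.
 *
 * <p>The separator is required so that a sibling sharing a name prefix (for example
 * {@code "/admins"} against {@code "/admin"}) is not accepted as a child, which a bare
 * {@code startsWith} test would do.
 *
 * @param path       group path from the claim
 * @param parentPath path of the allowed group, with or without a trailing {@code '/'}
 * @return {@code true} if {@code path} is a descendant of {@code parentPath}
 */
private static boolean isDescendantPath(String path, String parentPath) {
    String prefix = parentPath.endsWith("/") ? parentPath : parentPath + "/";
    return path.startsWith(prefix);
}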

Example 35 with AuthorizationProvider

use of org.keycloak.authorization.AuthorizationProvider in project keycloak by keycloak.

Class UserPolicyProviderFactory, method onExport.

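/**
 * Exports the policy's user references into the representation's config.
 *
 * <p>The policy stores user ids; the export writes the {@code "users"} entry as a JSON
 * list of the corresponding usernames instead. Users that can no longer be found in the
 * realm are left out.
 *
 * @param policy                the policy being exported
 * @param representation        the representation receiving the {@code "users"} config entry
 * @param authorizationProvider provider used to reach the realm and its users
 * @throws RuntimeException if the username list cannot be serialized
 */
@Override
public void onExport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorizationProvider) {
    UserPolicyRepresentation userRep = toRepresentation(policy, authorizationProvider);
    Map<String, String> config = new HashMap<>();
    UserProvider userProvider = authorizationProvider.getKeycloakSession().users();
    RealmModel realm = authorizationProvider.getRealm();
    try {
        config.put("users", JsonSerialization.writeValueAsString(userRep.getUsers().stream()
                .map(id -> userProvider.getUserById(realm, id))
                // A referenced user may have been deleted since the policy was written;
                // skip it rather than abort the whole export with an NPE.
                .filter(user -> user != null)
                .map(UserModel::getUsername)
                .collect(Collectors.toList())));
    } catch (IOException cause) {
        throw new RuntimeException("Failed to export user policy [" + policy.getName() + "]", cause);
    }
    representation.setConfig(config);
}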
