Example 1 with DefaultEvaluationContext
use of org.keycloak.authorization.common.DefaultEvaluationContext in project keycloak by keycloak.
the class ClientPermissions method canExchangeTo.
@Override
public boolean canExchangeTo(ClientModel authorizedClient, ClientModel to) {
if (!authorizedClient.equals(to)) {
ResourceServer server = resourceServer(to);
if (server == null) {
logger.debug("No resource server set up for target client");
return false;
}
Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), server.getId());
if (resource == null) {
logger.debug("No resource object set up for target client");
return false;
}
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), server.getId());
if (policy == null) {
logger.debug("No permission object set up for target client");
return false;
}
Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
// if no policies attached to permission then just do default behavior
if (associatedPolicies == null || associatedPolicies.isEmpty()) {
logger.debug("No policies set up for permission on target client");
return false;
}
Scope scope = exchangeToScope(server);
if (scope == null) {
logger.debug(TOKEN_EXCHANGE + " not initialized");
return false;
}
ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
EvaluationContext context = new DefaultEvaluationContext(identity, session) {
@Override
public Map<String, Collection<String>> getBaseAttributes() {
Map<String, Collection<String>> attributes = super.getBaseAttributes();
attributes.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
return attributes;
}
};
return root.evaluatePermission(resource, server, context, scope);
}
return true;
}
Also used :
Policy(org.keycloak.authorization.model.Policy)
Scope(org.keycloak.authorization.model.Scope)
DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext)
Resource(org.keycloak.authorization.model.Resource)
Collection(java.util.Collection)
EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext)
DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext)
ResourceServer(org.keycloak.authorization.model.ResourceServer)
ClientModelIdentity(org.keycloak.authorization.common.ClientModelIdentity)
Example 2 with DefaultEvaluationContext
use of org.keycloak.authorization.common.DefaultEvaluationContext in project keycloak by keycloak.
the class IdentityProviderPermissions method canExchangeTo.
@Override
public boolean canExchangeTo(ClientModel authorizedClient, IdentityProviderModel to) {
ResourceServer server = root.initializeRealmResourceServer();
if (server == null) {
logger.debug("No resource server set up for target idp");
return false;
}
Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), server.getId());
if (resource == null) {
logger.debug("No resource object set up for target idp");
return false;
}
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), server.getId());
if (policy == null) {
logger.debug("No permission object set up for target idp");
return false;
}
Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
// if no policies attached to permission then just do default behavior
if (associatedPolicies == null || associatedPolicies.isEmpty()) {
logger.debug("No policies set up for permission on target idp");
return false;
}
Scope scope = exchangeToScope(server);
if (scope == null) {
logger.debug(TOKEN_EXCHANGE + " not initialized");
return false;
}
ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
EvaluationContext context = new DefaultEvaluationContext(identity, session) {
@Override
public Map<String, Collection<String>> getBaseAttributes() {
Map<String, Collection<String>> attributes = super.getBaseAttributes();
attributes.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
return attributes;
}
};
return root.evaluatePermission(resource, server, context, scope);
}
Also used :
Policy(org.keycloak.authorization.model.Policy)
Scope(org.keycloak.authorization.model.Scope)
DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext)
Resource(org.keycloak.authorization.model.Resource)
Collection(java.util.Collection)
EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext)
DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext)
ResourceServer(org.keycloak.authorization.model.ResourceServer)
ClientModelIdentity(org.keycloak.authorization.common.ClientModelIdentity)
Example 3 with DefaultEvaluationContext
use of org.keycloak.authorization.common.DefaultEvaluationContext in project keycloak by keycloak.
the class UserPermissions method isImpersonatable.
@Override
public boolean isImpersonatable(UserModel user) {
ResourceServer server = root.realmResourceServer();
if (server == null) {
return true;
}
Resource resource = resourceStore.findByName(USERS_RESOURCE, server.getId());
if (resource == null) {
return true;
}
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(USER_IMPERSONATED_PERMISSION, server.getId());
if (policy == null) {
return true;
}
Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
// if no policies attached to permission then just do default behavior
if (associatedPolicies == null || associatedPolicies.isEmpty()) {
return true;
}
return hasPermission(new DefaultEvaluationContext(new UserModelIdentity(root.realm, user), session), USER_IMPERSONATED_SCOPE);
}
Also used :
Policy(org.keycloak.authorization.model.Policy)
DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext)
Resource(org.keycloak.authorization.model.Resource)
ResourceServer(org.keycloak.authorization.model.ResourceServer)
UserModelIdentity(org.keycloak.authorization.common.UserModelIdentity)
Example 4 with DefaultEvaluationContext
use of org.keycloak.authorization.common.DefaultEvaluationContext in project keycloak by keycloak.
the class UserPermissions method canClientImpersonate.
@Override
public boolean canClientImpersonate(ClientModel client, UserModel user) {
ClientModelIdentity identity = new ClientModelIdentity(session, client);
EvaluationContext context = new DefaultEvaluationContext(identity, session) {
@Override
public Map<String, Collection<String>> getBaseAttributes() {
Map<String, Collection<String>> attributes = super.getBaseAttributes();
attributes.put("kc.client.id", Arrays.asList(client.getClientId()));
return attributes;
}
};
return canImpersonate(context) && isImpersonatable(user);
}
Also used :
DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext)
Collection(java.util.Collection)
EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext)
DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext)
ClientModelIdentity(org.keycloak.authorization.common.ClientModelIdentity)
Aggregations
DefaultEvaluationContext (org.keycloak.authorization.common.DefaultEvaluationContext)4
Collection (java.util.Collection)3
ClientModelIdentity (org.keycloak.authorization.common.ClientModelIdentity)3
Policy (org.keycloak.authorization.model.Policy)3
Resource (org.keycloak.authorization.model.Resource)3
ResourceServer (org.keycloak.authorization.model.ResourceServer)3
EvaluationContext (org.keycloak.authorization.policy.evaluation.EvaluationContext)3
Scope (org.keycloak.authorization.model.Scope)2
UserModelIdentity (org.keycloak.authorization.common.UserModelIdentity)1
