Use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.
The class MapPermissionTicketStore, method create.
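@Override
public PermissionTicket create(String resourceId, String scopeId, String requester, ResourceServer resourceServer) {
    LOG.tracef("create(%s, %s, %s, %s)%s", resourceId, scopeId, requester, resourceServer, getShortStackTrace());

    // A ticket is owned by the resource owner, not by the requester. findById may return
    // null for an unknown resource id; fail with a descriptive message instead of a bare
    // NullPointerException raised from getOwner().
    String owner = java.util.Objects.requireNonNull(
            authorizationProvider.getStoreFactory().getResourceStore().findById(resourceId, resourceServer.getId()),
            "Resource with id '" + resourceId + "' not found for resource server '" + resourceServer.getId() + "'")
        .getOwner();

    // Mirrors the persistence constraint:
    // @UniqueConstraint(columnNames = {"OWNER", "REQUESTER", "RESOURCE_SERVER_ID", "RESOURCE_ID", "SCOPE_ID"})
    DefaultModelCriteria<PermissionTicket> mcb = forResourceServer(resourceServer.getId())
            .compare(SearchableFields.OWNER, Operator.EQ, owner)
            .compare(SearchableFields.RESOURCE_ID, Operator.EQ, resourceId)
            .compare(SearchableFields.REQUESTER, Operator.EQ, requester);
    if (scopeId != null) {
        mcb = mcb.compare(SearchableFields.SCOPE_ID, Operator.EQ, scopeId);
    }
    // NOTE(review): when scopeId is null the criteria does not restrict SCOPE_ID, so any
    // existing ticket for the same owner/requester/resource (with any scope) is reported as
    // a duplicate — confirm this is the intended semantics for a scope-less ticket.
    if (tx.getCount(withCriteria(mcb)) > 0) {
        throw new ModelDuplicateException("Permission ticket for resource server: '" + resourceServer.getId()
                + "', Resource: " + resourceId + ", owner: " + owner + ", scopeId: " + scopeId + " already exists.");
    }

    MapPermissionTicketEntity entity = new MapPermissionTicketEntityImpl();
    entity.setResourceId(resourceId);
    entity.setRequester(requester);
    entity.setCreatedTimestamp(System.currentTimeMillis());
    if (scopeId != null) {
        entity.setScopeId(scopeId);
    }
    entity.setOwner(owner);
    entity.setResourceServerId(resourceServer.getId());

    entity = tx.create(entity);
    return entityToAdapter(entity);
}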
Use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.
The class PermissionTicketAwareDecisionResultCollector, method onComplete.
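@Override
public void onComplete() {
    super.onComplete();

    // Only a "submit request" asks the server to record permission requests as tickets.
    if (!request.isSubmitRequest()) {
        return;
    }
    List<Permission> permissions = ticket.getPermissions();
    if (permissions == null) {
        return;
    }

    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    ScopeStore scopeStore = storeFactory.getScopeStore();

    for (Permission permission : permissions) {
        // The permission may reference the resource by id or by name (scoped to the requester).
        Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId());
        if (resource == null) {
            resource = resourceStore.findByName(permission.getResourceId(), identity.getId(), resourceServer.getId());
        }
        // Tickets are only created for owner-managed resources that belong to somebody
        // other than the requester or the resource server itself.
        if (resource == null
                || !resource.isOwnerManagedAccess()
                || resource.getOwner().equals(identity.getId())
                || resource.getOwner().equals(resourceServer.getId())) {
            continue;
        }

        Set<String> scopes = permission.getScopes();
        if (scopes.isEmpty()) {
            // No scopes requested: fall back to every scope the resource defines.
            scopes = resource.getScopes().stream().map(Scope::getName).collect(Collectors.toSet());
        }

        if (scopes.isEmpty()) {
            createTicketIfAbsent(resource, null);
        } else {
            for (String scopeNameOrId : scopes) {
                // Scopes may be referenced by name or by id.
                Scope scope = scopeStore.findByName(scopeNameOrId, resourceServer.getId());
                if (scope == null) {
                    scope = scopeStore.findById(scopeNameOrId, resourceServer.getId());
                }
                if (scope == null) {
                    // Unknown scope: skip it rather than fail with a NullPointerException
                    // on scope.getId(); the resource lookup above follows the same pattern.
                    continue;
                }
                createTicketIfAbsent(resource, scope.getId());
            }
        }
    }
}

/**
 * Creates a permission ticket for the current requester on {@code resource} unless an
 * equivalent one already exists.
 *
 * @param resource the owner-managed resource being requested
 * @param scopeId the scope id to record, or {@code null} for a ticket without scope
 */
private void createTicketIfAbsent(Resource resource, String scopeId) {
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();

    Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
    filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
    filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
    if (scopeId == null) {
        filters.put(PermissionTicket.FilterOption.SCOPE_IS_NULL, Boolean.TRUE.toString());
    } else {
        filters.put(PermissionTicket.FilterOption.SCOPE_ID, scopeId);
    }

    List<PermissionTicket> tickets = ticketStore.find(filters, resource.getResourceServer(), -1, -1);
    if (tickets.isEmpty()) {
        ticketStore.create(resource.getId(), scopeId, identity.getId(), resourceServer);
    }
}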
Use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.
The class AuthorizationProvider, method createResourceStoreWrapper.
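/**
 * Wraps the resource store so that deleting a resource also removes the permission
 * tickets and policies that reference it. Every other operation is forwarded to the
 * underlying store unchanged.
 *
 * @param storeFactory factory providing the store to wrap
 * @return a {@link ResourceStore} delegating to {@code storeFactory.getResourceStore()}
 */
private ResourceStore createResourceStoreWrapper(StoreFactory storeFactory) {
    return new ResourceStore() {
        private final ResourceStore delegate = storeFactory.getResourceStore();

        @Override
        public Resource create(String name, ResourceServer resourceServer, String owner) {
            return delegate.create(name, resourceServer, owner);
        }

        @Override
        public Resource create(String id, String name, ResourceServer resourceServer, String owner) {
            return delegate.create(id, name, resourceServer, owner);
        }

        /**
         * Deletes the resource together with its permission tickets; policies that only
         * protect this resource are deleted, others just drop the reference.
         */
        @Override
        public void delete(String id) {
            // NOTE(review): findById may return null for an unknown id, in which case
            // getResourceServer() below would throw — confirm callers only pass existing ids.
            Resource resource = findById(id, null);
            StoreFactory factory = AuthorizationProvider.this.getStoreFactory();

            PermissionTicketStore ticketStore = factory.getPermissionTicketStore();
            List<PermissionTicket> permissions = ticketStore.findByResource(id, resource.getResourceServer());
            for (PermissionTicket permission : permissions) {
                ticketStore.delete(permission.getId());
            }

            PolicyStore policyStore = factory.getPolicyStore();
            List<Policy> policies = policyStore.findByResource(id, resource.getResourceServer());
            for (Policy policyModel : policies) {
                if (policyModel.getResources().size() == 1) {
                    // The policy would be left protecting nothing; remove it entirely.
                    policyStore.delete(policyModel.getId());
                } else {
                    policyModel.removeResource(resource);
                }
            }

            delegate.delete(id);
        }

        @Override
        public Resource findById(String id, String resourceServerId) {
            return delegate.findById(id, resourceServerId);
        }

        @Override
        public List<Resource> findByOwner(String ownerId, String resourceServerId) {
            return delegate.findByOwner(ownerId, resourceServerId);
        }

        @Override
        public void findByOwner(String ownerId, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByOwner(ownerId, resourceServerId, consumer);
        }

        @Override
        public List<Resource> findByOwner(String ownerId, String resourceServerId, int first, int max) {
            return delegate.findByOwner(ownerId, resourceServerId, first, max);
        }

        @Override
        public List<Resource> findByUri(String uri, String resourceServerId) {
            return delegate.findByUri(uri, resourceServerId);
        }

        @Override
        public List<Resource> findByResourceServer(String resourceServerId) {
            return delegate.findByResourceServer(resourceServerId);
        }

        @Override
        public List<Resource> findByResourceServer(Map<Resource.FilterOption, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
            return delegate.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
        }

        @Override
        public List<Resource> findByScope(List<String> id, String resourceServerId) {
            return delegate.findByScope(id, resourceServerId);
        }

        @Override
        public void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByScope(scopes, resourceServerId, consumer);
        }

        @Override
        public Resource findByName(String name, String resourceServerId) {
            return delegate.findByName(name, resourceServerId);
        }

        @Override
        public Resource findByName(String name, String ownerId, String resourceServerId) {
            return delegate.findByName(name, ownerId, resourceServerId);
        }

        @Override
        public List<Resource> findByType(String type, String resourceServerId) {
            return delegate.findByType(type, resourceServerId);
        }

        @Override
        public void findByType(String type, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByType(type, resourceServerId, consumer);
        }

        @Override
        public void findByType(String type, String owner, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByType(type, owner, resourceServerId, consumer);
        }

        @Override
        public List<Resource> findByType(String type, String owner, String resourceServerId) {
            // Forward the owner as well: the previous delegation dropped it and returned
            // resources of this type for every owner, unlike the Consumer overload above.
            return delegate.findByType(type, owner, resourceServerId);
        }

        @Override
        public List<Resource> findByTypeInstance(String type, String resourceServerId) {
            return delegate.findByTypeInstance(type, resourceServerId);
        }

        @Override
        public void findByTypeInstance(String type, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByTypeInstance(type, resourceServerId, consumer);
        }
    };
}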
Use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.
The class Permissions, method all.
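/**
 * Feeds {@code evaluator} with permissions for all resources and scopes that belong to the
 * given {@code resourceServer} and {@code identity}: resources owned by the resource server,
 * resources owned by the identity, and resources granted to the identity through
 * permission tickets (UMA). The number of permissions emitted is bounded by the request
 * metadata limit when one is present.
 *
 * TODO: review once we support caches
 *
 * @param resourceServer the resource server whose resources are evaluated
 * @param identity the identity the permissions are evaluated for
 * @param authorization provider giving access to the stores
 * @param request the authorization request; its metadata may carry a result limit
 * @param evaluator callback receiving each {@link ResourcePermission}
 */
public static void all(ResourceServer resourceServer, Identity identity, AuthorizationProvider authorization, AuthorizationRequest request, Consumer<ResourcePermission> evaluator) {
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    String resourceServerId = resourceServer.getId();

    Metadata metadata = request.getMetadata();
    final AtomicLong limit;
    if (metadata != null && metadata.getLimit() != null) {
        limit = new AtomicLong(metadata.getLimit());
    } else {
        limit = new AtomicLong(Long.MAX_VALUE);
    }

    // obtain all resources where owner is the resource server
    resourceStore.findByOwner(resourceServerId, resourceServerId, resource -> {
        if (limit.decrementAndGet() >= 0) {
            evaluator.accept(createResourcePermissions(resource, resourceServer, resource.getScopes(), authorization, request));
        }
    });

    // resource server isn't current user; compare ids by value, not by reference
    if (!resourceServerId.equals(identity.getId())) {
        // obtain all resources where owner is the current user
        resourceStore.findByOwner(identity.getId(), resourceServerId, resource -> {
            if (limit.decrementAndGet() >= 0) {
                evaluator.accept(createResourcePermissions(resource, resourceServer, resource.getScopes(), authorization, request));
            }
        });
    }

    // obtain all resources granted to the user via permission tickets (uma)
    List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().findGranted(identity.getId(), resourceServerId);
    if (!tickets.isEmpty()) {
        // One permission per resource; tickets for the same resource only contribute scopes.
        Map<String, ResourcePermission> userManagedPermissions = new HashMap<>();
        for (PermissionTicket ticket : tickets) {
            // NOTE(review): the loop stops once the counter is negative, so the resource that
            // drove it below zero is still emitted — confirm whether the limit is meant to be
            // inclusive here (the findByOwner callbacks above stop at exactly zero).
            if (limit.get() < 0) {
                break;
            }
            ResourcePermission permission = userManagedPermissions.computeIfAbsent(ticket.getResource().getId(), s -> {
                limit.decrementAndGet();
                ResourcePermission resourcePermission = new ResourcePermission(ticket.getResource(), new ArrayList<>(), resourceServer, request.getClaims());
                // Ticket-backed permissions were granted by the owner; no policy evaluation needed.
                resourcePermission.setGranted(true);
                return resourcePermission;
            });
            permission.addScope(ticket.getScope());
        }
        for (ResourcePermission permission : userManagedPermissions.values()) {
            evaluator.accept(permission);
        }
    }
}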
Use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.
The class AuthorizationBean, method toPermissionRepresentation.
/**
 * Groups permission tickets by requester, one {@link RequesterBean} per requester holding
 * the scopes of all its tickets. Tickets on resources that are not owner-managed are ignored.
 *
 * @param permissionRequests tickets to present
 * @return the per-requester beans, in no particular order
 */
private Collection<RequesterBean> toPermissionRepresentation(List<PermissionTicket> permissionRequests) {
    Map<String, RequesterBean> byRequester = new HashMap<>();
    for (PermissionTicket permissionTicket : permissionRequests) {
        if (!permissionTicket.getResource().isOwnerManagedAccess()) {
            continue;
        }
        RequesterBean bean = byRequester.computeIfAbsent(
                permissionTicket.getRequester(),
                requester -> new RequesterBean(permissionTicket, authorization));
        bean.addScope(permissionTicket);
    }
    return byRequester.values();
}