
Example 6 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

Class RepresentationToModel, method toModel.

/**
 * Applies a {@link PermissionTicketRepresentation} to the stored ticket it refers to.
 *
 * <p>Only the {@code granted} flag of the representation is consulted: a ticket that is not yet
 * granted receives the current time as its granted timestamp, and a representation with
 * {@code granted == false} deletes the ticket altogether. No authorization check is performed
 * here; callers are expected to have already verified that the caller may modify this ticket.
 *
 * @param representation incoming ticket state; its {@code getId()} selects the stored ticket
 * @param resourceServerId resource server the ticket must belong to (the lookup is scoped to it)
 * @param authorization provider used to reach the ticket store
 * @return the stored ticket, also when it has just been deleted
 * @throws NullPointerException if the lookup yields no ticket for that id and resource server
 */
public static PermissionTicket toModel(PermissionTicketRepresentation representation, String resourceServerId, AuthorizationProvider authorization) {
    PermissionTicketStore store = authorization.getStoreFactory().getPermissionTicketStore();
    PermissionTicket stored = store.findById(representation.getId(), resourceServerId);
    if (!representation.isGranted()) {
        // Revoking: the ticket is removed rather than marked as "not granted".
        store.delete(stored.getId());
    } else if (!stored.isGranted()) {
        // Granting an outstanding request: record when the grant happened.
        stored.setGrantedTimestamp(System.currentTimeMillis());
    }
    return stored;
}

Example 7 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

Class UserSynchronizer, method removeFromUserPermissionTickets.

/**
 * Deletes every permission ticket that references the removed user, so that no grant survives
 * the account it was issued by or to.
 *
 * <p>The ticket store is queried twice: once with the user as {@code OWNER} (tickets the user
 * owns) and once as {@code REQUESTER} (tickets in which the user is the requester). Both lookups
 * are unscoped ({@code null} resource server) and unpaginated ({@code -1, -1}).
 *
 * @param event removal event carrying the user being deleted
 * @param authorizationProvider provider used to reach the ticket store
 */
private void removeFromUserPermissionTickets(UserRemovedEvent event, AuthorizationProvider authorizationProvider) {
    PermissionTicketStore tickets = authorizationProvider.getStoreFactory().getPermissionTicketStore();
    String removedUserId = event.getUser().getId();
    PermissionTicket.FilterOption[] roles = {PermissionTicket.FilterOption.OWNER, PermissionTicket.FilterOption.REQUESTER};
    for (PermissionTicket.FilterOption role : roles) {
        Map<PermissionTicket.FilterOption, String> filter = new EnumMap<>(PermissionTicket.FilterOption.class);
        filter.put(role, removedUserId);
        for (PermissionTicket ticket : tickets.find(filter, null, -1, -1)) {
            tickets.delete(ticket.getId());
        }
    }
}

Example 8 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

Class PermissionTicketService, method delete.

/**
 * Deletes the permission ticket identified by the path segment.
 *
 * <p>The lookup is scoped to this service's resource server. A missing or unknown id is answered
 * with the same {@code invalid_ticket} / 400 error. Deletion is permitted to the ticket owner,
 * the ticket requester, or an identity acting as the resource server; anyone else receives 403.
 *
 * @param id ticket id taken from the request path
 * @return 204 No Content on success
 * @throws ErrorResponseException 400 when the ticket cannot be found, 403 when the caller is not
 *     allowed to delete it
 */
@Path("{id}")
@DELETE
@Consumes("application/json")
public Response delete(@PathParam("id") String id) {
    if (id == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
    }
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    PermissionTicket ticket = ticketStore.findById(id, resourceServer.getId());
    if (ticket == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
    }
    String callerId = this.identity.getId();
    boolean allowed = ticket.getOwner().equals(callerId)
            || this.identity.isResourceServer()
            || ticket.getRequester().equals(callerId);
    if (!allowed) {
        String reason = "permissions for [" + ticket.getResource() + "] can be deleted only by the owner, the requester, or the resource server";
        throw new ErrorResponseException("not_authorised", reason, Response.Status.FORBIDDEN);
    }
    ticketStore.delete(id);
    return Response.noContent().build();
}

Example 9 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

Class PermissionTicketService, method update.

/**
 * Updates a permission ticket from its JSON representation.
 *
 * <p>The ticket is looked up by the representation's id, scoped to this service's resource
 * server; a missing id or unknown ticket yields {@code invalid_ticket} / 400. Unlike deletion,
 * only the ticket owner or an identity acting as the resource server may update — the requester
 * may not. The change itself is delegated to {@link RepresentationToModel#toModel}, which
 * records a grant timestamp or deletes the ticket according to the representation's
 * {@code granted} flag.
 *
 * @param representation incoming ticket state; its id selects the ticket and its granted flag
 *     drives the change
 * @return 204 No Content on success
 * @throws ErrorResponseException 400 for a missing or unknown ticket, 403 when the caller is
 *     neither the owner nor the resource server
 */
@PUT
@Consumes("application/json")
public Response update(PermissionTicketRepresentation representation) {
    if (representation == null || representation.getId() == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
    }
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    PermissionTicket ticket = ticketStore.findById(representation.getId(), resourceServer.getId());
    if (ticket == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
    }
    boolean allowed = ticket.getOwner().equals(this.identity.getId()) || this.identity.isResourceServer();
    if (!allowed) {
        // NOTE(review): the message echoes the caller-supplied resource field of the representation,
        // not the resource of the stored ticket.
        String reason = "permissions for [" + representation.getResource() + "] can be updated only by the owner or by the resource server";
        throw new ErrorResponseException("not_authorised", reason, Response.Status.FORBIDDEN);
    }
    RepresentationToModel.toModel(representation, resourceServer.getId(), authorization);
    return Response.noContent().build();
}

Example 10 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

Class AccountFormService, method shareResource.

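/**
 * Shares one of the current user's resources with other users by creating already-granted
 * permission tickets for them.
 *
 * <p>Flow: require a logged-in account with {@code MANAGE_ACCOUNT}, verify the CSRF token, load
 * the resource and confirm it exists and is owned by the caller, then for each {@code user_id}
 * (accepted as user id, username or e-mail) create tickets for the scopes not yet covered by an
 * existing ticket. A resource without scopes is shared through a single scope-less ticket.
 *
 * @param resourceId id of the resource to share (path segment)
 * @param userIds {@code user_id} form values identifying the users to share with
 * @param scopes optional {@code scope_id} form values; when absent, every scope of the resource
 *     (or the whole resource, if it defines none) is granted
 * @return the login page when unauthenticated, an error response for an invalid resource or
 *     user, otherwise the resource detail page
 */
@Path("resource/{resource_id}/share")
@POST
public Response shareResource(@PathParam("resource_id") String resourceId, @FormParam("user_id") String[] userIds, @FormParam("scope_id") String[] scopes) {
    MultivaluedMap<String, String> formData = request.getDecodedFormParameters();
    if (auth == null) {
        return login("resource");
    }
    auth.require(AccountRoles.MANAGE_ACCOUNT);
    csrfCheck(formData);
    AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
    // Validate before dereferencing: previously the resource server was read from the resource
    // before this check, so an unknown resource_id ended in a NullPointerException instead of 400.
    if (resource == null) {
        return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
    }
    // The existing-ticket lookup below filters on OWNER == current user, i.e. the flow assumes the
    // caller owns the resource; enforce that so a resource belonging to someone else cannot be
    // shared from here. The same error as for an unknown resource is returned on purpose, so
    // resource ids cannot be probed for existence.
    // NOTE(review): assumes the ticket store derives the ticket owner from the resource — confirm.
    String ownerId = auth.getUser().getId();
    if (!ownerId.equals(resource.getOwner())) {
        return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
    }
    ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findById(resource.getResourceServer());
    if (userIds == null || userIds.length == 0) {
        setReferrerOnPage();
        // Previously reported MISSING_PASSWORD on the PASSWORD page — a copy/paste error; report
        // the missing user on the resource page like the unknown-user case below.
        return account.setError(Status.BAD_REQUEST, Messages.INVALID_USER).createResponse(AccountPages.RESOURCE_DETAIL);
    }
    for (String userRef : userIds) {
        UserModel user = findUserByIdUsernameOrEmail(userRef);
        if (user == null) {
            setReferrerOnPage();
            return account.setError(Status.BAD_REQUEST, Messages.INVALID_USER).createResponse(AccountPages.RESOURCE_DETAIL);
        }
        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
        filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
        filters.put(PermissionTicket.FilterOption.OWNER, ownerId);
        filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
        List<PermissionTicket> existing = ticketStore.find(filters, resource.getResourceServer(), -1, -1);
        for (String scopeId : scopesToGrant(resource, scopes, existing)) {
            createGrantedTicket(ticketStore, resourceId, scopeId, user.getId(), resourceServer);
        }
    }
    return forwardToPage("resource", AccountPages.RESOURCE_DETAIL);
}

/**
 * Resolves a {@code user_id} form value, trying user id, then username, then e-mail.
 *
 * @param reference the raw form value
 * @return the matching user, or {@code null} if none of the lookups succeed
 */
private UserModel findUserByIdUsernameOrEmail(String reference) {
    UserModel user = session.users().getUserById(realm, reference);
    if (user == null) {
        user = session.users().getUserByUsername(realm, reference);
    }
    if (user == null) {
        user = session.users().getUserByEmail(realm, reference);
    }
    return user;
}

/**
 * Decides which scope ids need a new ticket for one target user.
 *
 * <ul>
 *   <li>No existing tickets, scopes requested: every requested scope.</li>
 *   <li>No existing tickets, nothing requested: every scope of the resource, or a single
 *       {@code null} entry (one scope-less ticket) if the resource defines no scopes.</li>
 *   <li>Existing tickets, scopes requested: the requested scopes minus those already ticketed.</li>
 *   <li>Existing tickets, nothing requested: nothing.</li>
 * </ul>
 *
 * @param resource the shared resource
 * @param requestedScopes {@code scope_id} form values; may be {@code null} or empty
 * @param existing tickets already linking owner, resource and requester
 * @return scope ids to create tickets for; may consist of a single {@code null}
 */
private static List<String> scopesToGrant(Resource resource, String[] requestedScopes, List<PermissionTicket> existing) {
    boolean scopesRequested = requestedScopes != null && requestedScopes.length > 0;
    List<String> toGrant = new ArrayList<>();
    if (existing.isEmpty()) {
        if (scopesRequested) {
            toGrant.addAll(Arrays.asList(requestedScopes));
        } else if (resource.getScopes().isEmpty()) {
            toGrant.add(null);
        } else {
            for (Scope scope : resource.getScopes()) {
                toGrant.add(scope.getId());
            }
        }
    } else if (scopesRequested) {
        toGrant.addAll(Arrays.asList(requestedScopes));
        for (PermissionTicket ticket : existing) {
            Scope scope = ticket.getScope();
            if (scope != null) {
                // remove(Object) drops one occurrence, as the previous implementation did
                toGrant.remove(scope.getId());
            }
        }
    }
    return toGrant;
}

/**
 * Creates a ticket for {@code requesterId} and marks it granted immediately: sharing from the
 * account console is an owner-initiated grant, not a request awaiting approval.
 */
private static void createGrantedTicket(PermissionTicketStore ticketStore, String resourceId, String scopeId, String requesterId, ResourceServer resourceServer) {
    PermissionTicket ticket = ticketStore.create(resourceId, scopeId, requesterId, resourceServer);
    ticket.setGrantedTimestamp(System.currentTimeMillis());
}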
