
Example 21 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

the class UserManagedPermissionUtil method updatePolicy.

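/**
 * Keeps the user-managed permission {@link Policy} behind a {@link PermissionTicket} in step
 * with the ticket's granted state.
 *
 * <p>If the ticket carries no policy yet, the policy of a sibling ticket (same owner, requester
 * and resource, already backed by a policy) is reused. A granted ticket then gets the policy
 * (creating one through {@code createUserManagedPermission} if none exists) and its scope is
 * added to that policy. A non-granted ticket with a scope has that scope removed from the
 * policy and its policy reference cleared.
 *
 * @param ticket       the ticket whose grant state changed
 * @param storeFactory store access used to look up sibling tickets and to create policies
 */
public static void updatePolicy(PermissionTicket ticket, StoreFactory storeFactory) {
    Scope scope = ticket.getScope();
    Policy policy = ticket.getPolicy();
    if (policy == null) {
        policy = findPolicyOfSiblingTicket(ticket, storeFactory);
    }
    if (ticket.isGranted()) {
        if (policy == null) {
            policy = createUserManagedPermission(ticket, storeFactory);
        }
        if (scope != null && !policy.getScopes().contains(scope)) {
            policy.addScope(scope);
        }
        ticket.setPolicy(policy);
    } else if (scope != null) {
        // A ticket that was never granted may have no policy at all (neither on itself nor on a
        // sibling ticket); previously this dereferenced null. There is nothing to remove the
        // scope from in that case, but the ticket's policy reference is still cleared.
        if (policy != null) {
            policy.removeScope(scope);
        }
        ticket.setPolicy(null);
    }
}

/**
 * Returns the policy of another ticket for the same owner, requester and resource that already
 * has a policy, or {@code null} if there is none.
 */
private static Policy findPolicyOfSiblingTicket(PermissionTicket ticket, StoreFactory storeFactory) {
    Map<PermissionTicket.FilterOption, String> filter = new EnumMap<>(PermissionTicket.FilterOption.class);
    filter.put(PermissionTicket.FilterOption.OWNER, ticket.getOwner());
    filter.put(PermissionTicket.FilterOption.REQUESTER, ticket.getRequester());
    filter.put(PermissionTicket.FilterOption.RESOURCE_ID, ticket.getResource().getId());
    filter.put(PermissionTicket.FilterOption.POLICY_IS_NOT_NULL, Boolean.TRUE.toString());
    // Only one match is needed: any sibling's policy is the shared user-managed permission.
    List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore()
            .find(filter, ticket.getResourceServer().getId(), -1, 1);
    return tickets.isEmpty() ? null : tickets.get(0).getPolicy();
}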

Example 22 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

the class AuthorizationBean method toResourceRepresentation.

/**
 * Groups the given tickets by resource and returns one {@link ResourceBean} per resource whose
 * access is owner-managed, with every ticket of that resource attached as a permission.
 * Tickets on resources that are not owner-managed are ignored.
 *
 * @param tickets the permission tickets to represent
 * @return the beans, one per owner-managed resource (backing-map view, unordered)
 */
private Collection<ResourceBean> toResourceRepresentation(List<PermissionTicket> tickets) {
    Map<String, ResourceBean> beansByResourceId = new HashMap<>();
    for (PermissionTicket ticket : tickets) {
        Resource resource = ticket.getResource();
        if (resource.isOwnerManagedAccess()) {
            // getResource(id) builds the bean on first sight of a resource id.
            ResourceBean bean = beansByResourceId.computeIfAbsent(resource.getId(), this::getResource);
            bean.addPermission(ticket, authorization);
        }
    }
    return beansByResourceId.values();
}

Example 23 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

the class ResourceService method grantPermission.

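/**
 * Creates a permission ticket granting {@code user} the scope {@code scopeId} on this
 * service's resource; the ticket is marked granted as of now.
 *
 * @param user    the user receiving the permission
 * @param scopeId id of the scope to grant, resolved against this service's resource server
 */
private void grantPermission(UserModel user, String scopeId) {
    // NOTE(review): getScope(...) is defined elsewhere; if it can return null for an unknown
    // id, scope.getId() below throws — confirm against its implementation.
    org.keycloak.authorization.model.Scope scope = getScope(scopeId, resourceServer);
    PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), user.getId(), resourceServer);
    // Same epoch-millis value as Calendar.getInstance().getTimeInMillis(), without allocating
    // a Calendar.
    ticket.setGrantedTimestamp(System.currentTimeMillis());
}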

Example 24 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

the class AccountFormService method processResourceActions.

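/**
 * Handles the "resource" form of the account console: removes permission tickets the current
 * user has requested on the posted resources.
 *
 * <p>{@code action} selects which of the user's tickets are removed: {@code cancel} removes the
 * granted ones, {@code cancelRequest} the pending ones. Only tickets whose requester is the
 * authenticated user are touched, so this cannot affect other users' tickets.
 *
 * @param resourceIds ids of the resources whose tickets are to be removed
 * @param action      {@code cancel} or {@code cancelRequest}
 * @return the resources page, the login page when unauthenticated, or a 400 error response
 *         for a missing action / unknown resource
 */
@Path("resource")
@POST
public Response processResourceActions(@FormParam("resource_id") String[] resourceIds, @FormParam("action") String action) {
    MultivaluedMap<String, String> formData = request.getDecodedFormParameters();
    if (auth == null) {
        return login("resource");
    }
    auth.require(AccountRoles.MANAGE_ACCOUNT);
    csrfCheck(formData);
    if (action == null) {
        return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
    }
    // A form without any resource_id used to fail with a NullPointerException in the loop.
    if (resourceIds == null) {
        return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
    }
    AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    // Resolve every resource before deleting anything, so an invalid id in the middle of the
    // list does not leave the earlier resources' tickets already deleted.
    List<Resource> resources = new ArrayList<>(resourceIds.length);
    for (String resourceId : resourceIds) {
        Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
        if (resource == null) {
            return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
        }
        resources.add(resource);
    }
    String requesterId = auth.getUser().getId();
    for (Resource resource : resources) {
        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
        filters.put(PermissionTicket.FilterOption.REQUESTER, requesterId);
        filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
        if ("cancel".equals(action)) {
            filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
        } else if ("cancelRequest".equals(action)) {
            filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString());
        }
        // NOTE(review): any other action value leaves GRANTED unfiltered and therefore deletes
        // both the granted and the pending tickets of the user for this resource — confirm that
        // is intended rather than rejecting unknown actions like the null case above.
        for (PermissionTicket ticket : ticketStore.find(filters, resource.getResourceServer(), -1, -1)) {
            ticketStore.delete(ticket.getId());
        }
    }
    return forwardToPage("authorization", AccountPages.RESOURCES);
}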

Example 25 with PermissionTicket

use of org.keycloak.authorization.model.PermissionTicket in project keycloak by keycloak.

the class AccountFormService method grantPermission.

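/**
 * Handles the per-resource grant form of the account console: grants, denies or revokes a
 * requester's permission tickets on the resource, or trims / removes a user-managed
 * permission policy.
 *
 * <p>{@code action} must be one of {@code grant}, {@code deny}, {@code revoke},
 * {@code revokePolicy} or {@code revokePolicyAll}. For {@code grant}/{@code deny}/{@code revoke}
 * the matching tickets of {@code requester} are looked up and {@code permission_id} holds ticket
 * ids; tickets still in the working list after the selection loop are deleted. For
 * {@code revokePolicy}/{@code revokePolicyAll} {@code permission_id} holds the policy id plus
 * {@code policyId:scopeId} entries naming the scopes to keep; a policy left without scopes is
 * deleted together with its associated policies.
 *
 * @param resourceId   id of the resource the form was posted for
 * @param action       one of the five actions above
 * @param permissionId selected ticket ids, or the policy id and scope entries; may be absent
 * @param requester    username of the requester whose tickets are affected (ticket actions only)
 * @return the resource detail page after a revoke-type action, the resources page otherwise,
 *         the login page when unauthenticated, or a 400 error response on invalid input
 */
@Path("resource/{resource_id}/grant")
@POST
public Response grantPermission(@PathParam("resource_id") String resourceId, @FormParam("action") String action, @FormParam("permission_id") String[] permissionId, @FormParam("requester") String requester) {
    MultivaluedMap<String, String> formData = request.getDecodedFormParameters();
    if (auth == null) {
        return login("resource");
    }
    auth.require(AccountRoles.MANAGE_ACCOUNT);
    csrfCheck(formData);
    AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
    if (resource == null) {
        return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
    }
    if (action == null) {
        return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
    }
    boolean isGrant = "grant".equals(action);
    boolean isDeny = "deny".equals(action);
    boolean isRevoke = "revoke".equals(action);
    boolean isRevokePolicy = "revokePolicy".equals(action);
    boolean isRevokePolicyAll = "revokePolicyAll".equals(action);
    // Fail closed: an unrecognised action previously fell through to the ticket branch and
    // deleted every pending ticket of the requester on this resource.
    if (!isGrant && !isDeny && !isRevoke && !isRevokePolicy && !isRevokePolicyAll) {
        return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
    }
    // An absent permission_id means "nothing selected" instead of a NullPointerException.
    List<String> selectedIds = permissionId == null ? new ArrayList<>() : new ArrayList<>(Arrays.asList(permissionId));
    if (isRevokePolicy || isRevokePolicyAll) {
        PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
        // The first entry without ':' is the policy id; the remaining 'policyId:scopeId'
        // entries name the scopes to keep.
        Policy policy = null;
        Iterator<String> iterator = selectedIds.iterator();
        while (iterator.hasNext()) {
            String id = iterator.next();
            if (!id.contains(":")) {
                policy = policyStore.findById(id, client.getId());
                iterator.remove();
                break;
            }
        }
        if (policy == null) {
            // No policy id was posted, or it does not exist in this client's resource server;
            // previously this dereferenced null.
            return ErrorResponse.error("Invalid permission", Response.Status.BAD_REQUEST);
        }
        // NOTE(review): the policy is resolved by id within the client only; nothing visible
        // here ties it to `resource` or to the authenticated user — confirm the store or model
        // enforces that relationship.
        if (isRevokePolicyAll) {
            // Iterate over a copy: removing from the live scope collection while iterating it
            // could throw ConcurrentModificationException depending on the model implementation.
            for (Scope scope : new ArrayList<>(policy.getScopes())) {
                policy.removeScope(scope);
            }
        } else {
            Set<Scope> scopesToKeep = new HashSet<>();
            for (String id : selectedIds) {
                String[] parts = id.split(":");
                if (parts.length < 2) {
                    // A second bare id would previously have thrown ArrayIndexOutOfBoundsException.
                    continue;
                }
                scopesToKeep.add(authorization.getStoreFactory().getScopeStore().findById(parts[1], client.getId()));
            }
            for (Scope scope : new ArrayList<>(policy.getScopes())) {
                if (!scopesToKeep.contains(scope)) {
                    policy.removeScope(scope);
                }
            }
        }
        if (policy.getScopes().isEmpty()) {
            // Copy here too: deleting an associated policy may modify the association set.
            for (Policy associated : new ArrayList<>(policy.getAssociatedPolicies())) {
                policyStore.delete(associated.getId());
            }
            policyStore.delete(policy.getId());
        }
    } else {
        org.keycloak.models.UserModel requesterUser = session.users().getUserByUsername(realm, requester);
        if (requesterUser == null) {
            // Unknown or missing requester; previously this dereferenced null.
            return ErrorResponse.error("Invalid requester", Response.Status.BAD_REQUEST);
        }
        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
        filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
        filters.put(PermissionTicket.FilterOption.REQUESTER, requesterUser.getId());
        // revoke acts on granted tickets; grant and deny on pending ones.
        filters.put(PermissionTicket.FilterOption.GRANTED, isRevoke ? Boolean.TRUE.toString() : Boolean.FALSE.toString());
        List<PermissionTicket> tickets = ticketStore.find(filters, resource.getResourceServer(), -1, -1);
        boolean hasSelection = !selectedIds.isEmpty();
        Set<String> selected = new HashSet<>(selectedIds);
        // Every ticket still in `tickets` after this loop is deleted; removing a ticket from the
        // list keeps it.
        Iterator<PermissionTicket> iterator = tickets.iterator();
        while (iterator.hasNext()) {
            PermissionTicket ticket = iterator.next();
            boolean isSelected = selected.contains(ticket.getId());
            if (isGrant && hasSelection && !isSelected) {
                // Not selected for granting: stays in the list and is deleted (implicit deny).
                continue;
            }
            if (isGrant && !ticket.isGranted()) {
                ticket.setGrantedTimestamp(System.currentTimeMillis());
                iterator.remove();
            } else if ((isDeny || isRevoke) && hasSelection && isSelected) {
                // NOTE(review): for deny/revoke a *selected* ticket is kept and the unselected
                // ones are deleted; confirm the form posts the ids to keep, as this reads inverted.
                iterator.remove();
            }
        }
        for (PermissionTicket ticket : tickets) {
            ticketStore.delete(ticket.getId());
        }
    }
    if (isRevoke || isRevokePolicy || isRevokePolicyAll) {
        return forwardToPage("resource", AccountPages.RESOURCE_DETAIL);
    }
    return forwardToPage("resource", AccountPages.RESOURCES);
}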
