use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
Source: class JPAPolicyStore, method findByResource.
/**
 * Streams every policy attached to {@code resourceId} within the given resource server
 * to {@code consumer}.
 *
 * <p>The named query {@code findPolicyIdByResource} only yields entity ids; each id is
 * re-read through the provider's {@link PolicyStore} so the caller receives fully
 * materialised {@link Policy} objects. Ids the store cannot resolve are skipped.
 *
 * @param resourceId       id of the resource whose policies are wanted
 * @param resourceServerId id of the resource server that scopes the lookup
 * @param consumer         receives each resolved, non-null policy in query order
 */
@Override
public void findByResource(String resourceId, String resourceServerId, Consumer<Policy> consumer) {
    TypedQuery<PolicyEntity> idQuery = entityManager.createNamedQuery("findPolicyIdByResource", PolicyEntity.class);
    // COMMIT flush mode: do not force pending changes to the database before this read
    idQuery.setFlushMode(FlushModeType.COMMIT);
    idQuery.setParameter("resourceId", resourceId);
    idQuery.setParameter("serverId", resourceServerId);

    PolicyStore policyStore = provider.getStoreFactory().getPolicyStore();

    // closing(...) wraps the JPA stream so it is released once fully consumed
    closing(idQuery.getResultStream()
            .map(entity -> policyStore.findById(entity.getId(), resourceServerId))
            .filter(policy -> policy != null))
        .forEach(consumer);
}
use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
Source: class PolicyEvaluationCompositeRoleTest, method setup.
/**
 * Builds the fixture for the composite-role evaluation test inside {@code session}.
 *
 * <p>Creates a client with one client role, a resource server for that client, a role
 * policy on the client role, one scope and one resource, and a scope permission tying
 * them together. A realm-level composite role then wraps the client role and is granted
 * to a freshly created user, so the user only holds the client role indirectly.
 *
 * @param session session bound to the realm named by {@code TEST}
 */
public static void setup(KeycloakSession session) {
    RealmModel testRealm = session.realms().getRealmByName(TEST);
    session.getContext().setRealm(testRealm);

    ClientModel testClient = session.clients().addClient(testRealm, "myclient");
    RoleModel clientRole = testClient.addRole("client-role1");

    AuthorizationProviderFactory providerFactory =
            (AuthorizationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
    AuthorizationProvider authorization = providerFactory.create(session, testRealm);

    ResourceServer server = authorization.getStoreFactory().getResourceServerStore().create(testClient);
    Policy rolePolicy = createRolePolicy(authorization, server, clientRole);
    Scope testScope = authorization.getStoreFactory().getScopeStore().create("myscope", server);
    // the resource server's own id is passed as the resource owner
    Resource testResource = authorization.getStoreFactory().getResourceStore().create("myresource", server, server.getId());
    addScopePermission(authorization, server, "mypermission", testResource, testScope, rolePolicy);

    // grant the client role only transitively, through a realm composite
    RoleModel compositeRole = testRealm.addRole("composite");
    compositeRole.addCompositeRole(clientRole);
    UserModel testUser = session.users().addUser(testRealm, "user");
    testUser.grantRole(compositeRole);
}
use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
Source: class ClientScopePolicyProviderFactory, method postInit.
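/**
 * Registers a provider-event listener that keeps client-scope policies consistent when a
 * client scope is removed from the realm.
 *
 * <p>For every {@link ClientScopeRemovedEvent}, each policy of this provider's type
 * (filtered via {@link Policy.FilterOption#TYPE} and {@link #getId()}) has the removed
 * scope dropped from its {@code clientScopes} config. A policy left with no scopes is
 * deleted rather than kept as an empty, always-failing rule.
 *
 * @param factory session factory whose event bus the listener is attached to
 */
@Override
public void postInit(KeycloakSessionFactory factory) {
    factory.register(event -> {
        if (!(event instanceof ClientScopeRemovedEvent)) {
            return;
        }
        ClientScopeRemovedEvent removedEvent = (ClientScopeRemovedEvent) event;
        KeycloakSession keycloakSession = removedEvent.getKeycloakSession();
        AuthorizationProvider provider = keycloakSession.getProvider(AuthorizationProvider.class);
        PolicyStore policyStore = provider.getStoreFactory().getPolicyStore();
        String removedClientScopeId = removedEvent.getClientScope().getId();

        Map<Policy.FilterOption, String[]> filters = new HashMap<>();
        filters.put(Policy.FilterOption.TYPE, new String[] { getId() });
        // null resource server and -1/-1 paging: every policy of this type in the store
        policyStore.findByResourceServer(filters, null, -1, -1)
                .forEach(policy -> synchronizeClientScopes(policy, removedClientScopeId, policyStore));
    });
}

/**
 * Rewrites {@code policy}'s {@code clientScopes} config without the removed scope.
 *
 * <p>Only the {@code id} and, when present, {@code required} keys of each entry are
 * carried over. The comparison is done as {@code removedId.equals(entry id)} so an entry
 * whose {@code id} is missing does not throw and is simply kept.
 *
 * @param policy               policy whose config is being synchronised
 * @param removedClientScopeId id of the client scope that was removed
 * @param policyStore          store used to delete the policy once it references no scope
 * @throws RuntimeException if the remaining entries cannot be serialised to JSON
 */
private void synchronizeClientScopes(Policy policy, String removedClientScopeId, PolicyStore policyStore) {
    List<Map<String, Object>> remaining = new ArrayList<>();
    for (Map<String, Object> clientScope : getClientScopes(policy)) {
        if (removedClientScopeId.equals(clientScope.get("id"))) {
            continue;
        }
        Map<String, Object> updated = new HashMap<>();
        updated.put("id", clientScope.get("id"));
        Object required = clientScope.get("required");
        if (required != null) {
            updated.put("required", required);
        }
        remaining.add(updated);
    }
    if (remaining.isEmpty()) {
        // NOTE(review): deleting the policy leaves any permission that referenced it with
        // one fewer associated policy — confirm that is the intended outcome for callers.
        policyStore.delete(policy.getId());
        return;
    }
    try {
        policy.putConfig("clientScopes", JsonSerialization.writeValueAsString(remaining));
    } catch (IOException e) {
        throw new RuntimeException("Error while synchronizing client scopes with policy [" + policy.getName() + "].", e);
    }
}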
use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
Source: class GroupPolicyProviderFactory, method updatePolicy.
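/**
 * Stores the group definitions and optional groups claim in {@code policy}'s config.
 *
 * <p>Each definition is resolved to a concrete realm group, by id first and by path as a
 * fallback. The definition is then normalised to carry only the group id (its path is
 * cleared) before the whole set is serialised under the {@code groups} config key.
 *
 * @param policy        policy whose config is replaced
 * @param groupsClaim   claim name to store under {@code groupsClaim}, or {@code null} to leave it untouched
 * @param groups        group definitions; must contain at least one element
 * @param authorization provider giving access to the realm's groups
 * @throws RuntimeException if {@code groups} is null/empty, a group cannot be resolved,
 *                          or the definitions cannot be serialised
 */
private void updatePolicy(Policy policy, String groupsClaim, Set<GroupPolicyRepresentation.GroupDefinition> groups, AuthorizationProvider authorization) {
    if (groups == null || groups.isEmpty()) {
        throw new RuntimeException("You must provide at least one group");
    }
    Map<String, String> config = new HashMap<>(policy.getConfig());
    if (groupsClaim != null) {
        config.put("groupsClaim", groupsClaim);
    }
    // fetched once and reused for every path lookup
    List<GroupModel> topLevelGroups = authorization.getRealm().getTopLevelGroupsStream().collect(Collectors.toList());
    for (GroupPolicyRepresentation.GroupDefinition definition : groups) {
        GroupModel group = null;
        if (definition.getId() != null) {
            group = authorization.getRealm().getGroupById(definition.getId());
        }
        if (group == null && definition.getPath() != null) {
            group = resolveGroupByPath(definition.getPath(), topLevelGroups);
        }
        if (group == null) {
            throw new RuntimeException("Group with id [" + definition.getId() + "] not found");
        }
        // persist the canonical id only; the path was resolved above and is dropped
        definition.setId(group.getId());
        definition.setPath(null);
    }
    try {
        config.put("groups", JsonSerialization.writeValueAsString(groups));
    } catch (IOException cause) {
        throw new RuntimeException("Failed to serialize groups", cause);
    }
    policy.setConfig(config);
}

/**
 * Walks {@code path} (segments separated by {@code /}, leading slash optional) from the
 * realm's top-level groups down through sub-groups and returns the last segment's group.
 *
 * @param path           group path such as {@code /parent/child}
 * @param topLevelGroups the realm's top-level groups, used to resolve the first segment
 * @return the group at the end of the path; never {@code null}
 * @throws RuntimeException if any segment does not match a group by name
 */
private static GroupModel resolveGroupByPath(String path, List<GroupModel> topLevelGroups) {
    String canonicalPath = path.startsWith("/") ? path.substring(1) : path;
    GroupModel current = null;
    for (String part : canonicalPath.split("/")) {
        if (current == null) {
            current = topLevelGroups.stream()
                    .filter(groupModel -> groupModel.getName().equals(part))
                    .findFirst()
                    .orElseThrow(() -> new RuntimeException("Top level group with name [" + part + "] not found"));
        } else {
            current = current.getSubGroupsStream()
                    .filter(groupModel -> groupModel.getName().equals(part))
                    .findFirst()
                    .orElseThrow(() -> new RuntimeException("Group with name [" + part + "] not found"));
        }
    }
    return current;
}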
use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
Source: class UMAPolicyProviderFactory, method createRolePolicy.
/**
 * Creates a single-role policy in {@code policy}'s resource server and links it to
 * {@code policy} as an associated policy.
 *
 * <p>The new policy gets a generated id as its name and the given {@code owner}; the
 * role is added with {@code required = false}.
 *
 * @param policy      policy that will reference the newly created role policy
 * @param policyStore store used to persist the new policy
 * @param role        role (id or name, as accepted by {@code addRole}) the policy grants
 * @param owner       owner recorded on the new policy
 */
private void createRolePolicy(Policy policy, PolicyStore policyStore, String role, String owner) {
    RolePolicyRepresentation roleRep = new RolePolicyRepresentation();
    roleRep.setName(KeycloakModelUtils.generateId());
    roleRep.addRole(role, false);

    Policy rolePolicy = policyStore.create(roleRep, policy.getResourceServer());
    rolePolicy.setOwner(owner);
    policy.addAssociatedPolicy(rolePolicy);
}