Use of org.keycloak.authorization.model.Policy in project keycloak by keycloak: class UMAPolicyProviderFactory, method toRepresentation.
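/**
 * Builds the UMA permission representation of {@code policy}: its scope names, its owner,
 * and the constraints carried by its associated policies (realm roles, client roles, groups,
 * clients, users, and a JS condition).
 *
 * <p>Every associated policy is converted with
 * {@link ModelToRepresentation#toRepresentation(Policy, AuthorizationProvider, boolean, boolean)}
 * and then dispatched on the resulting representation's type. Types not handled below
 * contribute nothing to the result.
 *
 * <p>Ids held by the associated policies (role, group, client and user ids) are resolved
 * against the realm as they are encountered; an id that no longer resolves is not guarded
 * here, so the call made on the {@code null} lookup result fails.
 *
 * @param policy        the UMA permission policy to convert
 * @param authorization the authorization provider giving access to the realm and session
 * @return the populated representation
 */
@Override
public UmaPermissionRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
    UmaPermissionRepresentation representation = new UmaPermissionRepresentation();

    representation.setScopes(policy.getScopes().stream().map(Scope::getName).collect(Collectors.toSet()));
    representation.setOwner(policy.getOwner());

    // The realm is the same for every associated policy; resolve it once instead of once per iteration.
    RealmModel realm = authorization.getRealm();

    for (Policy associatedPolicy : policy.getAssociatedPolicies()) {
        AbstractPolicyRepresentation associatedRep = ModelToRepresentation.toRepresentation(associatedPolicy, authorization, false, false);

        // Every branch dispatches on the representation's type. The original "user" branch compared
        // associatedPolicy.getType() instead; the two are assumed to agree — TODO confirm.
        String type = associatedRep.getType();
        if (type == null) {
            continue; // nothing could match; same outcome as the former equals() chain
        }

        switch (type) {
            case "role": {
                RolePolicyRepresentation rep = RolePolicyRepresentation.class.cast(associatedRep);
                for (RoleDefinition definition : rep.getRoles()) {
                    RoleModel role = realm.getRoleById(definition.getId());
                    if (role.isClientRole()) {
                        // Client roles are reported together with the owning client's clientId.
                        representation.addClientRole(ClientModel.class.cast(role.getContainer()).getClientId(), role.getName());
                    } else {
                        representation.addRole(role.getName());
                    }
                }
                break;
            }
            case "js": {
                JSPolicyRepresentation rep = JSPolicyRepresentation.class.cast(associatedRep);
                representation.setCondition(rep.getCode());
                break;
            }
            case "group": {
                GroupPolicyRepresentation rep = GroupPolicyRepresentation.class.cast(associatedRep);
                for (GroupDefinition definition : rep.getGroups()) {
                    // Groups are exposed by their full path, not by id.
                    representation.addGroup(ModelToRepresentation.buildGroupPath(realm.getGroupById(definition.getId())));
                }
                break;
            }
            case "client": {
                ClientPolicyRepresentation rep = ClientPolicyRepresentation.class.cast(associatedRep);
                for (String internalClientId : rep.getClients()) {
                    // The policy stores the internal id; the representation exposes the clientId.
                    representation.addClient(realm.getClientById(internalClientId).getClientId());
                }
                break;
            }
            case "user": {
                UserPolicyRepresentation rep = UserPolicyRepresentation.class.cast(associatedRep);
                for (String userId : rep.getUsers()) {
                    // The policy stores the user id; the representation exposes the username.
                    representation.addUser(authorization.getKeycloakSession().users().getUserById(realm, userId).getUsername());
                }
                break;
            }
            default:
                // Other policy types carry nothing this representation exposes.
                break;
        }
    }

    return representation;
}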
Use of org.keycloak.authorization.model.Policy in project keycloak by keycloak: class UMAPolicyProviderFactory, method createGroupPolicy.
/**
 * Creates a group policy for {@code group} in the resource server of {@code policy}, marks it
 * as owned by {@code owner}, and attaches it to {@code policy} as an associated policy.
 *
 * @param policy      the policy that will reference the new group policy
 * @param policyStore the store used to persist the new policy
 * @param group       the group path the new policy grants on
 * @param owner       the owner recorded on the new policy
 */
private void createGroupPolicy(Policy policy, PolicyStore policyStore, String group, String owner) {
    GroupPolicyRepresentation groupPolicy = new GroupPolicyRepresentation();
    // The generated id doubles as the policy name; nothing user-facing depends on it.
    groupPolicy.setName(KeycloakModelUtils.generateId());
    groupPolicy.addGroupPath(group);

    Policy created = policyStore.create(groupPolicy, policy.getResourceServer());
    created.setOwner(owner);

    policy.addAssociatedPolicy(created);
}
Use of org.keycloak.authorization.model.Policy in project keycloak by keycloak: class ClientScopePolicyProvider, method evaluate.
/**
 * Evaluates the client-scope policy against the identity in the evaluation context.
 *
 * <p>For each client scope definition of the policy: a scope the identity holds grants the
 * evaluation; a scope the identity lacks denies it and stops the loop if the definition is
 * marked required, and is otherwise ignored. Definitions whose id no longer resolves to a
 * client scope are skipped.
 *
 * @param evaluation the evaluation to grant or deny
 */
@Override
public void evaluate(Evaluation evaluation) {
    AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
    Policy policy = evaluation.getPolicy();
    Set<ClientScopePolicyRepresentation.ClientScopeDefinition> definitions =
            representationFunction.apply(policy, authorizationProvider).getClientScopes();
    RealmModel realm = authorizationProvider.getKeycloakSession().getContext().getRealm();
    Identity identity = evaluation.getContext().getIdentity();

    for (ClientScopePolicyRepresentation.ClientScopeDefinition definition : definitions) {
        ClientScopeModel clientScope = realm.getClientScopeById(definition.getId());
        if (clientScope == null) {
            // NOTE(review): a required definition whose scope no longer exists is skipped rather
            // than denied; confirm this is the intended outcome for dangling references.
            continue;
        }

        if (hasClientScope(identity, clientScope)) {
            evaluation.grant();
        } else if (definition.isRequired()) {
            evaluation.deny();
            return;
        }
    }
}
Use of org.keycloak.authorization.model.Policy in project keycloak by keycloak: class UserPolicyProviderFactory, method onExport.
/**
 * Exports the user policy into {@code representation}: the user ids held by the policy are
 * resolved to usernames, JSON-serialized, and stored under the {@code "users"} config key.
 *
 * <p>A user id that no longer resolves is not guarded here, so the call made on the
 * {@code null} lookup result fails.
 *
 * @param policy                the policy being exported
 * @param representation        the target representation whose config is replaced
 * @param authorizationProvider gives access to the realm and the user provider
 * @throws RuntimeException if serializing the username list fails
 */
@Override
public void onExport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorizationProvider) {
    UserPolicyRepresentation userRep = toRepresentation(policy, authorizationProvider);
    UserProvider users = authorizationProvider.getKeycloakSession().users();
    RealmModel realm = authorizationProvider.getRealm();

    Map<String, String> config = new HashMap<>();
    try {
        // Usernames are exported instead of ids so the policy can be re-imported into another realm.
        String serializedUsers = JsonSerialization.writeValueAsString(
                userRep.getUsers().stream()
                        .map(id -> users.getUserById(realm, id).getUsername())
                        .collect(Collectors.toList()));
        config.put("users", serializedUsers);
    } catch (IOException cause) {
        throw new RuntimeException("Failed to export user policy [" + policy.getName() + "]", cause);
    }

    representation.setConfig(config);
}
Use of org.keycloak.authorization.model.Policy in project keycloak by keycloak: class RolePolicyProvider, method evaluate.
/**
 * Evaluates the role policy against the identity in the evaluation context.
 *
 * <p>For each role definition of the policy: a role the identity holds grants the evaluation;
 * a role the identity lacks denies it and stops the loop if the definition is marked required,
 * and is otherwise ignored. Definitions whose id no longer resolves to a role are skipped.
 *
 * @param evaluation the evaluation to grant or deny
 */
@Override
public void evaluate(Evaluation evaluation) {
    AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
    Policy policy = evaluation.getPolicy();
    Set<RolePolicyRepresentation.RoleDefinition> definitions =
            representationFunction.apply(policy, authorizationProvider).getRoles();
    RealmModel realm = authorizationProvider.getKeycloakSession().getContext().getRealm();
    Identity identity = evaluation.getContext().getIdentity();

    for (RolePolicyRepresentation.RoleDefinition definition : definitions) {
        RoleModel role = realm.getRoleById(definition.getId());
        if (role == null) {
            // NOTE(review): a required definition whose role no longer exists is skipped rather
            // than denied; confirm this is the intended outcome for dangling references.
            continue;
        }

        if (hasRole(identity, role, realm)) {
            evaluation.grant();
        } else if (definition.isRequired()) {
            evaluation.deny();
            return;
        }
    }
}